Multi-Tenant SPFx App Not Visible in Secondary Tenant Sites

[SanjeshSeclore]

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

No response

Issue description

We’ve developed a multi-tenant SharePoint Framework (SPFx) app that includes a File Handler component and supports Azure AD Multiple Organizations.
The app is successfully visible in My Apps of a secondary (QA) tenant, but users from that tenant cannot access or use the app when visiting a SharePoint site hosted on our primary dev tenant.

When a QA user opens a SharePoint site on the dev tenant, the app is not shown in the site’s “Add App” list or as a file handler. In the browser’s network tab, we see this failing API call when we click on the file(initiate file handler):
GET https://.sharepoint.com/_api/v2.0/drive/apps?select=*,promoted,builtIn&$expand=actions
→ Response: { "error": { "code": "accessDenied", "message": "Access denied" } }

Current Setup:
Primary (Dev) tenant: Hosts the SPFx package and app deployment.
Secondary (QA) tenant: Connected via Multi-Tenant Organization (MTO) sync.
MTO Configuration: Users are synced as members (not guests) using MTO.
All relevant inbound and outbound sharing permissions are configured and allowed.
The synced QA users appear as member users in the dev tenant with UPN as firstname.lastname
App Consent & Visibility:
The QA tenant admin ran the consent URL:
https://login.microsoftonline.com/{tenant-id}/oauth2/authorize?client_id={client-id}&state={state}&redirect_uri={redirect-uri}

The app appeared under Enterprise Applications in the QA tenant and was assigned to all QA users.
QA users can see the app in myapps.microsoft.com, confirming successful multi-tenant registration.
However:
When QA users access a SharePoint site on the dev tenant, the app does not appear, and _api/v2.0/drive/apps returns AccessDenied in network tab.

SPFx Solution Details
skipFeatureDeployment: true
includeClientSideAssets: false
isDomainIsolated: false
Sign-in Audience: AzureADMultipleOrgs
Redirect URIs: Configured for https://.../login/postAuth and a test redirect.
File Handlers: Configured for multiple file extensions (.docx, .xlsx, .pptx, etc.)
Hosting endpoint: https:///secloreo365service/openfile

What We’ve Tried
Verified MTO user sync → users appear as members in the dev tenant.
Granted all necessary permissions (both inbound and outbound) in the MTO setup.
Confirmed app consent via QA tenant admin → app appears under Enterprise Apps and MyApps.microsoft.com.
Confirmed that the SPFx app is deployed correctly and works for dev tenant users.
Despite all this, the app does not show up for synced QA users on dev tenant sites, and _api/v2.0/drive/apps fails with AccessDenied.

Additional Details
App registration configured as multi-tenant (signInAudience = AzureADMultipleOrgs).
Permissions granted to Microsoft Graph and SharePoint Online.
Users appear as MTO-synced members with correct permissions.
_api/v2.0/drive/apps works fine for dev tenant users, but not for synced users from QA tenant.
We have created a site on dev tenant and added the synced QA user as member of the site and then accessed the site using the QA user and trying to open the file using custom file handler

Request for Microsoft Guidance
We’d like Microsoft’s help to understand and resolve this issue.
Specifically:
Are there any additional Graph/SharePoint permissions or consent requirements for cross-tenant member users (synced via MTO) to access the SPFx app and file handlers?
Should the File Handler definitions be registered in the secondary tenant, or are they expected to propagate automatically once the app is consented and synced?
Does the _api/v2.0/drive/apps AccessDenied response indicate a SharePoint API limitation for cross-tenant users, or is it a configuration gap?
If this scenario (multi-tenant SPFx + File Handler + MTO) requires special setup, could Microsoft share the recommended architecture or deployment flow?
If newer documentation or guidance exists for multi-tenant SPFx app deployment with MTO integration, please share the latest steps or references.

Questions for Microsoft
Are MTO-synced users expected to have access to the Drive Apps API and SPFx-based file handlers across tenants?
Is there a known limitation or workaround for enabling cross-tenant SPFx app discovery in SharePoint Online sites?
Do we need to redeploy the SPFX App in QA tenant as well for this to work?

[Ashlesha-MSFT]

Hello @SanjeshSeclore,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.
If you don’t receive a reply within two working days, please use this escalation form to escalate.

[Ashlesha-MSFT]

@SanjeshSeclore,
We appreciate how clearly you’ve outlined the setup. Based on the information shared, reproducing this issue exactly requires the same configuration and app package used in your environment (SPFx solution, app registration, and file handler definitions).

To help us investigate further and attempt a repro on our end, could you please share:

• A ZIP of the SPFx project (or at least key configuration files if full package sharing isn’t possible).
• The Azure AD app registration details (current redirect URIs and permissions).
• A screenshot or export of the File Handler definition you’ve configured.

Once we have these details, we’ll set up a controlled environment to reproduce the behavior and analyze the _api/v2.0/drive/apps access issue.

[SanjeshSeclore]

After granting the necessary permission and doing the corresponding required configurations, we were able to see the SPFX app for the QA users.

Now the issue that we are facing is that we are using the MTO (Multi Tenant Org/Cross tenant sync) sync feature to sync users between our Dev and QA tenants. After extending the Azure apps from the Dev tenant to the QA tenant, we have configured file handlers in both tenants (Dev and QA).
The issue we're facing is as follows:

SharePoint Setup:

• We created a SharePoint site in the Dev tenant.
• We added a user (synced from the QA tenant) as a member of the Dev site. The user's UPN in the Dev tenant is in the format: firstname.lastname_qatenant@devtenant.onmicrosoft.com.

File Handlers:

• We have file handlers configured in both the Dev and QA tenants.
• However, neither the file handler from the Dev tenant nor the one from the QA tenant is visible to the synced user when accessing the SharePoint site in the Dev tenant.

Additional Information:

• SPFx (SharePoint Framework) apps from the Dev tenant are successfully showing up for the QA tenant users.
• The service principal of the app has started appearing in the QA tenant after the QA tenant admin ran the consent URL:
  https://login.microsoftonline.com/{tenant-id}/oauth2/authorize?client_id={client-id}&state={state}&redirect_uri={redirect-uri}

Despite this, the file handlers are still not appearing for the synced user.
We would greatly appreciate any insights into why the file handlers are not appearing for the user, even though SPFx apps and the service principal are showing correctly. Any guidance on resolving this issue would be helpful!

[Ashlesha-MSFT]

@SanjeshSeclore,
A related discussion exists on Microsoft Q&A that addresses a similar scenario: Multi-Tenant SPFx App Not Visible in Secondary Tenant
Key points and considerations from that discussion:

• Users synced via Multi-Tenant Org (MTO) need to have the correct member or guest type in the primary tenant.
• File handlers do not automatically propagate across tenants; each tenant must have the app registered and the file handler URL configured properly.
• API _api/v2.0/drive/apps can return AccessDenied for cross-tenant users if permissions or consent are missing.
• While multi-tenant SPFx apps can work across tenants, file handler support for cross-tenant users has limitations and may require hosting a public endpoint and ensuring proper Azure AD consent.

This Q&A post provides guidance on configuration and known limitations for multi-tenant SPFx apps with file handlers.