0

Any ideas why an Outlook addin would be getting this error?

Elevated permission is required to call the method: 'mailbox.getUserIdentityToken'

Our manifest file specifies ReadWrite permissions:

<Permissions>ReadWriteItem</Permissions>
<Rule xsi:type="RuleCollection" Mode="Or">
    <Rule xsi:type="ItemIs" ItemType="Message" FormType="Edit"/>
    <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</Rule>

It's only one user/account that is experiencing this issue out of hundreds.

Thank you.

An update: We solved the 'Elevated permission is required ...' problem but the method occasionally returns:

getUserIdentityTokenAsync failed - status: failed, error: Internal Error, code: 5001, message: An internal error has occurred.

We ignore this and try again later and it succeeds. Not sure what this error means.

Alexey
  • 556
  • 1
  • 5
  • 18
  • The manifest looks correct. Which Outlook client are they using (desktop or online)? What OS are they using (Windows 10 or macOS)? What is their version number of Outlook? This error may occur when the API is being called before Office.Initialize or when using pinning and calling when the item is NULL. Here is documentation to attach a debugger if they are on Windows 10 Outlook Desktop: https://learn.microsoft.com/en-us/office/dev/add-ins/testing/debug-add-ins-using-f12-developer-tools-on-windows-10 – Outlook Add-ins Team - MSFT Apr 27 '20 at 22:48
  • I'll post Outlook/windows version soon. Actually I believe this issue was re-produced in OWA last. Re: null item or Office.Initialize it can't be that. Our code is designed to wait for Office initialization and to handle events when pinned. Hundreds of users (a few thousands actually) use the addin daily and only this one Office 365 Org is having this issue. Are there any Office 365 account policies that could be preventing the Office.js API from functioning correctly? Thank you. – Alexey Apr 28 '20 at 00:26
  • There are policies to restrict add-in installations, but there are no policies to restrict APIs. The add-in should have the permission level specified in the manifest. Is the add-in in the store or were there any change of permissions? – Outlook Add-ins Team - MSFT Apr 28 '20 at 19:54
  • The addin is in the store. – Alexey Apr 28 '20 at 22:20
  • What about this Q, what bug was fixed? https://stackoverflow.com/questions/60647664/office-addin-elevated-permission-error-on-saving-custom-properties – Alexey Apr 28 '20 at 22:22
  • If a store add-in changes permission, there is a manual step for the user or admin to update the add-in. If the user or admin does not complete this step, the user will still have the old manifest. Were there any change in permissions? (For example if the add-in had `restricted` permissions, and then the developer submits a new one to the store with `ReadWriteItem`) – Outlook Add-ins Team - MSFT Apr 29 '20 at 00:24
  • The bug you referenced is specifically related to the saveCustomProperties API and should not affect anything else. – Outlook Add-ins Team - MSFT Apr 29 '20 at 00:24
  • No, there have not been any permission changes. We have not updated our manifest for months and this is a new user. I believe this user reported that other addins fail for him too. Would that mean some kind of an account restriction/configuration? – Alexey Apr 29 '20 at 14:44
  • Is the add-in being used in a shared folder(s)? Could you please share the name of the add-in? Since it is a store add-in, I would like to check the manifest. – Outlook Add-ins Team - MSFT Apr 30 '20 at 15:19
  • https://appsource.microsoft.com/en-us/product/office/WA200000105 – Alexey Apr 30 '20 at 21:40
  • Planning to have a screen share session with the user early next week to collect more details of the error and its context. – Alexey Apr 30 '20 at 21:41
  • Also this issue happens for this addin: https://appsource.microsoft.com/en-us/product/office/WA104380691 – Alexey Apr 30 '20 at 21:56
  • To answer your earlier question, there is no user or org configuration that would cause JS API to return the error you are seeing. There are configuration for restricting installation (example. do not allow store addin installation). However, once installed, JS API access is controlled only by permission in the manifest. To confirm: with the 2 addins you listed, are we still referring to the same single user hitting the issue? Could you confirm the Outlook and Windows version, or if this is OWA as you indicated earlier? – Outlook Add-ins Team - MSFT May 05 '20 at 05:31
  • My debug session with the user was postponed. Hope to get more details tomorrow. – Alexey May 05 '20 at 16:58
  • Alexey, I saw you posted an answer, just curious as to how much longer - I would presume it wouldn't be minutes but I figured I would check. Is the elevated permissions error coming from over the network (you can see in a network trace), or just from the local JS API. – Brian Clink May 06 '20 at 20:33
  • Brian, the error is from Office.js API. But I can't say if it's triggered by something from Network, I have not checked the network traffic. What we took away from this issue is that you can't call the IdToken method in a JS Timer. No sure why. We actually use Dart. So not sure if the compiler adds some extra code around the Timer call. – Alexey May 07 '20 at 04:12
  • This particular error comes from local JS. I suspect that you are hitting the error in the timer because by the time the getUserIdentityToken call runs, the user is on a 'null' item or switching items. The JS API layer keeps context and API calls are allowed when the user is on an item, basically after ItermChanged fired with a valid item. – Outlook Add-ins Team - MSFT May 07 '20 at 23:49
  • Well the last implementation used Timer.run (Dart) which was basically like running the command right away, without any delay so the item would not have become null yet. Simply the fact that the Timer was used created the problem. – Alexey May 08 '20 at 14:47

3 Answers3

1

To your issue of: 

getUserIdentityTokenAsync failed - status: failed, error: Internal Error, code: 5001, message: An internal error has occurred.

This can occur when network errors occur preventing a token from being fetched. Retrying is the valid way to account for this. If you want to find out more about the network issue that may occur, there is a diagnostics object on the asyncResult: https://learn.microsoft.com/en-us/javascript/api/office/office.asyncresult?view=word-js-preview#diagnostics

Outlook Add-ins Team - MSFT
  • 8,906
  • 1
  • 9
  • 21
0

For some reason if you schedule the method call for later in a timer then this "Elevated permission ..." error happens. We refactored our token refresh code to abandon using Timer and that seems to have fixed it!

I guess Office API looses some important context when it's called in background, using Timers.

Alexey
  • 556
  • 1
  • 5
  • 18
  • A quick followup question. Is it possible for Outlook to show the PIN but for the loaded Office.js to be <1.5 version so that the itemChanged event is not supported? – Alexey May 07 '20 at 21:26
  • If the addin has the pin button, itemChanged event is supported. The itemChanged event should be handled in order for APIs to work after item switch. More info here: https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/pinnable-taskpane – Outlook Add-ins Team - MSFT May 07 '20 at 23:51
  • This is probably worth creating a separate Q but our manifest requires v 1.3 in the section where it activates the pin support which I suspect could potentially tell Outlook to show the pin but Office.js 1.3 could still be loaded by the addin which does not support the event handler. This user seems to have this situation. Outlook shows the pin but no changedItem events are firing (reaching our code). – Alexey May 08 '20 at 14:51
  • No this is not possible. Note though, that if your add-in has a tag in the manifest, you must call addHandlerAsync with the item changed event, and must handle the event. If a user clicks on a header item, or something that loads nothing in the preview pane, then a NULL item will be sent to you. If the execution of getUserIdentityTokenAsync occurs after this event, then then you will get the elevated permission error. – Outlook Add-ins Team - MSFT May 12 '20 at 00:23
  • Sorry a tangential question. Trying to debug the itemChanged event for the same mailbox which stops being sent or delivered but only in Outlook (desktop). Tried to attach to Outlook using F12 tools, but attaching to an Outlook process that is not our addin (target: top_something). What does it mean? How can we attach to the addin process? Can it be running in Edge while the main Outlook process is IE 11? – Alexey May 21 '20 at 02:44
  • Indeed the addin runs in Edge! How can we debug why Outlook stops notifying our addin of the ItemChanged events? Is possible the event handler gets reset? – Alexey May 21 '20 at 19:39
  • https://stackoverflow.com/questions/61942680/pinned-outlook-web-addin-itemchanged-event-stops-arriving – Alexey May 21 '20 at 19:48
0

If you have installed the Add-In by file you need to delete it and upload it back into outlook, otherwise it will not detect any changes in your manifest file.

Crypto-Frank
  • 142
  • 6
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jun 12 '22 at 18:19