Some executions of my side-loaded Outlook add-in report this permissions exception in my remote logger when they're run:
Error Elevated permission is required to call the method: 'mailbox.getCallbackTokenAsync'.
https://appsforoffice.microsoft.com/lib/1/hosted/outlook-win32-16.02.js:20:187671 G
https://appsforoffice.microsoft.com/lib/1/hosted/outlook-win32-16.02.js:20:204853 We
https://[mydomain]/AppRead/Home/Functions.js:22:9 Anonymous function
https://appsforoffice.microsoft.com/lib/1/hosted/office.js:46:22370 Microsoft.Office.WebExtension.onReadyInternal
https://appsforoffice.microsoft.com/lib/1/hosted/office.js:46:22842 Microsoft.Office.WebExtension.onReady
https://[mydomain]/AppRead/Home/Functions.js:17:5 functionName
https://appsforoffice.microsoft.com/lib/1/hosted/outlook-win32-16.02.js:20:156870 Anonymous function
The add-in manifest specifies the following permissions:
<Permissions>ReadWriteMailbox</Permissions>
<Rule xsi:type="RuleCollection" Mode="Or">
<Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</Rule>
Based on the stack traces I have, it's always outlook-win32-16.02.js and Edge browser, so it seems to be isolated to recent-ish Outlook. I've logged a decent number of these, though it's not happened frequently enough that any customer has reported it.
It definitely seems similar to this question Elevated permission is required to call the method: 'mailbox.getUserIdentityToken', but I'm not using a timer control and this is executing in the onReady(), so Office.js should be loaded.
Have I missed a new security change that's specific to that platform? Or is my understanding of either Office.onReady() or ReadWriteMailbox permissions flawed?
