
We are implementing SSO in an Outlook add-in. Let's presume there are two tenants, for simplicity.

  1. Home Tenant
  2. Customer Tenant

We have added the Customer Tenant's user as a guest in the Home Tenant. Hence, we can manage the guest user with certain access.

We have created a multi-tenant app registration in the Home Tenant to get user consent and authentication from the Customer Tenant. And we have put the application (client) id and application id URI in the Outlook add-in XML as shown below.

<OfficeApp>
    ...
    ...
    <WebApplicationInfo>
      <Id>928cd908-multi-tenant-application-id</Id>
      <Resource>api://company-domain.com/928cd908-multi-tenant-application-id</Resource>
      <Scopes>
        <Scope>Files.Read.All</Scope>
        <Scope>offline_access</Scope>
        <Scope>openid</Scope>
        <Scope>profile</Scope>
      </Scopes>
    </WebApplicationInfo>
    </VersionOverrides>
  </VersionOverrides>
</OfficeApp>

Let's assume consent has already been done.

In order to do SSO, I'm following these steps:

  1. Executing OfficeJs.auth.getAccessToken and getting an access token which is issued by the Customer Tenant.
  2. Passing the Customer Tenant token to the application server through an API call.
  3. Exchanging the Customer Tenant token for a Home Tenant AD token by using an on-behalf-of (OBO) request:
POST /2e627697-home-tenant-ad-id/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&client_id=928cd908-multi-tenant-application-id
&client_secret=.m_7Qxxx
&assertion=eyJ0eXAiOiJKV1Q-customer-tenant-ad-token
&requested_token_use=on_behalf_of
&scope=api://company-domain.com/928cd908-multi-tenant-application-id/access_as_user openid
  4. Received an access token from Home Tenant AD, since the Customer Tenant's user exists in Home Tenant AD as a guest.
  5. Allowing the user to access the server resource.
  6. Sending the response to the Outlook add-in from the server.

So far all good. The problem is:

If I enable per-user MFA for the guest user, then I start to get the error below when I do the on-behalf-of request from the server.

{
    "error": "invalid_grant",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '928cd908-multi-tenant-application-id'.\r\nTrace ID: 706875e8-bfe7-44b8-a9f9-402b1f4a2201\r\nCorrelation ID: 8a4bde4c-9222-4aa0-a4d6-cd0748ff3816\r\nTimestamp: 2022-06-29 18:00:31Z",
    "error_codes": [
        50076
    ],
    "timestamp": "2022-06-29 18:00:31Z",
    "trace_id": "706875e8-bfe7-44b8-a9f9-402b1f4a2201",
    "correlation_id": "8a4bde4c-9222-4aa0-a4d6-cd0748ff3816",
    "error_uri": "https://login.microsoftonline.com/error?code=50076",
    "suberror": "basic_action"
}

There are two options to make the user interact:

OPTION 1

  1. Get Customer Tenant token by calling Officejs.auth.getAccessToken.
  2. Send Customer Tenant token to server.
  3. Create on-behalf-of request from server.
  4. Get 50076 error and then send error response to addin.
  5. Open an authorize popup for MFA from the add-in by using the following URL. This will do MFA against Home Tenant AD.
// The URL must be a single string; the original template literal spanned several
// lines and would have embedded newlines in the query string.
const authorizeUrl =
  'https://login.microsoftonline.com/2e627697-home-tenant-ad-id/oauth2/v2.0/authorize' +
  '?client_id=928cd908-multi-tenant-application-id' +
  '&response_type=id_token+token' +
  '&redirect_uri=https://company-domain.com/928cd908-multi-tenant-application-id' +
  '&scope=openid api://company-domain.com/928cd908-multi-tenant-application-id/access_as_user' +
  '&response_mode=fragment' +
  '&state=12345' +
  '&nonce=678910';

window.open(authorizeUrl);
  6. Close the authorize popup after MFA is completed.
  7. Call Officejs.auth.getAccessToken to get a Customer Tenant token (2e627697-home-tenant-ad-id MFA passed).
  8. Pass the Customer Tenant token with MFA to the server.
  9. Create an on-behalf-of request from the server with the Customer Tenant token (2e627697-home-tenant-ad-id MFA passed).
  10. Get the Home Tenant AD token successfully.

OPTION 2

  1. Get a Customer Tenant token by calling Officejs.auth.getAccessToken.
  2. Send the Customer Tenant token to the server.
  3. Create an on-behalf-of request from the server.
  4. Get the 50076 error and then send an error response to the add-in.
  5. Call Officejs.auth.getAccessToken to get a Customer Tenant token (MFA passed). Here I don't have a clear understanding of how to force OfficeJs to get a Customer Tenant token after passing MFA for 2e627697-home-tenant-ad-id.

Questions

  1. Option 1 is getting MFA through window.open from the Outlook add-in code, instead of getting MFA through OfficeJs. Is this the correct way?
  2. If Option 2 is the correct way, how do I force OfficeJs to perform MFA for 2e627697-home-tenant-ad-id?
HILARUDEEN S ALLAUDEEN
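The middle-tier side of the flow described in the question, as an added example (not code from the question, from the answer, or from Microsoft's samples): building the OBO form body in the same shape as the POST above, and turning the token endpoint's reply, including the AADSTS50076 body quoted above, into a small result the add-in can branch on. Function names and the result shape are assumptions; the tenant and application ids are the page's own placeholders; the body with a `claims` value is constructed.

```javascript
// Form body for the OBO request (same fields as the POST on the page). Only the
// encoded body is produced: the client secret must never go into a URL, a query
// string or a log line.
function buildOboBody({ clientId, clientSecret, assertion, scope }) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: clientId,
    client_secret: clientSecret,
    assertion,
    requested_token_use: 'on_behalf_of',
    scope,
  }).toString();
}

// AAD error codes meaning "the user must do something interactively before OBO
// can succeed". 50076 is the code on the page; 50079 (MFA enrolment) and
// 65001 (missing consent) are the related published codes.
const INTERACTION_CODES = new Map([
  [50076, 'mfa_required'],
  [50079, 'mfa_enrollment_required'],
  [65001, 'consent_required'],
]);

// Interpret the token endpoint's HTTP status and JSON body. The raw AAD body
// stays server-side; the add-in gets the kind, the reason, the claims challenge
// (when AAD supplied one) and the ids needed for a support case.
function interpretTokenResponse(status, body) {
  if (status === 200 && typeof body.access_token === 'string') {
    return { kind: 'token', accessToken: body.access_token, expiresIn: body.expires_in };
  }
  const codes = Array.isArray(body.error_codes) ? body.error_codes : [];
  const reason = codes.map((c) => INTERACTION_CODES.get(c)).find(Boolean);
  const diagnostics = {
    traceId: body.trace_id ?? null,
    correlationId: body.correlation_id ?? null,
  };
  if (body.error === 'invalid_grant' && reason) {
    return {
      kind: 'interaction_required',
      reason,
      // The page's 50076 body carries no claims value; in that case the add-in
      // has nothing to pass as authChallenge and must fall back to an
      // interactive sign-in (the question's Option 1).
      claims: typeof body.claims === 'string' ? body.claims : null,
      ...diagnostics,
    };
  }
  return { kind: 'error', error: body.error ?? `http_${status}`, ...diagnostics };
}

// The error body quoted on the page (error_description omitted for brevity).
const PAGE_ERROR = {
  error: 'invalid_grant',
  error_codes: [50076],
  trace_id: '706875e8-bfe7-44b8-a9f9-402b1f4a2201',
  correlation_id: '8a4bde4c-9222-4aa0-a4d6-cd0748ff3816',
  suberror: 'basic_action',
};

// Constructed variant carrying a claims challenge; the value is illustrative
// and the policy id is a placeholder.
const CONSTRUCTED_CLAIMS_ERROR = {
  ...PAGE_ERROR,
  claims: '{"access_token":{"capolids":{"essential":true,"values":["constructed-policy-id"]}}}',
};

function demoExchange() {
  const body = buildOboBody({
    clientId: '928cd908-multi-tenant-application-id',
    clientSecret: 'placeholder-secret',
    assertion: 'eyJ0eXAiOiJKV1Q-customer-tenant-ad-token',
    scope: 'api://company-domain.com/928cd908-multi-tenant-application-id/access_as_user openid',
  });
  return {
    body,
    fromPage: interpretTokenResponse(400, PAGE_ERROR),
    withClaims: interpretTokenResponse(400, CONSTRUCTED_CLAIMS_ERROR),
    success: interpretTokenResponse(200, { access_token: 'home-tenant-token', expires_in: 3599 }),
  };
}
```

Keeping the full AAD body on the server and logging only `trace_id` and `correlation_id` gives the support case what it needs without the add-in ever seeing the secret-bearing request or deciding on raw error strings.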

1 Answer

To ensure MFA is satisfied use the message returned by MS Graph as the Office.AuthOptions.authChallenge value. E.g.

let exchangeResponse = await getGraphToken(bootstrapToken);
// A claims value in the exchange response means MFA must be satisfied first
if (exchangeResponse.claims) {
  bootstrapToken = await OfficeRuntime.auth.getAccessToken({
    authChallenge: exchangeResponse.claims
  });
}
Martijn Pieters
AlfredoRevilla-MSFT
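The answer's `authChallenge` idea carried through as a retry loop, as an added example that is not code from the answer or from Microsoft's samples. `auth` stands in for `OfficeRuntime.auth` and `exchange` for the add-in's call to its own middle tier; both are injected so the flow can run here against a constructed simulation of the two cases on the page: the middle tier reports the 50076 failure with a claims challenge, or, as in the body the question quotes, without one. The `{ kind, reason, claims }` result shape of `exchange` is an assumption; `allowSignInPrompt` and `authChallenge` are real `Office.AuthOptions` fields.

```javascript
// Get a bootstrap token, exchange it, and if the middle tier reports a claims
// challenge, ask Office for a new bootstrap token with that challenge and retry.
async function acquireResourceToken(auth, exchange, { maxChallenges = 1 } = {}) {
  let options = { allowSignInPrompt: true };
  for (let attempt = 0; attempt <= maxChallenges; attempt++) {
    const bootstrapToken = await auth.getAccessToken(options);
    const result = await exchange(bootstrapToken);
    if (result.kind === 'token') {
      return { accessToken: result.accessToken, challengesAnswered: attempt };
    }
    if (result.kind !== 'interaction_required') {
      throw new Error(`exchange failed: ${result.error || result.kind}`);
    }
    if (!result.claims) {
      // The page's own AADSTS50076 body has no claims value, so there is nothing
      // to hand back to Office; the caller must fall back to an interactive
      // sign-in (the question's Option 1) instead of retrying blindly.
      const err = new Error(`interaction required (${result.reason}) without a claims challenge`);
      err.code = 'NO_CLAIMS_CHALLENGE';
      throw err;
    }
    // Pass the challenge to Office so the next bootstrap token is issued after MFA.
    options = { allowSignInPrompt: true, authChallenge: result.claims };
  }
  throw new Error('challenge not satisfied after retry');
}

// Constructed simulation (not the real Office runtime or token endpoint): the
// first bootstrap token fails OBO with an MFA challenge; a token requested with
// authChallenge set succeeds. The claims string and policy id are placeholders.
function simulate({ serverReturnsClaims }) {
  const CLAIMS = '{"access_token":{"capolids":{"essential":true,"values":["constructed-policy-id"]}}}';
  const calls = [];
  const auth = {
    async getAccessToken(options) {
      calls.push(options);
      return options.authChallenge ? 'bootstrap-after-mfa' : 'bootstrap';
    },
  };
  const exchange = async (bootstrapToken) =>
    bootstrapToken === 'bootstrap-after-mfa'
      ? { kind: 'token', accessToken: 'home-tenant-access-token' }
      : { kind: 'interaction_required', reason: 'mfa_required', claims: serverReturnsClaims ? CLAIMS : null };
  return { auth, exchange, calls };
}

async function demoFlow() {
  const ok = simulate({ serverReturnsClaims: true });
  const withClaims = await acquireResourceToken(ok.auth, ok.exchange);

  const bare = simulate({ serverReturnsClaims: false });
  let fallback = null;
  try {
    await acquireResourceToken(bare.auth, bare.exchange);
  } catch (e) {
    fallback = e.code;
  }
  return { withClaims, callsWithClaims: ok.calls, fallback, callsWithout: bare.calls.length };
}
```

Bounding the retries (`maxChallenges`) matters: if the middle tier keeps returning a challenge, the add-in should surface an error rather than prompt the user for MFA in a loop.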