
The Office Addin for Excel provides the method:

OfficeRuntime.auth.getAccessToken(OfficeRuntime.AuthOptions)

to call Azure Active Directory, log in the user and gain access to the user's profile. The method brings up a dialog box asking the user's consent for the Office App to access their profile. The consent box also includes the grants to my Web App (an Angular web site that runs in the Excel Taskpane) and includes the words "If you accept, will also have access to your user profile information".

All good. But my Web App communicates with my API, which requires an additional granting of consent for my API to access the user's profile.

Is there any way to cause the dialog box invoked by 'getAccessToken' to also grant permission to my API?

When I log in using MSAL as a fallback method (not getAccessToken(), but using an Excel dialog box with MSAL configured as per the various Microsoft Walkthroughs), the consent box DOES include both my WebApp and my WebAPI. And authentication works correctly.

I note that the Manifest file has a tag. I had hoped that adding the Scope to my API in here would cause the Office-Addin to request consent to it, but no banana, it does nothing.

Any Ideas?

I do note that getAccessToken() deliberately does not return an access token to MS Graph, with the Microsoft Documentation citing 'security concerns', and such access to Graph must be via Server Side Code using the On-Behalf-Of flow. Perhaps similar reasoning does not permit me to gain consent to any API using getAccessToken(), but what then are these sections in the manifest file for? I have really struggled to get SSO working with Office Add-ins; there are so many nuances and unexpected behaviours.

JimbobTheSailor

2 Answers


The getAccessToken method calls the Azure Active Directory V2.0 endpoint to get an access token to your add-in's web application. That enables add-ins to identify users. Server-side code can use this token to access Microsoft Graph for the add-in's web application by using the "on behalf of" OAuth flow. This API requires a single sign-on configuration that bridges the add-in to an Azure application. Office users sign in with Organizational Accounts and Microsoft Accounts. Microsoft Azure returns tokens intended for both user account types to access resources in the Microsoft Graph. Read more about that in the Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow article.

Eugene Astafiev
  • Thanks for taking the time to respond. I have read the above from the referenced doc, but I don't quite understand it. Specifically: a) Am I right that the Access Token from getAccessToken can never be used to access my back end API? And therefore I must use the 'on behalf of flow' in my ASP.NET Core RESTful API? ..and if so, by inference, the consent request shown when using getAccessToken() can never consent to my API (only to the Office App and my (Angular) web app)? And b) What are the scopes in the Manifest file for? ..they don't seem to do anything? – JimbobTheSailor Oct 25 '22 at 05:37
  • I'm getting a similar issue: Office.getAccessToken does not show all scope permissions which are delegated permissions. If users do not grant these permissions, my backend API cannot call the Graph API. So how to show all the scopes in the manifest file in the consent prompt? https://stackoverflow.com/questions/76442303/user-consent-window-not-showing-all-manifest-scopes-when-installing-microsoft-ap – infodev Jun 09 '23 at 17:57

In answer to my own question,

It is NOT possible to cause the dialog box invoked by 'getAccessToken' to also grant permission to my API.

I have written a lengthy response to this in my answer to this question: Office-Addin MSAL Single Sign In SSO: How to Refresh the Access Token?

JimbobTheSailor