Access Azure AD from excel add-in using IWA

Anonymous
2022-08-21T13:26:13.667+00:00

Hello,

I am trying to access endpoints hosted on Azure App Services from an Excel add-in solution. I am using Integrated Windows Authentication to generate an access token. Everything was working fine and I could access anything I need from Azure using the add-in, but suddenly today, when I am testing the add-in again, I am getting this exception: Microsoft.Identity.Client.MsalClientException: There was an error parsing WS-Trust response from the endpoint. This may occur if there is an issue with your ADFS configuration. After debugging I found that the exception is raised from this code:

```csharp
using Microsoft.Identity.Client;

// Build the public client for the configured app registration and authority.
IPublicClientApplication app = PublicClientApplicationBuilder.Create(configuration.ClientID)
                               .WithAuthority(new Uri(configuration.Authority))
                               .Build();

// Request a token for the API audience using Integrated Windows Authentication.
AcquireTokenByIntegratedWindowsAuthParameterBuilder request =
    app.AcquireTokenByIntegratedWindowsAuth(new string[] { configuration.Audience });

// ExecuteAsync returns an AuthenticationResult; the bearer token is its AccessToken property.
AuthenticationResult result = await request.ExecuteAsync();
configuration.AccessToken = result.AccessToken;
```

On the other hand when I try to use the same library that acquire the access token from a console app, everything is working fine.

So what may block the Excel add-in itself from acquiring the token?

Microsoft Entra

2 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-08-22T21:46:48.29+00:00

    Hi @Anonymous ,

    There are a number of limitations when using the AcquireTokenByIntegratedWindowsAuth method, and it seems likely that this is the cause of your issue. These limitations are listed here. Among others, the flow has the following constraints:

    1) This can only be used with federated users created in an Active Directory and backed by Azure Active Directory. Users created directly in AAD without AD backing cannot use this auth flow.

    2) It does not work for MSA users.

    3) IWA will fail when used with interactive MFA. (See explanation and constraints.)

    4) If you are testing with your own user account, consent must be granted to the application for your account. For other users, they will need to consent to the application accessing their account details, or the tenant admin must grant consent across the tenant using the Grant admin consent for Tenant button in the portal.

    5) Microsoft personal accounts are not supported.

    6) This flow is enabled for .net desktop, .net core and Windows Universal Apps.

    7) The error can also occur if Integrated Windows Authentication is not enabled in the browser properties.

    References:
    Integrated Windows Constraints
    AD FS Troubleshooting
    MSAL Error

    Let me know if this helps. If these constraints do not apply to your situation we may need to do a deeper dive into your environment.

    -
    If the information helped you, please Accept the answer. This will help us and other community members as well.


  2. Anonymous
    2022-08-28T13:36:58.857+00:00

    For me the problem was related to the App Service TLS version; it was configured to use TLS version 1.0, which is deprecated. Changing the version to 1.2 solved the issue for me.

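The root cause in the answer above (an App Service still accepting TLS 1.0) is easy to audit and remediate with the Azure CLI. The script below is an added example, not code from either post or from Microsoft; it assumes `az` is installed and logged in, that the caller supplies the resource group and app name, and the sample JSON is constructed to mirror the `minTlsVersion` field that `az webapp config show` returns.

```bash
#!/usr/bin/env bash
# Added example: audit an Azure App Service for a weak minimum TLS version and raise it to 1.2.
set -eu

# Constructed sample of the relevant part of `az webapp config show` output (not real output).
SAMPLE_WEAK_CONFIG='{ "http20Enabled": true, "minTlsVersion": "1.0", "ftpsState": "Disabled" }'
SAMPLE_OK_CONFIG='{ "http20Enabled": true, "minTlsVersion": "1.2", "ftpsState": "Disabled" }'

# Pull the minTlsVersion value out of JSON on stdin without depending on jq.
extract_min_tls() {
  sed -n 's/.*"minTlsVersion": *"\([0-9.]*\)".*/\1/p'
}

# Return 0 when the version meets the 1.2 floor, 1 otherwise (1.0 and 1.1 are the deprecated values).
tls_version_ok() {
  case "$1" in
    1.2|1.3) return 0 ;;
    *) return 1 ;;
  esac
}

# Read a config JSON document on stdin and print a verdict line: "ok <ver>" or "weak <ver>".
audit_config_json() {
  local ver
  ver=$(extract_min_tls)
  if tls_version_ok "${ver:-unknown}"; then
    echo "ok $ver"
  else
    echo "weak ${ver:-unknown}"
  fi
}

# Live check against Azure: $1 = resource group, $2 = web app name (hypothetical values supplied by caller).
audit_webapp() {
  local verdict
  verdict=$(az webapp config show --resource-group "$1" --name "$2" --output json | audit_config_json)
  echo "$2: minTlsVersion verdict: $verdict"
  case "$verdict" in
    weak*)
      # Raise the floor so clients negotiating TLS 1.0/1.1 are rejected at the edge.
      az webapp config set --resource-group "$1" --name "$2" --min-tls-version 1.2 --output none
      echo "$2: minTlsVersion raised to 1.2" ;;
  esac
}
```

Run `audit_webapp <resource-group> <app-name>` against a real app; the offline functions can be exercised on the embedded samples first.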