How to obtain an access token for microsoft Graph API in an outlook Add-In using Federated credentials

Question

Hi Microsoft Team,

I am developing a React.js-based Outlook Add-In and for that I have been setting up a federated credential using GitHub Actions as the external Identity Provider (IdP) for an application in Microsoft Entra ID. What additional steps are needed to get an access token using the federated credential? Specifically, I want the token to be scope for calling Microsoft Graph API endpoints.

Below are the steps I have completed so far:

1. To create a federated credential, a trust relationship must be established between an external identity provider (IdP) and an app in Microsoft Entra ID by configuring a federated identity credential.
2. A software workload can exchange trusted tokens from the external identity provider for access tokens issued by the Microsoft identity platform.
3. I chose GitHub Actions as the external identity provider to establish trust between Azure and the external IdP.
4. Followed the steps outlined in the documentation to configure the federated identity credential for the application.
   https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#configure-a-federated-identity-credential-on-an-app

For set up in GitHub Action followed the steps as per steps in documentation:
Authenticate to Azure from GitHub Actions workflows | Microsoft Learn

1. Created a repository and for that repository added secrets and variables shown in the snapshot below:
   a) Azure_ClientId
   b) Azure_TenantId
2. Created a New Workflow in GitHub Action: Action Tab > New Workflow > set up a workflow yourself.
   In “.yml” file added below code and committed the changes:

                           

on: [push]

permissions:

  ``id-token: write

  ``contents: read

 

name: Run Azure Login without subscription

 

jobs:

 

  ``build-and-deploy:

    ``runs-on: ubuntu-latest

    ``steps:

 

    ``- name: Azure Login

      ``uses: azure/login@v2

      ``with:

        ``client-id: ${{ secrets.AZURE_CLIENT_ID }}

        ``tenant-id: ${{ secrets.AZURE_TENANT_ID }}

        ``allow-no-subscriptions: true

        ``enable-AzPSSession: true

 

    ``- name: Azure CLI script

      ``uses: azure/cli@v2

      ``with:

        ``azcliversion: latest

        ``inlineScript: |

          ``az account show

 

    ``- name: Run Azure PowerShell

      ``uses: azure/powershell@v2

      ``with:

        ``azPSVersion: "latest"

        ``inlineScript: |

          ``Get-AzContext

1. After running the Job build and deploy is being successful as shown in snapshot.
   Questions: How can I obtain an access token from the configuration mentioned above that grants access to Microsoft Graph API?

Answer 1

Hi Suraj, I had a similar question posted on stack overflow and ended up answering my own question here:
https://stackoverflow.com/questions/79589292/use-github-s-oidc-feature-to-authenticate-directly-to-azure-entra-id/79590023#79590023