How to get GRAPH API token in office.js (got 401 unauthorized)

S W 40 Reputation points
2024-05-28T16:29:48.7533333+00:00

I set up my Azure app registration application following this document: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow

I have my Web URI set as: https://localhost:xxxx/Application (client) ID. I added my custom page to the Web Redirect URIs, created a custom scope called 'ReadUser,' and configured the client application with Office Web client IDs. Additionally, I have ensured that all necessary permissions (openid, user.read, profile) are granted.

This is the configuration code in my XML files:

<WebApplicationInfo>
	<Id>My Application (client) ID</Id>
	<Resource>api://localhost:xxxx/Application (client) ID</Resource>
	<Scopes>
		<Scope>user.read</Scope>
		<Scope>openid</Scope>
		<Scope>profile</Scope>
	</Scopes>
</WebApplicationInfo>

However, when I use the access token generated by the office.auth.getAccessToken() function to make a call to the Graph API https://graph.microsoft.com/v1.0/me to retrieve my user profile, it returns a 401 unauthorized error.

Can I ask where I went wrong? Is it possible to obtain an access token with the 'user.read' permission for the signed-in user?

I appreciate the help!


Accepted answer
  1. CarlZhao-MSFT 42,131 Reputation points
    2024-05-30T10:11:13.97+00:00

    Hi @S W

    The audience of your token is your custom web API instead of graph API, so it cannot be used to call graph API. If you are using OBO flow, you also need to use the current web API access token as a middle-tier token to get the access token of downstream graph API.

    Decode the access token of graph API, the value of aud claim should be:

    User's image

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

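The audience check and on-behalf-of exchange described in the accepted answer, as an added example that is not part of the original thread and not Microsoft's code. It is written for a Node.js middle-tier server; the function names, the sample token and its placeholder GUID are constructed for illustration, and the two Graph audience values are the well-known resource URI and application ID for Microsoft Graph.

```javascript
// Added example: diagnose a token's audience and build the OBO exchange request.
// Decoding here does NOT verify the signature; use it for troubleshooting only.

const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "00000003-0000-0000-c000-000000000000", // Microsoft Graph application ID
]);

// Decode the payload (second segment) of a compact JWT without verifying it.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// True only when the token was issued for Microsoft Graph.
function isGraphToken(token) {
  const aud = decodeJwtPayload(token).aud;
  return typeof aud === "string" && GRAPH_AUDIENCES.has(aud.replace(/\/$/, ""));
}

// Build the form body the middle tier posts to
// https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
// Server-side only: the client secret must never ship inside the add-in.
function buildOboRequest({ clientId, clientSecret, addinToken, scope }) {
  if (isGraphToken(addinToken)) throw new Error("token is already for Graph");
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: clientId,
    client_secret: clientSecret,
    assertion: addinToken, // the token the add-in got from getAccessToken()
    scope,                 // e.g. "https://graph.microsoft.com/User.Read"
    requested_token_use: "on_behalf_of",
  });
}

// Constructed, unsigned sample token whose aud is a custom API, like the asker's.
function makeSampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none" })}.${enc({ aud, scp: "ReadUser" })}.sig`;
}

const sample = makeSampleToken("api://localhost:xxxx/00000000-0000-0000-0000-000000000000");
console.log("usable against Graph:", isGraphToken(sample));
```

The middle tier should fully validate the incoming add-in token (signature, issuer, audience) before using it as the assertion; the decode step above is only a diagnostic for the 401.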
