Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,460 questions
JS API login from Outlook add-in
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 22%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZ%3C/text%3E%3C/svg%3E)
zmeggyesi
0
Reputation points
Context
I'm building an Office 365 add-in - to be run in Outlook, both desktop and web -, and I'm at the stage where I want to try logging the user in and getting an access token. However, I'm running into trouble getting the login to work.
The Troubles
I have registered the application in Entra, and I have an App ID for it. I filled out my WebApplicationInfo element in the manifest, and that's where the problems start.
Rejected sideloading
If I use the app URL Entra gives me, and get something like this
<WebApplicationInfo>
<Id>foo</Id>
<Resource>api://foo</Resource>
<Scopes>
<Scope>User.Read</Scope>
<Scope>Mail.Read</Scope>
<Scope>offline_access</Scope>
<Scope>email</Scope>
<Scope>profile</Scope>
<Scope>openid</Scope>
</Scopes>
</WebApplicationInfo>
Outlook will reject the sideload - but will not give any reasons why - and nothing will work (obviously). The Resource element looks strange, but according to Microsoft docs, this is by-design as this is how Entra enforces uniqueness in URLs.
In fact, I've gone through every iteration according to the table at https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#identifieruris-attribute, and unless I have the authority set exactly to localhost:3000, Exchange will reject the sideload - not even a different port will be accepted.
If I comment this element, things are working, but - as expected - calling the auth APIs will give an error as the add-in is not signaling auth capability.
Client error
If I "fix" the app URL to look something like an actual URL, such as this one
<WebApplicationInfo>
<Id>foo</Id>
<Resource>api://localhost:3000/foo</Resource>
<Scopes>
<Scope>User.Read</Scope>
<Scope>Mail.Read</Scope>
<Scope>offline_access</Scope>
<Scope>email</Scope>
<Scope>profile</Scope>
<Scope>openid</Scope>
</Scopes>
</WebApplicationInfo>
Outlook will accept the manifest for sideloading and I am able to call the Javascript APIs to initiate login, but this will predictably fail, because it's pointing to a localhost origin. Furthermore, the Microsoft documentation for the element shows the example as
<WebApplicationInfo>
<Id>12345678-abcd-1234-efab-123456789abc</Id>
<Resource>api://contoso.com/12345678-abcd-1234-efab-123456789abc</Resource>
<Scopes>
<Scope>Files.Read.All</Scope>
<Scope>offline_access</Scope>
<Scope>openid</Scope>
<Scope>profile</Scope>
</Scopes>
</WebApplicationInfo>
where the host is also set to a non-random value, leading me to believe the Entra UI is giving me the wrong information.
The question
How do I get the login working from within an add-in? What do I need to specify in the WebApplicationInfo element in order to be able to use the JS APIs?