JS API login from Outlook add-in

zmeggyesi 0 Reputation points
2024-05-20T11:43:23.8166667+00:00

Context

I'm building an Office 365 add-in - to be run in Outlook, both desktop and web -, and I'm at the stage where I want to try logging the user in and getting an access token. However, I'm running into trouble getting the login to work.

The Troubles

I have registered the application in Entra, and I have an App ID for it. I filled out my WebApplicationInfo element in the manifest, and that's where the problems start.

Rejected sideloading

If I use the app URL Entra gives me, and get something like this

<WebApplicationInfo>
  <Id>foo</Id>
  <Resource>api://foo</Resource>
  <Scopes>
    <Scope>User.Read</Scope>
    <Scope>Mail.Read</Scope>
    <Scope>offline_access</Scope>
    <Scope>email</Scope>
    <Scope>profile</Scope>
    <Scope>openid</Scope>
  </Scopes>
</WebApplicationInfo>

Outlook will reject the sideload - but will not give any reasons why - and nothing will work (obviously). The Resource element looks strange, but according to Microsoft docs, this is by-design as this is how Entra enforces uniqueness in URLs.
In fact, I've gone through every iteration according to the table at https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#identifieruris-attribute, and unless I have the authority set exactly to localhost:3000, Exchange will reject the sideload - not even a different port will be accepted.

If I comment this element, things are working, but - as expected - calling the auth APIs will give an error as the add-in is not signaling auth capability.

Client error

If I "fix" the app URL to look something like an actual URL, such as this one

<WebApplicationInfo>
  <Id>foo</Id>
  <Resource>api://localhost:3000/foo</Resource>
  <Scopes>
    <Scope>User.Read</Scope>
    <Scope>Mail.Read</Scope>
    <Scope>offline_access</Scope>
    <Scope>email</Scope>
    <Scope>profile</Scope>
    <Scope>openid</Scope>
  </Scopes>
</WebApplicationInfo>

Outlook will accept the manifest for sideloading and I am able to call the Javascript APIs to initiate login, but this will predictably fail, because it's pointing to a localhost origin. Furthermore, the Microsoft documentation for the element shows the example as

<WebApplicationInfo>
  <Id>12345678-abcd-1234-efab-123456789abc</Id>
  <Resource>api://contoso.com/12345678-abcd-1234-efab-123456789abc</Resource>
  <Scopes>
    <Scope>Files.Read.All</Scope>
    <Scope>offline_access</Scope>
    <Scope>openid</Scope>
    <Scope>profile</Scope>
  </Scopes>
</WebApplicationInfo>

where the host is also set to a non-random value, leading me to believe the Entra UI is giving me the wrong information.

The question

How do I get the login working from within an add-in? What do I need to specify in the WebApplicationInfo element in order to be able to use the JS APIs?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,051 questions
0 comments No comments
{count} votes