Query on authorizing to Microsoft Graph with SSO flow in Outlook Add-Ins.

Question

Hi Team,

Referring to the comments by Microsoft in the link:

https://learn.microsoft.com/en-us/answers/questions/2117658/access-token-validation-failure-invalid-audience-i

“From this document, token A obtained only through Add-in calls getAccessToken() cannot be used to access the Graph API directly. You also need to send an HTTP request to the server segment to get the new access token B with Microsoft Graph permissions. Check whether you have obtained token B according to the documentation. Could you please assist with the following queries arises when referring to below diagram:”

 

• It is clear that, from within an Outlook Add-In, “Authentication Token”, retrieved via getAccessToken() office API, cannot be used to access the Graph API directly.
• Microsoft refers the following flow for calling Microsoft Graph APIs, from an Outlook Add-In, using the getAccessToken(). Authorize to Microsoft Graph with SSO - Office Add-ins | Microsoft Learn

Regarding the same, we have a few queries:

1. . What does "Office Add-In server-side code" refer to? Is it a backend web-service (e.g., built in Node.js, Java, etc.)?
2. Is there a way to call the Microsoft Graph API directly from the “Office Add-in client-side code”, instead of calling them from "Office Add-In server-side code"?
3. Is it possible to use access token A to generate access token B that too on the client side? i.e., Can step 6# be executed on “Office Add-in client-side code”, instead of "Office Add-In server-side code"?