Need a roadmap, keywords, azure tenants, ms-word-add-in with sso, how to

chepa rojer 20 Reputation points
2026-04-16T12:53:19.1466667+00:00

Dear Forum,

I am new to MS Office 365 add-ins and Azure.

My goal is to create a Word add-in that requires the user to log in with an MS account.

This application will have a backend programmed in Python that will use a REST API to retrieve information that will be placed in the Word document. The REST API uses OAuth 2.0.

I want to use Azure for the SSO but also for storing the OAuth 2.0 credentials and running the backend.

Because I am new to Azure, and Azure is a bit overwhelming with information, I need to have some roadmap for where to look for the tutorials, references, or quick starts that are related to the goal I have.

Can the community help me with a Quick-start?

  • So how to use tenants, and if I need special subscriptions, what are the minimal subscriptions I need to build a simple application, preferably free?
  • How to use Azure to run the Python backend.
  • How to store credentials.
  • Anything else I am missing that is important to know.

Kind regards,

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

  1. Shubham Sharma 15,180 Reputation points Microsoft External Staff Moderator
    2026-04-16T13:16:42.77+00:00

    Hello chepa rojer

    Thank you for reaching out to Microsoft Q&A.

    Below is the roadmap to:-

    • Stand up an Azure tenant/subscription (free)

    • Register your Word add-in for SSO with Azure AD

    • Host your Python REST API in Azure

    • Securely store OAuth2 credentials

    Here’s a high-level path you can follow (with minimal cost, free tiers where possible):

    1. Create an Azure tenant and free subscription
      • Sign up for the Azure free trial (includes $200 credit + free services).
      • You’ll get a default “yourname.onmicrosoft.com” tenant.
      • If you need a new tenant: see Quickstart: Create a new Microsoft Entra tenant https://learn.microsoft.com/entra/identity-platform/quickstart-create-new-tenant
      • For background on tenants/subscriptions: Define Microsoft Entra tenants https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-ad-define
    2. Register your Word Add-in in Azure AD (Entra ID)
      • In the Azure portal, go to Entra ID > App registrations > New registration
      • Choose “Accounts in any organizational directory and Microsoft personal accounts” if you want both work/school and MSA.
      • Add your redirect URI (e.g., https://localhost:3000/auth/callback) for your add-in’s SSO.
      • Note down the Application (client) ID and Directory (tenant) ID for your code.
      • For multi-tenant scenarios: see Multitenant user management in Entra https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction
    3. Build your Word Add-in with Office.js SSO (OAuth2/OIDC)
      • Use Office.js’s SSO APIs to acquire an identity token silently.
      • Under the hood it calls your Azure AD app registration.
      • On first sign-in you may get an interactive popup, then subsequent calls are SSO’ed.
      • (Tip: check Microsoft’s “Use single sign-on (SSO) in Office Add-ins” tutorial.)
    4. Host your Python REST API in Azure
      • Option A: Azure Functions (Consumption plan has a generous free grant)
      • Option B: Azure App Service (F1 free tier for Linux)
      • Deploy your Python code, enable HTTP triggers, and use Managed Identity to call other Azure resources.
      • See independent developer guide for integrating apps with Entra ID: https://learn.microsoft.com/entra/architecture/guide-for-independent-software-developers
    5. Securely store OAuth2 client secrets / certificates
      • Create an Azure Key Vault (free tier up to certain limits).
      • Store your client secret or certificate as a secret in Key Vault.
      • Grant your Function/App Service a Managed Identity, then give it “Key Vault Secrets User” rights so it can fetch the secret at runtime.
      • Documentation: Microsoft Entra fundamentals – Credential registration & Managed Identity patterns https://learn.microsoft.com/entra/architecture/secure-fundamentals#microsoft-entra-functional-areas
    6. Configure permissions & Conditional Access (optional but recommended)
      • If you need to lock down who can sign in, consider Conditional Access in Azure AD (requires Entra P1 license).
      • For basic SSO this isn’t required, but it’s good to know for later.
    7. Monitor, troubleshoot, and iterate
      • Use Azure Monitor / Application Insights for your Python API.
      • Review sign-in logs in Entra ID to troubleshoot SSO issues.
      • If you hit Graph vs. MS Graph confusion, remember Azure AD Graph is retiring—use Microsoft Graph going forward.

    Microsoft docs:-

    1. Quickstart: Create a new Microsoft Entra tenant https://learn.microsoft.com/entra/identity-platform/quickstart-create-new-tenant
    2. Define Microsoft Entra tenants https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-ad-define
    3. Multitenant user management introduction https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction
    4. Microsoft Entra ID Guide for independent software developers https://learn.microsoft.com/entra/architecture/guide-for-independent-software-developers
    5. Microsoft Entra fundamentals – secure foundations https://learn.microsoft.com/entra/architecture/secure-fundamentals
    6. Microsoft Entra functional areas (Managed Identity, credential registration) https://learn.microsoft.com/entra/architecture/secure-fundamentals#microsoft-entra-functional-areas

    Let us know if the above steps help.

    If the resolution was helpful, kindly take a moment to accept the answer and upvote it 👍

    Thanks

    1 person found this answer helpful.

1 additional answer

  1. Q&A Assist
    2026-04-16T12:53:48.98+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    A practical roadmap for this scenario has four main parts: understanding the tenant/subscription basics, learning Office Add-ins with SSO, choosing a Python hosting option, and handling credentials.

    1. Tenant and subscription basics
    • A Microsoft 365 tenant is the central container for services, users, and apps in an organization. It is associated with one or more DNS domains and holds subscriptions and licenses.
    • When creating a tenant, it is assigned to a geo; planning and configuration are important for identity, domains, and apps.
    • For learning and simple development, a minimal setup is:
      • A Microsoft 365 subscription that includes Word and allows add-ins.
      • A Microsoft Entra ID (formerly Azure AD) tenant that comes with the subscription.
    • Use the tenant roadmap guidance to understand:
      • Subscriptions, licenses, and tenants.
      • How the Microsoft 365 tenant integrates with Microsoft Entra services.

    Relevant steps from the tenant roadmap:

    • Plan:
      • Understand subscriptions, licenses, and Microsoft Entra tenants.
      • Understand how a Microsoft 365 tenant is integrated with Microsoft Entra services.
    • Deploy:
      • Add DNS domains if needed.
      • Build out identity infrastructure for secure sign-in.

    This gives the foundation for registering apps and using SSO.

    2. Office Word add-in with SSO

    For the Word add-in that requires sign-in and uses SSO:

    • Use the Office Add-ins SSO learning module as the main guided path. It covers:
      • How Office Add-ins use SSO to call Microsoft Graph.
      • Creating Word, Excel, and Outlook add-ins that use SSO.
      • Microsoft Entra app registration guidance for Office Add-ins and SSO.
    • The module includes:
      • “Implement single sign-on (SSO) for Office Add-ins”.
      • “Exercise – Create an Office Add-in for Word that implements single sign-on”.
      • “Microsoft Entra applications for Office Add-ins and SSO”.

    Key concept:

    • Single sign-on (SSO) for Office Add-ins uses Microsoft Entra ID tokens based on the user’s existing Office login, so the add-in can authenticate without a separate sign-in step.
    • The recommended pattern is nested app authentication (NAA), described in the glossary entry for SSO.

    3. App registration and SSO configuration

    To enable SSO for the add-in, an app registration in Microsoft Entra ID is required:

    • In the Azure portal → App registrations:
      1. Create a new registration for the add-in (for example, Office-Add-in-SSO).
      2. Set supported account types to “Any Entra ID Tenant + Personal Microsoft accounts” if the add-in must support both organizational and personal accounts.
      3. Configure a Web redirect URI such as https://localhost:[port]/dialog.html for local development.
      4. After registration, copy the Application (client) ID.
      5. Under “Expose an API”, generate an Application ID URI and adjust it to include localhost:[port]/ as described.

    This registration is used by Office clients (Word) to obtain tokens for the add-in and, if needed, for Microsoft Graph.

    4. Running the Python backend and storing credentials

    The provided context does not specify a particular Azure compute service for Python (such as Functions, App Service, or Containers), but the general pattern is:

    • Host the Python REST API in an Azure compute service that supports Python.
    • Protect the API with OAuth 2.0 using Microsoft Entra ID as the identity provider.
    • Configure the Office add-in to acquire tokens via SSO and send them to the backend for authorization.

    For credentials and secrets (such as client secrets for OAuth 2.0):

    • Use a secure secret store rather than hard-coding secrets in code or configuration.
    • In the Microsoft ecosystem, this is typically done with a dedicated secrets or key management service; the context does not name a specific product, so follow the general principle: keep secrets out of source code and restrict access based on least privilege.

    5. Recommended learning path and keywords

    Based on the context, a focused learning path is:

    1. Understand Microsoft 365 tenants and Entra ID integration:
      • Read the “Tenant roadmap for Microsoft 365” article sections on planning and deploying a tenant.
    2. Learn Office Add-ins and SSO:
      • Complete the “Using single sign-on (SSO) with Office Add-ins” module, especially:
        • Implement single sign-on (SSO) for Office Add-ins.
        • Exercise – Create an Office Add-in for Word that implements single sign-on.
        • Microsoft Entra applications for Office Add-ins and SSO.
    3. Learn SSO concepts for Office Add-ins:
      • Review the glossary entry for “single sign-on (SSO)” and nested app authentication (NAA).
    4. Apply app registration steps:
      • Follow the “Create an app registration” guidance for Office Add-in SSO to configure the Entra app.

    Useful keywords from the context for further searching within Microsoft documentation:

    • “Office Add-ins SSO”
    • “Using single sign-on (SSO) with Office Add-ins”
    • “Microsoft Entra applications for Office Add-ins and SSO”
    • “Tenant roadmap for Microsoft 365”
    • “single sign-on (SSO) Office Add-ins nested app authentication”

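The answers above have the add-in send its SSO token to the Python backend for authorization. The following is an added example, not code from either answer or from Microsoft, of the claim checks such a backend makes once a JWT library has verified the token's signature against the Entra ID signing keys. It assumes v2.0 access tokens and the multi-tenant plus personal-account registration described above; the client ID, the `access_as_user` scope name and the sample claims are placeholders constructed for illustration.

```python
import time

# Assumed placeholders: use the values from your own app registration.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"      # Application (client) ID
REQUIRED_SCOPE = "access_as_user"                       # assumed scope under "Expose an API"
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"  # tenant ID used for personal accounts

# Constructed sample: claims as they look after signature verification.
SAMPLE_CLAIMS = {
    "aud": CLIENT_ID,
    "tid": "aaaaaaaa-0000-0000-0000-000000000001",
    "iss": "https://login.microsoftonline.com/aaaaaaaa-0000-0000-0000-000000000001/v2.0",
    "oid": "bbbbbbbb-0000-0000-0000-000000000002", "scp": "access_as_user",
    "nbf": 1_800_000_000, "exp": 1_800_003_600,
}


class TokenRejected(Exception):
    """Raised when a signature-verified token must still be refused."""


def validate_claims(claims, allowed_tenants=None, now=None, leeway=60):
    """Authorize a request from the claims of an already signature-verified token."""
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        raise TokenRejected("token was issued for a different application")
    tid = claims.get("tid")
    if not tid or claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise TokenRejected("issuer does not match the tenant named in the token")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise TokenRejected("tenant is not on the allow-list")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("token is expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        raise TokenRejected("token is not valid yet")
    if REQUIRED_SCOPE not in str(claims.get("scp", "")).split():
        raise TokenRejected("required delegated scope is missing")
    if not claims.get("oid"):
        raise TokenRejected("token carries no user object ID")
    # Key users on (tid, oid): an oid is only unique within its tenant.
    return {"tenant": tid, "user": claims["oid"], "personal_account": tid == MSA_TENANT_ID}


if __name__ == "__main__":
    print(validate_claims(SAMPLE_CLAIMS, now=1_800_000_100))
```

Passing `allowed_tenants` as a set of tenant IDs narrows a multi-tenant registration to the organizations the backend is meant to serve.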
