office-addin-sso with @azure/msal-browser

Is there any difference between these 2 approaches:

(1) Using @azure/msal-browser to get an Access Token [and then using this to access MS Graph]


(2) Using OfficeRuntime.auth.getAccessToken() to get an Identity Token which can then be swapped for an Access Token [and then using this to access MS Graph]

What are the benefits/advantages of using (2)?


Accepted answer
  1. David Chesnut 81 Reputation points Microsoft Employee

    Hi,

    The OfficeRuntime.auth.getAccessToken() API gives you an SSO token from Office for the currently signed-in user. The advantage is that a user only needs to sign in once (to Office). Then, when your add-in is loaded, you can reuse that token without requiring the user to sign in again.

    However, the SSO token cannot be used to access Microsoft Graph from an SPA web app. It requires you to use the On-Behalf-Of (OBO) flow on your web server to get a Graph token that only your web server can use. So for an SPA you would need to use something like @azure/msal-browser to call Graph APIs from your client code in the browser.

    You can call getAccessToken from an SPA web app and get the SSO token. It is an identity token with information about the signed-in user. But you have to use the OBO flow and make calls to Microsoft Graph from your web server. There's more information about this workflow at Authorize to Microsoft Graph with SSO.

    Hope this helps!
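
The server-side exchange described in the accepted answer, as an added example that is not part of the original answer or Microsoft's own code: the add-in sends the token from `OfficeRuntime.auth.getAccessToken()` to the web server, which pre-checks it and builds the OBO request for the Microsoft identity platform token endpoint. The function names and every value in `SAMPLE_CFG` are hypothetical placeholders.

```javascript
// SAMPLE_CFG holds constructed placeholder values, not real identifiers.
const SAMPLE_CFG = {
  tenant: "00000000-0000-0000-0000-000000000000",
  clientId: "11111111-1111-1111-1111-111111111111",
  clientSecret: "placeholder-secret", // load from a secret store in practice
  allowedAudiences: ["api://addin.example/11111111-1111-1111-1111-111111111111"],
  graphScope: "https://graph.microsoft.com/User.Read",
};
// Constructed sample token with a dummy signature (not a real Office token).
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.dummy-signature`;
}

// Decode the payload WITHOUT verifying it: a pre-check, not signature validation.
function readClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns null when acceptable, otherwise the reason for rejection.
function precheck(jwt, cfg, now = Math.floor(Date.now() / 1000)) {
  const claims = readClaims(jwt);
  if (!cfg.allowedAudiences.includes(claims.aud)) return "wrong audience";
  if (typeof claims.exp !== "number" || claims.exp <= now) return "expired";
  return null;
}

// OBO token request. It carries the client secret, which is why the exchange
// runs on the web server and cannot be done from SPA code in the browser.
function buildOboRequest(ssoToken, cfg) {
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    requested_token_use: "on_behalf_of",
    client_id: cfg.clientId, client_secret: cfg.clientSecret,
    assertion: ssoToken, scope: cfg.graphScope,
  });
  return { url: `https://login.microsoftonline.com/${cfg.tenant}/oauth2/v2.0/token`, body };
}

// Exchange the SSO token; the resulting Graph token stays on the server.
async function exchangeForGraphToken(ssoToken, cfg, fetchImpl = fetch) {
  const problem = precheck(ssoToken, cfg);
  if (problem) throw new Error(`SSO token rejected: ${problem}`);
  const { url, body } = buildOboRequest(ssoToken, cfg);
  const res = await fetchImpl(url, { method: "POST", body });
  if (!res.ok) throw new Error(`OBO exchange failed: HTTP ${res.status}`);
  return (await res.json()).access_token;
}
```

Passing a stub as `fetchImpl` exercises `exchangeForGraphToken` without network access.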
