Authentication different audience with Microsoft Graph using an Access Token from an Outlook Add-In

ChristophB 6 Reputation points
2021-12-28T23:48:57.263+00:00

community!

I am trying to use Office.js' getAccessToken / getAccessTokenAsync to request an Access Token for using Microsoft Graph on-behalf-of the Outlook user using the add-in. In a C# server-side method I use DelegateAuthenticationProvider and ConfidentialClientApplicationBuilder.AcquireTokenOnBehalfOf() to request an AccessToken with Outlook's "BootstrapToken". This actually worked a few weeks back!

One problem I have is that the initial page that is opened by the add-in is not the same as the SPA and the backend API. This is because of URL params that are added to the URL by Outlook which are blocked by the host and I cannot change that easily. Because of this, I have an initial redirection inside the add-in to call the other URL.

Therefore the <Resource> URI in the add-in manifest is also different from the eventual API URI as it has to match with the initial page.

Now my backend started throwing exceptions with the message "The user or administrator has not consented to use the application with ID '...' named '...'. Send an interactive authorization request for this user and resource."

The app registration has the relevant Graph permissions configured and granted by the administrator. This worked previously and I didn't notice any change there. Also I tried calling up a user grant URI after which the error was gone but the AcquireTokenOnBehalfOf request from the backend just didn't get any response at all.

I tried to make basic calls with Postman which previously also worked with the token I got from Outlook, but they stopped working too, giving the error "Access token validation failure. Invalid audience." I decoded the token and another older one I still had and noticed that the new one has the full URI from the manifest's resource tag, while the old one only held a guid as audience. Other attributes are different too, namely the scope is now only access_as_user instead of all the Graph permissions I declared in the manifest and app registration.

Was there any recent change made to the Office tokens that completely broke my scenario or is this just not possible?

I am happy for any and every advice!

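The claim comparison the question describes, as an added diagnostic example (not code from the question or from Microsoft): it decodes a token's payload and checks whether its audience is the API itself (what AcquireTokenOnBehalfOf needs) or Microsoft Graph (what a direct Postman call to Graph needs). The app ID and resource URI are constructed placeholders for the redacted values, and the sample "old" token assumes the guid audience was Graph's application ID, which the question does not state.

```python
import base64
import json

# Well-known application ID of Microsoft Graph (documented, stable value).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Constructed placeholders standing in for the question's redacted app registration.
API_APP_ID = "11111111-2222-3333-4444-555555555555"
API_ID_URI = "api://addin.example.com/" + API_APP_ID


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Diagnostic use only: the backend must still validate signature, issuer and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_bootstrap_token(token: str, api_app_id: str = API_APP_ID,
                             api_id_uri: str = API_ID_URI) -> dict:
    """Classify the token the add-in hands to the backend.
    AcquireTokenOnBehalfOf needs a token addressed to the API itself (aud = client ID
    or api:// URI, scp containing access_as_user). A token with a Graph audience is a
    Graph token, not an OBO assertion; an API-audience token sent straight to Graph
    fails with 'Invalid audience'."""
    claims = decode_claims(token)
    aud = claims.get("aud", "")
    scopes = set(claims.get("scp", "").split())
    is_api = aud in (api_app_id, api_id_uri)
    return {
        "aud": aud,
        "scopes": sorted(scopes),
        "audience_is_api": is_api,
        "audience_is_graph": aud in (GRAPH_APP_ID, "https://graph.microsoft.com"),
        "usable_for_obo": is_api and "access_as_user" in scopes,
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token purely for offline demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples mirroring the two token shapes described in the question.
NEW_TOKEN = make_sample_token({"aud": API_ID_URI, "scp": "access_as_user"})
OLD_TOKEN = make_sample_token({"aud": GRAPH_APP_ID, "scp": "User.Read Mail.Read"})
```

Run `diagnose_bootstrap_token` on a real token copied from the add-in to see which of the two shapes it has before deciding whether the backend exchange or the direct Graph call is the right consumer for it.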