PiyumiPerera-0571 asked amanpreetsingh-msft commented

Azure AD SSO: Allow to get bootstrap token without granting admin consent

I am using SSO with Azure AD v2 for an Office 365 add-in. I registered an Azure app using account1@domain1.com by following register-sso-add-in-aad-v2.

I was able to get the bootstrap token using OfficeRuntime.auth.getAccessToken() without consenting.

I was unable to get the bootstrap token when I tried to use account2@domain2.com. I got the following error, which is expected according to the documentation (Outlook-Add-in-SSO).

 code: 13005
 message: "Missing grant for this add-in."
 name: "Preauthorization missing."

I need to understand these two behaviors.

I have added the following permissions to the Azure app.
128982-image.png



azure-ad-graph azure-ad-msal azure-ad-app-consent

@PiyumiPerera-0571 • Can you share the authentication request URL, i.e., the one starting with https://login.microsoftonline.com, for both account1 and account2, hiding your confidential information? You can capture it using the Fiddler tool. I suspect that the token acquisition call by account2 includes scopes which require admin consent.


0 Answers
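
The comparison requested in the comment above can be scripted. This is an added example, not code from the thread or from Microsoft: it redacts user and session values from two captured authorize requests and reports which tenant segment, scopes and other parameters differ. The two URLs, the placeholder client id, the sample scopes and the list of parameters treated as sensitive are assumptions constructed for illustration.

```javascript
// Added example. The captures below are constructed samples, not real traffic.
// Assumption: these query parameters identify a user or session and are hidden before sharing.
const SENSITIVE = new Set(["state", "nonce", "login_hint", "domain_hint",
  "code_challenge", "id_token_hint", "sid"]);

// Summarise one captured authorize request with sensitive values redacted.
function summarizeAuthRequest(rawUrl) {
  const url = new URL(rawUrl);
  if (url.hostname !== "login.microsoftonline.com") {
    throw new Error("not an Azure AD authorize request: " + url.hostname);
  }
  const params = {};
  for (const [key, value] of url.searchParams) {
    params[key] = SENSITIVE.has(key) ? "<redacted>" : value;
  }
  return {
    // First path segment is the tenant: a tenant id or domain, or "common" etc.
    tenant: url.pathname.split("/").filter(Boolean)[0] || "",
    scopes: (url.searchParams.get("scope") || "").split(/\s+/).filter(Boolean).sort(),
    params,
  };
}

// Report what differs between the two requests once both are redacted.
function diffAuthRequests(urlA, urlB) {
  const a = summarizeAuthRequest(urlA);
  const b = summarizeAuthRequest(urlB);
  const keys = new Set([...Object.keys(a.params), ...Object.keys(b.params)]);
  keys.delete("scope"); // scopes are compared as a set below
  return {
    tenantDiffers: a.tenant !== b.tenant,
    scopesOnlyInA: a.scopes.filter((s) => !b.scopes.includes(s)),
    scopesOnlyInB: b.scopes.filter((s) => !a.scopes.includes(s)),
    paramsDiffering: [...keys].filter((k) => a.params[k] !== b.params[k]).sort(),
  };
}

// Constructed captures: placeholder client id, hypothetical scope lists.
const account1Url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
  "&scope=openid%20profile&state=abc123&login_hint=account1%40domain1.com";
const account2Url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
  "&scope=openid%20profile%20Files.Read.All&state=xyz789&login_hint=account2%40domain2.com";

console.log(JSON.stringify(diffAuthRequests(account1Url, account2Url), null, 2));
```

Any scope listed under `scopesOnlyInB` is a candidate to check against the app registration's permissions for whether it requires admin consent.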