Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,559 questions
Azure AD SSO: Allow to get bootstrap token without granting admin consent
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 79%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)
Piyumi Perera
101
Reputation points
I am using SSO with Azure AD v2 for Office365 Addin. I registered an azure app using account1@domain1.com by following register-sso-add-in-aad-v2.
I was able to get bootstrap token using OfficeRuntime.auth.getAccessToken() without consenting.
I was unable to get bootstrap token, when I tried to use account2@domain2.com. I got following error which is expected according to the documentation (Outlook-Add-in-SSO).
code: 13005
message: "Missing grant for this add-in."
name: "Preauthorization missing."
I need to understand these two behaviors.
I have added following permissions to azure app.
{count} votes
-
AmanpreetSingh-MSFT 56,311 Reputation points2021-09-23T12:15:05.18+00:00 @Piyumi Perera • Can you share the authentication request URL i.e., starting with https://login.microsoftonline.com for both account1 and account2, hiding your confidential information. You can capture that using Fiddler tool. I suspect that the token acquisition call by the account2 includes scopes which requires admin consent.
Sign in to comment