"Access token validation failure. Invalid audience" issue in outlook Add-In using Office.Auth for Microsoft Graph API calls.

Suraj Sinha 5

I've created a React.js-based Outlook add-in where I've loaded Office.js using a CDN link, and the Office API has successfully initialized. I'm using the Office.Auth API to obtain an access token for an application registered in the Azure portal. I've also added Microsoft Graph permissions and included them in the application's configuration shown in snapshot.
User's image

Also, I have added Scopes in "webApplicationInfo" element as shown in snapshot.

User's image

For local testing, I've set up the Application ID URI as "api://localhost:3000/{APP_ID}" and preauthorized the application with "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e" as specified in Microsoft's documentation.
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/register-sso-add-in-aad-v2

While I can successfully retrieve an access token using the Office.Auth API through below code.
User's image

Attempting to use this token to call Microsoft Graph API results in an error:

"code": "InvalidAuthenticationToken",

"message": "Access token validation failure. Invalid audience."

Please assist.

1 answer

Yakun Huang-MSFT 6,650 Reputation points Microsoft Vendor

2024-11-11T09:23:20.1933333+00:00

Hello Suraj Sinha,

Thank you for reaching out to Microsoft Support!

If you need access to the Graph API, use SKDs to get the token, see the documentation for details,

And for permissions granted in Azure, click the button to grant administrator consent, as shown below:

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
Please sign in to rate this answer.
Suraj Sinha 5 Reputation points

2024-11-11T10:25:13.38+00:00

Hi @Yakun Huang-MSFT

We have opted not to use SDKs because the JavaScript SDK relies on the Azure MSAL library, which presents compatibility issues across different platforms, including Mac and iOS.

We are exploring alternative methods, specifically aiming to use the Office.auth API, which provides also handle authentication within Office add-ins.

Could you confirm the steps which I am missing or could be corrected to use the Office.auth API directly to obtain a Graph API access token?

Suraj Sinha 5 Reputation points

2024-11-11T11:00:19.39+00:00

Hi @Yakun Huang-MSFT

We have opted not to use SDKs because the JavaScript SDK relies on the Azure MSAL library, which presents compatibility issues across different platforms, including Mac and iOS.

We are exploring alternative methods, specifically aiming to use the Office.auth API, which provides also handle authentication within Office add-ins.

Could you confirm the steps which I am missing or could be corrected to use the Office.auth API directly to obtain a Graph API access token?

Yakun Huang-MSFT 6,650 Reputation points Microsoft Vendor

2024-11-12T06:12:27.67+00:00

From this document, token A obtained only through Add-in calls getAccessToken() cannot be used to access the Graph API directly. You also need to send an HTTP request to the server segment to get the new access token B with Microsoft Graph permissions. Check whether you have obtained token B according to the documentation.

Suraj Sinha 5 Reputation points

2024-11-12T09:40:57.34+00:00

Hi @Yakun Huang-MSFT

Referring to the following comments by Microsoft

“From this document, token A obtained only through Add-in calls getAccessToken() cannot be used to access the Graph API directly. You also need to send an HTTP request to the server segment to get the new access token B with Microsoft Graph permissions. Check whether you have obtained token B according to the documentation. Could you please assist with the following queries arises when referring to below diagram:”

It is clear that, from within an Outlook Add-In, “Authentication Token”, retrieved via getAccessToken() office API, cannot be used to access the Graph API directly.

Microsoft refers the following flow for calling Microsoft Graph APIs, from an Outlook Add-In, using the getAccessToken(). Authorize to Microsoft Graph with SSO - Office Add-ins | Microsoft Learn

Regarding the same, we have a few queries:

What does "Office Add-In server-side code" refer to? Is it a backend web-service (e.g., built in Node.js, Java, etc.)?

Is there a way to call the Microsoft Graph API directly from the “Office Add-in client-side code”, instead of calling them from "Office Add-In server-side code"?

Is it possible to use access token A to generate access token B that too on the client side? i.e., Can step 6# be executed on “Office Add-in client-side code”, instead of "Office Add-In server-side code"?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

"Access token validation failure. Invalid audience" issue in outlook Add-In using Office.Auth for Microsoft Graph API calls.

1 answer

Your answer