
Setup Microsoft Identify Platform and "Missing grant for this add-in" for localhost

I have an Excel add-in where single sign-on was implemented, but recently I realized that SSO no longer works. So I tried to debug it on localhost.

First, I encountered the Missing grant for this add-in error in my add-in. Then I had the same error with the sample project: https://learn.microsoft.com/en-us/office/dev/add-ins/quickstarts/sso-quickstart . Note that I don't have this error with https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-nodejs .

I created a test Azure account, test.sso.2023@gmail.com, and registered the app. I put the updated code of sso-quickstart that produces the error in this repository.

After launching the code I could sign in to Excel Online in Chrome, then sideload the add-in. Clicking the button Get My User Profile Information launched Office.auth.getAccessToken, which raised the error POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token 400 (Bad Request) and Missing grant for this add-in.


The request to https://login.microsoftonline.com/consumers/oauth2/v2.0/token returned:

AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope...


The JSON of my settings on the Microsoft Identity Platform:

{
    "id": "f61962fb-722b-465f-a265-4a1e70a744e3",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "e55f4769-4293-4b71-94ea-5eb16dcfe41d",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2023-01-31T19:16:20Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [
        "api://localhost:3000/e55f4769-4293-4b71-94ea-5eb16dcfe41d"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "sso",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Allow Office to have read/write permissions to all user files and read permissions to all user mail. Office can call the app's web APIs as the current user.",
            "adminConsentDisplayName": "Read/write permissions to user files. Read permissions to user mail and profiles.",
            "id": "9b6c01b1-9818-4eb3-898c-e412fad8ae03",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Allow Office to have read/write permissions to your files, and read permissions to your mail and profile.",
            "userConsentDisplayName": "Read/write permissions to your files. Read permissions to your mail and profile.",
            "value": "access_as_user"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2023-07-30T18:17:18.762Z",
            "keyId": "10c2239b-b83c-4085-b277-a37931990aa1",
            "startDate": "2023-01-31T19:17:18.762Z",
            "value": null,
            "createdOn": "2023-01-31T19:17:25.3206496Z",
            "hint": "~l2",
            "displayName": "secret"
        }
    ],
    "preAuthorizedApplications": [
        {
            "appId": "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e",
            "permissionIds": [
                "9b6c01b1-9818-4eb3-898c-e412fad8ae03"
            ]
        },
        {
            "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
            "permissionIds": [
                "9b6c01b1-9818-4eb3-898c-e412fad8ae03"
            ]
        },
        {
            "appId": "93d53678-613d-4013-afc1-62e9e444a0a5",
            "permissionIds": [
                "9b6c01b1-9818-4eb3-898c-e412fad8ae03"
            ]
        }
    ],
    "publisherDomain": null,
    "replyUrlsWithType": [
        {
            "url": "https://localhost:3000/fallbackauthdialog.html",
            "type": "Spa"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "14dad69e-099b-42c9-810b-d002981feec1",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}

And the API permissions, which can also be found in the above JSON:

Does anyone know what may be the cause of this error?

(* Link in Github office-js *)

Redirect URIs: https://localhost:3000 (should it be https://localhost:3000 or https://localhost:8000?)

Of course. There is nothing running on localhost:3000. Everything should use the same URL.
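As an added illustration of the point made in the comment above (this is example code, not code from the question or either answer): a small consistency check over the app registration JSON posted in the question, verifying that the App ID URI, the redirect URI and the origin the add-in is actually served from all agree, and that the pre-authorized Office clients reference a scope that exists. The sample manifest below is a constructed subset of the question's JSON (one of its three pre-authorized client IDs kept); servedOrigin is an assumed parameter.

```javascript
// Added example, not from the question or answers: consistency checks over an
// Azure app registration manifest (the JSON shape shown in the question) for
// an Office add-in that uses SSO. servedOrigin is the https origin the add-in
// is actually served from, e.g. https://localhost:3000 (assumed parameter).
function checkSsoRegistration(manifest, servedOrigin) {
  const problems = [];
  const origin = new URL(servedOrigin);
  const scopes = manifest.oauth2Permissions || [];
  const scopeIds = new Set(scopes.map((p) => p.id));

  // 1. App ID URI must be api://<host:port>/<appId>, using this app's own
  //    appId and the same host:port the add-in is served from.
  const uris = manifest.identifierUris || [];
  if (uris.length === 0) problems.push('no App ID URI (identifierUris) set');
  for (const uri of uris) {
    const m = /^api:\/\/([^/]+)\/(.+)$/.exec(uri);
    if (!m) { problems.push(`App ID URI not api://host/appId: ${uri}`); continue; }
    if (m[1] !== origin.host) problems.push(`App ID URI host ${m[1]} != served ${origin.host}`);
    if (m[2] !== manifest.appId) problems.push(`App ID URI appId ${m[2]} != appId ${manifest.appId}`);
  }

  // 2. Redirect URIs (the fallback auth dialog) must share the served origin.
  for (const r of manifest.replyUrlsWithType || []) {
    if (new URL(r.url).origin !== origin.origin) problems.push(`redirect ${r.url} not on ${origin.origin}`);
  }

  // 3. Every pre-authorized client (the Office apps) must reference a scope
  //    that actually exists under oauth2Permissions.
  const pre = manifest.preAuthorizedApplications || [];
  if (pre.length === 0) problems.push('no preAuthorizedApplications (Office clients)');
  for (const app of pre) {
    for (const id of app.permissionIds) {
      if (!scopeIds.has(id)) problems.push(`pre-authorized ${app.appId} references unknown scope ${id}`);
    }
  }

  // 4. The access_as_user scope must exist and be enabled.
  const aau = scopes.find((p) => p.value === 'access_as_user');
  if (!aau || !aau.isEnabled) problems.push('access_as_user scope missing or disabled');
  return problems;
}

// Constructed sample: the relevant fields of the registration JSON in the question.
const sampleManifest = {
  appId: 'e55f4769-4293-4b71-94ea-5eb16dcfe41d',
  identifierUris: ['api://localhost:3000/e55f4769-4293-4b71-94ea-5eb16dcfe41d'],
  oauth2Permissions: [{ id: '9b6c01b1-9818-4eb3-898c-e412fad8ae03', isEnabled: true, value: 'access_as_user' }],
  preAuthorizedApplications: [{ appId: 'd3590ed6-52b3-4102-aeff-aad2292ab01c', permissionIds: ['9b6c01b1-9818-4eb3-898c-e412fad8ae03'] }],
  replyUrlsWithType: [{ url: 'https://localhost:3000/fallbackauthdialog.html', type: 'Spa' }],
};
console.log(checkSsoRegistration(sampleManifest, 'https://localhost:3000')); // []
console.log(checkSsoRegistration(sampleManifest, 'https://localhost:8000')); // 2 mismatches
```

Serving the add-in on port 8000 while the registration names port 3000 surfaces as two problems (App ID URI host and redirect origin), which is the "everything should use the same URL" condition from the comment.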

Anyway, I'd suggest trying to create an empty add-in and using the automatic tool for registering the web add-in in Azure. That way you can be sure that SSO is working correctly for your tenant and that the warning shown in the screenshot is not related to it, if the sample add-in works correctly. Then you can start delving deeper into your existing solution to find the root cause.

The configure-sso NPM package can help set things up correctly for your sample add-in. See Single sign-on (SSO) quick start for a guide.

I tried to reproduce the same in my environment and got the results below:

I ran the commands below to create My Office Add-in for Excel using JavaScript and single sign-on, selecting the required options:

npm install -g yo generator-office
yo office

Response:

Now I ran npm run configure-sso, which took me to the browser where I picked one user's credentials:

Once the login was successful, I got output saying the new application was registered successfully in Azure AD and the source files were updated automatically, like below:

When I checked the same in the Portal, the Azure AD application was registered successfully with the details below:

I have the API permissions below added to the application automatically:

When I checked the Expose an API tab, it had added the details below, like the App ID URI, scopes, etc.:

I have the Redirect URIs below added to my application:

When I ran the npm start command, it asked to install a certificate initially, like below:

This opened Excel with My Office Add-in, where I got a consent screen like below:

After consenting to the permissions, I got the user profile details successfully, like below:

In your case, make sure you have an Azure account with an active Azure subscription and assign the Global administrator role to the test user account on that tenant, which is required to consent to the permissions.

If you don't have an active Azure account, get a Free Trial subscription by clicking the Start free button in this link.

Now, repeat the whole process by configuring the add-in again with this user's credentials.
