Outlook NAA GA questions: Enable SSO in an Office Add-in using nested app authentication (preview) about office-js HOT 4 OPEN

based on your recording, it doesn't appear to be using broker based flow for Nested App Auth. There should not be a popup unless user or admin has not previously consented to the scopes you are requesting. Could you validate if you are testing in the Beta Channel with Windows/Mac, and provide the build number?

from office-js.

hi @codexeon , so much thanks for your reply. and as you can see, i pasted my code segment in above. and i was follow https://learn.microsoft.com/en-us/entra/identity-platform/scenario-spa-acquire-token?tabs=javascript2 and https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in in the document. Do you mind paste your test code here, and give some suggestion. really thanks for it!

And my test environment is also stable build.
Mac version:

Win32 version:

OWA is always lastest i think.

from office-js.

The Win32 build you are using likely does not have Nested App Auth support. It requires being in the preview channel as documented here: https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in. I would expect a build 16.0.17925.20000 or later if you were to update to the latest preview today. For Mac/OWA your NAA should have support in new Outlook, however. When you mention a popup only the first time, is it for sign-in or to consent to permissions? I would expect a popup required to consent to permissions, if you haven't previously in another session, but not for a sign-in. If you are seeing that popup window to login without consent on every endpoint, it is likely an issue in the add-in JavaScript. https://github.com/OfficeDev/Office-Add-in-samples/blob/main/Samples/auth/Outlook-Add-in-SSO-NAA/src/taskpane/authConfig.ts is our sample that shows how to get additional logging from msal-browser for further diagnostic (set enableDebugLogging to true). If you enable the logging, you should be looking for a message "Nested App Auth Bridge available: true" in console. If you see "Nested App Auth Bridge available: false", the host does not support Nested App Auth. If you don't see the message at all, msal-browser is not trying to use Nested App Auth.

from office-js.

hi @codexeon , thanks your reply. sorry to see it later. i use this example: https://github.com/OfficeDev/Office-Add-in-samples/blob/main/Samples/auth/Outlook-Add-in-SSO-NAA. And it works. but as you said, I would expect a popup required to consent to permissions, if you haven't previously in another session, but not for a sign-in. So, it will also popup a permission dialog, if haven't previously in another session right? if so, do you know if there is some way for not popup that dialog? cause, as you know for Legacy Exchange tokens, there is no need popup dialog. it very silent for users. But, when we switch the NAA, if user must popup a dialog, i think that's too confuse for user. By the way, there is an admin consent on AAD app, But it still need the admin to consent also, not silent, do we have more silent way? https://learn.microsoft.com/en-us/entra/identity-platform/v2-admin-consent

from office-js.