I originally posted the following on github: https://github.com/OfficeDev/office-js/issues/323, but they suggested I post on stack overflow.

I have an Azure Active Directory v2 application which lists some SharePoint delegated permissions (screenshot of the permissions list omitted).

I have a Word Online Addin that uses the V2 app. I tried adding the SharePoint permissions as scopes in the Office Manifest such as

<Scope>AllSites.Read</Scope>

However, I get the following message after attempting to grant consent inside Word Online (screenshot of the consent error omitted).

Is this error expected? Ultimately I wanted to enable single sign-on in Office (similar to https://docs.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins but for CSOM, not Graph). I was able to get this to work for Graph permissions.

In the flow you're currently using for login, are you able to supply what endpoint you want to connect to? I have a hypothesis that the getAccessTokenAsync method may be hard-coded to request a Microsoft Graph context and that we need to get you a method to request a SharePoint context instead. I'm going to keep following up internally until we have a solid answer for you, but wanted to get things going with that question. – Jeremy Kelley - Microsoft

Hi, I work with @JBart. We're not OAuth experts by any means, so I'm not sure what you mean by supplying the endpoint. I've been doing a bunch of experiments lately with SSO, trying to get our backend service to impersonate a 365 user and route documents to SharePoint on their behalf. I haven't had any luck properly authenticating via CSOM. I tried MSAL and the tutorial in the below comment, and neither worked for me. I get back generic errors like 403 Forbidden, and whatever I google I hit brick walls. Super frustrating. – Chris C

1 Answer

First, let me clarify that the SSO API is still in preview. In production, you should be using the Dialog API to log the user in, but it does not provide SSO. Now, coming to the in-preview SSO API: have you tried any of the SharePoint scopes owned by Graph? Adding that to the manifest should work. Currently, we do not support any scope other than Graph. But there is no reason why the same token cannot be used to access SharePoint, provided you use Graph scopes.
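The manifest change the answer suggests, as an added example that is not part of the question or the answer: the `WebApplicationInfo` section of an Office add-in manifest with the SharePoint-resource scope from the question commented out beside a Graph-owned SharePoint scope. The application ID and resource URI are placeholders, and `Sites.Read.All` is used here as the read-only Graph-owned scope; substitute the narrowest scope your add-in actually needs.

```xml
<!-- Added example: WebApplicationInfo section of an Office add-in manifest.
     The Id and Resource values below are placeholders, not real values. -->
<WebApplicationInfo>
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Resource>api://localhost:3000/00000000-0000-0000-0000-000000000000</Resource>
  <Scopes>
    <!-- Standard OpenID Connect scopes for the signed-in user. -->
    <Scope>openid</Scope>
    <Scope>profile</Scope>
    <!-- Graph-owned SharePoint scope: read-only, so the add-in gets no more
         access to site content than it needs. -->
    <Scope>Sites.Read.All</Scope>
    <!-- The SharePoint-resource scope from the question is not owned by Graph,
         and the answer says only Graph scopes are supported by the preview SSO
         API, so it is left out of this manifest:
    <Scope>AllSites.Read</Scope>
    -->
  </Scopes>
</WebApplicationInfo>
```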