Feedback - Unclear of needed steps for typical initial SSO configuration for Office.js Addin #5187

@thekingofspain

Type of issue

Other (describe below)

Feedback

I am trying to set up an Office.js addin that has permission to getAccessToken. I am looking for the required steps needed to call this API. This page is very confusing and does not follow the typical enterprise steps.

  1. Most developers in an enterprise do not have access to the O365 admin center or Entra.
  2. The initial Office.js Addin Integrated app registration creates the initial Entra application registration from the manifest file that the developer provides.
  3. The person registering the initial Office.js addin needs to go to Entra and get the created Application (client) Id for the developer.
  4. The developer needs to change the addin manifest.xml.
     • Increment the version
     • Add the WebApplicationInfo element in:
       -- Id
       -- Resource
       -- Scopes - This should only mention and list the needed scopes to be able to call getAccessToken, nothing else.
  5. The O365 or Entra Admin needs to update the Entra configuration to allow the Office.js addin to call the getAccessToken API.
  6. After the Entra app registration is updated, the O365 Admin must update the addin registration in O365 admin center with the newly updated manifest from the developer.

Issues:

  • There needs to be a section/tab/page for updating an existing Entra application registration to support getAccessToken.
  • Need Scopes
    -- Manifest.xml scopes
    -- Entra Scopes
    -- -OpenId- and -Profile- mentions have different counts and the -OpenId- is not listed as an added scope in the existing Entra configuration step.
    -- Remove Extra scopes (Outlook, User.Read, etc., that are not required for getAccessToken)
  • Entra screenshots per needed menu page with values to check highlighted.
  • Entra Manifest values, what values need to be/are set in the Entra manifest for the addin to call getAccessToken.
  • Entra screenshots to Manifest values mapping.
  • Are SSO OAuth URLs needed or not?
  • Should a secret be added?
  • Article mentions that the -Directory (tenant) ID- is needed, but never says where it is needed.

When attempting to import an Office.js manifest in O365, the listed -App capabilities-:

  • ReadWriteDocument
  • SendReceiveData

It's unclear what these values are and how they are set up. -ReadWriteDocument- is assumed to be the manifest -Permissions- element value, but -SendReceiveData- does not seem to map to anything.

Cross-referencing this page to other SSO-based Office.js pages provides similar but different configuration steps. The getAccessToken page should be the definitive page on how to set up Entra from a new Entra application registration, in addition to updating an existing non-Entra App registration created via the O365 admin center to an SSO registration.

Page URL

https://learn.microsoft.com/en-us/office/dev/add-ins/develop/use-sso-to-get-office-signed-in-user-token?tabs=vs2019

Content source URL

https://github.com/OfficeDev/office-js-docs-pr/blob/main/docs/develop/use-sso-to-get-office-signed-in-user-token.md

Author

@o365devx

Document Id

2ff91ce8-95f6-0e45-a07d-c87d4e7bcaaf

Platform Id

8c869906-a778-8bfd-f85f-903c392ac6ec
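
As an added example (not part of the issue above or of Microsoft's documentation), here is a lint a developer could run on manifest.xml before handing the updated file to the admin, covering the WebApplicationInfo change in step 4: it checks that Id, Resource and Scopes are present and flags any scope beyond an allow-list. The allow-list (openid, profile), the api://<host>/<Id> Resource shape and the sample manifest are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ALLOWED_SCOPES = {"openid", "profile"}  # assumption: scopes needed for getAccessToken
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample manifest fragment; the Id is a placeholder, not a real app.
SAMPLE = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <Version>1.0.0.1</Version>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/taskpaneappversionoverrides">
    <WebApplicationInfo>
      <Id>00000000-0000-0000-0000-000000000001</Id>
      <Resource>api://addin.example.com/00000000-0000-0000-0000-000000000001</Resource>
      <Scopes><Scope>openid</Scope><Scope>profile</Scope><Scope>User.Read</Scope></Scopes>
    </WebApplicationInfo>
  </VersionOverrides>
</OfficeApp>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child_text(node, name):
    for child in node:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def lint_manifest(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    # Run this on your own manifest; for untrusted XML use a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    infos = [e for e in root.iter() if local(e.tag) == "WebApplicationInfo"]
    if not infos:
        return ["WebApplicationInfo element is missing"]
    info, findings = infos[0], []
    app_id, resource = child_text(info, "Id"), child_text(info, "Resource")
    if not app_id or not GUID.match(app_id):
        findings.append("Id is missing or not a GUID")
    if not resource:
        findings.append("Resource is missing")
    elif app_id and not (resource.lower().startswith("api://")
                         and resource.lower().endswith("/" + app_id.lower())):
        findings.append("Resource is not of the form api://<host>/<Id>")
    scopes = [(s.text or "").strip() for e in info if local(e.tag) == "Scopes"
              for s in e if local(s.tag) == "Scope"]
    if not scopes:
        findings.append("Scopes lists no Scope entries")
    findings += [f"scope not on allow-list: {s}" for s in scopes
                 if s.lower() not in ALLOWED_SCOPES]
    return findings
```
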

Labels

  • Area: authentication (Feedback on authentication content)
  • Needs: attention 👋 (Waiting on Microsoft to provide feedback)
  • Type: doc bug (Problem with the documentation, e.g., doc is out of date, unclear, confusing, or broken)
