Microsoft SSO and Azure AD in Office Add-ins
7 min read
Users expect to sign in once with their Microsoft 365 account and have your add-in just work. Microsoft provides the MSAL-based SSO flow for Office Add-ins, which lets you get an access token without a separate login dialog when the user is already signed in to Office.
This article explains how to enable SSO in your manifest, request an access token from the add-in, and use it to call Microsoft Graph or your own API. We cover the consent flow, handling errors when SSO isn't available (fallback to interactive login), and best practices for caching and refreshing tokens.
Integrating with Azure AD (Microsoft Entra ID) also opens the door to role-based access, conditional access policies, and multi-tenant scenarios. We'll show how to register your add-in in the Azure portal and wire up the backend so that your add-in and your API share the same identity.
This article explains how to enable SSO in your manifest, request an access token from the add-in, and use it to call Microsoft Graph or your own API. We cover the consent flow, handling errors when SSO isn't available (fallback to interactive login), and best practices for caching and refreshing tokens.
Integrating with Azure AD (Microsoft Entra ID) also opens the door to role-based access, conditional access policies, and multi-tenant scenarios. We'll show how to register your add-in in the Azure portal and wire up the backend so that your add-in and your API share the same identity.