Microsoft SSO and Azure AD in Office Add-ins

1 min read

Users expect to sign in once with their Microsoft 365 account and have your add-in just work. Microsoft provides the MSAL-based SSO flow for Office Add-ins, which lets you get an access token without a separate login dialog when the user is already signed in to Office.

Enable SSO in your manifest

This article explains how to:

  1. Enable SSO in your manifest and request an access token from the add-in.
  2. Use the token to call Microsoft Graph or your own API.
  3. Handle the consent flow and errors when SSO isn't available (fallback to interactive login).
  4. Apply best practices for caching and refreshing tokens.

Fallback

When SSO isn't available (e.g. some clients or consent not granted), use the interactive login fallback so users can still sign in.

Azure AD and backend

Integrating with Azure AD (Microsoft Entra ID) also opens the door to role-based access, conditional access policies, and multi-tenant scenarios. We'll show how to register your add-in in the Azure portal and wire up the backend so that your add-in and your API share the same identity.