In a POC using the new extension point ReportPhishingCommandSurface, I try to get an access token (in order to submit a Graph API call); however, the method always returns "SSO failed with "5001" error code." with no additional information.
I used the Microsoft example available at https://learn.microsoft.com/en-us/javascript/api/manifest/extensionpoint?view=word-js-preview#reportphishingcommandsurface-preview to have a running example and just modified the called function to call OfficeRuntime.auth.getAccessToken.
Additional information:
I have two applications which are identically configured in the Azure portal. One triggers OfficeRuntime.auth.getAccessToken from a standard add-in when a user clicks on a button -> this works as expected. The other, using the ReportPhishingCommandSurface, is getting "SSO failed with "5001".
From the comment below:
- I do see a request to /.well-known/microsoft-officeaddins-allowed.json which contains the following entries:
  {
    "allowed":
    [
      "https://localhost:3000/command/command.js",
      "https://localhost:3000/command/command.html",
    ]
  }
- The URLs are allowed in the "single page application" configuration tab in Azure:
- The manifest contains the "WebApplicationInfo" section:
  <WebApplicationInfo>
    <Id>[redacted]</Id>
    <Resource>api://localhost:3000/[redacted]</Resource>
    <Scopes>
      <Scope>openid</Scope>
      <Scope>profile</Scope>
      <Scope>email</Scope>
      <Scope>User.Read</Scope>
      <Scope>Mail.Read</Scope>
      <Scope>Mail.ReadWrite</Scope>
      <Scope>Mail.Send</Scope>
    </Scopes>
  </WebApplicationInfo>
In addition, here is the code which calls getAccessToken:
const defaultSSO = {
  allowSignInPrompt: false,
  allowConsentPrompt: false,
};
function onSpamReport(event) {
  const options = JSON.parse(JSON.stringify(defaultSSO));
  // Begin promise chain.
  return OfficeRuntime.auth.getAccessToken(options).then((accessToken) =>
  {
    console.log('getAccessToken done');
    console.log('accesstoken: ' + accessToken); //<- we never reach this point
    ...
In the log file, I get the following entries:
20/09/2023 15:13:59 Verbose Runtime [Console] [Log] SDX Control is ready!
20/09/2023 15:13:59 Verbose Runtime [Console] [Log] onSpamReport
20/09/2023 15:13:59 Verbose Runtime [Console] [Log] MailboxHostExecuteApi invoked!
20/09/2023 15:13:59 Verbose Runtime [Console] [Log] RunLaunchEventHandlerFunctionWithData was invoked with funcName = onSpamReport
20/09/2023 15:13:59 Verbose Runtime [Console] [Log] callWebServerAPI(POST, https://localhost:3000/report_phishing)
20/09/2023 15:13:59 Verbose Runtime [Console] [Log] MailboxHostExecuteApi invoked!
20/09/2023 15:13:59 Monitorable WebApplicationInfo SSO failed with "5001" error code.

ReportPhishingCommandSurface in Win32 Outlook actually has the same limitations/features as Event Based Add-ins.
https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/autolaunch?tabs=xmlmanifest#event-based-activation-behavior-and-limitations
One thing that is needed is the .well-known resource URI; see this here:
https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/use-sso-in-event-based-activation
Let us know if this doesn't solve the issue.
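
Since the answer points at the .well-known resource, here is a small lint for the body of /.well-known/microsoft-officeaddins-allowed.json, added as an example that is not part of the original posts or of Microsoft's samples. The function name `checkAllowedFile` and the rules it applies (strict JSON, https only, same origin, runtime script listed) are assumptions for illustration; the page does not state how Outlook itself parses the file.

```javascript
// Added example: lint the body of /.well-known/microsoft-officeaddins-allowed.json.
// checkAllowedFile and its messages are hypothetical names, not an Office API.
function checkAllowedFile(body, origin, scriptUrl) {
  const problems = [];
  let doc;
  try {
    doc = JSON.parse(body); // strict JSON: trailing commas and comments are rejected
  } catch (e) {
    return [`not valid JSON: ${e.message}`];
  }
  if (!doc || !Array.isArray(doc.allowed)) {
    return ['top-level "allowed" array is missing'];
  }
  for (const entry of doc.allowed) {
    let url;
    try {
      url = new URL(entry);
    } catch {
      problems.push(`not an absolute URL: ${String(entry)}`);
      continue;
    }
    if (url.protocol !== "https:") problems.push(`not https: ${entry}`);
    // Keep the allowlist scoped to the origin that serves the file.
    if (url.origin !== origin) problems.push(`foreign origin: ${entry}`);
  }
  if (!doc.allowed.includes(scriptUrl)) {
    problems.push(`runtime script not listed: ${scriptUrl}`);
  }
  return problems;
}

// Constructed samples: the first mirrors the file in the question (trailing comma kept).
const ORIGIN = "https://localhost:3000";
const SCRIPT = "https://localhost:3000/command/command.js";
const asPosted = `{ "allowed": [
  "https://localhost:3000/command/command.js",
  "https://localhost:3000/command/command.html",
] }`;
const cleaned = `{ "allowed": [
  "https://localhost:3000/command/command.js",
  "https://localhost:3000/command/command.html"
] }`;

console.log(checkAllowedFile(asPosted, ORIGIN, SCRIPT));
console.log(checkAllowedFile(cleaned, ORIGIN, SCRIPT));
```

Running it against the response actually served by the add-in's web server, for example in a build step, catches a malformed or over-broad allowlist before deployment.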