OfficeRuntime.auth.getAccessToken fails after a period of inactivity

[ragnarstolsmark]

Provide required information needed to triage your issue

Your Environment

• Platform [PC desktop, Mac, iOS, Office on the web]: Office on the web
• Host [Excel, Word, PowerPoint, etc.]: Outlook
• Office version number: OfficeOnline
• Operating System: Windows
• Browser (if using Office on the web): Edge 131.0.2903.112

Expected behavior

I expected the OfficeRuntime.auth.getAccessToken to return an access token. It has worked well until late december 2024 (approx. 26 december)

Current behavior

It returns error code 13006.

Steps to reproduce

1. Call getAccessToken.
2. Wait for more than 1 day.
3. Call getAccessToken again.

Provide additional details

We handle error 13006 by using an MSAL popup. Subsequent calls to getAccessToken do not fail after the popup has successfully authenticated the user.

Context

The issue is degrading the user experience of customers using our Outlook add-in. It only affects Outlook online.

Useful logs

Screenshot of our application insights showing the trend for error code 13006.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• OfficeRuntime.auth.getAccessToken() fails in Outlook with Conditional Access MFA Policy #3469
• Office.auth.getAccessToken no longer works on New Outlook Desktop #3921
• 'Share to Outlook' in Teams and SSO error 13006  #4237
• OfficeRuntime.auth.getAccessToken() throws an error on Safari browser #2993

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

Ensure that the add-in id has been added to the list of authorized applications. The id needs to be pre-authorized. Refer to the doc: https://learn.microsoft.com/en-us/office/dev/add-ins/develop/register-sso-add-in-aad-v2

Reference:

• OfficeRuntime.auth.getAccessToken() fails in Outlook with Conditional Access MFA Policy #3469 (comment)

Solution 2:

We had the same problem after the last Outlook Desktop update. When we added the Client Id from the error message as a pre-authorized client in the App registration (Expose an API) it worked again.

Reference:

• Office.auth.getAccessToken no longer works on New Outlook Desktop #3921 (comment)

[ragnarstolsmark]

The similar issues are older than our new issue and they are not relevant to our problem.

[sivachandran-msft]

Hi @ragnarstolsmark , thanks for reporting and sharing the details. Could you please help us with below information to investigate it further:

• Please share the code snippet you tried to access the getAccessToken
• If you have sample addin where the issue is reproducible, please it with exextoc account
• Please share us the scenario where this issue is observed.

[ragnarstolsmark]

Here is our code that gets the accessToken:

async function getAccessTokenOfficeRuntime(): Promise<string> {
  // The getAccessToken api mutates the passed in object. So we have to destructure it every time we use it
  const parameters = {
    allowConsentPrompt: false,
    allowSignInPrompt: !isInEventContext(), //isInEventContext() returns true when the code is triggered by an outlook add-in event.
  };
  try {
    const accessToken = await OfficeRuntime.auth.getAccessToken({ ...parameters });
    return accessToken;
  } catch (error) {
    if (!shouldRetry(error)) {
      throw error;
    }
  }

  return new Promise((resolve, reject) => {
    setTimeout(() => {
      OfficeRuntime.auth
        .getAccessToken({ ...parameters })
        .then(resolve)
        .catch(reject);
    }, 300);
  });

We do not have a sample addin where the issue is reproducible.

The scenario is observed by our users who use our outlook add-in for inserting signatures into their e-mails. It seems to appear more often when the user has been inactive for some time, maybe it has something to do with a token that has expired?