
Outlook getAccessToken does not return Scopes declared in manifest


I have an Outlook web add-in which should load data from the MS-Graph. So I added an App Registration with the scopes the backend needs to get the needed information. To request the token I use:

    OfficeRuntime.auth.getAccessToken({
        forMSGraphAccess: true
    })

Further, I added my needed scopes to the manifest.xml like so:

    <WebApplicationInfo>
      <Id>${API_ID}</Id>
      <Resource>api://${FULL_CLIENT_PATH}/${API_ID}</Resource>
      <Scopes>
        <Scope>Mail.Read</Scope>
        <Scope>offline_access</Scope>
        <Scope>openid</Scope>
        <Scope>profile</Scope>
        <Scope>User.Read</Scope>
      </Scopes>
    </WebApplicationInfo>

As described here:

https://github.com/OfficeDev/office-js-docs-pr/blob/master/docs/develop/sso-in-office-add-ins.md

https://github.com/OfficeDev/office-js-docs-pr/blob/master/docs/develop/authorize-to-microsoft-graph.md

My expectation is that the scopes, defined in App Registration and Manifest, are present in the resulting token. (Which they were when I worked on my add-in last year). In fact they aren't there at all, but the token is valid.

Decoded token: [image not included]

Why is this? How to get the scopes into the token?


Solution

  • The token is intended to have only the "access_as_user" scope and the other scopes have to be requested by the application itself. See the following issue: https://github.com/OfficeDev/office-js/issues/1594

    Other helpful links to get the Graph requests working:

    https://learn.microsoft.com/de-de/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api

    https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-aspnet

    https://learn.microsoft.com/de-de/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
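The server side of the flow the answer points to, as an added example that is not part of the original post: it checks that the add-in token carries `access_as_user` and builds the on-behalf-of request in which the Graph scopes are actually requested, without sending it. The names `OboConfig`, `decodeClaims`, `hasAccessAsUser`, `buildOboRequest` and `sampleToken` are hypothetical, and the sample token is constructed.

```typescript
// Added example. Assumption: signature, issuer and audience of the add-in token
// were already validated by the API's JWT middleware; this only reads claims.
interface OboConfig { tenantId: string; clientId: string; clientSecret: string; }

// Decode the payload segment of a JWT (base64url) for inspection, no verification.
function decodeClaims(jwt: string): { scp?: string } {
  const parts = jwt.split(".");
  const payload = parts[1];
  if (parts.length !== 3 || !payload) throw new Error("not a JWT");
  // Map the URL-safe alphabet back and restore the stripped '=' padding.
  const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64 + "===".slice((b64.length + 3) % 4)));
}

// The SSO token from getAccessToken carries the API's own scope, not Graph scopes.
function hasAccessAsUser(claims: { scp?: string }): boolean {
  return (claims.scp ?? "").split(" ").indexOf("access_as_user") !== -1;
}

// Build the on-behalf-of token request; the Graph scopes are requested here.
function buildOboRequest(addinToken: string, cfg: OboConfig, graphScopes: string[]) {
  if (!hasAccessAsUser(decodeClaims(addinToken))) {
    throw new Error("token lacks access_as_user");
  }
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    assertion: addinToken,
    requested_token_use: "on_behalf_of",
    scope: graphScopes.join(" "),
  });
  const url = `https://login.microsoftonline.com/${cfg.tenantId}/oauth2/v2.0/token`;
  return { url, body };
}

// Constructed sample: an unsigned, fake token with the given scp claim.
function sampleToken(scp: string): string {
  const enc = (o: object) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ scp })}.constructed`;
}
```

The returned `url` and `body` would be sent as a form-encoded POST from the backend only, so the client secret never reaches the add-in.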