I have an Outlook add-in with ReadWriteMailbox permissions that calls Office.context.mailbox.getCallbackTokenAsync({isRest: true}) to get what is generally a valid auth token:
    {
      "oid": "oid",
      "puid": "puid",
      "smtp": "xxx",
      "upn": "xxx",
      "clientappid": "3382ce5c-ed22-4195-aeca-c5b67384706f",
      "ver": "Exchange.Callback.V2",
      "appid": "00000002-0000-0ff1-ce00-000000000000",
      "deploymentid": "https://outlook.office365.com/",
      "tid": "tid",
      "acr": "1",
      "appidacr": "0",
      "scp": "Mail.ReadWrite Mail.Send Calendars.ReadWrite Contacts.ReadWrite",
      "nbf": 1588259750,
      "exp": 1588260650,
      "iss": "https://outlook.office365.com/",
      "aud": "a_vanity_url",
      "happ": "API"
    }
In Outlook for iOS, I am now seeing this exception in a handful of environments:
    {
      "readyState": 4,
      "responseText": "omitted_for_redundancy",
      "responseJSON": {
        "error": {
          "code": "InvalidAudienceForResource",
          "message": "The audience claim value is invalid for current resource.
                      Audience claim is 'a_vanity_url',
                      request url is 'https://outlook.office365.com/api/v2.0/me/messages/a_message_id'
                      and resource type is 'Exchange'.",
          "innerError": {
            "requestId": "requestId",
            "date": "2020-04-30T15:15:51"
          }
        }
      },
      "status": 401,
      "statusText": "Unauthorized"
    }
The common theme seems to be whenever an MDM/MAM is configured (usually Intune), and it's happening across all managed devices on the tenant, and continues to fail until a device is unregistered and its Outlook accounts are removed and re-added.
Is there something I can do differently when I request an auth token to prevent this failure? Or is there a device management setting that Outlook for iOS requires to run add-ins?
The workaround here is just to use the vanity domain returned in the JWT's audience claim as the API URL base instead of the value returned by Office.context.mailbox.restUrl.