Call Azure AD protected WebApi from Excel VSTO WorkBook

Question

I am attempting to call an Azure AD protected WebApi from Excel VSTO WorkBook. This is the same webApi we use for our SPA applications but now want to also consume this same Api directly from Excel.

I have searched for quite a while and cannot find any guidance on how this should work.

Does anyone know if this is possible and if so how it should be accomplished?

Answer 1

I ran into this yesterday and got it working, thanks this thread.

It sounds like this scenario was unsupported for a time, but it definitely works now. Here's what needs to be done:

The service that is being accessed from Excel, it should send back a HTTP 401 response at some point to let the client (Excel) know that authentication is required (this should already be happening). Excel will then send another request to the service with the header Authorization: Bearer. It's important to note that nothing comes after Bearer, because once the authentication flow has been completed, Excel will start sending requests with a similar header, but there will be more information after the word Bearer, and those requests you should allow to continue through the request pipeline.

In order for the authentication flow to work correctly, the service response to the aforementioned request must contain the following header value:

WWW-Authenticate: Bearer authorization_uri="Your auth URI here"

The quotes SHOULD be included in the response. Since you are using Azure AD, your URI will look something like this:

https://login.microsoftonline.com/{tenantId}/oauth2/authorize

Replace {tenantId} with your tenant ID.

The one caveat that I've found for this to work, is that the URL to the domain of the service (e.g. http://my.domain.com) must match the App Uri Id in the App Registration. I'm hoping there's a way around this because I believe I've read in the past that this is not a good practice (though I can't find the source anymore). If there's another way to handle this, I'll come back and update my answer.