After subscription migration of Excel AddIn application manifest can't authenticate users through Microsoft Entra ID (Expose API url had not changed)

@Shireesha Eeraboina Yes we need future assistance we checked everything and we are sure that this is related to the latest Microsoft update with Microsoft Entra ID Manifest https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html because we found absolutely the same thread with the problem with other people https://github.com/richard6094/Issue-analyzer/issues/18

I beg you, please contact Microsoft support. I'm sure something broke with the latest updates and now it's impossible to migrate to another subscription excel add in container aps due to this microsoft entra id authorization problem with new manifest

Hi @Pavel Trostianko

Can you check the 'resource' section passed to 'getAccessTokenAsync()' then if your code has something like this:

"Office.context.auth.getAccessTokenAsync({ resource: "https://graph.microsoft.com" }, callback);"

Make sure the 'resource' is valid and registered in entra ID as an exposed API or part of allowed scopes.

For microsoft graph use: resource: "api://<client-id>"

For custom APIs, use the application ID URI : resource: "api://<client-id>"

Make sure the value matches the application id uri filed from your entra app registration

Azure Portal > Entra ID > App registrations > Your app > Expose an API > Application ID URI

Update the manifest XML in your office add-in look for:

<WebApplicationInfo>

<Id>YOUR-CLIENT-ID</Id>

<Resource>WRONG-RESOURCE-URL</Resource> <<update this

</WebApplicationInfo>

Replace the resource with either microsoft graph or your API's valid resource URI

Then re-upload the manifest.

We fix this issue by latest Microsoft update of azure container manifest

We fix this issue by latest Microsoft update of azure container manifest.

After Microsoft release update for container app manifest with new Microsoft graph settings our frontend start working and we start getting backend container errors that we was able to solve ourselves. Errors like this:

Hello Pavel Trostianko,

Even though the Application ID URI (Expose an API) was not manually changed, migrating your container app triggered a mismatch between the resource URL configured inside your Excel Add-In manifest.xml, and the application ID URI registered inside Microsoft Entra ID (App Registration). Additionally, due to recent Microsoft Entra updates for Office Add-ins authentication, the excel add-in manifest must strictly reference the backend API in this format- api://<backend-client-id>

If not, authentication fails with error Code 13004 – “Invalid resource URL specified in the manifest”

I would recommend you validate your app registrations (both Frontend and Backend)

Inside Entra ID under Backend App (Excel-Backend-API), go to app registrations -> Excel-Backend-API. Under Expose an API, ensure application ID URI is-

api://<backend-client-id>

Example:

Same for Frontend App (Excel-AddIn-Frontend), go to app registrations -> Excel-AddIn-Frontend and under API permissions, ensure delegated permission for backend API is added, selecting the correct scope (like access_as_user).

Example:

Update the <WebApplicationInfo> section like this-

<WebApplicationInfo>

  <Id>frontend-client-id-here</Id>

  <Resource>api://backend-client-id-here</Resource>

</WebApplicationInfo>

Where will be your Frontend App’s Application (client) ID and will be your Backend API’s Application ID URI (api://backend-client-id).

Upload the updated manifest followed by updating your JavaScript login code to force consent just in case if admin consent was not granted during migration

Office.context.auth.getAccessTokenAsync({ forceConsent: true }, function (result) {

    if (result.status === "succeeded") {

        console.log("Access Token acquired:", result.value);

    } else {
        console.error("Error acquiring token:", result.error.message);
    }
});

This should ensure the user sees a sign-in and consent prompt during login inside the Add-in.

After fixing frontend authentication, you mentioned encountering backend API call failures, showing CORS errors as below-

Access to fetch at '<backend-api-url>' from origin '<frontend-url>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This is expected because once the frontend starts calling backend APIs, CORS must be correctly configured on the backend Azure Container App. You must configure your backend API to return proper CORS headers.

Something like this.

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type

Reference MS docs-

• Define Expose an API Settings
• Office.context.auth.getAccessTokenAsync method

Hope this clears your query. Thanks

Hello Pavel Trostianko, We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.