Solution 1:

There are 2 questions here.

Question #1: For SSO login, should it be redirected in the Outlook add-in instead of opening a new web browser window?

It should not be redirected in the Office add-in, for the very simple reason that this is against OAuth. With OAuth authentication, you'll have to show the user the URL - otherwise you can spoof a UI which looks similar to the Microsoft login in your add-in and steal people's credentials. Obviously this is not secure. So instead, when you call getAccessTokenAsync, it should pop up a dialog if the user is not signed in. Signing in is handled by Microsoft, after which the token becomes available through the same method, getAccessTokenAsync.

Question #2: How do I get the access token from my add-in?

Refer to the documentation here: https://docs.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins#add-client-side-code

Office.context.auth.getAccessTokenAsync(function (result) {
    if (result.status === "succeeded") {
        // Use this token to call Web API
        var ssoToken = result.value;
        // ...
    } else {
        if (result.error.code === 13003) {
            // SSO is not supported for domain user accounts, only
            // work or school (Office 365) or Microsoft Account IDs.
        } else {
            // Handle error
        }
    }
});
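
The callback pattern above, wrapped so the token goes to the Web API in one place only. This is an added example, not part of the original answer or Microsoft's documentation; `getSsoToken`, `callWebApi`, `apiUrl` and `fetchImpl` are hypothetical names, and the HTTPS check is an added safeguard. In an add-in, pass `Office.context.auth` as `auth` and `fetch` as `fetchImpl`.

```javascript
// Added example. `auth` stands for Office.context.auth as used in the answer;
// getSsoToken, callWebApi, apiUrl and fetchImpl are hypothetical names.

// Wrap the callback-style getAccessTokenAsync in a Promise.
function getSsoToken(auth) {
  return new Promise(function (resolve, reject) {
    auth.getAccessTokenAsync(function (result) {
      if (result.status === "succeeded") {
        resolve(result.value);
        return;
      }
      var err = new Error("SSO token request failed");
      err.code = result.error && result.error.code;
      // 13003: SSO is not supported for this account type (see the answer),
      // so the caller can fall back to another sign-in flow.
      err.ssoUnsupported = err.code === 13003;
      reject(err);
    });
  });
}

// Send the token to the Web API in the Authorization header only.
// The token is a bearer credential: never put it in the URL or a log line,
// and refuse any endpoint that is not HTTPS (added safeguard).
function callWebApi(auth, apiUrl, fetchImpl) {
  if (new URL(apiUrl).protocol !== "https:") {
    return Promise.reject(
      new Error("refusing to send token over non-HTTPS URL"));
  }
  return getSsoToken(auth).then(function (token) {
    return fetchImpl(apiUrl, {
      headers: { Authorization: "Bearer " + token }
    });
  });
}
```

The Web API receiving the token still has to validate it server-side before trusting it.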