How does an organizational user log into an add-in

Question

The Microsoft docs state that

To sell Office Add-ins to organizations, you need to create a licensing database. This is necessary because:

• ...
• Centralized deployment does not allow users to buy add-ins from AppSource and deploy them. AppSource paid add-ins today only work with personal identities (Microsoft accounts), not work or school accounts.

So, if I want an organization to adopt my Office Add-in I have to handle the licensing workflow myself. This raises a few questions that the docs don't answer.

An organizational user will not have an AppSource (AS) token. Instead, how do I authenticate an org user if the user is not logged in to Office? My add-in should implement a log on screen or single sign-on (SSO)? How do you log a Microsoft user on without single sign-on? They input their username/password and I send this to Microsoft Graph? That doesn't sound secure at all (the fact that I have their Office credentials, that is).

I guess I'm confused about the authentication and authorization workflow of an add-in that is intended for organizational license. Can anyone point me to a working example or provide more information, please?

Answer 1

You seem to have multiple, related questions. I don't know if this will answer them all.

Users can log into Office with either a Microsoft Account or a work-or-school account. There is a single sign-on system, that is currently in preview, that enables you to leverage this same sign-on credential (including a work-or-school credential) for your application. For an overview of the system, see SSO in Office Add-ins.

Like any web application, you could also of course, implement your own backend user tables with user names, encrypted passwords, user permissions, and license status.

Finally, your web application could leverage one of the social identity providers such as Facebook or Microsoft Account. In the case of Microsoft Account, if you don't use the SSO system, then users would have to login to the MS account a second time, even if they are already logged into Office with that account.