Authenticate user in Azure AD without client-secret and authentication pop-ups in an Outlook Add-In

Suraj Sinha 5 Reputation points
2025-01-07T09:23:07.1466667+00:00

Hi Microsoft Team,

I am developing a React.js-based Outlook Add-In and need assistance with implementing a seamless authentication flow for my application. Here's the situation:

  1. Objective: I want to authenticate users in Azure Active Directory (AAD) without relying on a client secret. The goal is to securely obtain an access token for Microsoft Graph without exposing sensitive secrets.
  2. Requirements:
    • No Client Secrets: The solution should not depend on client secrets or any other confidential client credentials.
    • No Additional Pop-Ups: The user is already signed in to Outlook, and the add-in should leverage this authenticated session. There should be no additional pop-ups or user interaction for authentication.
    • Seamless Sign-In: The add-in should automatically authenticate the user using their existing Outlook session.
  3. What I’ve Tried:
    • I am using the Office.context.auth.getAccessTokenAsync() method to retrieve a token (Token A) tied to the current user's authenticated session in Outlook.
    • I have attempted to exchange Token A for a Microsoft Graph API access token (Token B) using the On-Behalf-Of (OBO) flow, but this requires the use of client secrets or certificates, which I want to avoid.
  4. Challenges:
    • The OBO flow seems to mandate a client secret or a certificate, but I am looking for a way to securely authenticate without these.
    • I would like to make use of the user's authenticated session in Outlook and avoid redundant authentication steps or exposing sensitive credentials.

Key Question:

How can I securely authenticate users in AAD and obtain a Microsoft Graph access token without requiring a client secret or displaying additional pop-ups, by taking advantage of the authenticated session already established in Outlook?
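An added example, not part of the original post and not Microsoft sample code: a claims inspector that shows why Token A from `getAccessTokenAsync()` cannot be sent to Microsoft Graph directly and has to be exchanged for Token B. It assumes Token A carries the add-in's own app registration as its audience with the `access_as_user` scope; the app ID, tokens and function names are constructed for illustration.

```javascript
// Added example: inspects token claims only. It does not verify signatures,
// so it is a debugging aid, not a token validation routine.
const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "00000003-0000-0000-c000-000000000000", // Microsoft Graph's well-known app ID
]);

// Decode the payload (second segment) of a compact JWT.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Classify a token by audience and scope. addInAppId is the add-in's own
// app registration ID (hypothetical parameter, supplied by the caller).
function classifyToken(token, addInAppId) {
  const claims = decodeJwtPayload(token);
  const aud = String(claims.aud || "");
  const scopes = String(claims.scp || "").split(" ").filter(Boolean);
  if (GRAPH_AUDIENCES.has(aud)) {
    return { kind: "graph", usableForGraph: true, aud, scopes };
  }
  // v2 tokens carry the bare app ID as aud; v1 tokens carry the App ID URI.
  const forAddIn = aud === addInAppId || aud.endsWith("/" + addInAppId);
  if (forAddIn && scopes.includes("access_as_user")) {
    return { kind: "bootstrap", usableForGraph: false, aud, scopes };
  }
  return { kind: "other", usableForGraph: false, aud, scopes };
}

// Constructed sample tokens with a placeholder signature (all values made up).
function makeSampleToken(claims) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
const SAMPLE_APP_ID = "11111111-2222-3333-4444-555555555555";
const tokenA = makeSampleToken({ aud: `api://localhost:3000/${SAMPLE_APP_ID}`, scp: "access_as_user" });
const tokenB = makeSampleToken({ aud: "https://graph.microsoft.com", scp: "User.Read Mail.Read" });

console.log("Token A:", classifyToken(tokenA, SAMPLE_APP_ID));
console.log("Token B:", classifyToken(tokenB, SAMPLE_APP_ID));
```

Logging the classification of the real Token A during development confirms whether the add-in is holding a bootstrap token or a Graph token before any call to Graph is attempted.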
