Forum Discussion
Nested App Authentication (NAA) token to protect middle-tier server
Below are the steps to validate an NAA access token in PHP:
1. Receive the Token from the Add-in
   • Your Outlook add-in should send the NAA access token in the Authorization header:
     Authorization: Bearer <access_token>
2. Validate the Token Using Microsoft Identity Platform
   Use a JWT validation library in PHP (e.g., firebase/php-jwt) and follow these steps:
   a. Decode the Token Header
      • Extract the kid (key ID) from the token header.
   b. Fetch Microsoft's Public Keys
      • Get the signing keys from: https://login.microsoftonline.com/common/discovery/v2.0/keys
      • Match the kid to the correct public key.
   c. Verify Token Signature and Claims
      • Validate:
        - Signature using the public key
        - Issuer: https://login.microsoftonline.com/{tenant}/v2.0
        - Audience: should match your API's client_id or App ID URI
        - Scopes: ensure the required scopes are present
        - Expiration: check the exp claim
Suggestions:
require 'vendor/autoload.php';
use Firebase\JWT\JWT;
use Firebase\JWT\JWK;
// The header value is "Bearer <access_token>", so strip the scheme before decoding
$jwt = preg_replace('/^Bearer\s+/i', '', $_SERVER['HTTP_AUTHORIZATION'] ?? '');
$jwks = json_decode(file_get_contents('https://login.microsoftonline.com/common/discovery/v2.0/keys'), true);
// php-jwt 6.x: decode() no longer takes an algorithm list; pass RS256 as the default to parseKeySet(), since Microsoft's JWKS entries carry no "alg" member
$decoded = JWT::decode($jwt, JWK::parseKeySet($jwks, 'RS256'));
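The snippet above only proves the signature and expiry; the issuer, audience and scope checks listed in step 2c still have to be done on the returned claims. The following is an added, self-contained example (not from the original post or from Microsoft) that performs all of the checks end to end with firebase/php-jwt 6.x (a release whose JWK::parseKeySet accepts a default algorithm). The tenant ID, API client ID and the scope name `access_as_user` are assumed placeholders; replace them with the values from your own app registration.

```php
<?php
// Added example: complete NAA access-token validation for a PHP middle tier.
// Placeholders (assumed, replace with your own): TENANT_ID, API_CLIENT_ID, REQUIRED_SCOPE.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

const TENANT_ID      = '00000000-0000-0000-0000-000000000000'; // placeholder
const API_CLIENT_ID  = '11111111-1111-1111-1111-111111111111'; // placeholder
const REQUIRED_SCOPE = 'access_as_user';                       // assumed scope name
const JWKS_URL       = 'https://login.microsoftonline.com/common/discovery/v2.0/keys';

// Pull the raw JWT out of "Authorization: Bearer <token>"; reject anything else.
function extractBearerToken(string $authorizationHeader): string
{
    if (!preg_match('/^Bearer\s+([A-Za-z0-9_\-.]+)$/i', trim($authorizationHeader), $m)) {
        throw new RuntimeException('Missing or malformed Authorization header');
    }
    return $m[1];
}

// Download Microsoft's JWKS and turn it into php-jwt Key objects keyed by kid.
// The entries carry no "alg" member, so RS256 is supplied as the default.
function fetchSigningKeys(string $jwksUrl): array
{
    $json = file_get_contents($jwksUrl);
    if ($json === false) {
        throw new RuntimeException('Could not fetch signing keys');
    }
    $jwks = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return JWK::parseKeySet($jwks, 'RS256');
}

// Verify signature, lifetime, issuer, audience and scope. Returns the claims on success.
function validateNaaToken(string $jwt, array $keys, string $tenantId, string $apiClientId, string $requiredScope): stdClass
{
    JWT::$leeway = 60; // seconds of clock skew tolerated on exp/nbf/iat

    // decode() selects the key by the token's kid, verifies the RS256 signature
    // and enforces exp, nbf and iat. It throws on any failure.
    $claims = JWT::decode($jwt, $keys);

    // Issuer: pin to your tenant so a token minted for another tenant is refused
    // even though the "common" JWKS endpoint can verify its signature.
    $expectedIssuer = "https://login.microsoftonline.com/{$tenantId}/v2.0";
    if (($claims->iss ?? '') !== $expectedIssuer) {
        throw new RuntimeException('Unexpected issuer');
    }

    // Audience: v2.0 tokens carry either the bare client ID or the api:// App ID URI.
    $aud = (string) ($claims->aud ?? '');
    if ($aud !== $apiClientId && $aud !== "api://{$apiClientId}") {
        throw new RuntimeException('Token was not issued for this API');
    }

    // Scopes: delegated tokens list granted scopes space-separated in "scp".
    $scopes = preg_split('/\s+/', (string) ($claims->scp ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    if (!in_array($requiredScope, $scopes, true)) {
        throw new RuntimeException("Required scope '{$requiredScope}' not granted");
    }

    return $claims;
}

// Request handler: a single failure path that returns 401 without leaking details.
try {
    $jwt    = extractBearerToken($_SERVER['HTTP_AUTHORIZATION'] ?? '');
    $keys   = fetchSigningKeys(JWKS_URL);
    $claims = validateNaaToken($jwt, $keys, TENANT_ID, API_CLIENT_ID, REQUIRED_SCOPE);
} catch (Throwable $e) {
    error_log('NAA token rejected: ' . $e->getMessage()); // server-side only
    http_response_code(401);
    header('WWW-Authenticate: Bearer');
    exit;
}

// From here on the request is authenticated; $claims->oid / $claims->preferred_username
// identify the user who authorised the add-in.
header('Content-Type: application/json');
echo json_encode(['user' => $claims->preferred_username ?? null, 'oid' => $claims->oid ?? null]);
```

Fetching the JWKS on every request is shown for clarity; in production cache the parsed key set (php-jwt's `CachedKeySet` or your own cache) and refresh it when a token arrives with an unknown kid, which is how Microsoft's key rollover is absorbed without an outage.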