Technical Authentication Details

This page provides technical details about how Bear Decisions implements Microsoft SSO authentication for enterprise users.

Overview

The Bear Decisions Excel Add-in uses NAA (Nested App Authentication) with MSAL.js (@azure/msal-browser) to authenticate work/school accounts via Microsoft Entra ID (formerly Azure AD). The implementation uses createNestablePublicClientApplication from MSAL.js to acquire tokens through the NAA protocol, Microsoft's authentication system for Office Add-ins.

Authentication Flow

Authentication requests the OIDC scopes (openid, profile), which require only user consent (no admin consent), so users from new tenants can sign in immediately.
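The configuration and token request described above, as an added example (not Bear Decisions' code): it builds the MSAL.js configuration for the organizations authority, requests the two OIDC scopes, and applies the silent-then-interactive acquisition pattern used with NAA. The MSAL client itself is created by the caller with createNestablePublicClientApplication from @azure/msal-browser and passed in, so the functions below have no library dependency; the client ID is a placeholder, and recognising the interaction-required error by its name is an assumption (MSAL's own samples use instanceof on the exported error class).

```javascript
// Added example; not Bear Decisions' code. Shows the MSAL.js / NAA configuration
// and token request the page describes. Works in the add-in with a client created
// by createNestablePublicClientApplication (from @azure/msal-browser) passed in.

// Authority and scopes as listed on the page.
const NAA_AUTHORITY = "https://login.microsoftonline.com/organizations";
const OIDC_SCOPES = ["openid", "profile"];

// MSAL configuration for the add-in. clientId is the app registration's
// application (client) ID; the default below is a placeholder, not a real value.
function buildMsalConfig(clientId = "00000000-0000-0000-0000-000000000000") {
  return { auth: { clientId, authority: NAA_AUTHORITY } };
}

// Token request with OIDC scopes only, so a user (not a tenant admin) can consent.
function buildTokenRequest() {
  return { scopes: [...OIDC_SCOPES] };
}

// Acquire a token through the nested app client: try silently first and fall
// back to an interactive prompt only when MSAL reports that interaction is
// required. Assumption: the error is recognised by err.name, which MSAL sets to
// "InteractionRequiredAuthError"; any other error is surfaced to the caller.
async function acquireNaaToken(pca, request = buildTokenRequest()) {
  try {
    const result = await pca.acquireTokenSilent(request);
    return { accessToken: result.accessToken, interactive: false };
  } catch (err) {
    if (err && err.name === "InteractionRequiredAuthError") {
      const result = await pca.acquireTokenPopup(request);
      return { accessToken: result.accessToken, interactive: true };
    }
    throw err;
  }
}

// Usage inside the add-in (browser), with the real MSAL client:
//   import { createNestablePublicClientApplication } from "@azure/msal-browser";
//   const pca = await createNestablePublicClientApplication(buildMsalConfig(CLIENT_ID));
//   const { accessToken } = await acquireNaaToken(pca);
```

The returned access token is what the backend later inspects for claims; nothing here calls Microsoft Graph, matching the flow described in Token Handling.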

Token Handling

The tokens received are Microsoft Graph tokens (audience: 00000003-0000-0000-c000-000000000000 or https://graph.microsoft.com), but the implementation does not call the Microsoft Graph API during authentication. Instead, user identity (email, tenant ID, object ID) is extracted directly from the token's JWT claims:

  • preferred_username: User's preferred email address
  • upn: User Principal Name
  • email: User's email address
  • tid: Tenant ID
  • oid: Object ID (user's unique identifier)

This approach eliminates Graph API dependency from the critical authentication path and reduces consent friction for enterprise tenants.

Token Verification

Token verification uses a trust-based model rather than cryptographic signature verification, as Microsoft Graph tokens with OIDC scopes are not designed for third-party signature validation. The backend validates:

  • Token Structure: Valid JWT format and structure
  • Issuer: Microsoft domains (trusted Microsoft Entra ID issuers)
  • Expiry: Token has not expired
  • Required Claims: All necessary claims are present and valid

This approach trusts the Office environment's authentication of the user, which is appropriate for Office Add-ins running within the trusted Microsoft Office context.

Personal Microsoft Accounts

Personal Microsoft accounts are detected via tenant ID (9188040d-6c67-4c5b-b112-36a304b66dad) and automatically routed to Supabase OTP authentication. This ensures that personal accounts use the email-based authentication flow while work/school accounts use Microsoft SSO.
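The backend-side handling described in the Token Handling, Token Verification and Personal Microsoft Accounts sections, as one added example (not Bear Decisions' code) for Node.js 16 or later. It decodes the JWT without checking its signature (the trust-based model described above), applies the structure, issuer, expiry and required-claims checks the page lists, extracts the identity from the preferred_username/upn/email, tid and oid claims, and routes the personal-account tenant ID to OTP. The issuer URL forms, the requirement that the issuer's tenant match tid, the audience check, the 60-second clock skew and the order in which the email claims are consulted are assumptions added here; the sample token is constructed for the example.

```javascript
// Added example; not Bear Decisions' code. Trust-based Graph token checks
// (structure / issuer / expiry / required claims) plus identity extraction and
// personal-account routing, as described on the page. Node.js 16+ (base64url).

// Tenant ID Microsoft uses for personal (consumer) accounts, as given on the page.
const PERSONAL_ACCOUNT_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";

// Audiences of a Microsoft Graph token, as given on the page.
const GRAPH_AUDIENCES = new Set([
  "00000003-0000-0000-c000-000000000000",
  "https://graph.microsoft.com",
]);

// Trusted Microsoft Entra ID issuer forms (assumption: v1.0 and v2.0 issuer URLs).
// The tenant captured from the issuer must match the token's tid claim.
const ISSUER_PATTERNS = [
  /^https:\/\/sts\.windows\.net\/([0-9a-f-]{36})\/$/i,
  /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36})\/v2\.0$/i,
];

// Check 1, structure: three non-empty base64url segments; header and payload
// must decode to JSON objects. Returns null for anything else.
function decodeJwt(token) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    if (header === null || typeof header !== "object") return null;
    if (payload === null || typeof payload !== "object") return null;
    return { header, payload };
  } catch {
    return null;
  }
}

// Checks 2-4: issuer, expiry, required claims. No signature verification is done,
// which is the trust-based model the page describes. Returns { ok: false, reason }
// or { ok: true, identity: { email, tenantId, objectId } }.
function validateGraphToken(token, now = Math.floor(Date.now() / 1000)) {
  const decoded = decodeJwt(token);
  if (!decoded) return { ok: false, reason: "malformed token" };
  const c = decoded.payload;

  // Issuer: a trusted Microsoft Entra ID issuer whose tenant matches tid.
  const issuerMatch = ISSUER_PATTERNS.map((re) => re.exec(c.iss || "")).find(Boolean);
  if (!issuerMatch) return { ok: false, reason: "untrusted issuer" };
  if (typeof c.tid !== "string" || issuerMatch[1].toLowerCase() !== c.tid.toLowerCase()) {
    return { ok: false, reason: "issuer tenant does not match tid" };
  }

  // Audience (added check): the token should be a Microsoft Graph token.
  if (!GRAPH_AUDIENCES.has(c.aud)) return { ok: false, reason: "unexpected audience" };

  // Expiry: exp is seconds since the epoch; 60 s of clock skew is an assumption.
  if (!Number.isFinite(c.exp) || c.exp + 60 <= now) return { ok: false, reason: "token expired" };

  // Required claims: oid plus one email-bearing identity claim (lookup order assumed).
  if (typeof c.oid !== "string" || c.oid.length === 0) return { ok: false, reason: "missing oid" };
  const email = [c.preferred_username, c.upn, c.email]
    .find((v) => typeof v === "string" && v.includes("@"));
  if (!email) return { ok: false, reason: "no email claim" };

  return { ok: true, identity: { email, tenantId: c.tid, objectId: c.oid } };
}

// Routing: personal accounts go to Supabase OTP, work/school accounts stay on SSO.
function routeAccount(identity) {
  return identity.tenantId.toLowerCase() === PERSONAL_ACCOUNT_TENANT_ID
    ? "supabase-otp"
    : "microsoft-sso";
}

// Builds a constructed sample token. The signature segment is a placeholder,
// which is sufficient here because no signature check is performed.
function makeTestToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}
```

Because the signature is never checked, everything this function accepts rests on the token having reached the backend through the Office host; the audience and issuer-to-tid checks narrow what a structurally valid token can claim but do not replace signature validation.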

Enterprise Multi-Tenant Support

This approach aligns with Microsoft's recommended pattern for Office Add-ins and supports multi-tenant enterprise scenarios without requiring per-tenant admin consent. The user consent model allows immediate access for new tenants while maintaining security through Microsoft Entra ID's authentication infrastructure.

Key Technical Details

Authentication Protocol: NAA (Nested App Authentication) v1.1
SDK/Library: MSAL.js (@azure/msal-browser v3.28.1+)
Identity Provider: Microsoft Entra ID
Authority: https://login.microsoftonline.com/organizations (work/school accounts only)
Scopes: OIDC (openid, profile) — user consent only
Token Type: Microsoft Graph tokens (extract claims only, no API calls)
Verification Model: Trust-based (structure/issuer/claims validation)
Office Requirement: NestedAppAuth 1.1 (requires Office May 2025 or later)

Additional Resources

For more information about user-facing authentication, see the Authentication section in Getting Started.

For details about account types and licensing, see Account Types.