OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview

Files referencing add-ins deployed centrally show "Add-in Error - you don't have permission to use this add-in" when opened outside the organization or after centralized deployment is turned off. #3196

Closed gmichaud closed 5 months ago

gmichaud commented 1 year ago

Some of our customers use centralized deployment, to ensure our add-in (available on the Office Store) is available to all their users. Files that are created with centralized deployment can't be used outside the organization. If the organization decides to turn off centralized deployment, the same issue will also occur inside the organization.

The overall user experience is confusing, not clear, and even the most experienced users (IT/programmers and other power users) are unable to resolve this problem easily. The only way to "correct this" is to use the Document Inspector to completely remove the add-in reference, which is only available on PC.

Recording 1: https://www.loom.com/share/8820fe1e1b7545ae86d4efcfa0dd2b84

Recording 2: https://www.loom.com/share/3f452c61f040439699c35f1dc4d5db94 (notice this one shows the message in the side panel as well)

File using centralized deployment.xlsx

Expected behavior

Since centralized deployment is made using a store add-in that is publicly available, files should work out-of-the-box, with no prompt or error message.

From the user's perspective (and in the file metadata as well), there should be NO difference between a file that was created with centralized deployment on, or with

Current behavior

Add-in Error - you don't have permission to use this add-in shows up, with a retry button that does nothing but show the same error message again. In some cases, the message also shows up in the side panel.

Steps to reproduce

  1. Open attached file

Provide additional details

Issue created as per request from @Wenjun-Gong here https://github.com/OfficeDev/office-js/issues/2878#issuecomment-1450639811

Context

We receive a disproportionate number of support requests from customers wondering why they're unable to work with a file they created earlier.

We are manually cleaning up and removing centralized add-ins from files on a regular basis.

ghost commented 1 year ago

Thank you for letting us know about this issue. We will take a look shortly. Thanks.

Wenjun-Gong commented 1 year ago

Thanks @gmichaud. Could you double confirm for this case: is this centrally deployed add-in selected from the store, or from an uploaded customized manifest? Thanks.

gmichaud commented 1 year ago

Hi @Wenjun-Gong - this is a centrally deployed add-in from the store. The file I attached came from a customer and they do not have access to the manifest otherwise - we do not provide, document or suggest uploading custom manifests to customers.

Wenjun-Gong commented 1 year ago

Thanks for the confirmation @gmichaud . Do you know how the file was created? Is it created from Excel Online, or Excel desktop (Win32 or Mac)?

gmichaud commented 1 year ago

It was created on Mac, as far as I know

gmichaud commented 1 year ago

@Wenjun-Gong and in case that is relevant/important, this is a file that was built in the last few weeks - so, created with a recent version of Excel for Mac.

Wenjun-Gong commented 1 year ago

Hi @gmichaud , I got your update in another thread. Do you mean the problem for Mac has gone on your side? Appreciate if you can confirm here.

From the webextension1.xml of the file you shared, it looks more like an add-in that was centrally deployed from an uploaded manifest instead of centrally deployed from the store. We haven't figured out a way to reproduce the issue you described.

If the problem still persists for the files created on Mac, you may want to ask your customer to have the admin remove the previous centrally deployed add-ins first, and then deploy your add-in from the store again. Let me know if this does not work.
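The `webextension1.xml` check mentioned in the comment above can be repeated on any file that shows the permission error. This is an added example, not code from this thread or from the Office.js project: it lists the add-in references stored in a package and flags primary references that are not resolved from the public store. The part path `xl/webextensions/webextensionN.xml`, the `storeType` values `OMEX` (store) and `EXCatalog` (centralized deployment), and the sample workbook with placeholder ids are assumptions based on the Office web-extension file format, not values read from the attached file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

WE_NS = "http://schemas.microsoft.com/office/webextensions/webextension/2010/11"
PART = re.compile(r"[^/]+/webextensions/webextension\d+\.xml")  # skips taskpanes.xml, .rels

def addin_references(package):
    """List every add-in reference stored in an Office file (path or file object)."""
    refs = []
    with zipfile.ZipFile(package) as zf:
        for name in filter(PART.fullmatch, zf.namelist()):
            data = zf.read(name)
            if b"<!DOCTYPE" in data:  # file comes from outside: refuse DTD/entity tricks
                continue
            root = ET.fromstring(data)
            primary = root.find(f"{{{WE_NS}}}reference")  # direct child = primary reference
            for ref in root.iter(f"{{{WE_NS}}}reference"):  # also walks alternateReferences
                refs.append({"part": name, "id": ref.get("id"),
                             "store": ref.get("store"),
                             "storeType": ref.get("storeType"),
                             "primary": ref is primary})
    return refs

def non_store_primaries(refs):
    """Primary references that are not resolved from the public store (OMEX)."""
    return [r for r in refs
            if r["primary"] and (r["storeType"] or "").upper() != "OMEX"]

def constructed_workbook():
    """Build a minimal in-memory package; every id below is a made-up placeholder."""
    xml = (f'<we:webextension xmlns:we="{WE_NS}" id="{{PLACEHOLDER-GUID}}">'
           '<we:reference id="placeholder-addin-guid" version="1.0.0.0" '
           'store="EXCatalog" storeType="EXCatalog"/>'
           '<we:alternateReferences>'
           '<we:reference id="WA000000000" version="1.0.0.0" '
           'store="en-US" storeType="OMEX"/>'
           '</we:alternateReferences></we:webextension>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/webextensions/webextension1.xml", xml)
        zf.writestr("xl/webextensions/taskpanes.xml", "<taskpanes/>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for r in addin_references(constructed_workbook()):
        print(r)
```
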

gmichaud commented 1 year ago

@Wenjun-Gong we'll test internally, but this file comes from a customer, and we do not share our manifest externally so not clear how that could have happened.

wh1t3cAt1k commented 1 year ago

Test on Excel Desktop for Windows (2304, Build 16310, Beta Channel):

https://www.loom.com/share/8a551e8e748d4346a9f989f5912c6b42

The issue seems to be gone.

Scenario 1:

  1. Deploy centrally.
  2. Create and save document with centrally deployed add-in, use some custom functions.
  3. Remove from central deployment.
  4. Ensure that Vx button is gone from the ribbon and the add-in is not listed in Admin managed.
  5. Open the document.

Actual result: "this add-in comes from the office store...", when you click "Allow" it gets installed for my user from the store.

I am happy with this result, seems reasonable behaviour.

Important note: @Wenjun-Gong I consistently have to manually clear the Office add-in cache before I see changes in deployment (Vx button does not immediately appear or disappear from the ribbon, even after the relaunch). I wonder if you want to take a look at the cache invalidation strategy.

Scenario 2:

  1. Deploy centrally.
  2. Create and save document with centrally deployed add-in, use some custom functions.
  3. Remove from central deployment.
  4. Ensure that Vx button is gone from the ribbon and the add-in is not listed in Admin managed.
  5. Install store-based version of the add-in
  6. Ensure that the add-in is really installed and listed in "My add-ins"
  7. Open the document that was created with centrally deployed version.

Actual result: it simply picks up the add-in and functions as usual. No duplication or additional prompts.

wh1t3cAt1k commented 1 year ago

I tried to do the same test on Mac but I found the UX very frustrating and was even blocked from conducting the experiment.

https://www.loom.com/share/dbbd367d3e094161a9951d5745df81ad

You can see I struggled for about 15 minutes before I gave up. I could not finish the experiment and the whole experience was deeply confusing.

Again, just like on Windows, the add-in did not appear immediately after I enabled the central deployment. I had to clear the Office cache, but the steps on Mac are super involved and we cannot expect our users to do it.

@Wenjun-Gong I strongly believe something needs to be done about the WEF cache invalidation strategy so the changes propagate immediately upon the next Excel launch.

When it did appear, for some reason it appeared in "My add-ins" section even though it was centrally deployed (!)

When I clicked the "Admin managed" section I consistently got the error of "could not connect to catalog" and could not view the list.

Then, after I removed the add-in from My addins in Excel for Mac (not from admin center, directly in Excel - and reminder: it was centrally deployed!), I could not get it to appear anymore after multiple relaunches of Excel.

Device ID: 64832662-F890-5BD5-A5D4-4054B80A8331

(I don't know how to find session ID on a Mac desktop).

Excel for Mac 16.71.

wh1t3cAt1k commented 1 year ago

I restarted my Mac and signed out of my account and signed in again, I still see the error saying "cannot connect to the catalog". @Wenjun-Gong please help sort this out, I am blocked from any further testing, it seems I cannot deploy the addin from the admin center to see on a Mac.

(Please take a look at my last video above - I saw it in "My add-ins" section for some reason after deploying centrally. Then I was able to "Remove" it from Excel for Mac directly, and then none of the following: clearing cache, re-login, computer restart, make any difference. I don't see the add-in anymore and the "admin managed" section says "cannot connect to catalog" consistently).

wh1t3cAt1k commented 1 year ago

I just found the below link with posts as recent as 15-16 March 2023: (additional data: M1 Mac, Ventura)

https://techcommunity.microsoft.com/t5/word/office-add-ins-error-cannot-connect-to-catalog/m-p/2702496

Apparently it's a known issue by now:

https://github.com/OfficeDev/office-js/issues/3221

I will continue testing when it is resolved.

wh1t3cAt1k commented 1 year ago

But at any rate, @Wenjun-Gong I do think that once the deployment policy changes, the changes should propagate to users the next time they launch Excel - we shouldn't expect the users to have to clear the web cache to see changes propagated from their administrator. I saw this issue both on Excel for Mac and Excel for Windows.

wh1t3cAt1k commented 1 year ago

@Wenjun-Gong @penglongzhaochina @gmichaud I was finally able to confirm on Excel for Mac, too, that store-installed add-ins and centrally deployed add-ins can be used interchangeably.

For that, I did two tests:

Test 1.

Test 2.

Looks like this issue can be marked as resolved @Wenjun-Gong @penglongzhaochina.

❗️❗️❗️ There is just one thing I'd ask you to follow up on if you have time. For some reason, when "picking up" another version of the add-in at the last step in each of the tests, our contextual tab did not show up on the first attempt. I had to reopen/reload the side panel for it to show.

I wonder if it has something to do with the add-in identifier changing. But it is a relatively minor issue, admittedly.

Wenjun-Gong commented 1 year ago

Hi @wh1t3cAt1k , I appreciate your patience on this issue very much. Good to know your two tests work now.

If you are still able to repro the "could not connect to catalog" issue after the central deployment, please let us know. It looks like a bug to me.

For the centrally deployed add-in not showing up on the "Admin managed" tab or the contextual tab in a timely manner, it might be because of the time needed for centrally deployed add-ins to show up on the app client side: https://learn.microsoft.com/en-us/microsoft-365/admin/manage/centralized-deployment-faq?view=o365-worldwide#how-long-does-it-take-for-add-ins-to-show-up-for-all-users-

But for the user installed add-in from the store, the expected behavior is the add-in would show up immediately after the installation. Are you able to consistently repro the "contextual tab did not show up on the first attempt" issue?

wh1t3cAt1k commented 1 year ago

@Wenjun-Gong thanks for the explanation!

The contextual tab not appearing is quite frequent, but I am not certain it's related to the channel change.

Just sideloading our manifest is enough for the contextual tab to frequently not appear.

(The problem usually doesn't happen with the store)

I will file a separate issue and tag you there.

This one we can close!

Regarding add-in poisoning, we just have one big pain point remaining - implementing the automatic equivalence of sideloaded and store add-ins.

If that could be done, our experience could become seamless.

wh1t3cAt1k commented 1 year ago

I just confirmed one additional test scenario:

  1. Use Excel for Mac Desktop.
  2. Create the file using a centrally deployed store add-in
  3. Switch off central deployment
  4. Ensure add-in disappears from "Admin managed"
  5. Reopen Excel, reopen the file.

image

I saw this as expected and was able to reinstall the add-in from the store individually, then start using it. 🎉

wh1t3cAt1k commented 1 year ago

@gmichaud @Wenjun-Gong let's close this, I deem it fully verified.

As a follow-up, I filed the below issue regarding the ribbon, it is consistently repro and might be related to the fact that the tab disappears after changing channels. @Wenjun-Gong could we hope someone takes a look at that? Thanks again for all your help, I strongly appreciate your responsiveness and availability.

https://github.com/OfficeDev/office-js/issues/3476#issuecomment-1618996552

XuanZhouMSFT commented 5 months ago

Close the case based on the previous discussion, we will track the issue with #3476. Please feel free to leave comments if you still have any concerns.