Scenario: ADatum identifies the following technical requirements for the planned E-invoicing capabilities:

Ensure that all operations performed by E-invoicing against Office 365 are initiated by a user. Require that the user authorize E-invoicing to access the Office 365 data the first time the application attempts to

access Office 365 data on the user's behalf.

Scenario: Implement single sign-on (SSO) and minimize login prompts across browser tabs.

When your application is open in multiple tabs and you first sign in the user on one tab, the user is also signed in on the other tabs without being prompted. MSAL.js caches the ID token for the user in the browser localStorage and will sign the user in to the application on the other open tabs.

By default, MSAL.js uses sessionStorage which does not allow the session to be shared between tabs. To get SSO between tabs, make sure to set the cacheLocation in MSAL.js to localStorage.

clientState specifies the value of the clientState property sent by the service in each notification. The maximum length is 128 characters. The client can check that the notification came from the service by comparing the value of the clientState property sent with the subscription with the value of the clientState property received with each notification.

Note: A subscription allows a client app to receive notifications about changes to data in Microsoft Graph.

To use Microsoft Graph to read and write resources on behalf of a user, your app must get an access token from the Microsoft identity platform and attach the token to requests that it sends to Microsoft Graph.

One common flow used by native and mobile apps and also by some Web apps is the OAuth 2.0 authorization code grant flow.

Scenario: Email the generated invoices to customers on behalf of the current signed-in user. Any emails generated by the system will contain the invoiced.

Use Azure AD to manage identities, authentication, and authorization.