I need to know the identity of the user who is invoking my Excel-based add-in so that I can rigorously and securely associate various external data access levels with them. It doesn't matter if they are not signed in - the app defaults to a Guest User and can encourage the user to sign into their excel client.

Specifically, I spent the last 2 days picking my way through the wilderness of ADAL and MSAL options and have concluded that I cannot use them within the confines of an Excel task pane app AND provide a satisfactory user experience. This is because I cannot/should not persist the security tokens in a shared spreadsheet where it won't be possible to identify which user is which. Thus, the user would have to explicitly log in every single time. All this would be bypassed if office.js would only provide the identity ('sub' field of the Azure basic profile information?). I have no problem with registering the app and providing some sort of application id to office.js.

All help would be much appreciated!