Written By Ronnie Quan

Overview

I have been working with Azure Bot Service for some time. It is easy to create a bot app and configure an app registration, and it works almost effortlessly, since most of the plumbing is handled by the Bot Framework SDK.

I have always wondered how authentication and authorization actually work in the Bot Framework service and SDK.

In this article I will share my understanding of these product features. I will start with authentication between Azure Bot Service and the bot app, including how the bot authenticates Azure Bot Service and how Azure Bot Service authenticates the bot.

I will also briefly cover user authentication and channel, LUIS and QnA Maker access control; more will follow in future articles.

System Diagram

Authentication Flow

Bot Authentication Example

This sample uses the bot authentication capabilities in Azure Bot Service, which provide features that make it easier to develop a bot that authenticates users against various identity providers such as Azure AD (Azure Active Directory).

Code:

BotBuilder-Samples/samples/csharp_dotnetcore/18.bot-authentication at main · microsoft/BotBuilder-Samples · GitHub

Installation:

Visual Studio and the Bot Framework Emulator (Releases · microsoft/BotFramework-Emulator · GitHub)

Enable Authentication Steps:

A1) Create a Microsoft App Id for Bot Authentication
https://docs.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv2%2Ccsharp#create-the-azure-bot-registration

Configure the Microsoft App Id and password in the bot channel registration.
In this exercise I registered the application with AAD; the app name is ronniebot1. When configuring the Microsoft App Id in both the bot channel registration and the bot code, you do not use the app name; you use the client id of the app registration.
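To show where the App Id and password from this step actually take effect, here is an added example (my own illustration, not a file from the BotBuilder sample) of the minimal ASP.NET Core wiring the csharp_dotnetcore samples use. It assumes appsettings.json contains the keys MicrosoftAppId (the client id of the app registration) and MicrosoftAppPassword (its client secret); the EchoBot class is a placeholder IBot. The same credentials serve both directions: inbound, every request to /api/messages must carry a bearer JWT issued by the Bot Framework whose audience is this App Id; outbound, the bot uses the id and secret to obtain a token before calling back to the channel. The one defensive check added here is that an empty App Id is only tolerated in Development, because an empty App Id silently disables inbound token validation (a mode intended for the local Emulator only).

```csharp
// Added example: Startup, adapter and controller wiring for a Bot Framework v4 bot on ASP.NET Core.
// Assumed appsettings.json keys: "MicrosoftAppId" and "MicrosoftAppPassword" (from step A1).
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Integration.AspNet.Core;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Bot.Schema;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHttpClient().AddControllers().AddNewtonsoftJson();

        // Reads MicrosoftAppId / MicrosoftAppPassword from configuration.
        // Inbound: validates the Bot Framework JWT on each request (issuer, signature, audience == App Id).
        // Outbound: acquires a client-credentials token so Azure Bot Service can authenticate the bot.
        services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();
        services.AddSingleton<IBotFrameworkHttpAdapter, AdapterWithErrorHandler>();

        services.AddTransient<IBot, EchoBot>(); // placeholder bot for this example
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection(); // data in transit: /api/messages is only ever served over HTTPS
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

public class AdapterWithErrorHandler : CloudAdapter
{
    public AdapterWithErrorHandler(BotFrameworkAuthentication auth, IConfiguration configuration,
        IWebHostEnvironment env, ILogger<IBotFrameworkHttpAdapter> logger)
        : base(auth, logger)
    {
        // An empty MicrosoftAppId turns inbound token validation off. Acceptable for the local
        // Emulator, never for a deployed bot, so refuse to start outside Development.
        if (string.IsNullOrWhiteSpace(configuration["MicrosoftAppId"]) && !env.IsDevelopment())
        {
            throw new InvalidOperationException("MicrosoftAppId is not configured; refusing to run without bot authentication.");
        }

        OnTurnError = async (turnContext, exception) =>
        {
            // Log the full exception server-side; send the user a generic message so no internal
            // details (stack traces, token errors) leak into the conversation.
            logger.LogError(exception, "Unhandled error on turn: {Message}", exception.Message);
            await turnContext.SendActivityAsync("The bot encountered an error or bug.");
        };
    }
}

[Route("api/messages")]
[ApiController]
public class BotController : ControllerBase
{
    private readonly IBotFrameworkHttpAdapter _adapter;
    private readonly IBot _bot;

    public BotController(IBotFrameworkHttpAdapter adapter, IBot bot)
    {
        _adapter = adapter;
        _bot = bot;
    }

    // ProcessAsync checks the Authorization header before the activity reaches the bot;
    // a request with a missing or invalid token gets a 401 and never reaches OnTurnAsync.
    [HttpPost]
    public Task PostAsync() => _adapter.ProcessAsync(Request, Response, _bot);
}

// Placeholder IBot so the wiring above compiles; the real samples use richer handlers.
public class EchoBot : ActivityHandler
{
    protected override Task OnMessageActivityAsync(ITurnContext<IMessageActivity> turnContext, CancellationToken cancellationToken)
        => turnContext.SendActivityAsync(MessageFactory.Text($"Echo: {turnContext.Activity.Text}"), cancellationToken);
}
```

When testing from the Emulator without credentials, leave MicrosoftAppId empty and run under the Development environment; before deploying to Azure, set both keys (the client id, not the app name) in the web app's configuration so the guard above passes and inbound validation is active.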

A2) Create OAuth Connection Settings for User Authentication
Azure Active Directory (Azure AD) is a cloud identity service that lets you build applications that securely sign in users using industry-standard protocols such as OAuth 2.0.

Create another app registration and add an OAuth connection setting that references it.

Test From Local:

(So far this approach works with the basic echo bot; the user authentication bot might not work locally, since it needs to reach the bot channel registration to get the AD connection setting.)

B1) Start the bot app from Visual Studio.

The bot app is now up and running and listening on port 3978.

B2) Configure Bot Framework Emulator for Authentication
https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-emulator?view=azure-bot-service-4.0&tabs=csharp#configure-the-emulator-for-authentication

B3) Test from Bot Framework Emulator
Bring up the Bot Framework Emulator, open the bot that is running locally from Visual Studio, and connect to it.

If you encounter "The bot's Microsoft App ID or Microsoft App Password is incorrect.", make sure the app registration for bot authentication uses the following account type:

Accounts in any organizational directory (Any Azure AD directory — Multitenant) and personal Microsoft accounts (e.g. Xbox)

https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-emulator?view=azure-bot-service-4.0&tabs=csharp#use-bot-credentials

Test from Azure:

Deploy the bot from Visual Studio to Azure as a web app; once the web app is up and running, Visual Studio opens its URL in the browser.

Register the URL with the bot channel registration, for example https://<hostname>.azurewebsites.net/api/messages
Test the bot from the bot channel registration's web chat.

If you encounter the following error, ensure that the app registration was created with the right type: Accounts in any organizational directory (Any Azure AD directory — Multitenant) and personal Microsoft accounts (e.g. Xbox)

Teams Auth Example

Code:

BotBuilder-Samples/samples/csharp_dotnetcore/46.teams-auth at main · microsoft/BotBuilder-Samples · GitHub

Ngrok

After installing ngrok, create a tunnel to the local bot.

Create Azure Bot Channel Registration

Create the teamsbotapp app registration and the bot channel registration ronnieteamsauthbot.

Add Teams Channel to Bot Channel Registration

Details are in the MS doc below.

Connect a bot to Microsoft Teams — Bot Service | Microsoft Docs

Add Bot App to Teams

Update the bot app manifest file with the Microsoft App Id, create a zip file, and upload it as a custom app to Teams.

Edit the manifest.json contained in the teamsAppManifest folder, replacing the placeholder string <<YOUR-MICROSOFT-APP-ID>> with your Microsoft App Id (created when you registered your bot earlier) everywhere it appears (depending on the scenario, the Microsoft App Id may occur multiple times in manifest.json).

Zip up the contents of the teamsAppManifest folder to create a manifest.zip

Upload the manifest.zip to Teams (in the Apps view click "Upload a custom app")

Deploy Bot to Azure

Configure the bot app's appsettings with the Microsoft App Id and password, configure the ConnectionName as well, and deploy the Teams auth bot app to an Azure web app.

Make sure the bot channel registration is configured with the App Id and the OAuth connection settings, and update the bot API endpoint in the bot channel registration as well.

Test from Teams

Run the bot app from Teams; we now get the user token for testuser1.

After signing out, typing anything prompts the user to sign in again.
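The dialog below is an added example (my own illustration, not the sample's own MainDialog) that ties together step A2 and the sign-out behaviour just observed: an OAuthPrompt bound to the OAuth connection setting, a waterfall that receives the TokenResponse, and a "logout" shortcut that revokes the token through the UserTokenClient so the next message triggers the sign-in card again. It assumes appsettings.json carries a "ConnectionName" key holding the name of the OAuth connection setting configured on the bot channel registration; the Bot Service performs the actual sign-in with Azure AD, so the bot never sees the user's credentials, only the resulting token.

```csharp
// Added example: user sign-in and sign-out through an OAuth connection setting.
// Assumed appsettings.json key: "ConnectionName" (the OAuth connection setting from step A2).
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Dialogs;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Bot.Schema;
using Microsoft.Extensions.Configuration;

public class MainDialog : ComponentDialog
{
    private readonly string _connectionName;

    public MainDialog(IConfiguration configuration) : base(nameof(MainDialog))
    {
        _connectionName = configuration["ConnectionName"]
            ?? throw new InvalidOperationException("ConnectionName is not configured.");

        // The OAuthPrompt sends a sign-in card; Azure Bot Service runs the OAuth flow against the
        // identity provider named by the connection setting and stores the token for this user.
        AddDialog(new OAuthPrompt(
            nameof(OAuthPrompt),
            new OAuthPromptSettings
            {
                ConnectionName = _connectionName,
                Text = "Please sign in",
                Title = "Sign In",
                Timeout = 300000, // the user has 5 minutes to complete sign-in
            }));

        AddDialog(new WaterfallDialog(nameof(WaterfallDialog), new WaterfallStep[]
        {
            PromptStepAsync,
            LoginStepAsync,
        }));

        InitialDialogId = nameof(WaterfallDialog);
    }

    // Intercept "logout" before any waterfall step so the user can always revoke the token.
    protected override async Task<DialogTurnResult> OnContinueDialogAsync(DialogContext innerDc, CancellationToken cancellationToken = default)
    {
        var activity = innerDc.Context.Activity;
        if (activity.Type == ActivityTypes.Message
            && string.Equals(activity.Text?.Trim(), "logout", StringComparison.OrdinalIgnoreCase))
        {
            // Removes the token from the Bot Service token store for this user, connection and channel.
            // After this, the next message falls through to PromptStepAsync and shows the sign-in card again.
            var userTokenClient = innerDc.Context.TurnState.Get<UserTokenClient>();
            await userTokenClient.SignOutUserAsync(activity.From.Id, _connectionName, activity.ChannelId, cancellationToken);
            await innerDc.Context.SendActivityAsync(MessageFactory.Text("You have been signed out."), cancellationToken);
            return await innerDc.CancelAllDialogsAsync(cancellationToken);
        }

        return await base.OnContinueDialogAsync(innerDc, cancellationToken);
    }

    private async Task<DialogTurnResult> PromptStepAsync(WaterfallStepContext stepContext, CancellationToken cancellationToken)
    {
        // If a valid token is already cached by the Bot Service, the prompt completes immediately.
        return await stepContext.BeginDialogAsync(nameof(OAuthPrompt), null, cancellationToken);
    }

    private async Task<DialogTurnResult> LoginStepAsync(WaterfallStepContext stepContext, CancellationToken cancellationToken)
    {
        // OAuthPrompt returns a TokenResponse on success; anything else means sign-in did not complete.
        if (stepContext.Result is TokenResponse tokenResponse && !string.IsNullOrEmpty(tokenResponse.Token))
        {
            // tokenResponse.Token is the access token for the downstream API (for example Microsoft Graph).
            // Use it server-side only; never echo it into the conversation or write it to logs.
            await stepContext.Context.SendActivityAsync(MessageFactory.Text("You are now signed in."), cancellationToken);
            return await stepContext.EndDialogAsync(null, cancellationToken);
        }

        await stepContext.Context.SendActivityAsync(MessageFactory.Text("Sign-in was not successful, please try again."), cancellationToken);
        return await stepContext.EndDialogAsync(null, cancellationToken);
    }
}
```

The same dialog works in the Emulator, Web Chat and Teams because the token exchange is handled by Azure Bot Service rather than by channel-specific code; on Teams the sample additionally derives from TeamsActivityHandler so the sign-in verification invoke activities are routed into the dialog.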

Conclusion

Best practice is to always enable bot authentication and, whenever the bot needs to access a secured resource on behalf of a user, to always enable user authentication as well.

Always use HTTPS to encrypt data in transit.

Always protect data at rest if you need to persist data: minimize the valuable information you store, harden your database, protect your database server with a firewall, and use Azure Security Center to monitor and alert.

Reference Links

Add authentication to a bot via Azure Bot Service — Bot Service | Microsoft Docs

Add Single sign on to a bot — Bot Service | Microsoft Docs

Connect a bot to Microsoft Teams — Bot Service | Microsoft Docs

Appendix — ngrok

If you need to debug local code while still working with the Bot Service and receiving messages from a channel, use ngrok.

Use ngrok to redirect internet traffic to your local bot, and register the ngrok URL with the bot channel registration.

Debug a channel using ngrok — Bot Service | Microsoft Docs