Azure Teams Bot Single Sign On
Overview
This article builds on the previous story, https://cloudjourney.medium.com/azure-bot-service-39004019ccae, and focuses on setting up and testing a Teams SSO bot.
Demonstration
a) Create the Microsoft App ID (teams-sso-bot-app1)
Application Id 67b9exxxxxxxxx
For Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
b) Create the AAD App Registration (teamssso, used for the AAD connection setting)
Client ID: 780fxxxxxx
On the Authentication blade, set the redirect URI to https://token.botframework.com/.auth/web/redirect
On the Expose an API blade, if you are building a standalone bot, enter the Application ID URI as api://botid-{YourBotId}, where YourBotId is the Microsoft App ID from step a (67b9exxxxxxxxx).
Required:
Microsoft confirmed that the following Teams client applications must be added as authorized client applications for the exposed API; Teams SSO does not work without this.
- 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
- 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
c) Update the Teams app manifest.json file
webApplicationInfo.id is the teamssso client ID (step b) and webApplicationInfo.resource is the teamssso Application ID URI. Per the Microsoft docs, resource is the Application ID URI and must not include a scope name.
"bots": [
    {
        "botId": "67b9exxxxxxxxx",
        "scopes": [
            "personal",
            "team",
            "groupchat"
        ],
        "supportsFiles": false,
        "isNotificationOnly": false
    }
],
"webApplicationInfo": {
    "id": "780fxxxxxx",
    "resource": "api://botid-67b9exxxxxxxxx"
},
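The consistency between step b and step c is where most SSO setups go wrong: the manifest's resource must be exactly the Application ID URI of the AAD app (no scope name), the AAD app must be multi-tenant, and both Teams client IDs must be pre-authorized. The following checker is an added example, not code from the article or from the BotBuilder-Samples repo. It cross-checks a Teams manifest against the JSON of the AAD app registration; the AAD field names (appId, signInAudience, identifierUris, preAuthorizedApplications[].appId) are assumed from the portal's legacy manifest editor, and the GUIDs used as sample data are constructed placeholders for the article's redacted values.

```python
import uuid

# Teams client application IDs listed in the article; both must be pre-authorized
# on the exposed API (step b) or Teams SSO fails.
TEAMS_CLIENT_IDS = {
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",  # Teams desktop/mobile
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",  # Teams web
}

# signInAudience values for which the /common endpoint works (multi-tenant).
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def is_guid(value):
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def check_sso_config(teams_manifest, aad_manifest):
    """Cross-check the Teams app manifest against the AAD app registration.

    Returns a list of findings; an empty list means the two are consistent.
    aad_manifest uses the field names of the portal's legacy manifest editor
    (assumption): appId, signInAudience, identifierUris, preAuthorizedApplications.
    """
    findings = []
    bots = teams_manifest.get("bots", [])
    if len(bots) != 1:
        return ["expected exactly one entry under 'bots'"]
    bot_id = str(bots[0].get("botId", ""))
    wai = teams_manifest.get("webApplicationInfo", {})
    aad_id = str(wai.get("id", ""))
    resource = str(wai.get("resource", ""))

    if not is_guid(bot_id):
        findings.append(f"botId is not a GUID: {bot_id!r}")
    if not is_guid(aad_id):
        findings.append(f"webApplicationInfo.id is not a GUID: {aad_id!r}")

    # resource must be exactly the Application ID URI, with no scope name appended
    expected = f"api://botid-{bot_id}"
    if resource.lower() != expected.lower():
        findings.append(f"resource {resource!r} must be {expected!r} with no scope name")

    # AAD side: same client ID, same identifier URI, multi-tenant, Teams clients pre-authorized
    if str(aad_manifest.get("appId", "")).lower() != aad_id.lower():
        findings.append("webApplicationInfo.id does not match the AAD app's appId")
    uris = {u.lower() for u in aad_manifest.get("identifierUris", [])}
    if expected.lower() not in uris:
        findings.append(f"AAD identifierUris does not contain {expected!r}")
    if aad_manifest.get("signInAudience") not in MULTI_TENANT_AUDIENCES:
        findings.append("AAD app is not multi-tenant (this is what produces AADSTS50194)")
    pre = {str(p.get("appId", "")).lower() for p in aad_manifest.get("preAuthorizedApplications", [])}
    missing = sorted(TEAMS_CLIENT_IDS - pre)
    if missing:
        findings.append(f"Teams client apps not pre-authorized: {missing}")
    return findings


# Constructed sample IDs standing in for the article's redacted values.
BOT_APP_ID = "11111111-2222-4333-8444-555555555555"   # step a (Microsoft App ID)
AAD_APP_ID = "66666666-7777-4888-9999-aaaaaaaaaaaa"   # step b (teamssso)

GOOD_TEAMS_MANIFEST = {
    "bots": [{"botId": BOT_APP_ID, "scopes": ["personal", "team", "groupchat"]}],
    "webApplicationInfo": {"id": AAD_APP_ID, "resource": f"api://botid-{BOT_APP_ID}"},
}
GOOD_AAD_MANIFEST = {
    "appId": AAD_APP_ID,
    "signInAudience": "AzureADMultipleOrgs",
    "identifierUris": [f"api://botid-{BOT_APP_ID}"],
    "preAuthorizedApplications": [{"appId": cid, "permissionIds": []} for cid in sorted(TEAMS_CLIENT_IDS)],
}

# Same registration with three common mistakes: scope appended to resource,
# single-tenant audience, and only the desktop client pre-authorized.
BAD_TEAMS_MANIFEST = {
    "bots": GOOD_TEAMS_MANIFEST["bots"],
    "webApplicationInfo": {"id": AAD_APP_ID, "resource": f"api://botid-{BOT_APP_ID}/access_as_user"},
}
BAD_AAD_MANIFEST = {
    **GOOD_AAD_MANIFEST,
    "signInAudience": "AzureADMyOrg",
    "preAuthorizedApplications": [{"appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264", "permissionIds": []}],
}

if __name__ == "__main__":
    print("good:", check_sso_config(GOOD_TEAMS_MANIFEST, GOOD_AAD_MANIFEST))
    print("bad:", check_sso_config(BAD_TEAMS_MANIFEST, BAD_AAD_MANIFEST))
```

Run it against your own manifest.json and the JSON from the app registration's Manifest blade before zipping the Teams package; every finding corresponds to a step above, and the multi-tenant finding is the one behind the AADSTS50194 error shown later in this article.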
d) Bot Channel Registration
Create a Bot Channel Registration; for Microsoft App ID, use the app registration from step a.
Then add an OAuth connection setting to the Bot Channel Registration: in the service provider fields, use the app registration from step b, and set the Token Exchange URL to the resource value from manifest.json (api://botid-67b9exxxxxxxxx).
e) Publish the Bot App
Clone the code from the BotBuilder-Samples repo.
Open botbuilder-samples\experimental\teams-sso\csharp_dotnetcore\TeamsAuth.sln in Visual Studio.
Update appsettings.json with the Microsoft App ID, password and AAD connection setting name, then right-click the solution and select "Publish" to deploy to Azure as a Web App.
If you still need to create an App Service plan and App Service, both can be created from Visual Studio first; then publish the code.
After the code is pushed to the Azure App Service, you can inspect the deployed files from the App Service console.
f) Update the Bot Channel Registration messaging endpoint with the Bot App's /api/messages URL
g) Ensure that you’ve enabled the Teams Channel
h) Zip the manifest and upload it to Teams
manifest.json is located in the experimental\teams-sso\csharp_dotnetcore\TeamsAppManifest folder.
Log on to Teams with an admin account and either upload a new custom app or update the existing one.
After the app is uploaded, add it to a chat.
If you receive the following error, go back to step b: on the Authentication blade of the teamssso app registration, select the multitenant account type.
{
    "error": {
        "code": "ServiceError",
        "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_request&error_description=AADSTS50194%3a+Application+%27780f4cda-d5e1 xxxxxxxxxxxx %27(teamssso)+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant.%0d%0aTrace+ID%3a+ba53d......"
    }
}
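The useful part of that ServiceError is the AADSTS code buried in the URL-encoded error_description of the redirect that token.botframework.com received. The decoder below is an added example, not part of the article or the BotBuilder sample: it pulls the redirect URL out of the message, decodes the query string, extracts the AADSTS code and the human-readable sentence, and maps the code to the step that fixes it. The sample payload is constructed to mirror the article's error, with a placeholder app ID in place of the redacted one; the hint table only knows the code this article encountered.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# AADSTS codes seen in this walkthrough, mapped to the step that fixes them.
AADSTS_HINTS = {
    "AADSTS50194": "step b: the teamssso app registration is single-tenant; "
                   "set Supported account types to multitenant on its Authentication blade",
}


def decode_service_error(payload):
    """Extract the AAD error hidden in a Bot Framework ServiceError message.

    payload is the JSON text (or already-parsed dict) the bot returned. The
    message embeds the redirect URL token.botframework.com received; its
    error_description is URL-encoded, which is why the AADSTS code is hard to
    spot by eye. Returns the decoded fields plus a hint, or None if the message
    does not contain a redirect URL.
    """
    body = json.loads(payload) if isinstance(payload, str) else payload
    message = body.get("error", {}).get("message", "")
    match = re.search(r"Url = (\S+)", message)
    if not match:
        return None
    query = parse_qs(urlparse(match.group(1)).query)  # %-decodes and maps '+' to space
    description = query.get("error_description", [""])[0]
    code_match = re.match(r"(AADSTS\d+)", description)
    code = code_match.group(1) if code_match else None
    # The human-readable part ends before the "Trace ID" line (%0d%0a in the URL).
    summary = description.split("\r\n")[0].strip()
    return {
        "error": query.get("error", [None])[0],
        "aadsts": code,
        "summary": summary,
        "hint": AADSTS_HINTS.get(code, "no fix recorded for this code"),
    }


# Constructed sample modelled on the article's error; the app ID is a placeholder.
SAMPLE_ERROR = json.dumps({
    "error": {
        "code": "ServiceError",
        "message": (
            "Missing required query string parameter: code. Url = "
            "https://token.botframework.com/.auth/web/redirect?error=invalid_request"
            "&error_description=AADSTS50194%3a+Application+%2700000000-0000-0000-0000-000000000000%27"
            "(teamssso)+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon"
            "+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27."
            "+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant."
            "%0d%0aTrace+ID%3a+ba53d"
        ),
    }
})

if __name__ == "__main__":
    print(json.dumps(decode_service_error(SAMPLE_ERROR), indent=2))
```

Paste the bot's JSON reply into SAMPLE_ERROR's place (or read it from a file) and the summary line tells you which app registration AAD is complaining about, which is quicker than deciphering the encoded URL in the Teams client.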
After signing out, typing anything prompts you to sign in again.
Appendix
Regarding connecting the Teams channel in the Bot Channel Registration
Once I removed the Teams channel connection from the Bot Channel Registration, the Teams bot no longer responded.
References
BotBuilder-Samples/SSOSetup.md at main · microsoft/BotBuilder-Samples · GitHub
Does team-sso Show Token? · Issue #3034 · microsoft/BotBuilder-Samples (github.com)