Updates from: 02/16/2022 02:15:01
Service Microsoft Docs article Related commit history on GitHub Change details
platform Enable And Configure Your App For Teams Meetings https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/apps-in-teams-meetings/enable-and-configure-your-app-for-teams-meetings.md
Participants can share specific parts of the app to the collaborative meeting st
To share specific parts of the app to stage, you must invoke the related APIs in the Teams client SDK library. For more information, see [API reference](API-references.md).
-If you want your app to support anonymous users, initial invoke request payload must rely on `from.id` request metadata in `from` object, not `from.aadObjectId` request metadata. `from.id` is the user ID and `from.aadObjectId` is the Microsoft Azure Active Directory (Azure AD) ID of the user. For more information, see [using task modules in tabs](../task-modules-and-cards/task-modules/task-modules-tabs.md) and [create and send the task module](../messaging-extensions/how-to/action-commands/create-task-module.md?tabs=dotnet#the-initial-invoke-request).
+If you want your app to support anonymous users, initial invoke request payload must rely on `from.id` request metadata in `from` object, not `from.aadObjectId` request metadata. `from.id` is the user ID and `from.aadObjectId` is the Azure AD ID of the user. For more information, see [using task modules in tabs](../task-modules-and-cards/task-modules/task-modules-tabs.md) and [create and send the task module](../messaging-extensions/how-to/action-commands/create-task-module.md?tabs=dotnet#the-initial-invoke-request).
### After a meeting
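Review bot: on the `+` line, "initial invoke request payload must rely on `from.id`" makes the payload the subject, but it is the app's handler that has to key on `from.id`. Reword to something like "your app must identify the user by `from.id` in the initial invoke request, not by `from.aadObjectId`". It would also help to say what `from.aadObjectId` contains for an anonymous user, since the sentence only defines it as "the Azure AD ID of the user" and leaves readers to guess why it cannot be relied on.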
platform Meeting App Extensibility https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/apps-in-teams-meetings/meeting-app-extensibility.md
User types, such as organizer, presenter, or attendee in a meeting can do one of
The following list details the various user types along with their accessibility and performance: * **In-tenant**: In-tenant users belong to the organization and have credentials in Microsoft Azure Active Directory (Azure AD) for the tenant. They're full-time, onsite, or remote employees. An in-tenant user can be an organizer, presenter, or attendee.
-* **Guest**: A guest is a participant from another organization invited to access Teams or other resources in the organization's tenant. Guests are added to the organizationΓÇÖs Microsoft Azure Active Directory (Azure AD) and have same Teams capabilities as a native team member. They have access to team chats, meetings, and files. A guest can be an organizer, presenter, or attendee. For more information, see [guest access in Teams](/microsoftteams/guest-access).
+* **Guest**: A guest is a participant from another organization invited to access Teams or other resources in the organization's tenant. Guests are added to the organizationΓÇÖs Azure AD and have same Teams capabilities as a native team member. They have access to team chats, meetings, and files. A guest can be an organizer, presenter, or attendee. For more information, see [guest access in Teams](/microsoftteams/guest-access).
* **Federated or external**: A federated user is an external Teams user in another organization who has been invited to join a meeting. Federated users have valid credentials with federated partners and are authorized by Teams. They don't have access to your teams or other shared resources from your organization. Guest access is a better option for external users to have access to teams and channels. For more information, see [manage external access in Teams](/microsoftteams/manage-external-access). > [!NOTE]
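Review bot: the `+` Guest bullet still reads "have same Teams capabilities"; add the article ("the same Teams capabilities") while this line is being touched. The possessive in "organizationΓÇÖs" is a typographic apostrophe that is not surviving encoding, whereas "organization's tenant" earlier in the same bullet uses a plain one. Use the plain apostrophe in both places.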
The following list details the various user types along with their accessibility
> [!IMPORTANT] > Currently, third-party apps are available in Government Community Cloud (GCC) but are not available for GCC-High and Department of Defense (DOD). Third-party apps are turned off by default for GCC. To turn on third-party apps for GCC, see [manage app permission policies](/microsoftteams/teams-app-permission-policies) and [manage apps](/microsoftteams/manage-apps).
-* **Anonymous**: Anonymous users don't have an Microsoft Azure Active Directory (Azure AD) identity and aren't federated with a tenant. The anonymous participants are like external users, but their identity isn't shown in the meeting. Anonymous users can't access apps in a meeting window. An anonymous user can't be an organizer but can be a presenter or attendee.
+* **Anonymous**: Anonymous users don't have an Azure AD identity and aren't federated with a tenant. The anonymous participants are like external users, but their identity isn't shown in the meeting. Anonymous users can't access apps in a meeting window. An anonymous user can't be an organizer but can be a presenter or attendee.
> [!NOTE] > Anonymous users inherit the global default user-level app permission policy. For more information, see [manage Apps](/microsoftteams/non-standard-users#anonymous-user-in-meetings-access).
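Review bot: the `+` Anonymous bullet says "Anonymous users can't access apps in a meeting window", yet the feature table in this same article lists anonymous users as able to interact with Adaptive Cards in the meeting chat and to "view and interact with app on the meeting stage". Narrow the bullet to the surfaces the table marks as not available (tabs, bots, messaging extensions, in-meeting dialog, content bubble) so the two do not contradict each other on what an unauthenticated participant can reach.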
The following table provides the user types and lists the features that each use
| User type | Tabs | Bots | Messaging extensions | Adaptive Cards | Task modules | In-meeting dialog | Meeting Stage | Content bubble | | :-- | :-- | :-- | :-- | :-- | :-- | :-- | :-- | :-- | | Anonymous user | Not available | Not available | Not available | Interactions in the meeting chat are allowed. | Interactions in the meeting chat from Adaptive Card are allowed. | Not available | Can view and interact with app on the meeting stage | Not available |
-| Guest, part of the tenant Microsoft Azure Active Directory (Azure AD) | Interaction is allowed. Create, update, and delete aren't allowed. | Not available | Not available | Interactions in the meeting chat are allowed. | Interactions in the meeting chat from Adaptive Card are allowed. | Available | Can start, view, and interact with app on the meeting stage | Available |
+| Guest, part of the tenant Azure AD | Interaction is allowed. Create, update, and delete aren't allowed. | Not available | Not available | Interactions in the meeting chat are allowed. | Interactions in the meeting chat from Adaptive Card are allowed. | Available | Can start, view, and interact with app on the meeting stage | Available |
| Federated user, for more information, see [non-standard users](/microsoftteams/non-standard-users). | Interaction is allowed. Create, update, and delete aren't allowed. | Interaction is allowed. Acquire, update, and delete aren't allowed. | Not available | Interactions in the meeting chat are allowed. | Interactions in the meeting chat from Adaptive Card are allowed. | Not available | Can start, view, and interact with app on the meeting stage | Not available | ## Next step
platform Registering Calling Bot https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/bots/calls-and-meetings/registering-calling-bot.md
You must configure the application permissions for your bot in advance by using
### Get tenant administrator consent
-For apps using the Microsoft Azure Active Directory (Azure AD) V1 endpoint, a tenant administrator can consent to the application permissions using the [Azure portal](https://portal.azure.com) when your app is installed in their organization. Alternately, you can provide a sign-up experience in your app through which administrators can consent to the permissions you configured. Once administrator consent is recorded by Microsoft Azure Active Directory (Azure AD), your app can request tokens without having to request consent again.
+For apps using the Azure AD V1 endpoint, a tenant administrator can consent to the application permissions using the [Microsoft Azure portal](https://portal.azure.com) when your app is installed in their organization. Alternately, you can provide a sign-up experience in your app through which administrators can consent to the permissions you configured. Once administrator consent is recorded by Azure AD, your app can request tokens without having to request consent again.
-You can rely on an administrator to grant the permissions your app needs at the [Azure portal](https://portal.azure.com). A better option is to provide a sign-up experience for administrators by using the Microsoft Azure Active Directory (Azure AD) V2 `/adminconsent` endpoint. For more information, see [instructions on constructing an Admin consent URL](/graph/uth-v2-service#3-get-administrator-consent).
+You can rely on an administrator to grant the permissions your app needs at the [Microsoft Azure portal](https://portal.azure.com). A better option is to provide a sign-up experience for administrators by using the Azure AD V2 `/adminconsent` endpoint. For more information, see [instructions on constructing an Admin consent URL](/graph/uth-v2-service#3-get-administrator-consent).
> [!NOTE] > To construct the tenant Admin consent URL, a configured redirect URI or reply URL in the [app registration portal](https://apps.dev.microsoft.com/) is required. To add reply URLs for your bot, access your bot registration, choose **Advanced Options** > **Edit Application Manifest**. Add your redirect URL to the `replyUrls` collection.
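Review bot: the link target `/graph/uth-v2-service#3-get-administrator-consent` in the `+` line about the `/adminconsent` endpoint looks like it lost its first character. Confirm it resolves before merging, since it is the only pointer to how the admin consent URL is built. "Alternately" in the first `+` paragraph should be "Alternatively", and "Microsoft Azure portal" only needs the full name on its first use.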
platform Get Teams Context https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/bots/how-to/get-teams-context.md
A bot can access additional context data about a team or chat where it is instal
## Fetch the roster or user profile
-Your bot can query for the list of members and their basic user profiles, including Teams user IDs and Microsoft Azure Active Directory (Azure AD) information, such as name and objectId. You can use this information to correlate user identities. For example, to check whether a user logged into a tab through Microsoft Azure Active Directory (Azure AD) credentials, is a member of the team. For get conversation members, minimum or maximum page size depends on the implementation. Page size less than 50, are treated as 50, and greater than 500, are capped at 500. Even if you use the non-paged version, it is unreliable in large teams and must not be used. For more information, see [changes to Teams Bot APIs for fetching team or chat members](~/resources/team-chat-member-api-changes.md).
+Your bot can query for the list of members and their basic user profiles, including Teams user IDs and Microsoft Azure Active Directory (Azure AD) information, such as name and objectId. You can use this information to correlate user identities. For example, to check whether a user logged into a tab through Azure AD credentials, is a member of the team. For get conversation members, minimum or maximum page size depends on the implementation. Page size less than 50, are treated as 50, and greater than 500, are capped at 500. Even if you use the non-paged version, it is unreliable in large teams and must not be used. For more information, see [changes to Teams Bot APIs for fetching team or chat members](~/resources/team-chat-member-api-changes.md).
The following sample code uses the paged endpoint for fetching the roster:
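Review bot: the `+` line leaves "correlate user identities" vague about which field to match on. The roster returns both name and objectId, so say that the team-membership check should compare the Azure AD objectId, not the display name. The paging sentences also need a grammar pass: "Page size less than 50, are treated as 50" has stray commas and a number mismatch, and "Even if you use the non-paged version, it is unreliable in large teams and must not be used" reads as though the non-paged version is both usable and forbidden.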
After you fetch the roster or user profile, you can get details of a single memb
## Get single member details
-You can also retrieve the details of a particular user using their Teams user ID, UPN, or Microsoft Azure Active Directory (Azure AD) Object ID.
+You can also retrieve the details of a particular user using their Teams user ID, UPN, or Azure AD Object ID.
The following sample code is used to get single member details:
After you get details of a single member, you can get details of the team. Curre
## Get team's details
-When installed in a team, your bot can query for metadata about that team including the Microsoft Azure Active Directory (Azure AD) group ID.
+When installed in a team, your bot can query for metadata about that team including the Azure AD group ID.
The following sample code is used to get team's details:
platform Authentication https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/concepts/authentication/authentication.md
keywords: teams authentication OAuth SSO Microsoft Azure Active Directory (Azure
> [!Note] > Web-based authentication on mobile clients requires version 1.4.1 or later of the Teams JavaScript client SDK.
-To access user information protected by Microsoft Azure Active Directory (Azure AD) and to access data from services like Facebook and Twitter, the app establishes a trusted connection with those providers. If the app uses Microsoft Graph APIs in the user scope, authenticate the user to retrieve the appropriate authentication tokens.
+To access user information protected by Azure AD and to access data from services like Facebook and Twitter, the app establishes a trusted connection with those providers. If the app uses Microsoft Graph APIs in the user scope, authenticate the user to retrieve the appropriate authentication tokens.
In Teams, there are two different authentication flows for the app. Perform a traditional web-based authentication flow in a [content page](~/tabs/how-to/create-tab-pages/content-page.md) embedded in a tab, a configuration page, or a task module. If the app contains a conversational bot, use the OAuthPrompt flow and optionally the Azure Bot Framework's token service to authenticate a user as part of a conversation.
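Review bot: after this change the first body sentence uses "Azure AD" with no expansion, and the only spelled-out form left in view is in the `keywords` metadata, which readers do not see. The Get Teams Context change in this same batch keeps "Microsoft Azure Active Directory (Azure AD)" on first mention and abbreviates afterwards; do the same here.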
Use the web-based authentication flow for [tabs](~/tabs/what-are-tabs.md) and ch
* [Add authentication to the Teams bot](~/bots/how-to/authentication/add-authentication.md) describes how to use web-based authentication flow with a conversational bot. * [Authentication flow in tabs](~/tabs/how-to/authentication/auth-flow-tab.md) describes how tab authentication works in Teams. This shows a typical web-based authentication flow used for tabs.
-* [Microsoft Azure Active Directory (Azure AD) authentication in tabs](~/tabs/how-to/authentication/auth-tab-AAD.md) describes how to connect to Microsoft Azure Active Directory (Azure AD) from within a tab in the app in Teams.
-* [Silent authentication Microsoft Azure Active Directory (Azure AD)](~/tabs/how-to/authentication/auth-silent-AAD.md) describes how to reduce sign-in or consent prompts in the app using Microsoft Azure Active Directory (Azure AD).
+* [Azure AD authentication in tabs](~/tabs/how-to/authentication/auth-tab-AAD.md) describes how to connect to Azure AD from within a tab in the app in Teams.
+* [Silent authentication Azure AD](~/tabs/how-to/authentication/auth-silent-AAD.md) describes how to reduce sign-in or consent prompts in the app using Azure AD.
* [.Net or C#](https://github.com/OfficeDev/microsoft-teams-sample-complete-csharp) or [JavaScript or Node.js](https://github.com/OfficeDev/microsoft-teams-sample-complete-node) provides samples for web-based authentication. ## The OAuthPrompt flow for conversational bots
provides Bot authentication v3 SDK sample.
## Configure the identity provider
-Regardless of the app's authentication flow, configure the identity provider to communicate with the Teams app. Most samples and walkthroughs primarily deal with using Microsoft Azure Active Directory (Azure AD) as the identity provider. The concepts however, apply regardless of the identity provider.
+Regardless of the app's authentication flow, configure the identity provider to communicate with the Teams app. Most samples and walk throughs primarily deal with using Azure AD as the identity provider. The concepts however, apply regardless of the identity provider.
For more information, see [configuring an identity provider](~/concepts/authentication/configure-identity-provider.md).
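Review bot: the last `+` line changes "walkthroughs" to "walk throughs", which is unrelated to the Azure AD rename and introduces a nonstandard spelling; revert to "walkthroughs". In the sentence that follows, the commas should read "The concepts, however, apply".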
platform Configure Identity Provider https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/concepts/authentication/configure-identity-provider.md
Title: Configure OAuth 2.0 identity providers
description: Describes how to configure identity providers with a focus on Microsoft Azure Active Directory (Azure AD) ms.localizationpriority: medium
-keywords: teams authentication Microsoft Azure Active Directory (Azure AD) oauth identity provider
+keywords: teams authentication Azure AD oauth identity provider
# Configure identity providers
-## Configuring an application to use Microsoft Azure Active Directory (Azure AD) as an identity provider
+## Configuring an application to use Azure AD as an identity provider
-Identity providers supporting OAuth 2.0 will not authenticate requests from unknown applications; applications must be registered ahead of time. To do this with Microsoft Azure Active Directory (Azure AD), follow these steps:
+Identity providers supporting OAuth 2.0 will not authenticate requests from unknown applications; applications must be registered ahead of time. To do this with Azure AD, follow these steps:
1. Open the [Application Registration Portal](https://ms.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).
platform Deep Links https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/concepts/build-and-test/deep-links.md
Example: `https://teams.microsoft.com/l/meeting/new?subject=test%20subject&atten
The query parameters are:
-* `attendees`: The optional comma-separated list of user IDs representing the attendees of the meeting. The user performing the action is the meeting organizer. The User ID field currently only supports the Microsoft Azure Active Directory (Azure AD) UserPrincipalName, typically an email address.
+* `attendees`: The optional comma-separated list of user IDs representing the attendees of the meeting. The user performing the action is the meeting organizer. The User ID field currently only supports the Azure AD UserPrincipalName, typically an email address.
* `startTime`: The optional start time of the event. This should be in [long ISO 8601 format](https://en.wikipedia.org/wiki/ISO_8601), for example *2018-03-12T23:55:25+02:00*. * `endTime`: The optional end time of the event, also in ISO 8601 format. * `subject`: An optional field for the meeting subject.
In case of a video call, the client will ask for confirmation and turn on the ca
| Make an audio and video call to a combination of VoIP and PSTN users | https://teams.microsoft.com/l/call/0/0?users=<user1>,4:<phonenumber> | https://teams.microsoft.com/l/call/0/0?users=joe@contoso.com,4:9876543210 | Following are the query parameters:
-* `users`: The comma-separated list of user IDs representing the participants of the call. Currently, the User ID field supports the Microsoft Azure Active Directory (Azure AD) UserPrincipalName, typically an email address, or in case of a PSTN call, it supports a pstn mri 4:<phonenumber>.
+* `users`: The comma-separated list of user IDs representing the participants of the call. Currently, the User ID field supports the Azure AD UserPrincipalName, typically an email address, or in case of a PSTN call, it supports a pstn mri 4:<phonenumber>.
* `withVideo`: This is an optional parameter, which you can use to make a video call. Setting this parameter will only turn on the caller's camera. The receiver of the call has a choice to answer through audio or audio and video call through the Teams call notification window. * `Source`: This is an optional parameter, which informs about the source of the deeplink.
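Review bot: in the `+` `users` bullet, "pstn mri 4:<phonenumber>" is not in code formatting, so `<phonenumber>` can be swallowed as an HTML tag when rendered, and "pstn mri" is lowercase while the table row above writes "PSTN". Write it as "a PSTN MRI in the form `4:<phonenumber>`". The `Source` parameter is also capitalised, unlike `users` and `withVideo`; confirm the casing matches what the client accepts.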
platform Include Saas Offer https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/concepts/deploy-and-publish/appsource/prepare/include-saas-offer.md
For complete instructions, see [build the landing page for your SaaS offer](/azu
Consider the following approaches when building a landing page for the Teams app youΓÇÖre monetizing. See an example landing page in the [end-user purchasing experience](#end-user-purchasing-experience).
-* Users must be able to log in to your landing page with the same Microsoft Azure Active Directory (Azure AD) credentials they used to buy the subscription. For more information, see [Microsoft Azure Active Directory (Azure AD) and transactable SaaS offers in the commercial marketplace](/azure/marketplace/azure-ad-saas).
+* Users must be able to log in to your landing page with the same Azure AD credentials they used to buy the subscription. For more information, see [Azure AD and transactable SaaS offers in the commercial marketplace](/azure/marketplace/azure-ad-saas).
* Allow users to take the following actions on your landing page. DonΓÇÖt forget to consider whatΓÇÖs appropriate for a userΓÇÖs role and permissions (for example, you may want to allow only subscription admins to search for users): * Search for users in their org using email or another form of identity. * See users they can assign licenses to in a list.
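Review bot: the `+` bullet says "log in to your landing page", while the step lists in the other articles of this batch use "Sign in to" for the same action; use "sign in" here too. The bullet is the only place that ties the landing-page session to the purchaser ("the same Azure AD credentials they used to buy the subscription"), so it is worth keeping that sentence first and the link second, as it is now.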
platform Browser Device Permissions https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/concepts/device-capabilities/browser-device-permissions.md
> [!NOTE] > The latest update on how device permissions are handled in the browser is currently available in [public developer preview](../../resources/dev-preview/developer-preview-intro.md) only.
-> This update will be generally available (GA) by February 01, 2022.
+> This update will be generally available (GA) starting February 01, 2022 and finish rolling out late February.
Teams app that require device permissions, such as camera or microphone access, now require users to manually grant permission at a per app level in the web browser. Previously, the browser handled how to grant access permissions, but now these permissions are handled in Microsoft Teams. This has implications on how you design your application and if they require these permissions in the browser.
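Review bot: the `+` note says the update "will be generally available (GA) starting February 01, 2022 and finish rolling out late February", but this change is dated 02/16/2022, after the stated start. Use the present tense ("is rolling out ... and is expected to finish in late February") and add a comma after the year. The line above it still says the update is available in public developer preview only, which now conflicts with a GA rollout that has started.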
platform Test Resource Specific Consent https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/graph-api/rsc/test-resource-specific-consent.md
Add a [webApplicationInfo](../../resources/schem#webapplicat
|Name| Type | Description| ||||
-|`id` |String |Your Microsoft Azure Active Directory (Azure AD) app ID. For more information, see [register your app in the Microsoft Azure Active Directory (Azure AD) portal](resource-specific-consent.md#register-your-app-with-microsoft-identity-platform-using-the-azure-ad-portal).|
+|`id` |String |Your Azure AD app ID. For more information, see [register your app in the Azure AD portal](resource-specific-consent.md#register-your-app-with-microsoft-identity-platform-using-the-azure-ad-portal).|
|`resource`|String| This field has no operation in RSC, but must be added and have a value to avoid an error response; any string will do.| Specify permissions needed by the app.
Add a [webApplicationInfo](../../resources/schem#webapplicat
|Name| Type | Description| ||||
-|`id` |String |Your Microsoft Azure Active Directory (Azure AD) app ID. For more information, see [register your app in the Microsoft Azure Active Directory (Azure AD) portal](resource-specific-consent.md#register-your-app-with-microsoft-identity-platform-using-the-azure-ad-portal).|
+|`id` |String |Your Azure AD app ID. For more information, see [register your app in the Azure AD portal](resource-specific-consent.md#register-your-app-with-microsoft-identity-platform-using-the-azure-ad-portal).|
|`resource`|String| This field has no operation in RSC, but must be added and have a value to avoid an error response; any string will do.| |`applicationPermissions`|Array of strings|RSC permissions for your app. For more information, see [resource-specific permissions](resource-specific-consent.md#resource-specific-permissions).|
Example for RSC in a chat
> In your app manifest, only include the RSC permissions that you want your app to have. > [!NOTE]
-> If the app is meant to access calling/media APIs, then the `webApplicationInfo.Id` should be the Microsoft Azure Active Directory (Azure AD) app Id of an [Azure Bot Service](/graph/cloud-communications-get-started#register-a-bot).
+> If the app is meant to access calling/media APIs, then the `webApplicationInfo.Id` should be the Azure AD app Id of an [Azure Bot Service](/graph/cloud-communications-get-started#register-a-bot).
## Test added RSC permissions to a team using the Postman app To check whether the RSC permissions are being honored by the API request payload, you need to copy the [RSC JSON test code for team](test-team-rsc-json-file.md) into your local environment and update the following values:
-* `azureADAppId`: Your app's Microsoft Azure Active Directory (Azure AD) app ID.
-* `azureADAppSecret`: Your Microsoft Azure Active Directory (Azure AD) app password.
+* `azureADAppId`: Your app's Azure AD app ID.
+* `azureADAppSecret`: Your Azure AD app password.
* `token_scope`: The scope is required to get a token. set the value to https://graph.microsoft.com/.default. * `teamGroupId`: You can get the team group id from the Teams client as follows:
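Review bot: the `+` note refers to `webApplicationInfo.Id`, but the property table for this manifest section names the field `id`. Use `webApplicationInfo.id` so the text matches the key readers have to type. In the `token_scope` bullet, "set the value to" should start with a capital letter, and the URL would be safer in code formatting.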
To check whether the RSC permissions are being honored by the API request payloa
To check whether the RSC permissions are being honored by the API request payload, you need to copy the [RSC JSON test code for chats](test-chat-rsc-json-file.md) into your local environment and update the following values:
-* `azureADAppId`: Your app's Microsoft Azure Active Directory (Azure AD) app ID.
-* `azureADAppSecret`: Your Microsoft Azure Active Directory (Azure AD) app password.
+* `azureADAppId`: Your app's Azure AD app ID.
+* `azureADAppSecret`: Your Azure AD app password.
* `token_scope`: The scope is required to get a token. set the value to https://graph.microsoft.com/.default.
-* `tenantId`: The name or the Microsoft Azure Active Directory (Azure AD) Object ID of your tenant.
+* `tenantId`: The name or the Azure AD Object ID of your tenant.
* `chatId`: You can get the chat thread id from the Teams *web* client as follows: 1. In the Teams web client, select **Chat** from the far left navigation bar.
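Review bot: `azureADAppSecret` is described on the `+` line only as "Your Azure AD app password", and the instructions have the reader paste it into a JSON file copied to their local environment. Add a sentence telling readers to treat that file as a credential (keep it out of source control, and remove or rotate the secret after testing), and prefer the term "client secret". The `tenantId` bullet says "The name or the Azure AD Object ID of your tenant"; say which of the two the test collection expects if they are not interchangeable.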
platform Extend M365 Teams Message Extension https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/m365-apps/extend-m365-teams-message-extension.md
For users to interact with your messaging extension from Outlook, you'll need to
> [!NOTE] > You can skip the step if you're using [Teams messaging extension search sample](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/javascript_nodejs/50.teams-messaging-extensions-search), as the scenario doesn't involve Azure Active Directory (AAD) Single Sign-On authentication.
-Azure Active Directory Single-sign on (SSO) for messaging extensions works the same way in Outlook [as it does in Teams](/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots), however you need to add several client application identifiers to the Microsoft Azure Active Directory (Azure AD) app registration of your bot in your tenant's *App registrations* portal.
+Azure Active Directory Single-sign on (SSO) for messaging extensions works the same way in Outlook [as it does in Teams](/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots), however you need to add several client application identifiers to the Azure AD app registration of your bot in your tenant's *App registrations* portal.
1. Sign in to [Azure portal](https://portal.azure.com) with your sandbox tenant account. 1. Open **App registrations**.
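Review bot: three spellings of the same product now sit within three lines: "Azure Active Directory (AAD)" in the note, "Azure Active Directory Single-sign on (SSO)" at the start of the `+` line, and "Azure AD" later in it. The rename should cover the whole paragraph: drop "AAD", and settle on one form of "single sign-on" (the note has "Single Sign-On", the `+` line has "Single-sign on").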
platform Extend M365 Teams Personal Tab https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/m365-apps/extend-m365-teams-personal-tab.md
If your app makes use of [Content Security Policy](https://developer.mozilla.org
| Office | `*.office.com` | | Outlook | `outlook.office.com`, `outlook.office365.com` |
-## Update Microsoft Azure Active Directory (Azure AD) app registration for SSO
+## Update Azure AD app registration for SSO
-Azure Active Directory Single-sign on (SSO) for personal tabs works the same way in Office and Outlook [as it does in Teams](/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso), however you will need to add several client application identifiers to the Microsoft Azure Active Directory (Azure AD) app registration of your tab app in your tenant's *App registrations* portal.
+Azure Active Directory Single-sign on (SSO) for personal tabs works the same way in Office and Outlook [as it does in Teams](/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso), however you will need to add several client application identifiers to the Azure AD app registration of your tab app in your tenant's *App registrations* portal.
1. Sign in to [Microsoft Azure portal](https://portal.azure.com) with your sandbox tenant account. 1. Open the **App registrations** blade.
platform Moodleinstructions https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/resources/moodleInstructions.md
In this article you'll learn how to install the Moodle LMS.
> [!NOTE] > To help IT admins to easily set-up Moodle and Teams integration, open-source Microsoft 365 Moodle Plugins is updated for the following: >
-> * Auto-registration of your Moodle server with [Microsoft Azure Active Directory (Microsoft Azure Active Directory (Azure AD))](https://azure.microsoft.com/services/active-directory/).
+> * Auto-registration of your Moodle server with [Microsoft Azure Active Directory (Azure AD)](https://azure.microsoft.com/services/active-directory/).
> > * One-click deployment of your Moodle Assistant bot to Azure. >
Following are the prerequisites to install Moodle:
* Moodle administrator credentials.
-* Microsoft Azure Active Directory (Azure AD) administrator credentials.
+* Azure AD administrator credentials.
* An Azure subscription where you can create new resources.
Ensure to install and download the following before proceeding with the Microsof
> > * If you do not have an existing Moodle site, go to the [Moodle on Azure](https://github.com/azure/moodle) repo, and quickly deploy a Moodle instance and customize it to your needs.
-## 2. Configure the connection between the Microsoft 365 plugins and Microsoft Azure Active Directory (Microsoft Azure Active Directory (Azure AD))
+## 2. Configure the connection between the Microsoft 365 plugins and Azure AD
-You must configure the connection between the Microsoft 365 plugins and Microsoft Azure Active Directory (Azure AD).
+You must configure the connection between the Microsoft 365 plugins and Azure AD.
### Requisites
-Register Moodle as an application in your Microsoft Azure Active Directory (Azure AD), using the PowerShell script. The script provisions the following:
+Register Moodle as an application in your Azure AD, using the PowerShell script. The script provisions the following:
-* A new Microsoft Azure Active Directory (Azure AD) application for your Microsoft 365 tenant, which is used by the Microsoft 365 Moodle Plugins.
+* A new Azure AD application for your Microsoft 365 tenant, which is used by the Microsoft 365 Moodle Plugins.
* The app for your Microsoft 365 tenant, set up the required reply URLs and permissions for the provisioned app, and returns the `AppID` and `Key`.
-Use the generated `AppID` and `Key` in your Microsoft 365 Moodle Plugins setup page to configure your Moodle server site with Microsoft Azure Active Directory (Azure AD).
+Use the generated `AppID` and `Key` in your Microsoft 365 Moodle Plugins setup page to configure your Moodle server site with Azure AD.
> [!IMPORTANT] >
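Review bot: "Register Moodle as an application in your Azure AD, using the PowerShell script" on the `+` line needs a noun after the abbreviation ("your Azure AD tenant") and never names or links the script. The unchanged bullet "The app for your Microsoft 365 tenant, set up the required reply URLs and permissions for the provisioned app, and returns the `AppID` and `Key`" is not a sentence; rewrite it, and say there that `Key` is a secret and should be stored as one.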
Use the generated `AppID` and `Key` in your Microsoft 365 Moodle Plugins setup p
1. Enter `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser`. 1. Enter `./Moodle-AzureAD-Script.ps1`. 1. Sign in to your Microsoft 365 administrator account in the pop-up window.
- 1. Enter the name of the Microsoft Azure Active Directory (Azure AD) Application, for example, Moodle or Moodle plugins.
+ 1. Enter the name of the Azure AD Application, for example, Moodle or Moodle plugins.
1. Enter the URL for your Moodle server. 1. Copy the **Application ID (`AppID`)** and **Application Key(`Key`)** generated by the script and save them.
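Review bot: in the context steps above the `+` line, `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser` leaves the relaxed policy in place for the user after the script has run. Suggest `-Scope Process` so the change ends with the PowerShell session, or add a closing step that restores the previous policy. The last step tells readers to copy the `Key` and "save" it; say where (a secret store, not a shared document).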
Use the generated `AppID` and `Key` in your Microsoft 365 Moodle Plugins setup p
1. After the page refreshes you can see another new section **Admin consent & additional information**. 1. Select **Provide Admin Consent** link, enter your Microsoft 365 Global Administrator credentials, then **Accept** to grant the permissions.
- 1. Next to the **Microsoft Azure Active Directory (Azure AD) Tenant** field, select the **Detect** button.
+ 1. Next to the **Azure AD Tenant** field, select the **Detect** button.
1. Next to the **OneDrive for Business URL**, select the **Detect** button. 1. After the fields populate, select the **Save changes** button again. 1. Select the **Update** button to verify the installation, and then select **Save changes**.
-1. Synchronize users between your Moodle server and Microsoft Azure Active Directory (Azure AD). To get started:
+1. Synchronize users between your Moodle server and Azure AD. To get started:
> [!NOTE] > Depending on your environment, you can select different options during this stage.
-1. Synchronize users between your Moodle server and Microsoft Azure Active Directory (Azure AD). Depending on your environment, you can select different options during this stage. To get started:
+1. Synchronize users between your Moodle server and Azure AD. Depending on your environment, you can select different options during this stage. To get started:
1. Switch to the **Sync Settings tab**.
- 1. In the **Sync users with Microsoft Azure Active Directory (Azure AD)** section, select the checkboxes that apply to your environment. You must select the following:
+ 1. In the **Sync users with Azure AD** section, select the checkboxes that apply to your environment. You must select the following:
- Γ£ö Create accounts in Moodle for users in Microsoft Azure Active Directory (Azure AD).
+ Γ£ö Create accounts in Moodle for users in Azure AD.
- Γ£ö Update all accounts in Moodle for users in Microsoft Azure Active Directory (Azure AD).
+ Γ£ö Update all accounts in Moodle for users in Azure AD.
- 1. In the **User Creation Restriction** section, you can setup a filter to limit the Microsoft Azure Active Directory (Azure AD) users that is synced to Moodle.
- 1. The **User Field Mapping** section allows you to customize the Microsoft Azure Active Directory (Azure AD) to Moodle User Profile field mapping.
+ 1. In the **User Creation Restriction** section, you can setup a filter to limit the Azure AD users that is synced to Moodle.
+ 1. The **User Field Mapping** section allows you to customize the Azure AD to Moodle User Profile field mapping.
1. In the **Teams Sync** section, you can select to automatically create Groups, such as teams for some, or all, of your existing Moodle courses.
-13. To validate [cron](https://docs.moodle.org/310/en/Cron) jobs and run them manually for the first run, select the **Scheduled tasks management page** link in the **Sync users with Microsoft Azure Active Directory (Azure AD)** section. This takes you to the **Scheduled Tasks** page.
+13. To validate [cron](https://docs.moodle.org/310/en/Cron) jobs and run them manually for the first run, select the **Scheduled tasks management page** link in the **Sync users with Azure AD** section. This takes you to the **Scheduled Tasks** page.
- 1. Scroll down and find the **Sync users with Microsoft Azure Active Directory (Azure AD)** job and select **Run now**.
+ 1. Scroll down and find the **Sync users with Azure AD** job and select **Run now**.
1. If you select to create Groups based on existing courses, you can also run the **Create user groups in Microsoft 365** job. > [!NOTE]
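Review bot: The added **User Creation Restriction** line keeps two grammar errors from the line it replaces: "you can setup a filter" should use the verb "set up", and "the Azure AD users that is synced" should read "that are synced". Since the line is being touched anyway, fix both in this change. The step numbered `13.` a few lines later is also inconsistent with the `1.` auto-numbering used by the other steps in this hunk.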
platform Manifest Schema https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/resources/schema/manifest-schema.md
Provide your Azure Active Directory App ID and Microsoft Graph information to he
|Name| Type| Maximum size | Required | Description| ||||||
-|`id`|string|36 characters|Γ£ö|Microsoft Azure Active Directory (Azure AD) application ID of the app. This ID must be a GUID.|
+|`id`|string|36 characters|Γ£ö|Azure AD application ID of the app. This ID must be a GUID.|
|`resource`|string|2048 characters|Γ£ö|Resource URL of app for acquiring auth token for SSO. </br> **NOTE:** If you are not using SSO, ensure that you enter a dummy string value in this field to your app manifest, for example, https://notapplicable to avoid an error response. | ## showLoadingIndicator
platform Integrating Web Apps https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/samples/integrating-web-apps.md
See how to get context for your Teams [tab](../tabs/how-to/access-teams-context.
Azure Active Directory is the identity provider for Teams. If your app uses a different identity provider, you must either do an identity mapping exercise or combine with Microsoft Azure Active Directory (Azure AD).
-Teams has single sign-on (SSO) mechanisms with Microsoft Azure Active Directory (Azure AD) for third-party apps. It also provides the guidance for authentication flows to other identity providers using standards such as OAuth and Open ID Connect, known as OIDC.
+Teams has single sign-on (SSO) mechanisms with Azure AD for third-party apps. It also provides the guidance for authentication flows to other identity providers using standards such as OAuth and Open ID Connect, known as OIDC.
> [!IMPORTANT] > Currently, third-party apps are available in Government Community Cloud (GCC) but are not available for GCC-High and Department of Defense (DOD). Third-party apps are turned off by default for GCC. To turn on third-party apps for GCC, see [manage app permission policies](/microsoftteams/teams-app-permission-policies) and [manage apps](/microsoftteams/manage-apps).
-For SharePoint pages, you can only use SSO and cannot add another Microsoft Azure Active Directory (Azure AD) ID if you want SSO to work for another app as the ID is the SharePoint app.
+For SharePoint pages, you can only use SSO and cannot add another Azure AD ID if you want SSO to work for another app as the ID is the SharePoint app.
Learn more about [authentication in Teams](../concepts/authentication/authentication.md).
platform Access Teams Context https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/access-teams-context.md
Use placeholders in your configuration or content URLs. Microsoft Teams replaces
* {entityId}: The ID you supplied for the item in this tab when first [configuring the tab](~/tabs/how-to/create-tab-pages/configuration-page.md). * {subEntityId}: The ID you supplied when generating a [deep link](~/concepts/build-and-test/deep-links.md) for a specific item within this tab. This must be used to restore to a specific state within an entity; for example, scrolling to or activating a specific piece of content.
-* {loginHint}: A value suitable as a login hint for Microsoft Azure Active Directory (Azure AD). This is usually the login name of the current user in their home tenant.
+* {loginHint}: A value suitable as a login hint for Azure AD. This is usually the login name of the current user in their home tenant.
* {userPrincipalName}: The User Principal Name of the current user in the current tenant.
-* {userObjectId}: The Microsoft Azure Active Directory (Azure AD) object ID of the current user in the current tenant.
+* {userObjectId}: The Azure AD object ID of the current user in the current tenant.
* {theme}: The current user interface (UI) theme such as `default`, `dark`, or `contrast`. * {groupId}: The ID of the Office 365 group in which the tab resides.
-* {tid}: The Microsoft Azure Active Directory (Azure AD) tenant ID of the current user.
+* {tid}: The Azure AD tenant ID of the current user.
* {locale}: The current locale of the user formatted as languageId-countryId(en-us). > [!NOTE]
The following code provides an example of context variable:
"locale": "The current locale of the user formatted as languageId-countryId (for example, en-us)", "entityId": "The developer-defined unique ID for the entity this content points to", "subEntityId": "The developer-defined unique ID for the sub-entity this content points to",
- "loginHint": "A value suitable as a login hint for Microsoft Azure Active Directory (Azure AD). This is usually the login name of the current user, in their home tenant",
+ "loginHint": "A value suitable as a login hint for Azure AD. This is usually the login name of the current user, in their home tenant",
"userPrincipalName": "The principal name of the current user, in the current tenant",
- "userObjectId": "The Microsoft Azure Active Directory (Azure AD) object id of the current user, in the current tenant",
- "tid": "The Microsoft Azure Active Directory (Azure AD) tenant ID of the current user",
+ "userObjectId": "The Azure AD object id of the current user, in the current tenant",
+ "tid": "The Azure AD tenant ID of the current user",
"groupId": "Guid identifying the current Office 365 Group ID", "theme": "The current UI theme: default | dark | contrast", "isFullScreen": "Indicates if the tab is in full-screen",
platform Auth Aad Sso https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-aad-sso.md
The following image shows how the SSO process works:
1. In the tab, a JavaScript call is made to `getAuthToken()`. `getAuthToken()` tells Teams to obtain an access token for the tab application. 2. If the current user is using your tab application for the first time, there's a request prompt to consent if consent is required. Alternately, there's a request prompt to handle step-up authentication such as two-factor authentication.
-3. Teams requests the tab access token from the Microsoft Azure Active Directory (Microsoft Azure Active Directory (Azure AD)) endpoint for the current user.
-4. Microsoft Azure Active Directory (Microsoft Azure Active Directory (Azure AD)) sends the tab access token to the Teams application.
+3. Teams requests the tab access token from the Azure AD endpoint for the current user.
+4. Azure AD sends the tab access token to the Teams application.
5. Teams sends the tab access token to the tab as part of the result object returned by the `getAuthToken()` call. 6. The token is parsed in the tab application using JavaScript, to extract required information, such as the user's email address.
The SSO API also works in [task modules](../../../task-modules-and-cards/what-ar
This section describes the tasks involved in creating a Teams tab that uses SSO. These tasks are language- and framework-agnostic.
-### 1. Create your Microsoft Azure Active Directory (Azure AD) application
+### 1. Create your Azure AD application
> [!NOTE] > There are some important restrictions that you must know: > > * Only user-level Graph API permissions are supported that is, email, profile, offline_access, OpenId. If you must have access to other Graph scopes such as `User.Read` or `Mail.Read`, see [Get an access token with Graph permissions](#get-an-access-token-with-graph-permissions).
-> * It is important that your application's domain name is the same as the domain name you have registered for your Microsoft Azure Active Directory (Azure AD) application.
+> * It is important that your application's domain name is the same as the domain name you have registered for your Azure AD application.
> * Currently multiple domains per app are not supported. > * The user must set `accessTokenAcceptedVersion` to `2` for a new application.
-**To register your app through the Microsoft Azure Active Directory (Azure AD) portal**
+**To register your app through the Azure AD portal**
-1. Register a new application in the [Microsoft Azure Active Directory (Azure AD) App Registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
+1. Register a new application in the [Azure AD App Registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
1. Select **New Registration**. The **Register an application** page appears. 1. In the **Register an application** page, enter the following values: 1. Enter a **Name** for your app.
Congratulations! You've completed the app registration prerequisites to continue
> [!NOTE] >
-> * ┬╣ If your Microsoft Azure Active Directory (Azure AD) app is registered in the same tenant where you are making an authentication request in Teams, the user cannot be asked to consent and is granted an access token right away. Users only consent to these permissions if the Microsoft Azure Active Directory (Azure AD) app is registered in a different tenant.
-> * ┬▓ If the custom domain is not added to Microsoft Azure Active Directory (Azure AD), you get an error stating that the host name must not be based on an already owned domain. To add custom domain to Microsoft Azure Active Directory (Azure AD) and register it, follow the [add a custom domain name to Microsoft Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/add-custom-domain) procedure, and then repeat step 5. You can also get this error if you are not signed in with Admin credentials in the Office 365 tenancy.
-> * If you are not receiving the user principal name (UPN) in the returned access token, you can add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in Microsoft Azure Active Directory (Azure AD).
+> * ┬╣ If your Azure AD app is registered in the same tenant where you are making an authentication request in Teams, the user cannot be asked to consent and is granted an access token right away. Users only consent to these permissions if the Azure AD app is registered in a different tenant.
+> * ┬▓ If the custom domain is not added to Azure AD, you get an error stating that the host name must not be based on an already owned domain. To add custom domain to Azure AD and register it, follow the [add a custom domain name to Azure AD](/azure/active-directory/fundamentals/add-custom-domain) procedure, and then repeat step 5. You can also get this error if you are not signed in with Admin credentials in the Office 365 tenancy.
+> * If you are not receiving the user principal name (UPN) in the returned access token, you can add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in Azure AD.
### 2. Update your Teams application manifest
Use the following code to add new properties to your Teams manifest:
* **WebApplicationInfo** is the parent of the following elements: > [!div class="checklist"]
-> * **id** - The client ID of the application. This is the application ID that you obtained as part of registering the application with Microsoft Azure Active Directory (Azure AD).
+> * **id** - The client ID of the application. This is the application ID that you obtained as part of registering the application with Azure AD.
>* **resource** - The domain and subdomain of your application. This is the same URI (including the `api://` protocol) that you registered when creating your `scope` in step 6. You must not include the `access_as_user` path in your resource. The domain part of this URI must match the domain, including any subdomains, used in the URLs of your Teams application manifest. > [!NOTE] >
->* The resource for an Microsoft Azure Active Directory (Azure AD) app is usually the root of its site URL and the appID (e.g. `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`). This value is also used to ensure your request is coming from the same domain. Ensure that the `contentURL` for your tab uses the same domains as your resource property.
+>* The resource for an Azure AD app is usually the root of its site URL and the appID (e.g. `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`). This value is also used to ensure your request is coming from the same domain. Ensure that the `contentURL` for your tab uses the same domains as your resource property.
>* You must use manifest version 1.5 or higher to implement the `webApplicationInfo` field. ### 3. Get an access token from your client-side code
microsoftTeams.authentication.getAuthToken(authTokenRequest);
When you call `getAuthToken` and user consent is required for user-level permissions, a dialog is shown to the user to grant consent.
-After you receive access token in success callback, decode access token to view claims for that token. Optionally, manually copy and paste access token into a tool, such as [jwt.ms](https://jwt.ms/). If you aren't receiving the UPN in the returned access token, add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in Microsoft Azure Active Directory (Azure AD). For more information, see [access tokens](/azure/active-directory/develop/access-tokens).
+After you receive access token in success callback, decode access token to view claims for that token. Optionally, manually copy and paste access token into a tool, such as [jwt.ms](https://jwt.ms/). If you aren't receiving the UPN in the returned access token, add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in Azure AD. For more information, see [access tokens](/azure/active-directory/develop/access-tokens).
<p> <img src="~/assets/images/tabs/tabs-sso-prompt.png" alt="Tab single sign-on SSO dialog prompt" width="75%"/>
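Review bot: The rewritten paragraph still tells readers to "manually copy and paste access token into a tool, such as jwt.ms" without saying that the access token is a bearer credential. Suggest adding a sentence that this is for debugging with a test account and that tokens should not be pasted into tools or logs the developer does not control. The sentence is also missing articles ("receive the access token in the success callback, decode the access token").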
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create
|**Sample name**|**Description**|**C#**|**Node.js**| ||||--|
-| Tab SSO |Microsoft Teams sample app for tabs Microsoft Azure Active Directory (Azure AD) SSO| [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp)|[View](https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/tab-sso/nodejs), </br>[Teams Toolkit](../../../toolkit/visual-studio-code-tab-sso.md)|
+| Tab SSO |Microsoft Teams sample app for tabs Azure AD SSO| [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp)|[View](https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/tab-sso/nodejs), </br>[Teams Toolkit](../../../toolkit/visual-studio-code-tab-sso.md)|
## Known limitations ### Get an access token with Graph permissions
-Our current implementation for SSO only grants consent for user-level permissions that are not usable for making Graph calls. To get the permissions (scopes) needed to make a Graph call, SSO solutions must implement a custom web service to exchange the token received from the Teams JavaScript SDK for a token that includes the needed scopes. This is accomplished using Microsoft Azure Active Directory (Azure AD) [on-behalf-of flow](/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow).
+Our current implementation for SSO only grants consent for user-level permissions that are not usable for making Graph calls. To get the permissions (scopes) needed to make a Graph call, SSO solutions must implement a custom web service to exchange the token received from the Teams JavaScript SDK for a token that includes the needed scopes. This is accomplished using Azure AD [on-behalf-of flow](/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow).
### Tenant Admin Consent
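Review bot: The added line under "Get an access token with Graph permissions" still links the on-behalf-of flow to `/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow`, while step 1 of "To ask for additional consent using the Auth API" in the same article links to `v2-oauth2-on-behalf-of-flow` and tells the reader to use the v2 endpoint. Point both links at the same version so the article does not send readers to two different token exchange references.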
A simple way of consenting on behalf of an organization as a tenant admin is to
#### Ask for consent using the Auth API
-Another approach for getting Graph scopes is to present a consent dialog using our existing [web-based Microsoft Azure Active Directory (Azure AD) authentication approach](~/tabs/how-to/authentication/auth-tab-aad.md#navigate-to-the-authorization-page-from-your-pop-up-page). This approach involves popping up an Microsoft Azure Active Directory (Azure AD) consent dialog box.
+Another approach for getting Graph scopes is to present a consent dialog using our existing [web-based Azure AD authentication approach](~/tabs/how-to/authentication/auth-tab-aad.md#navigate-to-the-authorization-page-from-your-pop-up-page). This approach involves popping up an Azure AD consent dialog box.
**To ask for additional consent using the Auth API**
-1. The token retrieved using `getAuthToken()` must be exchanged server-side using Microsoft Azure Active Directory (Azure AD) [on-behalf-of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to get access to those other Graph APIs. Ensure you use the v2 Graph endpoint for this exchange.
-2. If the exchange fails, Microsoft Azure Active Directory (Azure AD) returns an invalid grant exception. There are usually one of two error messages, `invalid_grant` or `interaction_required`.
-3. When the exchange fails, you must ask for consent. Show some user interface (UI) asking the user to grant other consent. This UI must include a button that triggers an Microsoft Azure Active Directory (Azure AD) consent dialog box using our [Microsoft Azure Active Directory (Azure AD) authentication API](~/concepts/authentication/auth-silent-aad.md).
-4. When asking for more consent from Microsoft Azure Active Directory (Azure AD), you must include `prompt=consent` in your [query-string-parameter](~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context) to Microsoft Azure Active Directory (Azure AD), otherwise Microsoft Azure Active Directory (Azure AD) doesn't ask for the other scopes.
+1. The token retrieved using `getAuthToken()` must be exchanged server-side using Azure AD [on-behalf-of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to get access to those other Graph APIs. Ensure you use the v2 Graph endpoint for this exchange.
+2. If the exchange fails, Azure AD returns an invalid grant exception. There are usually one of two error messages, `invalid_grant` or `interaction_required`.
+3. When the exchange fails, you must ask for consent. Show some user interface (UI) asking the user to grant other consent. This UI must include a button that triggers an Azure AD consent dialog box using our [Azure AD authentication API](~/concepts/authentication/auth-silent-aad.md).
+4. When asking for more consent from Azure AD, you must include `prompt=consent` in your [query-string-parameter](~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context) to Azure AD, otherwise Azure AD doesn't ask for the other scopes.
* Instead of `?scope={scopes}` * Use this `?prompt=consent&scope={scopes}` * Ensure that `{scopes}` includes all the scopes you're prompting the user for, for example, Mail.Read or User.Read. 5. Once the user has granted more permission, retry the on-behalf-of-flow to get access to these other APIs.
-### Non-Microsoft Azure Active Directory (Azure AD) authentication
+### Non-Azure AD authentication
-The above-described authentication solution only works for apps and services that support Microsoft Azure Active Directory (Azure AD) as an identity provider. Apps that want to authenticate using non-Microsoft Azure Active Directory (Azure AD) based services must continue using the pop-up-based [web authentication flow](~/concepts/authentication.md).
+The above-described authentication solution only works for apps and services that support Azure AD as an identity provider. Apps that want to authenticate using non-Azure AD based services must continue using the pop-up-based [web authentication flow](~/concepts/authentication.md).
> [!NOTE]
-> SSO is supported for customer owned apps within the Microsoft Azure Active Directory (Azure AD) B2C tenants.
+> SSO is supported for customer owned apps within the Azure AD B2C tenants.
## Step-by-step guides
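Review bot: Steps 3 and 4 of the added list link to the same file through two different paths: step 3 uses `~/concepts/authentication/auth-silent-aad.md` and step 4 uses `~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context`. Other links in this digest place the silent authentication article under `tabs/how-to/authentication`, so the step 3 path looks stale and should be checked before merge. Step 2 also reads "There are usually one of two error messages"; suggest "The error is usually one of two messages".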
platform Auth Flow Tab https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-flow-tab.md
For example, the authentication flow for tabs and bots using Node and the [OAuth
![Tab authentication sequence diagram](~/assets/images/authentication/tab_auth_sequence_diagram.png) 1. The user interacts with the content on the tab configuration or content page, commonly a **Sign in** or **Log in** button.
-2. The tab constructs the URL for its auth start page. Optionally, it uses information from URL placeholders or calls `microsoftTeams.getContext()` Teams client SDK method to streamline the authentication experience for the user. For example, when authenticating with A Microsoft Azure Active Directory (Azure AD), if the `login_hint` parameter is set to the user's email address, the user does not have to sign in if they have done so recently. This is because Microsoft Azure Active Directory (Azure AD) uses the user's cached credentials. The pop-up window is shown briefly and then disappears.
+2. The tab constructs the URL for its auth start page. Optionally, it uses information from URL placeholders or calls `microsoftTeams.getContext()` Teams client SDK method to streamline the authentication experience for the user. For example, when authenticating with A Azure AD, if the `login_hint` parameter is set to the user's email address, the user does not have to sign in if they have done so recently. This is because Azure AD uses the user's cached credentials. The pop-up window is shown briefly and then disappears.
3. The tab then calls the `microsoftTeams.authentication.authenticate()` method and registers the `successCallback` and `failureCallback` functions.
-4. Teams opens the start page in an iframe in a pop-up window. The start page generates random `state` data, saves it for future validation, and redirects to the identity provider's `/authorize` endpoint, such as `https://login.microsoftonline.com/<tenant ID>/oauth2/authorize` for Microsoft Azure Active Directory (Azure AD). Replace `<tenant id>` with your own tenant id that is context.tid.
+4. Teams opens the start page in an iframe in a pop-up window. The start page generates random `state` data, saves it for future validation, and redirects to the identity provider's `/authorize` endpoint, such as `https://login.microsoftonline.com/<tenant ID>/oauth2/authorize` for Azure AD. Replace `<tenant id>` with your own tenant id that is context.tid.
Similar to other application auth flows in Teams, the start page must be on a domain that is in its `validDomains` list, and on the same domain as the post sign in redirect page. > [!NOTE]
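Review bot: In the added step 2, the name replacement leaves a stray article: "when authenticating with A Azure AD" should read "when authenticating with Azure AD". In step 4 the placeholder is written `<tenant ID>` inside the URL and `<tenant id>` in the sentence that tells the reader to replace it; use one spelling so the instruction matches the URL.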
Sample code showing the tab authentication process:
| **Sample name** | **Description** | **C#** | **Node.js** | |--|--|-||
-| Teams tab authentication | Authentication process for tabs using Microsoft Azure Active Directory (Azure AD). | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-complete-sample/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-complete-sample/nodejs) |
+| Teams tab authentication | Authentication process for tabs using Azure AD. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-complete-sample/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-complete-sample/nodejs) |
## See also
-For a detailed implementation for tab authentication using Microsoft Azure Active Directory (Azure AD), see:
+For a detailed implementation for tab authentication using Azure AD, see:
* [Authenticate a user in a Teams tab](~/tabs/how-to/authentication/auth-tab-AAD.md) * [Silent authentication](~/tabs/how-to/authentication/auth-silent-AAD.md)
platform Auth Silent Aad https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-silent-aad.md
Title: Silent authentication
-description: Describes silent authentication, Single-sign-on, Microsoft Azure Active Directory (Azure AD) for tabs
+description: Describes silent authentication, Single-sign-on, Azure AD for tabs
ms.localizationpriority: medium
-keywords: teams authentication SSO silent Microsoft Azure Active Directory (Azure AD) tab
+keywords: teams authentication SSO silent Azure AD tab
# Silent authentication
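Review bot: The `description:` and `keywords:` metadata lines drop the full product name entirely, leaving only "Azure AD". Unlike body text, these fields feed search, so consider keeping "Azure Active Directory" in `keywords` alongside the abbreviation so that readers searching for the full name still find the article.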
keywords: teams authentication SSO silent Microsoft Azure Active Directory (Azur
> [!NOTE] > For authentication to work for your tab on mobile clients, ensure that you're using Teams JavaScript SDK version 1.4.1 or later.
-Silent authentication in Microsoft Azure Active Directory (Azure AD) minimizes the number of times a user enters their credentials by silently refreshing the authentication token. For true single sign-on support, see [SSO documentation](~/tabs/how-to/authentication/auth-aad-sso.md).
+Silent authentication in Azure AD minimizes the number of times a user enters their credentials by silently refreshing the authentication token. For true single sign-on support, see [SSO documentation](~/tabs/how-to/authentication/auth-aad-sso.md).
-To keep your code client-side, use the [Microsoft Azure Active Directory (Azure AD) authentication library](/azure/active-directory/develop/active-directory-authentication-libraries) for JavaScript to get an Microsoft Azure Active Directory (Azure AD) access token silently. If the user has signed in recently, they do not see a popup dialog box.
+To keep your code client-side, use the [Azure AD authentication library](/azure/active-directory/develop/active-directory-authentication-libraries) for JavaScript to get an Microsoft Azure Active Directory (Azure AD) access token silently. If the user has signed in recently, they do not see a popup dialog box.
While Active Directory Authentication Library is optimized for AngularJS applications, it also works with JavaScript single-page applications (SPA).
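Review bot: The replacement in the "To keep your code client-side" line is incomplete: the link text was shortened, but the same sentence still says "to get an Microsoft Azure Active Directory (Azure AD) access token silently". Change it to "to get an Azure AD access token silently", which also fixes the "an Microsoft" article error.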
While Active Directory Authentication Library is optimized for AngularJS applica
## How silent authentication works
-The Active Directory Authentication Library creates a hidden iframe for OAuth 2.0 implicit grant flow. But the library specifies `prompt=none`, so Microsoft Azure Active Directory (Azure AD)does not display the sign-in page. User interaction may be needed if the user needs to sign in or grant access to the application. If user interaction is necessary, Microsoft Azure Active Directory (Azure AD) returns an error that the library reports to your app. If necessary, your app can now display a sign-in option.
+The Active Directory Authentication Library creates a hidden iframe for OAuth 2.0 implicit grant flow. But the library specifies `prompt=none`, so Azure AD does not display the sign-in page. User interaction may be needed if the user needs to sign in or grant access to the application. If user interaction is necessary, Azure AD returns an error that the library reports to your app. If necessary, your app can now display a sign-in option.
## How to do silent authentication The code in this article comes from the Teams sample app that is [Teams authentication sample node](https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/app-auth/nodejs/src/views/tab/silent/silent.hbs).
-[Initiate silent and simple authentication configurable tab using Microsoft Azure Active Directory (Azure AD)](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-channel-group-config-page-auth/csharp) and follow the instructions to run the sample on your local machine.
+[Initiate silent and simple authentication configurable tab using Azure AD](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-channel-group-config-page-auth/csharp) and follow the instructions to run the sample on your local machine.
### Include and configure Active Directory Authentication Library
Include Active Directory Authentication Library in your tab pages and configure
// Active Directory Authentication Library configuration let config = { clientId: "YOUR_APP_ID_HERE",
- // redirectUri must be in the list of redirect URLs for the Microsoft Azure Active Directory (Azure AD) app
+ // redirectUri must be in the list of redirect URLs for the Azure AD app
redirectUri: window.location.origin + "/tab-auth/silent-end", cacheLocation: "localStorage", navigateToLoginRequestUrl: false,
Include Active Directory Authentication Library in your tab pages and configure
### Get the user context
-In the tab's content page, call `microsoftTeams.getContext()` to get a sign-in hint for the current user. The hint is used as a `loginHint` in the call to Microsoft Azure Active Directory (Azure AD).
+In the tab's content page, call `microsoftTeams.getContext()` to get a sign-in hint for the current user. The hint is used as a `loginHint` in the call to Azure AD.
```javascript // Set up extra query parameters for Active Directory Authentication Library
authContext.acquireToken(config.clientId, function (errDesc, token, err, tokenTy
### Process the return value
-Active Directory Authentication Library parses the result from Microsoft Azure Active Directory (Azure AD) by calling `AuthenticationContext.handleWindowCallback(hash)` in the sign-in callback page.
+Active Directory Authentication Library parses the result from Azure AD by calling `AuthenticationContext.handleWindowCallback(hash)` in the sign-in callback page.
Check that you have a valid user and call `microsoftTeams.authentication.notifySuccess()` or `microsoftTeams.authentication.notifyFailure()` to report the status to your main tab content page.
if (authContext.isCallback(window.location.hash)) {
### Handle the sign-out flow
-Use the following code to handle sign out flow in Microsoft Azure Active Directory (Azure AD) authentication:
+Use the following code to handle sign out flow in Azure AD authentication:
> [!NOTE] > When you logout from Teams tab or bot, the current session is cleared.
window.location.href = "@Url.Action("<<Action Name>>", "<<Controller Name>>")";
## See also
-* [Configure identity providers to use Microsoft Azure Active Directory (Azure AD)](../../../concepts/authentication/configure-identity-provider.md)
+* [Configure identity providers to use Azure AD](../../../concepts/authentication/configure-identity-provider.md)
* [Know about Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview)
platform Auth Tab Aad https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-tab-aad.md
keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD)
> [!Note] > For authentication to work for your tab on mobile clients, you need to ensure that you're using version 1.4.1 or later of the Teams JavaScript SDK.
-There are many services that you may want to consume inside your Teams app, and most of those services require authentication and authorization to get access to the service. Services include Facebook, Twitter, and Teams. Teams user profile information is stored in Microsoft Azure Active Directory (Azure AD) using Microsoft Graph and this article will focus on authentication using Microsoft Azure Active Directory (Azure AD) to get access to this information.
+There are many services that you may want to consume inside your Teams app, and most of those services require authentication and authorization to get access to the service. Services include Facebook, Twitter, and Teams. Teams user profile information is stored in Azure AD using Microsoft Graph and this article will focus on authentication using Azure AD to get access to this information.
-OAuth 2.0 is an open standard for authentication used by Microsoft Azure Active Directory (Azure AD) and many other service providers. Understanding OAuth 2.0 is a prerequisite for working with authentication in Teams and Microsoft Azure Active Directory (Azure AD). The examples below use the OAuth 2.0 Implicit Grant flow with the goal of eventually reading the user's profile information from Microsoft Azure Active Directory (Azure AD) and Microsoft Graph.
+OAuth 2.0 is an open standard for authentication used by Azure AD and many other service providers. Understanding OAuth 2.0 is a prerequisite for working with authentication in Teams and Azure AD. The examples below use the OAuth 2.0 Implicit Grant flow with the goal of eventually reading the user's profile information from Azure AD and Microsoft Graph.
-The code in this article comes from the Teams sample app [Microsoft Teams tab authentication sample (Node)](https://github.com/OfficeDev/microsoft-teams-sample-complete-node). It contains a static tab that requests an access token for Microsoft Graph and shows the current user's basic profile information from Microsoft Azure Active Directory (Azure AD).
+The code in this article comes from the Teams sample app [Microsoft Teams tab authentication sample (Node)](https://github.com/OfficeDev/microsoft-teams-sample-complete-node). It contains a static tab that requests an access token for Microsoft Graph and shows the current user's basic profile information from Azure AD.
For general overview of authentication flow for tabs, see [Authentication flow in tabs](~/tabs/how-to/authentication/auth-flow-tab.md).
Authentication flow in tabs differs slightly from authentication flow in bots.
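Review bot: The added sentence "OAuth 2.0 is an open standard for authentication" carries over an inaccurate description. OAuth 2.0 is an authorization framework, and the sign-in part of this flow (the `id_token` requested further down with `response_type: "id_token token"`) comes from OpenID Connect on top of it. Since the line is being rewritten anyway, suggest wording such as "OAuth 2.0 is an open standard for authorization, which Azure AD uses together with OpenID Connect for sign-in". Separately, the two sentences above it now use only "Azure AD" in the article's opening paragraph, so the abbreviation is no longer expanded anywhere in the visible body text; other files in this change keep the long form on first mention.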
## Configuring identity providers
-See the topic [Configure identity providers](~/concepts/authentication/configure-identity-provider.md) for detailed steps on configuring OAuth 2.0 callback redirect URL(s) when using Microsoft Azure Active Directory (Azure AD) as an identity provider.
+See the topic [Configure identity providers](~/concepts/authentication/configure-identity-provider.md) for detailed steps on configuring OAuth 2.0 callback redirect URL(s) when using Azure AD as an identity provider.
## Initiate authentication flow
Authentication flow should be triggered by a user action. You should not open th
Add a button to your configuration or content page to enable the user to sign in when needed. This can be done in the tab [configuration](~/tabs/how-to/create-tab-pages/configuration-page.md) page or any [content](~/tabs/how-to/create-tab-pages/content-page.md) page.
-Microsoft Azure Active Directory (Azure AD), like most identity providers, does not allow its content to be placed in an iframe. This means that you will need to add a pop-up page to host the identity provider. In the following example this page is `/tab-auth/simple-start`. Use the `microsoftTeams.authenticate()` function of the Microsoft Teams client SDK to launch this page when your button is selected.
+Azure AD, like most identity providers, does not allow its content to be placed in an iframe. This means that you will need to add a pop-up page to host the identity provider. In the following example this page is `/tab-auth/simple-start`. Use the `microsoftTeams.authenticate()` function of the Microsoft Teams client SDK to launch this page when your button is selected.
```javascript microsoftTeams.authentication.authenticate({
microsoftTeams.authentication.authenticate({
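Review bot: The rewritten paragraph still names the function `microsoftTeams.authenticate()`, while the code directly below it and the Notes bullet both call `microsoftTeams.authentication.authenticate()`. Suggest correcting the prose to the namespaced form in the same edit so a reader copying the name from the sentence gets a call that matches the sample.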
### Notes
-* The URL you pass to `microsoftTeams.authentication.authenticate()` is the start page of the authentication flow. In this example that is `/tab-auth/simple-start`. This should match what you registered in the [Microsoft Azure Active Directory (Azure AD) Application Registration Portal](https://apps.dev.microsoft.com).
+* The URL you pass to `microsoftTeams.authentication.authenticate()` is the start page of the authentication flow. In this example that is `/tab-auth/simple-start`. This should match what you registered in the [Azure AD Application Registration Portal](https://apps.dev.microsoft.com).
* Authentication flow must start on a page that's on your domain. This domain should also be listed in the [`validDomains`](~/resources/schem#validdomains) section of the manifest. Failure to do so will result in an empty pop-up.
microsoftTeams.authentication.authenticate({
## Navigate to the authorization page from your pop-up page
-When your pop-up page (`/tab-auth/simple-start`) is displayed the following code is run. The main goal of this page is to redirect to your identity provider so the user can sign in. This redirection could be done on the server side using HTTP 302, but in this case it is done on the client side using with a call to `window.location.assign()`. This also allows `microsoftTeams.getContext()` to be used to retrieve hinting information, which can be passed to Microsoft Azure Active Directory (Azure AD).
+When your pop-up page (`/tab-auth/simple-start`) is displayed the following code is run. The main goal of this page is to redirect to your identity provider so the user can sign in. This redirection could be done on the server side using HTTP 302, but in this case it is done on the client side using with a call to `window.location.assign()`. This also allows `microsoftTeams.getContext()` to be used to retrieve hinting information, which can be passed to Azure AD.
```javascript microsoftTeams.getContext(function (context) {
microsoftTeams.getContext(function (context) {
let state = _guid(); // _guid() is a helper function in the sample localStorage.setItem("simple.state", state); localStorage.removeItem("simple.error");
- // Go to the Microsoft Azure Active Directory (Azure AD) authorization endpoint
+ // Go to the Azure AD authorization endpoint
let queryParams = { client_id: "YOUR_APP_ID_HERE", response_type: "id_token token",
After the user completes authorization, the user is redirected to the callback p
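Review bot: The added paragraph keeps the typo "using with a call to `window.location.assign()`"; drop "with" while the line is being touched. In the code under it, `state` comes from `_guid()`, described only as "a helper function in the sample". Because the callback page relies on this value to reject responses it did not request, the text should say that the helper has to produce an unpredictable value, or point to the helper's implementation.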
### Notes
-* See [get user context information](~/tabs/how-to/access-teams-context.md) for help building authentication requests and URLs. For example, you can use the user's login name as the `login_hint` value for Microsoft Azure Active Directory (Azure AD) sign in, which means the user might need to type less. Remember that you should not use this context directly as proof of identity since an attacker could load your page in a malicious browser and provide it with any information they want.
+* See [get user context information](~/tabs/how-to/access-teams-context.md) for help building authentication requests and URLs. For example, you can use the user's login name as the `login_hint` value for Azure AD sign in, which means the user might need to type less. Remember that you should not use this context directly as proof of identity since an attacker could load your page in a malicious browser and provide it with any information they want.
* Although the tab context provides useful information regarding the user, don't use this information to authenticate the user whether you get it as URL parameters to your tab content URL or by calling the `microsoftTeams.getContext()` function in the Microsoft Teams client SDK. A malicious actor could invoke your tab content URL with its own parameters, and a web page impersonating Microsoft Teams could load your tab content URL in an iframe and return its own data to the `getContext()` function. You should treat the identity-related information in the tab context simply as hints and validate them before use. * The `state` parameter is used to confirm that the service calling the callback URI is the service you called. If the `state` parameter in the callback does not match the parameter you sent during the call the return call is not verified and should be terminated. * It is not necessary to include the identity provider's domain in the `validDomains` list in the app's manifest.json file. ## The callback page
-In the last section you called the Microsoft Azure Active Directory (Azure AD) authorization service and passed in user and app information so that Microsoft Azure Active Directory (Azure AD) could present the user with its own monolithic authorization experience. Your app has no control over what happens in this experience. All it knows is what is returned when Microsoft Azure Active Directory (Azure AD) calls the callback page that you provided (`/tab-auth/simple-end`).
+In the last section you called the Azure AD authorization service and passed in user and app information so that Azure AD could present the user with its own monolithic authorization experience. Your app has no control over what happens in this experience. All it knows is what is returned when Azure AD calls the callback page that you provided (`/tab-auth/simple-end`).
-In this page you need to determine success or failure based on the information returned by Microsoft Azure Active Directory (Azure AD) and call `microsoftTeams.authentication.notifySuccess()` or `microsoftTeams.authentication.notifyFailure()`. If the login was successful you will have access to service resources.
+In this page you need to determine success or failure based on the information returned by Azure AD and call `microsoftTeams.authentication.notifySuccess()` or `microsoftTeams.authentication.notifyFailure()`. If the login was successful you will have access to service resources.
````javascript
-// Split the key-value pairs passed from Microsoft Azure Active Directory (Azure AD)
+// Split the key-value pairs passed from Azure AD
// getHashParameters is a helper function that parses the arguments sent
-// to the callback URL by Microsoft Azure Active Directory (Azure AD) after the authorization call
+// to the callback URL by Azure AD after the authorization call
let hashParams = getHashParameters(); if (hashParams["error"]) { // Authentication/authorization failed microsoftTeams.authentication.notifyFailure(hashParams["error"]); } else if (hashParams["access_token"]) { // Get the stored state parameter and compare with incoming state
- // This validates that the data is coming from Microsoft Azure Active Directory (Azure AD)
+ // This validates that the data is coming from Azure AD
let expectedState = localStorage.getItem("simple.state"); if (expectedState !== hashParams["state"]) { // State does not match, report error
if (hashParams["error"]) {
} ````
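Review bot: The rewritten comment "This validates that the data is coming from Azure AD" overstates what the check does. Comparing `hashParams["state"]` with the value stored in `localStorage` under `simple.state` shows that the response belongs to the request this browser started; it says nothing about who issued the `access_token`, and the token itself is not validated anywhere in the visible code. Suggest rewording the comment to something like "This confirms the response matches the request we initiated" and leaving token validation to the service that consumes the token.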
-This code parses the key-value pairs received from Microsoft Azure Active Directory (Azure AD) in `window.location.hash` using the `getHashParameters()` helper function. If it finds an `access_token`, and the `state` value is the same as the one provided at the start of the authentication flow, it returns the access token to the tab by calling `notifySuccess()`; otherwise it reports an error with `notifyFailure()`.
+This code parses the key-value pairs received from Azure AD in `window.location.hash` using the `getHashParameters()` helper function. If it finds an `access_token`, and the `state` value is the same as the one provided at the start of the authentication flow, it returns the access token to the tab by calling `notifySuccess()`; otherwise it reports an error with `notifyFailure()`.
### Notes
For more information on Single Sign-On (SSO) see the article [Silent authenticat
## Code sample
-Sample code showing the tab authentication process using Microsoft Azure Active Directory (Azure AD):
+Sample code showing the tab authentication process using Azure AD:
| **Sample name** | **description** | **.NET** | **Node.js** | |--|--|-|
-| Microsoft Teams tab authentication | Tab authentication process using Microsoft Azure Active Directory (Azure AD). | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-channel-group-config-page-auth/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-auth/nodejs) |
+| Microsoft Teams tab authentication | Tab authentication process using Azure AD. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-channel-group-config-page-auth/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-auth/nodejs) |
## See also
platform Create Personal Tab https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/create-personal-tab.md
Also, this project requires that you have the following installed in your develo
**Do you require Microsoft Azure Active Directory (Azure AD) Single-Sign-On support for the tab?**
- Choose **not** to include Microsoft Azure Active Directory (Azure AD) Single-Sign-On support for the tab. The default is yes, enter **n**.
+ Choose **not** to include Azure AD Single-Sign-On support for the tab. The default is yes, enter **n**.
> [!IMPORTANT] > The path component **yourDefaultTabNameTab** is the value that you entered in the generator for **Default Tab Name** plus the word **Tab**.
platform Cards Format https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/task-modules-and-cards/cards/cards-format.md
The following code shows an example of Adaptive Card with a mention:
### Microsoft Azure Active Directory (Azure AD) Object ID and UPN in user mention
-Teams platform allows to mention users with their Microsoft Azure Active Directory (Azure AD) Object ID and User Principle Name (UPN), in addition to the existing mention IDs. Bots with Adaptive Cards and Connectors with Incoming Webhooks support the two user mention IDs.
+Teams platform allows to mention users with their Azure AD Object ID and User Principle Name (UPN), in addition to the existing mention IDs. Bots with Adaptive Cards and Connectors with Incoming Webhooks support the two user mention IDs.
The following table describes the newly supported user mention IDs: |IDs | Supporting capabilities | Description | Example | |-|--|||
-| Microsoft Azure Active Directory (Azure AD) object ID | Bot, Connector | Microsoft Azure Active Directory (Azure AD) userΓÇÖs object ID | 49c4641c-ab91-4248-aebb-6a7de286397b |
-| UPN | Bot, Connector | Microsoft Azure Active Directory (Azure AD) userΓÇÖs UPN | john.smith@microsoft.com |
+| Azure AD object ID | Bot, Connector | Azure AD userΓÇÖs object ID | 49c4641c-ab91-4248-aebb-6a7de286397b |
+| UPN | Bot, Connector | Azure AD userΓÇÖs UPN | john.smith@microsoft.com |
#### User mention in bots with Adaptive Cards
Following image illustrates the user mention with Adaptive Card in Bot:
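Review bot: The added intro sentence keeps "User Principle Name (UPN)", which should read "User Principal Name", and "allows to mention users" needs an object ("allows you to mention users"). In the added table rows the apostrophe appears as `userΓÇÖs`; if that is in the source file and not only in this rendering, replace it with a plain apostrophe. The UPN example `john.smith@microsoft.com` also uses a real domain, where a reserved example domain would be safer.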
#### User mention in Incoming Webhook with Adaptive Cards
-Incoming webhooks start to support user mention in Adaptive Cards with the Microsoft Azure Active Directory (Azure AD) Object ID and UPN.
+Incoming webhooks start to support user mention in Adaptive Cards with the Azure AD Object ID and UPN.
> [!NOTE]
-> * Enable user mention in the schema for Incoming webhooks to support Microsoft Azure Active Directory (Azure AD) Object ID and UPN.
-> * UI/UX changes are not required for user mentions with Microsoft Azure Active Directory (Azure AD) Object ID and UPN.
+> * Enable user mention in the schema for Incoming webhooks to support Azure AD Object ID and UPN.
+> * UI/UX changes are not required for user mentions with Azure AD Object ID and UPN.
##### Example
platform People Picker https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/task-modules-and-cards/cards/people-picker.md
To enable search within a list of conversation members, use the appropriate data
### Data Submission You can use `Action.Submit` or `Action.Execute` to submit selected data to your bot. The `invoke` payload received on your bot is a list of Microsoft Azure Active Directory (Azure AD) IDs or the IDs provided in static list.
-In People Picker, when a user is selected in the control, the `Microsoft Azure Active Directory (Azure AD) ID` of the user is the value sent back. The `Microsoft Azure Active Directory (Azure AD) ID` is a string and uniquely identifies a user in the directory.
+In People Picker, when a user is selected in the control, the `Azure AD ID` of the user is the value sent back. The `Azure AD ID` is a string and uniquely identifies a user in the directory.
The format of the value submitted to the bot depends on the value of the `isMultiSelect` property:
With the `Azure AD ID`, People Picker preselects the corresponding user.
People Picker supports preselection of user in the control, when creating and sending an Adaptive Card. `Input.ChoiceSet` supports the `value` property that is used to preselect a user. The format of this `value` property is the same as the submitted value format in [data submission](#data-submission). The following list provides the information to preselect users:
-* For single user in the control, specify the `Microsoft Azure Active Directory (Azure AD) ID` of the user as the `value`.
-* For multiple users, such as `isMultiSelect` is `true`, specify a comma-separated string of `Microsoft Azure Active Directory (Azure AD) ID`s.
+* For single user in the control, specify the `Azure AD ID` of the user as the `value`.
+* For multiple users, such as `isMultiSelect` is `true`, specify a comma-separated string of `Azure AD ID`s.
The following example describes preselection of a single user:
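Review bot: The added lines wrap `Azure AD ID` in code formatting in the paragraph and in both list items, which reads as a literal property name when it is only a descriptive term; the actual properties in this passage are `isMultiSelect` and `value`. Suggest plain text "Azure AD ID" (and "Azure AD IDs" for the plural) so the code formatting is reserved for identifiers. In the second list item, "such as `isMultiSelect` is `true`" should read "that is, when `isMultiSelect` is `true`".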
platform What Are Cards https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/task-modules-and-cards/what-are-cards.md
Adaptive Cards with Incoming Webhooks enables you to use the rich and flexible c
## Support for Azure AD Object ID and UPN in user mention
-Bots with Adaptive Cards support user mention IDs, such as Microsoft Azure Active Directory (Azure AD) Object ID and User Principle Name (UPN) in addition to the existing IDs. Incoming webhooks start to support user mention in Adaptive Card with the Microsoft Azure Active Directory (Azure AD) Object ID and UPN.
+Bots with Adaptive Cards support user mention IDs, such as Microsoft Azure Active Directory (Azure AD) Object ID and User Principle Name (UPN) in addition to the existing IDs. Incoming webhooks start to support user mention in Adaptive Card with the Azure AD Object ID and UPN.
## Next step
platform Teamsfx Collaboration https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/toolkit/TeamsFx-collaboration.md
The following list guides us to understand the collaboration process and its lim
> [!NOTE] > Before adding collaborators for an environment, project owner needs to [provision](provision.md) the project first.
-* In **ENVIRONMENT** section on Teams Toolkit, select **collaborators**. It displays the options **Add Microsoft 365 Teams App (with Microsoft Azure Active Directory (Azure AD) App) Owners** and **List Microsoft 365 Teams App (with Azure AD App) Owners** as shown in the following images:
+* In **ENVIRONMENT** section on Teams Toolkit, select **collaborators**. It displays the options **Add Microsoft 365 Teams App (with Azure AD App) Owners** and **List Microsoft 365 Teams App (with Azure AD App) Owners** as shown in the following images:
:::image type="content" source="../assets/images/teams-toolkit-v2/teams toolkit fundamentals/add collaborators.png" alt-text="collaborators":::
-* Select **Add Microsoft 365 Teams App (with Microsoft Azure Active Directory (Azure AD) App) Owners** and add other Microsoft 365 account email address as collaborator. The account to be added must be on the same tenant as project owner for remote debug as shown in the image:
+* Select **Add Microsoft 365 Teams App (with Azure AD App) Owners** and add other Microsoft 365 account email address as collaborator. The account to be added must be on the same tenant as project owner for remote debug as shown in the image:
:::image type="content" source="../assets/images/teams-toolkit-v2/teams toolkit fundamentals/manifest preview-1.png" alt-text="add envi":::
-* To view collaborators in current environment, select **List Microsoft 365 Teams App (with Microsoft Azure Active Directory (Azure AD) App) Owners**, then collaborators are listed in the output channel as shown in following image:
+* To view collaborators in current environment, select **List Microsoft 365 Teams App (with Azure AD App) Owners**, then collaborators are listed in the output channel as shown in following image:
:::image type="content" source="../assets/images/teams-toolkit-v2/teams toolkit fundamentals/list of collaborators.png" alt-text="list":::
You can't remove collaborators directly from Teams Toolkit extension. Perform th
1. Go to Teams Developer Portal and select your Teams app by name or app ID. 2. Select **Owners** from left panel. 3. Select and remove the collaborator.
- 4. Go to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps), select **App registration** from left panel, and find your Microsoft Azure Active Directory (Azure AD) App.
- 5. Select **Owners** from left panel in Microsoft Azure Active Directory (Azure AD) App management page.
+ 4. Go to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps), select **App registration** from left panel, and find your Azure AD App.
+ 5. Select **Owners** from left panel in Azure AD App management page.
6. Select and remove the collaborator. > [!NOTE]
platform Provision https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/toolkit/provision.md
When you create a new project, you can use all the Azure resources. The ARM temp
|Resource|Purpose| |-|--|
-| Microsoft Azure Active Directory (Azure AD) application for API management service | Allows Microsoft Power Platform access APIs managed by API management service |
+| Azure AD application for API management service | Allows Microsoft Power Platform access APIs managed by API management service |
| API management service | Manage your APIs hosted in function app | | API management product | Group your APIs, define terms of use and runtime policies | | API management OAuth server | Enables Microsoft Power Platform to access your APIs hosted in function app |
When you create a new project, you can use all the Azure resources. The ARM temp
|Resources|Purpose of this resource| |-|--|
-| Azure Key Vault Service | Manage secrets (e.g. Microsoft Azure Active Directory (Azure AD) app client secret) used by other Azure Services |
+| Azure Key Vault Service | Manage secrets (e.g. Azure AD app client secret) used by other Azure Services |
| User Assigned Identity | Authenticate Azure service-to-service requests | ## Customize resource provision
You can customize the following scenarios:
#### Use an existing Azure AD app for your bot
-You can add following configuration snippet to `.fx/configs/config.{env}.json` file to use an Microsoft Azure Active Directory (Azure AD) app created by yourself for your Teams app. To create an Microsoft Azure Active Directory (Azure AD) app, see <https://aka.ms/teamsfx-existing-aad-doc>.
+You can add following configuration snippet to `.fx/configs/config.{env}.json` file to use an Azure AD app created by yourself for your Teams app. To create an Azure AD app, see <https://aka.ms/teamsfx-existing-aad-doc>.
```json "auth": {
You can add following configuration snippet to `.fx/configs/config.{env}.json` f
After adding the snippet, add your secret to related environment variable so the tool can resolve the actual secret during provision. > [!NOTE]
-> Ensure not to share the same Microsoft Azure Active Directory (Azure AD) app in multiple environments. If you don't have permission to update the Microsoft Azure Active Directory (Azure AD) app, you can get a warning with instructions about how to manually update the Microsoft Azure Active Directory (Azure AD) app. Follow the instructions to update your Microsoft Azure Active Directory (Azure AD) app after provision.
+> Ensure not to share the same Azure AD app in multiple environments. If you don't have permission to update the Azure AD app, you can get a warning with instructions about how to manually update the Azure AD app. Follow the instructions to update your Azure AD app after provision.
#### Use an existing Azure AD app for your Teams app
-You can add following configuration snippet to `.fx/configs/config.{env}.json` file to use an Microsoft Azure Active Directory (Azure AD) app created by yourself for your bot:
+You can add following configuration snippet to `.fx/configs/config.{env}.json` file to use an Azure AD app created by yourself for your bot:
```json "bot": {
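Review bot: The headings and the rewritten sentences in this file look swapped. Under "Use an existing Azure AD app for your bot" the added text says the app is "for your Teams app" and the snippet is keyed `"auth"`, while under "Use an existing Azure AD app for your Teams app" the added text says "for your bot" and the snippet is keyed `"bot"`. Since both sentences are being edited here, swap the two headings (or the two sections) so that each heading matches its sentence and its configuration key.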
platform Use CICD Template https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/toolkit/use-CICD-template.md
To provision and deploy resources targeting Azure inside CI/CD, you must create
Perform the following steps to create Azure service principals: 1. Register an Microsoft Azure Active Directory (Azure AD) application in single tenant.
-2. Assign a role to your Microsoft Azure Active Directory (Azure AD) application to access your Azure subscription, and `Contributor` role is recommended.
-3. Create a new Microsoft Azure Active Directory (Azure AD) application secret.
+2. Assign a role to your Azure AD application to access your Azure subscription, and `Contributor` role is recommended.
+3. Create a new Azure AD application secret.
> [!TIP] > Save your tenant id, application id(AZURE_SERVICE_PRINCIPAL_NAME), and the secret(AZURE_SERVICE_PRINCIPAL_PASSWORD) for future use.
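Review bot: Step 2 as rewritten still recommends the `Contributor` role for access to "your Azure subscription" without stating the scope of the assignment or whether a narrower one would work. For a service principal whose secret is handed to a CI/CD system, the step should name the minimum scope that provisioning needs, for example a single resource group if that is sufficient. The tip below it should also say to store the secret in the pipeline's secret store. Step 1 also still reads "an Microsoft Azure Active Directory (Azure AD) application", which should be "a Microsoft Azure Active Directory (Azure AD) application".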