Updates from: 03/10/2021 04:21:26
Service Microsoft Docs article Related commit history on GitHub Change details
platform Teams Apps In Meetings https://github.com/MicrosoftDocs/msteams-docs/commits/master/msteams-platform/apps-in-teams-meetings/teams-apps-in-meetings.md
Teams’ meeting app extensibility centers on three concepts:
> As with all tab applications, Your app will need to follow the Teams [SSO authentication flow](../tabs/how-to/authentication/auth-aad-sso.md) for tabs. > [!NOTE]
-> Mobile clients support Tabs only in Pre and Post Meeting Surfaces. The In-meeting experiences (in-meeting dialog and panel) on mobile will be available soon
+> * Mobile clients support tabs only in pre-meeting and post-meeting surfaces. The in-meeting experiences, such as in-meeting dialog and panel on mobile will be available soon.
+> * Apps are supported only in private scheduled meetings.
### Pre-meeting app experience
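Review bot: the first added bullet in the note is missing a comma after "panel", so "such as in-meeting dialog and panel on mobile will be available soon" runs together; suggest "The in-meeting experiences, such as in-meeting dialog and panel, on mobile will be available soon." The second added bullet, "Apps are supported only in private scheduled meetings.", is a new restriction rather than a rewording of the removed line, so it needs its own confirmation against product behaviour and should also be stated wherever this article describes meeting types, not only inside this note.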
### Bots
-For bot implementation, please see our [Bots in Teams meetings](../bots/how-to/create-a-bot-for-teams.md#bots-in-teams-meetings) documentation.
+For bot implementation, start with [build a bot](../build-your-first-app/build-bot.md) and then continue with [create apps for Teams meetings](../apps-in-teams-meetings/create-apps-for-teams-meetings.md#meeting-apps-api-reference).
-### Messaging Extensions
+### Messaging extensions
-For messaging extension implementation, please see our [Messaging extensions in Teams meetings](../messaging-extensions/how-to/create-messaging-extension.md#messaging-extensions-in-teams-meetings) documentation.
+For messaging extension implementation, start with [build a messaging extension](../messaging-extensions/how-to/create-messaging-extension.md) and then continue with [create apps for Teams meetings](../apps-in-teams-meetings/create-apps-for-teams-meetings.md#meeting-apps-api-reference).
## Participant roles and user types in a meeting
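Review bot: both replacement links, in the Bots paragraph and in the Messaging extensions paragraph, now land on the same anchor, `create-apps-for-teams-meetings.md#meeting-apps-api-reference`, whereas the removed links pointed at feature-specific sections (`#bots-in-teams-meetings` and `#messaging-extensions-in-teams-meetings`). If those sections still exist, link the feature-specific anchors; if they were folded into the API reference, confirm that the target heading actually covers both bots and messaging extensions so neither paragraph sends readers to a generic page.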
platform Auth Aad Sso Bots https://github.com/MicrosoftDocs/msteams-docs/commits/master/msteams-platform/bots/how-to/authentication/auth-aad-sso-bots.md
The steps to register your app through the AAD portal are similar to the [tab SS
> > You must be aware of the following important restrictions: >
- > * Only user-level Microsoft Graph API permissions, such as email, profile, offline_access, and OpenId are supported. If you need access to other Microsoft Graph scopes, such as `User.Read` or `Mail.Read`, see [recommended workaround](../../../tabs/how-to/authentication/auth-aad-sso.md#apps-that-require-additional-microsoft-graph-scopes).
+ > * Only user-level Microsoft Graph API permissions, such as email, profile, offline_access, and OpenId are supported. If you need access to other Microsoft Graph scopes, such as `User.Read` or `Mail.Read`, see [recommended workaround](../../../tabs/how-to/authentication/auth-aad-sso.md#apps-that-require-additional-graph-scopes).
> * Your application's domain name must be same as the domain name that you have registered for your AAD application. > * Multiple domains per app are currently not supported. > * Applications that use the `azurewebsites.net` domain are not supported because it is common and may be a security risk.
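Review bot: the only change here is the anchor, from `#apps-that-require-additional-microsoft-graph-scopes` to `#apps-that-require-additional-graph-scopes`, and it matches the heading renamed in auth-aad-sso.md in this same update (`### Apps that require additional Graph scopes`), so the link stays valid. While this block is being edited, the unchanged bullet that follows ("domain name must be same as the domain name") is missing "the" before "same".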
platform Auth Aad Sso https://github.com/MicrosoftDocs/msteams-docs/commits/master/msteams-platform/tabs/how-to/authentication/auth-aad-sso.md
keywords: teams authentication SSO AAD single sign-on api
# Single sign-on (SSO) support for tabs
-Users sign in to Microsoft Teams via their work, school, or Microsoft accounts (Office 365, Outlook, etc). You can take advantage of this by allowing a single sign-on to authorize your Microsoft Teams tab (or task module) on desktop or mobile clients. Thus, if a user consents to use your app, they wonΓÇÖt have to consent again on another device ΓÇö they will be signed in automatically. In addition, we prefetch your access token to improve performance and load times.
+Users sign in to Microsoft Teams through their work, school, or Microsoft accounts that is Office 365, Outlook, and so on. You can take advantage of this by allowing a single sign-on to authorize your Teams tab or task module on desktop or mobile clients. If a user consents to use your app, they do not have to consent again on another device as they are signed in automatically. In addition, your access token is prefetched to improve performance and load times.
> [!NOTE] > **Teams mobile client versions supporting SSO**
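Review bot: in the rewritten opening sentence, "Microsoft accounts that is Office 365, Outlook, and so on" reads as a relative clause because "that is" has no punctuation around it; suggest "Microsoft accounts, such as Office 365 or Outlook". In the same sentence the passive "your access token is prefetched" loses who does the prefetching; "Teams prefetches your access token" keeps the meaning of the removed line.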
> > Γ£öTeams for iOS (_Version_: 2.0.18 and later) >
-> For the best experience with Teams, please use the latest version of iOS and Android.
+> For the best experience with Teams, use the latest version of iOS and Android.
> [!NOTE] > **Quickstart** >
-> The simplest path to getting started with tab SSO is with the Microsoft Teams Toolkit for Visual Studio Code. [Learn more](../../../toolkit/visual-studio-code-tab-sso.md)
+> The simplest path to getting started with tab SSO is with the Teams toolkit for Visual Studio Code. For more information, see [SSO with Teams toolkit and Visual Studio Code for tabs](../../../toolkit/visual-studio-code-tab-sso.md)
## How SSO works at runtime
-The following diagram shows how the SSO process works:
+The following image shows how the SSO process works:
<!-- markdownlint-disable MD033 --> <img src="~/assets/images/tabs/tabs-sso-diagram.png" alt="Tab single sign-on SSO diagram" width="75%"/> 1. In the tab, a JavaScript call is made to `getAuthToken()`. This tells Teams to obtain an authentication token for the tab application.
-2. If this is the first time the current user has used your tab application, there will be a request prompt to consent (if consent is required) or to handle step-up authentication (such as two-factor authentication).
-3. Teams requests the tab application token from the Azure AD endpoint for the current user.
-4. Azure AD sends the tab application token to the Teams application.
+2. If this is the first time the current user has used your tab application, there is a request prompt to consent if consent is required or to handle step-up authentication such as two-factor authentication.
+3. Teams requests the tab application token from the Azure Active Directory (AAD) endpoint for the current user.
+4. AAD sends the tab application token to the Teams application.
5. Teams sends the tab application token to the tab as part of the result object returned by the `getAuthToken()` call.
-6. The token will be parsed in the tab application, via JavaScript, to extract the needed information, such as the user's email address.
+6. The token is parsed in the tab application using JavaScript, to extract required information, such as the user's email address.
> [!NOTE]
-> The `getAuthToken()` is only valid for consenting to a limited set of user-level APIs ΓÇö email, profile, offline_access and OpenId ΓÇö and not for further Microsoft Graph scopes such as `User.Read` or `Mail.Read`. See our section at the end of this document for suggested workarounds if you require [additional Graph scopes](#apps-that-require-additional-microsoft-graph-scopes).
+> The `getAuthToken()` is only valid for consenting to a limited set of user-level APIs that is email, profile, offline_access and OpenId. It is not used for further Graph scopes such as `User.Read` or `Mail.Read`. For suggested workarounds, see [additional Graph scopes](#apps-that-require-additional-graph-scopes).
-The SSO API will also work in [Task Modules](../../../task-modules-and-cards/what-are-task-modules.md) that embed web content.
+The SSO API also works in [task modules](../../../task-modules-and-cards/what-are-task-modules.md) that embed web content.
## Develop an SSO Microsoft Teams tab
-This section describes the tasks involved in creating a Teams tab that uses SSO. These tasks are described here are language- and framework-agnostic.
+This section describes the tasks involved in creating a Teams tab that uses SSO. These tasks are language- and framework-agnostic.
-### 1. Create your Azure Active Directory (Azure AD) application
+### 1. Create your AAD application
-#### Registering your application in the[Azure AD portal](https://azure.microsoft.com/features/azure-portal/) overview:
+**To register your application in the [AAD portal](https://azure.microsoft.com/features/azure-portal/) overview**
-1. Get your [Azure AD Application ID](/azure/active-directory/develop/howto-create-service-principal-portal#get-values-for-signing-in).
-2. Specify the permissions that your application needs for the Azure AD endpoint and, optionally, Microsoft Graph.
+1. Get your [AAD Application ID](/azure/active-directory/develop/howto-create-service-principal-portal#get-values-for-signing-in).
+2. Specify the permissions that your application needs for the AAD endpoint and, optionally, Graph.
3. [Grant permissions](/azure/active-directory/develop/howto-create-service-principal-portal#configure-access-policies-on-resources) for Teams desktop, web, and mobile applications.
-4. Pre-authorize Teams by selecting the **Add a scope** button and in the panel that opens, enter `access_as_user` as the **Scope name**.
+4. Pre-authorize Teams by selecting the **Add a scope** button and in the panel that opens, enter **access_as_user** as the **Scope name**.
> [!NOTE]
-> There are some important restrictions you should be aware of:
+> There are some important restrictions that you must know:
>
-> * We only support user-level Microsoft Graph API permissions, i.e., email, profile, offline_access, OpenId. If you need access to other Microsoft Graph scopes (such as `User.Read` or `Mail.Read`), see our [recommended workaround](#apps-that-require-additional-microsoft-graph-scopes) at the end of this documentation.
-> * It's important that your application's domain name is the same as the domain name you've registering for your Azure AD application.
-> * We don't currently support multiple domains per app.
-> * We don't support applications that use the `azurewebsites.net` domain because it is too common and may be a security risk. However, we're actively seeking to remove this restriction.
-
-#### Registering your app through the Azure Active Directory portal in-depth:
-
-1. Register a new application in the [Azure Active Directory ΓÇô App Registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
-2. Select **New Registration** and on the *register an application page*, set following values:
- * Set **name** to your app name.
- * Choose the **supported account types** (any account type will work) ┬╣
+> * Only user-level Graph API permissions are supported that is, email, profile, offline_access, OpenId. If you must have access to other Graph scopes such as `User.Read` or `Mail.Read`, see [recommended workaround](#apps-that-require-additional-graph-scopes).
+> * It is important that your application's domain name is the same as the domain name you have registered for your AAD application.
+> * Currently multiple domains per app are not supported.
+> * Applications that use the `azurewebsites.net` domain are not supported as it is too common and can be a security risk.
+
+**To register your app through the AAD portal**
+
+1. Register a new application in the [AAD App Registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
+2. Select **New Registration**. The **Register an application** page appears.
+3. In the **Register an application** page, enter the following values:
+ 1. Enter a **Name** for your app.
+ 2. Choose the **Supported account types**, select single tenant or multitenant account type. ┬╣
* Leave **Redirect URI** empty.
- * Choose **Register**.
-3. On the overview page, copy and save the **Application (client) ID**. YouΓÇÖll need it later when updating your Teams application manifest.
-4. Under **Manage**, select **Expose an API**.
-5. Select the **Set** link to generate the Application ID URI in the form of `api://{AppID}`. Insert your fully qualified domain name (with a forward slash "/" appended to the end) between the double forward slashes and the GUID. The entire ID should have the form of: `api://fully-qualified-domain-name.com/{AppID}` ┬▓
- * ex: `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`.
-
- The fully qualified domain name is the human readable domain name from which your app is served. If you are using a tunneling service such as ngrok, you will need to update this value whenever your ngrok subdomain changes.
-6. Select the **Add a scope** button. In the panel that opens, enter `access_as_user` as the **Scope name**.
-7. Set **Who can consent?** to `Admins and users`
-8. Fill in the fields for configuring the admin and user consent prompts with values that are appropriate for the `access_as_user` scope:
+ 3. Choose **Register**.
+4. On the overview page, copy and save the **Application (client) ID**. You must have it later when updating your Teams application manifest.
+5. Under **Manage**, select **Expose an API**.
+6. Select the **Set** link to generate the Application ID URI in the form of `api://{AppID}`. Insert your fully qualified domain name with a forward slash "/" appended to the end, between the double forward slashes and the GUID. The entire ID must have the form of `api://fully-qualified-domain-name.com/{AppID}`. ┬▓ For example, `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`. The fully qualified domain name is the human readable domain name from which your app is served. If you are using a tunneling service such as ngrok, you must update this value whenever your ngrok subdomain changes.
+7. Select **Add a scope**. In the panel that opens, enter **access_as_user** as the **Scope name**.
+8. In the **Who can consent?** box, enter **Admins and users**.
+9. Enter the details in the boxes for configuring the admin and user consent prompts with values that are appropriate for the `access_as_user` scope:
* **Admin consent Title: ** Teams can access the userΓÇÖs profile.
- * **Admin consent description**: Allows Teams to call the appΓÇÖs web APIs as the current user.
+ * **Admin consent description**: Teams can call the appΓÇÖs web APIs as the current user.
* **User consent title**: Teams can access the user profile and make requests on the user's behalf.
- * **User consent description:** Enable Teams to call this appΓÇÖs APIs with the same rights as the user.
-9. Ensure that **State** is set to **Enabled**
-10. Select the **Add scope** button to save
- * The domain part of the **Scope name** displayed just below the text field should automatically match the **Application ID** URI set in the previous step, with `/access_as_user` appended to the end:
- * `api://subdomain.example.com/00000000-0000-0000-0000-000000000000/access_as_user`
-11. In the **Authorized client applications** section, identify the applications that you want to authorize for your appΓÇÖs web application. Select *Add a client application*. Enter each of the following client IDs and select the authorized scope you created in the previous step:
- * `1fec8e78-bce4-4aaf-ab1b-5451cc387264` (Teams mobile/desktop application)
- * `5e3ce6c0-2b1f-4285-8d4b-75ee78787346` (Teams web application)
-12. Navigate to **API Permissions**. Select *Add a permission* > *Microsoft Graph* > *Delegated permissions*, then add the following permissions from Microsoft Graph API:
- * User.Read (enabled by default)
+ * **User consent description:** Teams can call this appΓÇÖs APIs with the same rights as the user.
+10. Ensure that **State** is set to **Enabled**.
+11. Select **Add scope** to save the details. The domain part of the **Scope name** displayed below the text field must automatically match the **Application ID** URI set in the previous step, with `/access_as_user` appended to the end `api://subdomain.example.com/00000000-0000-0000-0000-000000000000/access_as_user`.
+12. In the **Authorized client applications** section, identify the applications that you want to authorize for your appΓÇÖs web application. Select **Add a client application**. Enter each of the following client IDs and select the authorized scope you created in the previous step:
+ * `1fec8e78-bce4-4aaf-ab1b-5451cc387264` for Teams mobile or desktop application.
+ * `5e3ce6c0-2b1f-4285-8d4b-75ee78787346` for Teams web application.
+13. Navigate to **API Permissions**. Select **Add a permission** > **Microsoft Graph** > **Delegated permissions**, then add the following permissions from Graph API:
+ * User.Read enabled by default
* email * offline_access * OpenId * profile
-13. Navigate to **Authentication**
+14. Navigate to **Authentication**.
- If an app hasn't been granted IT admin consent, users will have to provide consent the first time they use an app.
+ If an app has not been granted IT admin consent, users have to provide consent the first time they use an app.
- Set a redirect URI:
+ To enter a redirect URI:
* Select **Add a platform**. * Select **web**.
- * Enter the **redirect URI** for your app. This will be the page where a successful implicit grant flow will redirect the user. This will be same fully qualified domain name that you entered in step 5 followed by the API route where a authentication response should be sent. If you are following any of the Teams samples, this will be: `https://subdomain.example.com/auth-end`
+ * Enter the **redirect URI** for your app. This is the page where a successful implicit grant flow redirects the user. This is the same fully qualified domain name that you entered in step 5 followed by the API route where an authentication response is sent. If you are following any of the Teams samples, this is `https://subdomain.example.com/auth-end`.
+
+ Enable implicit grant by checking the following boxes:
+ Γ£ö ID Token
+ Γ£ö Access Token
- Next, enable implicit grant by checking the following boxes:
- Γ£ö ID Token
- Γ£ö Access Token
-
-Congratulations! You have completed the app registration prerequisites to proceed with your tab SSO app.
+Congratulations! You have completed the app registration prerequisites to proceed with your tab SSO app.
> [!NOTE] >
-> * ┬╣ If your Azure AD app is registered in the _same_ tenant where you're making an authentication request in Teams, the user won't be asked to consent and will be granted an access token right away. Users only need to consent to these permissions if the Azure AD app is registered in a different tenant.
-> * ┬▓ If you get an error stating that the domain is already owned and you are the owner, follow the procedure at [Quickstart: Add a custom domain name to Azure Active Directory](/azure/active-directory/fundamentals/add-custom-domain) to register the domain, and then repeat step 5, above. (This error can also occur if you aren't signed in with Admin credentials in the Office 365 tenancy).
-> * If you are not receiving the UPN (User Principal Name) in the returned access token, you can add it as an [optional claim](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims) in Azure AD.
+> * ┬╣ If your AAD app is registered in the same tenant where you are making an authentication request in Teams, the user cannot be asked to consent and is granted an access token right away. Users only consent to these permissions if the AAD app is registered in a different tenant.
+> * ┬▓ If the custom domain is not added to AAD, you get an error stating that the host name must not be based on an already owned domain. To add custom domain to AAD and register it, follow the [add a custom domain name to AAD](/azure/active-directory/fundamentals/add-custom-domain) procedure, and then repeat step 5. You can also get this error if you are not signed in with Admin credentials in the Office 365 tenancy.
+> * If you are not receiving the user principal name (UPN)) in the returned access token, you can add it as an [optional claim](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims) in AAD.
-### 2. Update your Microsoft Teams application manifest
+### 2. Update your Teams application manifest
-Add new properties to your Microsoft Teams manifest:
-
-* **WebApplicationInfo** - The parent of the following elements:
-
-> [!div class="checklist"]
-> * **id** - The client ID of the application. This is the application ID that you obtained as part of registering the application with Azure AD.
->* **resource** - The domain and subdomain of your application. This is the same URI (including the `api://` protocol) that you registered when creating your `scope` in step 6 above. You shouldn't include the `access_as_user` path in your resource. The domain part of this URI should match the domain, including any subdomains, used in the URLs of your Teams application manifest.
+Use the following code to add new properties to your Teams manifest:
```json "webApplicationInfo": {
} ```
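Review bot: the renumbered registration procedure leaves three cross-references stale. Splitting "New Registration" into a separate step and a "Register an application" step shifts every later step by one, so the Application ID URI is now step 6 and "Add a scope" is step 7, yet the redirect URI bullet still says "the same fully qualified domain name that you entered in step 5", footnote ² still says "and then repeat step 5", and the webApplicationInfo checklist in this same region still says "the same URI ... that you registered when creating your `scope` in step 6"; update these to steps 6, 6 and 7 respectively. Three smaller points in the same region: footnote ¹ now reads "the user cannot be asked to consent", which turns the removed "won't be asked" into a prohibition (use "is not asked"); the UPN footnote has a doubled closing parenthesis in "(UPN))"; and step 8 now says "In the **Who can consent?** box, enter **Admins and users**", but the removed line ("Set **Who can consent?** to `Admins and users`") described a selection rather than typed text, so "select" is the accurate verb.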
+* **WebApplicationInfo** is the parent of the following elements:
+
+> [!div class="checklist"]
+> * **id** - The client ID of the application. This is the application ID that you obtained as part of registering the application with Azure AD.
+>* **resource** - The domain and subdomain of your application. This is the same URI (including the `api://` protocol) that you registered when creating your `scope` in step 6. You must not include the `access_as_user` path in your resource. The domain part of this URI must match the domain, including any subdomains, used in the URLs of your Teams application manifest.
+ > [!NOTE] >
->* The resource for an AAD app will usually be the root of its site URL and the appID (e.g. `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`). We also use this value to ensure your request is coming from the same domain. Therefore, make sure that the `contentURL` for your tab uses the same domains as your resource property.
->* You need to use manifest version 1.5 or higher to implement the `webApplicationInfo` field.
+>* The resource for an AAD app is usually the root of its site URL and the appID (e.g. `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`). This value is also used to ensure your request is coming from the same domain. Ensure that the `contentURL` for your tab uses the same domains as your resource property.
+>* You must use manifest version 1.5 or higher to implement the `webApplicationInfo` field.
### 3. Get an authentication token from your client-side code
-Here's what the authentication API looks like:
+Use the following authentication API:
```javascript var authTokenRequest = {
microsoftTeams.authentication.getAuthToken(authTokenRequest); ```
-When you call `getAuthToken` - and additional user consent is required (for user-level permissions) - we will show a dialog to the user encouraging them to grant additional consent.
+When you call `getAuthToken` - and additional user consent is required for user-level permissions, a dialog is shown to the user to grant additional consent.
-After you receive the access token in the success callback, you can decode the access token to view the claims associated with that token. Optionally, you can manually copy and paste the access token into a tool, such as [jwt.ms](https://jwt.ms/) to inspect its contents. If you are not receiving the User Principal Name (UPN) in the returned access token, you can add it as an [optional claim](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims) in Azure AD.
+After you receive the access token in the success callback, you can decode the access token to view the claims associated with that token. Optionally, you can manually copy and paste the access token into a tool, such as [jwt.ms](https://jwt.ms/) to inspect its contents. If you are not receiving the UPN in the returned access token, you can add it as an [optional claim](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims) in AAD.
<p> <img src="~/assets/images/tabs/tabs-sso-prompt.png" alt="Tab single sign-on SSO dialog prompt" width="75%"/>
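Review bot: the rewritten sentence "When you call `getAuthToken` - and additional user consent is required for user-level permissions, a dialog is shown to the user to grant additional consent." keeps a dangling hyphen from the removed parenthetical with no closing dash to match; suggest "When you call `getAuthToken` and additional user consent is required for user-level permissions, Teams shows the user a dialog asking them to grant that consent." The paragraph below it repeats the UPN optional-claim sentence that already appears in the note at the end of the registration procedure; one of the two can go.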
## Code sample
-|**Sample name**|**Description**|**C#**|**TypeScript**|
+|**Sample name**|**Description**|**C#**|**Node.js**|
||||--| | Tab SSO |Microsoft Teams sample app for tabs Azure AD SSO| [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp)|[View](https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/tab-sso/nodejs), </br>[Teams Toolkit](../../../toolkit/visual-studio-code-tab-sso.md)|
-## Known Limitations
+## Known limitations
-### Apps that require additional Microsoft Graph Scopes
+### Apps that require additional Graph scopes
-Our current implementation for SSO only grants consent for user-level permissions ΓÇö email, profile, offline_access, OpenId ΓÇö not for other APIs (such as User.Read or Mail.Read). If your app needs further Microsoft Graph scopes, here are some enabling workarounds:
+Our current implementation for SSO only grants consent for user-level permissions that is email, profile, offline_access, OpenId and not for other APIs such as User.Read or Mail.Read. If your app needs further Graph scopes, the next section provides some enabling workarounds.
#### Tenant Admin Consent
-The simplest approach is to get a tenant admin to pre-consent on behalf of the organization. This means users wonΓÇÖt have to consent to these scopes and you can then be free to exchange the token server side using Azure ADΓÇÖs [on-behalf-of flow](/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow). This workaround is acceptable for internal line-of-business applications but may not be enough for third-party developers who may not be able to rely on tenant admin approval.
+The simplest approach is to get a tenant admin to pre-consent on behalf of the organization. This means users do not have to consent to these scopes and you can then be free to exchange the token server side using AADΓÇÖs [on-behalf-of flow](/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow). This workaround is acceptable for internal line-of-business applications but is not enough for third-party developers who are not able to rely on tenant admin approval.
-A simple way of consenting on behalf of an organization (as a tenant admin) is to visit:
+A simple way of consenting on behalf of an organization as a tenant admin is to refer to `https://login.microsoftonline.com/common/adminconsent?client_id=<AAD_App_ID>`.
-* `https://login.microsoftonline.com/common/adminconsent?client_id=<AAD_App_ID>`
+#### Ask for additional consent using the Auth API
-#### Asking for additional consent using the Auth API
+Another approach for getting additional Graph scopes is to present a consent dialog using our existing [web-based Azure AD authentication approach](~/tabs/how-to/authentication/auth-tab-aad.md#navigate-to-the-authorization-page-from-your-popup-page) which involves popping up an Azure AD consent dialog box.
-Another approach for getting additional Microsoft Graph scopes is to present a consent dialog using our existing [web-based Azure AD authentication approach](~/tabs/how-to/authentication/auth-tab-aad.md#navigate-to-the-authorization-page-from-your-popup-page) which involves popping up an Azure AD consent dialog. There are some notable additions:
+**To ask for additional consent using the Auth API**
-1. The token retrieved using `getAuthToken()` needs to be exchanged server-side using Azure AD [on-behalf-of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to get access to those additional Microsoft Graph APIs.
- * Be sure to use the v2 Microsoft Graph endpoint for this exchange
-2. If the exchange fails, Azure AD will return an invalid grant exception. There are usually one of two error messages: `invalid_grant` or `interaction_required`
-3. When the exchange fails, then you need to ask for additional consent. We recommend showing some UI asking the user to grant additional consent. This UI should include a button that triggers an Azure AD consent dialog using our [Azure AD authentication API](~/concepts/authentication/auth-silent-aad.md).
-4. When asking for additional consent from Azure AD, you need to include `prompt=consent` in your [query-string-parameter](~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context) to Azure AD otherwise Azure AD will not ask for the additional scopes.
- * Instead of: `?scope={scopes}`
- * Use this: `?prompt=consent&scope={scopes}`
- * Be sure that `{scopes}` includes all the scopes you are prompting the user for (ex: Mail.Read or User.Read).
+1. The token retrieved using `getAuthToken()` needs to be exchanged server-side using AAD [on-behalf-of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to get access to those additional Graph APIs. Ensure you use the v2 Graph endpoint for this exchange.
+2. If the exchange fails, AAD returns an invalid grant exception. There are usually one of two error messages, `invalid_grant` or `interaction_required`.
+3. When the exchange fails, you must ask for additional consent. Show some user interface (UI) asking the user to grant additional consent. This UI must include a button that triggers an AAD consent dialog box using our [AAD authentication API](~/concepts/authentication/auth-silent-aad.md).
+4. When asking for additional consent from AAD, you must include `prompt=consent` in your [query-string-parameter](~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context) to AAD, otherwise AAD does not ask for the additional scopes.
+ * Instead of `?scope={scopes}`
+ * Use this `?prompt=consent&scope={scopes}`
+ * Ensure that `{scopes}` includes all the scopes you are prompting the user for, for example, Mail.Read or User.Read.
5. Once the user has granted additional permission, retry the on-behalf-of-flow to get access to these additional APIs.
-### Non-Azure AD Authentication
+### Non-AAD authentication
-The above-described authentication solution only works for apps and services that support Azure AD as an identity provider. Apps that want to authenticate using non-Azure AD based services need to continue using the pop-up-based [web authentication flow](~/concepts/authentication.md).
+The above-described authentication solution only works for apps and services that support AAD as an identity provider. Apps that want to authenticate using non-AAD based services must continue using the pop-up-based [web authentication flow](~/concepts/authentication.md).
-> [!NOTE]
-> SSO is supported for customer owned apps within the Azure AD B2C tenants.
+> [!NOTE]
+> SSO is supported for customer owned apps within the AAD B2C tenants.
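Review bot: in the tenant admin workaround, "A simple way of consenting ... is to refer to `https://login.microsoftonline.com/common/adminconsent?client_id=<AAD_App_ID>`" replaces "visit", but that URL is an endpoint the admin opens in a browser, not a document to refer to; use "visit" or "open". Step 1 of the Auth API procedure says "Ensure you use the v2 Graph endpoint for this exchange", yet the link on the same line goes to `v2-oauth2-on-behalf-of-flow` under the Azure AD developer docs, which is an AAD endpoint rather than a Graph endpoint; say "the v2 AAD endpoint" to match the link. Two consistency points: "#### Tenant Admin Consent" was left in title case while the surrounding headings were lowercased in this change ("Known limitations", "Apps that require additional Graph scopes", "Ask for additional consent using the Auth API"), and the intro sentence now says "the next section provides some enabling workarounds" although two workaround sections follow. Finally, "is not enough for third-party developers who are not able to rely on tenant admin approval" turns the hedged "may not be enough ... who may not be able to" into an absolute; keep the hedge.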