Updates from: 06/04/2021 03:39:33
Service Microsoft Docs article Related commit history on GitHub Change details
platform Submission Checklist https://github.com/MicrosoftDocs/msteams-docs/commits/master/msteams-platform/concepts/deploy-and-publish/appsource/prepare/submission-checklist.md
Your app's name (specifically, its [*short name*](~/resources/schema/manifest-sc
:::row-end:::
-Make sure your short name adheres to the [store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#11-app-name).
+Make sure your short name adheres to the [store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#app-name).
### Write descriptions
A concise summary of your app that should be original, engaging, and directed at
:::row-end:::
-Make sure your short description adheres to the [store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#431-short-description).
+Make sure your short description adheres to the [store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#short-description).
#### Long description
The long description can provide a narrative that highlights your app's main fea
:::row-end:::
-Make sure your long description adheres to the [store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#432-long-description).
+Make sure your long description adheres to the [store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#long-description).
### Adhere to icon design guidelines
Remember the following about screenshots:
For best practices, see the following resources:
-* [Teams store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#44-screenshots)
+* [Teams store validation guidelines](~/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md#screenshots)
* [Craft effective images for Microsoft app stores](/office/dev/store/craft-effective-appsource-store-images) ### Create a video
platform Teams Store Validation Guidelines https://github.com/MicrosoftDocs/msteams-docs/commits/master/msteams-platform/concepts/deploy-and-publish/appsource/prepare/teams-store-validation-guidelines.md
Following these guidelines increases the likelihood your app will pass the Micro
> [!NOTE] > Some guidelines may not be applicable to your app. For example, if your app doesn't include a bot, you can ignore bot-related guidelines.
-## 1.0 Value proposition
+## Value proposition
-### 1.1 App name
+### App name
An app's name plays a critical role in how users discover it in the store. Remember the following about app names:
An app's name plays a critical role in how users discover it in the store. Remem
* Must not contain profane or derogatory terms. The name also must not include racially or culturally insensitive language. * Must be unique. For example, you cannot list multiple apps for different regions with the same name and functionality.
-### 1.2 Suitable for workplace consumption
+### Suitable for workplace consumption
App content must be suitable for general workplace consumption and abide by all restrictions listed in the commercial marketplace certification policies. Content related to religion, politics, gambling, and prolonged entertainment is prohibited. For more information, see the [commercial marketplace certification policies](/legal/marketplace/certification-policies#10010-inappropriate-content). Your app must facilitate group collaboration, improve an individual's productivity, or both. Apps intended for team bonding and socializing must be collaborative and designed for multiple participants. These types of apps also should not require a substantial time investment or perceptively impact productivity.
-### 1.3 Similar platforms and services
+### Similar platforms and services
Apps must focus on the Teams experience and not include the names, icons, or imagery of other similar chat-based collaboration platforms or services unless your app provides specific interoperability.
-### 1.4 Feature names
+### Feature names
App feature names in buttons and other UI text must not conflict with terminology reserved for Teams and other Microsoft products. For example, **Start meeting**, **Make call**, or **Start chat**. Include your app name if you can't completely avoid this, such as **Start Contoso meeting** instead of **Start meeting**.
-## 2.0 Security
+## Security
-### 2.1 Microsoft 365 App Compliance Program
+### Microsoft 365 App Compliance Program
The [Microsoft 365 App Compliance Program](/microsoft-365-app-certification/overview) is intended to help organizations assess and manage risk by evaluating security and compliance information about your app. If you're publishing an app to the Teams store, you must complete the following tiers of the program:
The [Microsoft 365 App Compliance Program](/microsoft-365-app-certification/over
> [!NOTE] > If you're submitting an app that hasn't been listed previously, you can't officially complete Publisher Attestation until your app is in the Teams store. If you're updating a listed app, complete Publisher Attestation before you submit the latest version of the app.
-### 2.2 Bots
+### Bots
For apps that use the Microsoft Azure Bot Service (such as bots and messaging extensions), you must follow all requirements defined in the Microsoft [Online Services Terms](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46). Bots must always ask permission to upload a file and display a confirmation message after the file uploads.
-### 2.3 External domains
+### External domains
In most cases, you must not include domains outside of your organization's control (including wildcards) and tunneling services in your app's domain configurations. The following exceptions include: * If your app uses the Azure Bot Service's OAuthCard, you must include `token.botframework.com` as a valid domain or the **Sign in** button won't work. * If your app relies on SharePoint, you can include the associated root SharePoint site as a valid domain using the `{teamSiteDomain}` context property.
-### 2.4 Authentication
+### Authentication
For information on how to implement app authentication, see [authentication in Teams](~/concepts/authentication/authentication.md).
-#### 2.4.1 Authenticating with external services
+#### Authenticating with external services
Remember the following if your app authenticates users with an external service.
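Review bot: dropping the numeric prefix from `### 2.2 Bots` leaves a `### Bots` heading under Security whose text is identical to the `## Bots` section that `## 6.0 Bots` becomes later in this same file, so the two headings can no longer be told apart by a name-based anchor. Give the Security subsection distinguishing heading text (it covers the Azure Bot Service terms and file-upload permission) and check inbound links that followed the old numbered pattern, as the `#63-bot-message-spamming` and `#11-app-name` links did.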
Remember the following if your app authenticates users with an external service.
* When a user signs out, they must sign out only from the app and remain signed in to Teams. * **Content sharing experiences**: Apps that require authentication with an external service to share content in Teams channels must clearly state in help documentation (or similar resources) how to disconnect or unshare content if that feature is supported on the external service. This does not mean the ability to unshare content must be present in your Teams app.
-#### 2.4.2 Government Community Cloud listings
+#### Government Community Cloud listings
To distribute your app to Government Community Cloud (GCC) users while avoiding duplicate listings in the Teams store, the authentication process must identify and route users to a GCC-specific or expected URL.
-### 2.5 Sensitive content
+### Sensitive content
Your app must not post sensitive data, such as credit card or financial payment instrument data. The app also must not display health, contact tracing, or other personally identifiable information (PII) to an audience not intended to view that content. Warn users before your app downloads any files or executables (.exe) into the user's machine or environment.
-### 2.6 Financial information
+### Financial information
Apps must not ask users to make payments within the Teams interface. Financial instrument details must not be transmitted to users through a bot interface.
Apps running on the iOS or Android version of Teams must adhere to the following
* You may determine whether an account is active indefinitely or for a limited time, but if the account expires, no UI, text, or links indicating the need to pay may be shown. * Your app's privacy policy and terms of use pages must be free of any commerce-related UI or links.
-## 3.0 General functionality and performance
+## General functionality and performance
-### 3.1 Launching external functionality
+### Launching external functionality
Apps must not take users out of Teams for core user scenarios. App content and interactions can occur within Teams capabilities, such as bots, cards, and task modules. You should link users somewhere in Teams and not to an external site or app. For scenarios that require external functionality, your app must have explicit user permission to launch that functionality.
-### 3.2 Compatibility
+### Compatibility
Apps must be fully functional on the following operating systems and browsers:
Apps must be fully functional on the following operating systems and browsers:
* iOS 9.0 and later * Android 4.4 and later
-### 3.3 Response time
+### Response time
Teams apps must respond within a reasonable timeframe, which varies depending on the capability.
Teams apps must respond within a reasonable timeframe, which varies depending on
* Messaging extensions must respond to user commands within five seconds. * Notifications must display within five seconds of the user action.
-## 4.0 App package and store listing
+## App package and store listing
App packages must be correctly formatted and include all required information and components.
-### 4.1 App manifest
+### App manifest
The Teams app manifest defines your app's configurations.
The Teams app manifest defines your app's configurations.
* If your app includes a bot or messaging extension, your manifest must be consistent with Bot Framework metadata, including bot name, logo, privacy policy link, and terms of service link. * If your app uses Azure Active Directory (Azure AD) for authentication, include the Azure AD Application (client) ID in the manifest. For more information, see the [manifest reference](~/resources/schem#webapplicationinfo).
-### 4.2 App icons
+### App icons
Icons are one of the main elements people see when browsing the Teams store. Your icons should communicate your app's brand and purpose while also adhering to the following requirements:
Icons are one of the main elements people see when browsing the Teams store. You
For more information, best practices, and examples, see the Teams app [icon guidelines](~/concepts/build-and-test/apps-package.md#app-icons).
-### 4.3 App descriptions
+### App descriptions
You must have a short and long description of your app. The descriptions in your app configurations and Partner Center must be the same. Descriptions should not directly or through insinuation disparage another brand (Microsoft owned or otherwise). Make sure your description does not include claims that can't be substantiated (for example, "Guaranteed 200 percent increase in efficiency").
-#### 4.3.1 Short description
+#### Short description
A short description is a concise summary of your app that highlights its value proposition and is directed at your target audience.
A short description is a concise summary of your app that highlights its value p
* Repeat your app name. * Use the word **app** in the short description.
-#### 4.3.2 Long description
+#### Long description
The long description can provide an engaging narrative that highlights your app's value proposition, primary audience, and target industry. While this description can be as long as 4,000 characters, most users will only read between 300-500 words.
The long description can provide an engaging narrative that highlights your app'
* "... developed for ..." * "... designed for ..."
-### 4.4 Screenshots
+### Screenshots
Screenshots provide a prominent visual preview of your app to complement your app name, icon, and descriptions. Remember the following about screenshots:
Screenshots provide a prominent visual preview of your app to complement your ap
> [!TIP] > A video can be the most effective way to communicate why people should use your app. A video also is the first thing users see in your listing (by default, a video displays before screenshots). For more information, see [create a video for your store listing](~/concepts/deploy-and-publish/appsource/prepare/submission-checklist.md#create-a-video).
-### 4.5 Privacy policy
+### Privacy policy
The privacy policy can be specific to your Teams app or an overall policy for all of your services.
The privacy policy can be specific to your Teams app or an overall policy for al
* Should not contain URLs that are broken or for beta or staging purposes. * Must not include links to AppSource.
-### 4.6 Terms of use
+### Terms of use
Your terms of use should be specific and applicable to your offering.
-### 4.7 Support links
+### Support links
Your app's support URLs should not require authentication. For example, users should not have to log in to contact you.
-### 4.8 Localization
+### Localization
If your app supports localization, your app package must include a file with language translations that display based on the Teams language setting. The file must conform to the Teams localization schema. For more information, see the [Teams localization schema](~/concepts/build-and-test/apps-localization.md).
-## 5.0 Tabs
+## Tabs
If your app includes a tab, make sure it adheres to these guidelines. > [!TIP] > For information on creating a high-quality app experience, see the [Teams tab design guidelines](~/tabs/design/tabs.md).
-### 5.1 Setup
+### Setup
* Tab setup must not dead-end a new user. Provide a message on how to complete the action or workflow. * Authentication should happen during tab setup and not after.
-### 5.2 Views
+### Views
* The sign-in screen area must not use large logos or display an entire webpage. * Content can be simplified by breaking it down across multiple tabs. * Tabs should not have a duplicate header. Remove the logo from the iframe since the tab framework already displays the app icon and name.
-### 5.3 Navigation
+### Navigation
* Tabs must not have more than three levels of navigation. * Tabs must not provide navigation that conflicts with the primary Teams navigation.
If your app includes a tab, make sure it adheres to these guidelines.
* Deep links in tabs must not link to an external webpage but somewhere within Teams. For example, task modules or other tabs. * Tabs should not allow users to navigate outside Teams for the core app experience.
-### 5.4 Usability
+### Usability
* Tabs must provide value beyond just hosting an existing website. * Users must be able to undo their last action in the tab.
If your app includes a tab, make sure it adheres to these guidelines.
> * Include a personal bot alongside a personal tab. > * Allow users to share content from their personal tab.
-## 6.0 Bots
+## Bots
If your app includes a bot, make sure it adheres to these guidelines. > [!TIP] > For information on creating a high-quality app experience, see the [Teams bot design guidelines](~/bots/design/bots.md).
-### 6.1 Bot commands
+### Bot commands
Analyzing user input and predicting user intent is difficult. Bot commands provide users a set of words or phrases your bot understands so they (and your bot) don't have to guess.
Analyzing user input and predicting user intent is difficult. Bot commands provi
> [!TIP] > For personal bots, include a **Help** tab that further describes what your bot can do.
-### 6.2 Bot welcome messages
+### Bot welcome messages
* Bots should almost always send a welcome message during first run. For the best experience, the message should include the value proposition of your bot, how to configure the bot, and briefly describe all supported bot commands. You can display the message using an Adaptive Card with buttons for better usability. For more information, see [how to trigger a bot welcome message](~/bots/how-to/conversations/send-proactive-messages.md).
-* Bot welcome messages in channels and chats are optional during first run, especially if the bot is available for personal use and performs similar actions. If your bot does send welcome messages, it must not send these to users individually (this is considered [spamming](#63-bot-message-spamming)). The message should also mention the person who added the bot.
+* Bot welcome messages in channels and chats are optional during first run, especially if the bot is available for personal use and performs similar actions. If your bot does send welcome messages, it must not send these to users individually (this is considered [spamming](#bot-message-spamming)). The message should also mention the person who added the bot.
* Notification-only bots must send a welcome message that conveys it will not reply to users' messages. > [!TIP] > In welcome messages to individual users, a carousel tour can provide an effective overview of your bot and any other app features. Including buttons the let users try bot commands is encouraged. For example, **Create a task**.
-### 6.3 Bot message spamming
+### Bot message spamming
Bots must not spam users by sending multiple messages in short succession.
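Review bot: the welcome-message TIP kept as context right after the updated `#bot-message-spamming` link still reads "Including buttons the let users try bot commands is encouraged"; since this section is being touched, change "the" to "that" in the same commit.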
Bots must not spam users by sending multiple messages in short succession.
* **Bot messages in personal apps**: Don't send multiple messages in quick succession. Send one message with complete information. Avoid multi-turn conversations to complete a single workflow. Instead, consider using a form (or task module) to collect all inputs from a user at one time. * **Welcome messages**: Repeating the same welcome message over regular intervals is not allowed and considered spamming. For example, when a new member is added to a team, don't spam the other members with a welcome message. Message the new member personally instead.
-### 6.4 Bot notifications
+### Bot notifications
Bot notifications must include content relevant for the scope you define for the bot (team, chat, or personal).
-### 6.5 Bots and Adaptive Cards
+### Bots and Adaptive Cards
Adaptive Cards are a highly recommended way to display bot messages. Your cards must be lightweight and include only 1-3 actions. If you need to display more content, consider using a task module or tab.
See the following resources for more information:
* [Designing Adaptive Cards](~/task-modules-and-cards/cards/design-effective-cards.md) * [Cards reference](~/task-modules-and-cards/cards/cards-reference.md#types-of-cards)
-## 7.0 Messaging extensions
+## Messaging extensions
If your app includes a messaging extension, make sure it adheres to these guidelines. > [!TIP] > For information on creating a high-quality app experience, see the [Teams messaging extension design guidelines](~/messaging-extensions/design/messaging-extension-design.md).
-### 7.1 Action commands
+### Action commands
Action-based messaging extensions should do the following: * Allow users to trigger actions on a message without completing intermediate steps, such as signing in. * Pass the message context to the next work state.
-### 7.2 Preview links (link unfurling)
+### Preview links (link unfurling)
Messaging extensions should preview recognized links in the Teams compose box. Do not add domains that are outside your control (either absolute URLs or wildcards). For example, `yourapp.onmicrosoft.com` is valid but `*.onmicrosoft.com` is not valid. Top-level domains also are prohibited (for example, `*.com` or `*.org`).
-### 7.3 Search commands
+### Search commands
* Search-based messaging extensions must provide text that helps users effectively search. * @mention executables must be clear, easy to understand, and readable.
-## 8.0 Task modules
+## Task modules
A task module must include an icon and the short name of the app it's associated with. > [!TIP] > For information on creating a high-quality app experience, see the [Teams task module design guidelines](~/task-modules-and-cards/task-modules/design-teams-task-modules.md).
-## 9.0 Meeting extensions
+## Meeting extensions
If your app includes a meeting extension, make sure it adheres to these guidelines. > [!TIP] > For information on creating a high-quality app experience, see the [Teams meeting extension design guidelines](~/apps-in-teams-meetings/design/designing-apps-in-meetings.md).
-### 9.1 Pre- and post-meeting experience
+### Pre- and post-meeting experience
* Pre- and post-meeting screens must adhere to general tab design guidelines. For more information, see the [Teams design guidelines](~/tabs/design/tabs.md). * Tabs must not have horizontal scrolling. * Tabs should have an organized layout when displaying multiple items. For instance, more than 10 polls or surveys. See an [example layout](~/apps-in-teams-meetings/design/designing-apps-in-meetings.md#after-a-meeting). * Your app must notify users when the results of a survey or poll are exported by stating, "Results successfully downloaded".
-### 9.2 In-meeting experience
+### In-meeting experience
* Apps must only use a dark theme during meetings. For more information, see the [Teams design guidelines](~/apps-in-teams-meetings/design/designing-apps-in-meetings.md#theming). * A tooltip should display the app name when hovering over the app icon during meetings. * Messaging extensions must function the same during meetings as they do outside meetings.
-### 9.3 In-meeting tabs
+### In-meeting tabs
* Must be responsive. Make sure to maintain padding and component sizes. * Must have a back button if there is more than one layer of navigation. * Must not include more than one dismiss or close button. This may confuse users since there's already a built-in header button to dismiss the tab. * Must not have horizontal scrolling.
-### 9.4 In-meeting dialogs
+### In-meeting dialogs
* Should be used sparingly and for scenarios that are light and task-oriented. * Must display content in a single column and not have multiple navigation levels.
If your app includes a meeting extension, make sure it adheres to these guidelin
* Must align with the center of the meeting stage. * Should be dismissed once a user selects a button or performs an action.
-## 10.0 Notifications
+## Notifications
If your app uses the [activity feed APIs provided by Microsoft Graph](/graph/teams-send-activityfeednotifications), make sure it adheres to the following guidelines.
-### 10.1 General
+### General
* All the notification triggers specified in your app configurations should get a notification in the app. * Notifications must be localized per the supported languages configured for your app. * Notifications must display within five seconds of user action.
-### 10.2 Avatars
+### Avatars
* The notification avatar should match your app's color icon. * Notifications triggered by a user should include the user's avatar.
-### 10.3 Spamming
+### Spamming
* Apps must not send more than 10 notifications per minute to a user. * Bots and the activity feed should not trigger duplicate notifications. * Notifications must provide some value to users and not be used for trivial or irrelevant events.
-### 10.4 Navigation and layout
+### Navigation and layout
* Notifications must adhere to the Teams activity feed layout and experience. * When selecting a notification, the user must be directed to relevant content within Teams and not taken out of the Teams experience.
-## 11.0 Advertising
+## Advertising
Apps must not display advertising, including dynamic ads, banner ads, and ads in messages.
-## See also
-
-[4.0 App package and store listing](#40-app-package-and-store-listing)
- ## Next step > [!div class="nextstepaction"]
platform Auth Aad Sso https://github.com/MicrosoftDocs/msteams-docs/commits/master/msteams-platform/tabs/how-to/authentication/auth-aad-sso.md
This section describes the tasks involved in creating a Teams tab that uses SSO.
**To register your application in the [AAD portal](https://azure.microsoft.com/features/azure-portal/) overview**
-1. Get your [AAD Application ID](/azure/active-directory/develop/howto-create-service-principal-portal#get-values-for-signing-in).
-2. Specify the permissions that your application needs for the AAD endpoint and, optionally, Graph.
-3. [Grant permissions](/azure/active-directory/develop/howto-create-service-principal-portal#configure-access-policies-on-resources) for Teams desktop, web, and mobile applications.
-4. Pre-authorize Teams by selecting the **Add a scope** button and in the panel that opens, enter **access_as_user** as the **Scope name**.
+1. Get your [AAD Application ID](/azure/active-directory/develop/howto-create-service-principal-portal#get-values-for-signing-in).
+1. Specify the permissions that your application needs for the AAD endpoint and, optionally, Graph.
+1. [Grant permissions](/azure/active-directory/develop/howto-create-service-principal-portal#configure-access-policies-on-resources) for Teams desktop, web, and mobile applications.
+1. Pre-authorize Teams by selecting the **Add a scope** button and in the panel that opens, enter **access_as_user** as the **Scope name**.
> [!NOTE] > There are some important restrictions that you must know:
This section describes the tasks involved in creating a Teams tab that uses SSO.
**To register your app through the AAD portal** 1. Register a new application in the [AAD App Registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
-2. Select **New Registration**. The **Register an application** page appears.
-3. In the **Register an application** page, enter the following values:
+1. Select **New Registration**. The **Register an application** page appears.
+1. In the **Register an application** page, enter the following values:
1. Enter a **Name** for your app. 2. Choose the **Supported account types**, select single tenant or multitenant account type. ┬╣ * Leave **Redirect URI** empty. 3. Choose **Register**.
-4. On the overview page, copy and save the **Application (client) ID**. You must have it later when updating your Teams application manifest.
-5. Under **Manage**, select **Expose an API**.
-6. Select the **Set** link to generate the Application ID URI in the form of `api://{AppID}`. Insert your fully qualified domain name with a forward slash "/" appended to the end, between the double forward slashes and the GUID. The entire ID must have the form of `api://fully-qualified-domain-name.com/{AppID}`. ┬▓ For example, `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`. The fully qualified domain name is the human readable domain name from which your app is served. If you are using a tunneling service such as ngrok, you must update this value whenever your ngrok subdomain changes.
-7. Select **Add a scope**. In the panel that opens, enter **access_as_user** as the **Scope name**.
-8. In the **Who can consent?** box, enter **Admins and users**.
-9. Enter the details in the boxes for configuring the admin and user consent prompts with values that are appropriate for the `access_as_user` scope:
+1. On the overview page, copy and save the **Application (client) ID**. You must have it later when updating your Teams application manifest.
+1. Under **Manage**, select **Expose an API**.
+
+ > [!NOTE]
+ > If you are building an app with a bot and a tab, enter the Application ID URI as `api://fully-qualified-domain-name.com/botid-{YourBotId}`.
+
+1. Select the **Set** link to generate the Application ID URI in the form of `api://{AppID}`. Insert your fully qualified domain name with a forward slash "/" appended to the end, between the double forward slashes and the GUID. The entire ID must have the form of `api://fully-qualified-domain-name.com/{AppID}`. ┬▓ For example, `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`. The fully qualified domain name is the human readable domain name from which your app is served. If you are using a tunneling service such as ngrok, you must update this value whenever your ngrok subdomain changes.
+1. Select **Add a scope**. In the panel that opens, enter **access_as_user** as the **Scope name**.
+1. In the **Who can consent?** box, enter **Admins and users**.
+1. Enter the details in the boxes for configuring the admin and user consent prompts with values that are appropriate for the `access_as_user` scope:
* **Admin consent Title: ** Teams can access the userΓÇÖs profile. * **Admin consent description**: Teams can call the appΓÇÖs web APIs as the current user. * **User consent title**: Teams can access your profile and make requests on your behalf. * **User consent description:** Teams can call this appΓÇÖs APIs with the same rights as you have.
-10. Ensure that **State** is set to **Enabled**.
-11. Select **Add scope** to save the details. The domain part of the **Scope name** displayed below the text field must automatically match the **Application ID** URI set in the previous step, with `/access_as_user` appended to the end `api://subdomain.example.com/00000000-0000-0000-0000-000000000000/access_as_user`.
-12. In the **Authorized client applications** section, identify the applications that you want to authorize for your appΓÇÖs web application. Select **Add a client application**. Enter each of the following client IDs and select the authorized scope you created in the previous step:
+1. Ensure that **State** is set to **Enabled**.
+1. Select **Add scope** to save the details. The domain part of the **Scope name** displayed below the text field must automatically match the **Application ID** URI set in the previous step, with `/access_as_user` appended to the end `api://subdomain.example.com/00000000-0000-0000-0000-000000000000/access_as_user`.
+1. In the **Authorized client applications** section, identify the applications that you want to authorize for your appΓÇÖs web application. Select **Add a client application**. Enter each of the following client IDs and select the authorized scope you created in the previous step:
* `1fec8e78-bce4-4aaf-ab1b-5451cc387264` for Teams mobile or desktop application. * `5e3ce6c0-2b1f-4285-8d4b-75ee78787346` for Teams web application.
-13. Navigate to **API Permissions**. Select **Add a permission** > **Microsoft Graph** > **Delegated permissions**, then add the following permissions from Graph API:
+1. Navigate to **API Permissions**. Select **Add a permission** > **Microsoft Graph** > **Delegated permissions**, then add the following permissions from Graph API:
* User.Read enabled by default * email * offline_access * OpenId * profile
-14. Navigate to **Authentication**.
+1. Navigate to **Authentication**.
If an app has not been granted IT admin consent, users have to provide consent the first time they use an app.
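Review bot: the added NOTE giving `api://fully-qualified-domain-name.com/botid-{YourBotId}` sits after "Under **Manage**, select **Expose an API**" and before the "Select the **Set** link" step, so readers meet the bot-and-tab variant before the base form `api://fully-qualified-domain-name.com/{AppID}` has been introduced. Move the note to follow the **Set** step and keep it indented under that list item so the new all-`1.` numbering does not restart after it. The nested sub-list in the context line ("1. Enter a **Name** ... 2. Choose ... 3. Choose **Register**") still uses explicit numbers and should follow the same convention.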
Congratulations! You have completed the app registration prerequisites to procee
> > * ┬╣ If your AAD app is registered in the same tenant where you are making an authentication request in Teams, the user cannot be asked to consent and is granted an access token right away. Users only consent to these permissions if the AAD app is registered in a different tenant. > * ┬▓ If the custom domain is not added to AAD, you get an error stating that the host name must not be based on an already owned domain. To add custom domain to AAD and register it, follow the [add a custom domain name to AAD](/azure/active-directory/fundamentals/add-custom-domain) procedure, and then repeat step 5. You can also get this error if you are not signed in with Admin credentials in the Office 365 tenancy.
-> * If you are not receiving the user principal name (UPN)) in the returned access token, you can add it as an [optional claim](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims) in AAD.
+> * If you are not receiving the user principal name (UPN)) in the returned access token, you can add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in AAD.
### 2. Update your Teams application manifest
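Review bot: the rewritten bullet carries over the doubled closing parenthesis in "user principal name (UPN))"; drop the extra `)` while the line is being changed. The footnote in the context line above it also says "repeat step 5", a hard-coded step number that is easy to get wrong now that the procedure uses `1.` for every item and has gained a NOTE between steps; refer to the step by its action (setting the Application ID URI) instead.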
microsoftTeams.authentication.getAuthToken(authTokenRequest);
When you call `getAuthToken` - and additional user consent is required for user-level permissions, a dialog is shown to the user to grant additional consent.
-After you receive the access token in the success callback, you can decode the access token to view the claims associated with that token. Optionally, you can manually copy and paste the access token into a tool, such as [jwt.ms](https://jwt.ms/) to inspect its contents. If you are not receiving the UPN in the returned access token, you can add it as an [optional claim](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims) in AAD.
+After you receive the access token in the success callback, you can decode the access token to view the claims associated with that token. Optionally, you can manually copy and paste the access token into a tool, such as [jwt.ms](https://jwt.ms/) to inspect its contents. If you are not receiving the UPN in the returned access token, you can add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in AAD.
<p> <img src="~/assets/images/tabs/tabs-sso-prompt.png" alt="Tab single sign-on SSO dialog prompt" width="75%"/>
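Review bot: the changed line still advises readers to "manually copy and paste the access token into a tool, such as jwt.ms" without saying which tokens are suitable for that, and it repeats the optional-claim sentence that already appears in the registration notes earlier in this file. While editing the link, state that the token to inspect should come from a test tenant, and replace the repeated UPN sentence with a pointer to the earlier note.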