Updates from: 06/04/2022 01:20:40
Service Microsoft Docs article Related commit history on GitHub Change details
platform API References https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/apps-in-teams-meetings/API-references.md
The `GetParticipant` API must have a bot registration and ID to generate auth to
### Query parameters > [!TIP]
-> Get participant IDs and tenant IDs from the [tab SSO authentication](../tabs/how-to/authentication/auth-aad-sso.md).
+> Get participant IDs and tenant IDs from the [tab SSO authentication](../tabs/how-to/authentication/tab-sso-overview.md).
The `Meeting` API must have `meetingId`, `participantId`, and `tenantId` as URL parameters. The parameters are available as part of the Teams Client SDK and bot activity.
The `shareAppContentToStage` API enables you to share specific parts of your app
### Prerequisite
-* To use the `shareAppContentToStage` API, you must obtain the RSC permissions. In the app manifest, configure the `authorization` property, and the `name` and `type` in the `resourceSpecific` field. For example:
+* To use the `shareAppContentToStage` API, you must obtain the RSC permissions. In the app manifest, configure the `authorization` property, and the `name` and `type` in the `resourceSpecific` field. For example:
```json "authorization": {
The `shareAppContentToStage` API enables you to share specific parts of your app
} } ```
-* `appContentUrl` must be allowed by `validDomains` array inside manifest.json, else API would return 501.
+
+* `appContentUrl` must be allowed by `validDomains` array inside manifest.json, else API would return 501.
### Query parameter
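Review bot: The `+` line for the RSC-permission bullet (the one beginning `* To use the `shareAppContentToStage` API`) reads identically to the `-` line it replaces, so either the change is whitespace-only and the commit message should say so, or the intended wording fix did not land. In the `appContentUrl` bullet, "else API would return 501" should read "otherwise the API returns 501", and it is worth saying why: `validDomains` is the allowlist enforced on the URL shared to the stage, so the 501 is an expected rejection of a domain the manifest does not declare, and only domains the app itself serves should be listed there.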
platform Enable And Configure Your App For Teams Meetings https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/apps-in-teams-meetings/enable-and-configure-your-app-for-teams-meetings.md
To add a bot to a meeting:
In a meeting chat, enter the **@** key and select **Get bots**. > [!NOTE]
+>
> * The in-meeting dialog displays a dialog in a meeting and simultaneously posts an Adaptive Card in the meeting chat that users can access. The Adaptive Card in the meeting chat helps users while attending the meeting or if the Teams app is minimized.
-> * The user identity must be confirmed using [Tabs SSO](../tabs/how-to/authentication/auth-aad-sso.md). After authentication, the app can retrieve the user role using the `GetParticipant` API.
+> * The user identity must be confirmed using [Tabs SSO](../tabs/how-to/authentication/tab-sso-overview.md). After authentication, the app can retrieve the user role using the `GetParticipant` API.
> * Based on the user role, the app has the capability to provide role specific experiences. For example, a polling app allows only organizers and presenters to create a new poll. > * Role assignments can be changed while a meeting is in progress. For more information, see [roles in a Teams meeting](https://support.microsoft.com/office/roles-in-a-teams-meeting-c16fa7d0-1666-4dde-8686-0a0bfe16e019).
Participants can share specific parts of the app to the collaborative meeting st
To share specific parts of the app to stage, you must invoke the related APIs in the Teams client SDK library. For more information, see [API reference](API-references.md). > [!NOTE]
+>
> * To share specific parts of the app to stage, use Teams manifest version 1.12 or later. > * Share specific parts of the app to stage is supported for Teams desktop clients only.
platform Meeting App Extensibility https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/apps-in-teams-meetings/meeting-app-extensibility.md
A meeting lifecycle consists of pre-meeting, in-meeting, and post-meeting app ex
Tabs allow the team members to access services and content in a specific space within a meeting. The team works directly with tabs and has conversations about the tools and data available within tabs. In Teams meeting, you can add a tab by selecting <img src="~/assets/images/apps-in-meetings/plusbutton.png" alt="Plus button" width="30"/>, and select the app that you want to install. > [!IMPORTANT]
-> If you have integrated a tab with your meeting, then your app must follow the Teams [single sign-on (SSO) authentication flow for tabs](../tabs/how-to/authentication/auth-aad-sso.md).
+> If you have integrated a tab with your meeting, then your app must follow the Teams [single sign-on (SSO) authentication flow for tabs](../tabs/how-to/authentication/tab-sso-overview.md).
> [!NOTE] >
To use tabs during a meeting:
:::image type="content" source="~/assets/images/apps-in-meetings/desktop-in-meeting-dialog-view.png" alt-text="Desktop view"::: - # [Mobile](#tab/mobile) After entering the meeting and adding the app from desktop or web, the app is visible in mobile Teams meeting under the **Apps** section. Select **Apps** to show the list of apps. User can launch any of the apps as an in-meeting side panel of the app.
platform Add Authentication https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/bots/how-to/authentication/add-authentication.md
Within the following dialog step, check for the presence of a token in the resul
+## Code sample
+
+This section provides Bot authentication v3 SDK sample.
+
+| **Sample name** | **Description** | **.NET** | **Node.js** | **Python** |
+||||-||
+| Bot authentication | This sample shows how to get started with authentication in a bot for Microsoft Teams. | [View](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore/46.teams-auth) | [View](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/javascript_nodejs/46.teams-auth) | [View](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/python/46.teams-auth) |
+| Tab, Bot and Message Extension (ME) SSO | This sample shows SSO for Tab, Bot and ME - search, action, linkunfurl. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/nodejs) | Not available |
+ ## See also [Add authentication through Azure Bot Service](https://aka.ms/azure-bot-add-authentication)
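Review bot: The table delimiter row `||||-||` has four empty cells and will not be recognised as a header separator, so the sample table will render as plain text; use `|---|---|---|---|---|`. Also "This section provides Bot authentication v3 SDK sample" is missing an article ("a ... sample"), and "linkunfurl" in the second row should be "link unfurl", which is how the same row is spelled in the table this change removes from authentication.md.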
platform Auth Aad Sso Bots https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/bots/how-to/authentication/auth-aad-sso-bots.md
The following steps guide you to develop SSO Teams bot:
### Register your app through the Azure AD portal
-The steps to register your app through the Azure AD portal are similar to the [tab SSO flow](../../../tabs/how-to/authentication/auth-aad-sso.md). The following steps guide you to register your app:
+The steps to register your app through the Azure AD portal are similar to the [tab SSO flow](../../../tabs/how-to/authentication/tab-sso-overview.md). The following steps guide you to register your app:
1. Register a new application in the [Azure Active Directory ΓÇô App Registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
The steps to register your app through the Azure AD portal are similar to the [t
> > You must be aware of the following important restrictions: >
- > * Only user-level Microsoft Graph API permissions, such as email, profile, offline_access, and OpenId are supported. If you need access to other Microsoft Graph scopes, such as `User.Read` or `Mail.Read`, see [Get an access token with Graph permissions](../../../tabs/how-to/authentication/auth-aad-sso.md#get-an-access-token-with-graph-permissions).
+ > * Only user-level Microsoft Graph API permissions, such as email, profile, offline_access, and OpenId are supported. If you need access to other Microsoft Graph scopes, such as `User.Read` or `Mail.Read`, see [Extend tab app with Microsoft Graph permissions and scope](../../../tabs/how-to/authentication/tab-sso-graph-api.md).
> * Your application's domain name must be same as the domain name that you have registered for your Azure AD application. > * Multiple domains per app are currently not supported. > * Applications that use the `azurewebsites.net` domain are not supported because it is common and may be a security risk.
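Review bot: In the restrictions list, `email`, `profile`, `offline_access` and `OpenId` are scope names and should be formatted as code, with `openid` in lowercase to match the others; replacing the removed `#get-an-access-token-with-graph-permissions` anchor with the tab-sso-graph-api.md page is otherwise correct. The last bullet, "not supported because it is common and may be a security risk", would be clearer if it named the risk the rule guards against (a shared host cannot serve as evidence that the app owner controls the domain the Azure AD registration was made for) rather than leaving "may be a security risk" unexplained.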
platform Authentication https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/concepts/authentication/authentication.md
keywords: teams authentication OAuth SSO Microsoft Azure Active Directory (Azure
# Authenticate users in Microsoft Teams
-> [!Note]
-> Web-based authentication on mobile clients requires version 1.4.1 or later of the Teams JavaScript client SDK.
-
-To access user information protected by Azure AD and to access data from services like Facebook and Twitter, the app establishes a trusted connection with those providers. If the app uses Microsoft Graph APIs in the user scope, authenticate the user to retrieve the appropriate authentication tokens.
-
-In Teams, there are two different authentication flows for the app. Perform a traditional web-based authentication flow in a [content page](~/tabs/how-to/create-tab-pages/content-page.md) embedded in a tab, a configuration page, or a task module. If the app contains a conversational bot, use the OAuthPrompt flow and optionally the Azure Bot Framework's token service to authenticate a user as part of a conversation.
-
-## Web-based authentication flow
-
-Use the web-based authentication flow for [tabs](~/tabs/what-are-tabs.md) and choose to use it with [conversational bots](~/bots/what-are-bots.md) or [message extensions](~/messaging-extensions/what-are-messaging-extensions.md). Use the [Microsoft Teams JavaScript client SDK](/javascript/api/overview/msteams-client) in a web content page to enable authentication. After enabling authentication, embed the content page in a tab, a configuration page, or a task module. For more information on web-based authentication flow, see:
-
-* [Add authentication to the Teams bot](~/bots/how-to/authentication/add-authentication.md) describes how to use web-based authentication flow with a conversational bot.
-* [Authentication flow in tabs](~/tabs/how-to/authentication/auth-flow-tab.md) describes how tab authentication works in Teams, which shows a typical web-based authentication flow used for tabs.
-* [Azure AD authentication in tabs](~/tabs/how-to/authentication/auth-tab-AAD.md) describes how to connect to Azure AD from within a tab in the app in Teams.
-* [Silent authentication Azure AD](~/tabs/how-to/authentication/auth-silent-AAD.md) describes how to reduce sign-in or consent prompts in the app using Azure AD.
-* [.Net or C#](https://github.com/OfficeDev/microsoft-teams-sample-complete-csharp) or [JavaScript or Node.js](https://github.com/OfficeDev/microsoft-teams-sample-complete-node) provides samples for web-based authentication.
-
-## The OAuthPrompt flow for conversational bots
-
-The Azure Bot FrameworkΓÇÖs OAuthPrompt makes authentication easier for apps using conversational bots. Use Azure Bot Framework's token service to assist with token caching.
-
-For more information on using OAuthPrompt, see:
-
-* [Bot authentication flow overview](~/bots/how-to/authentication/auth-flow-bot.md) describes how authentication works within a bot in the app in Teams, which shows a non-web-based authentication flow used for bots on Teams web, desktop app, and mobile apps.
-* [Bot authentication](~/bots/how-to/authentication/add-authentication.md) describes how to add OAuth authentication to the Teams bot.
-
-## Code sample
-
-provides Bot authentication v3 SDK sample.
-
-| **Sample name** | **Description** | **.NET** | **Node.js** | **Python** |
-||||-||
-| Bot authentication | This sample shows how to get started with authentication in a bot for Microsoft Teams. | [View](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore/46.teams-auth) | [View](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/javascript_nodejs/46.teams-auth) | [View](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/python/46.teams-auth) |
-| Tab, Bot and Message Extension (ME) SSO | This sample shows SSO for Tab, Bot and ME - search, action, link unfurl. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/nodejs) | Not available |
-
-## Configure the identity provider
-
-Regardless of the app's authentication flow, configure the identity provider to communicate with the Teams app. Most samples and walk throughs primarily deal with using Azure AD as the identity provider. The concepts however, apply regardless of the identity provider.
-
-For more information, see [configuring an identity provider](~/concepts/authentication/configure-identity-provider.md).
-
-## Third-party cookies on iOS
-
-After the iOS 14 update, Apple has blocked the [third-party cookie](https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/) access for all the apps by default. Therefore, the apps that leverage third-party cookies for authentication in their Channel or Chat tabs and Personal apps won't be able to complete their authentication workflows on Teams iOS clients. To conform with Privacy and Security requirements, you must move to a token-based system or use first-party cookies for the user authentication workflows.
+Authentication is all about validating app users, and securing the app and app users against unwarranted access. You can use an authentication method suitable for your app to validate app users who want to use the Teams app.
+
+Choose to add authentication for your app in one of the two ways:
+
+- **Enable single sign-on (SSO) in a Teams app**:
+ SSO within Teams is an authentication method that uses an app user's Teams identity to provide them access to your app. A user who has logged into Teams doesn't need to log in again to your app within the Teams environment. With only a consent required from the app user, the Teams app retrieves access details for them from Azure Active Directory (AD). After the app user has given consent, they can access the app even from other devices without having to be validated again.
+
+- **Enable authentication using third-party OAuth provider**:
+ You can use a third-party OAuth Identity Provider (IdP) to authenticate your app users. The app user is registered with the identity provider, which has a trust relationship with your app. When the user attempts to log in, the identity provider validates the app user and provides them access to your app. Azure AD is one such third party OAuth provider. You can use other providers, such as Google, Facebook, GitHub, or any other provider.
+
+## Select authentication method
+
+Enable authentication with SSO or third party OAuth IdPs in your tab app, bot app, and messaging extension app. Select one of the two methods for adding authentication in your app:
+
+ :::column span="1":::
+ SSO
+ :::column-end:::
+ :::column span="1":::
+ &nbsp;
+ :::column-end:::
+ :::column span="1":::
+ OAuth
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../../assets/images/authentication/tab-sso-icon.png" alt-text="SSO for tab app" link="../../tabs/how-to/authentication/tab-sso-overview.md" border="false":::
+ :::column-end:::
+ :::column span="1":::
+ <br>
+
+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; **Tab app**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../../assets/images/authentication/tab-app-idp.png" alt-text="Authentication with third-party OAuth provider for tab app." link="../../tabs/how-to/authentication/auth-tab-aad.md" border="false":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../../assets/images/authentication/bot-sso-icon.png" alt-text="SSO for bot app" link="../../bots/how-to/authentication/auth-aad-sso-bots.md" border="false":::
+ :::column-end:::
+ :::column span="1":::
+ <br>
+
+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; **Bot app**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../../assets/images/authentication/bot-app-idp.png" alt-text="Authentication with third-party OAuth provider for bot app." link="../../bots/how-to/authentication/add-authentication.md" border="false":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../../assets/images/authentication/mex-sso-icon.png" alt-text="SSO for messaging extension app" link="../../messaging-extensions/how-to/enable-SSO-auth-me.md" border="false":::
+ :::column-end:::
+ :::column span="1":::
+ <br>
+
+ &nbsp; &nbsp; &nbsp; **Message extension app**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../../assets/images/authentication/mex-app-idp.png" alt-text="Authentication with third-party oAuth IdPs for messaging extension app." link="../../messaging-extensions/how-to/add-authentication.md" border="false":::
+ :::column-end:::
+
+> [!NOTE]
+> The Silent authentication page is moved to the Resources module. For more information, see [Silent authentication](../../tabs/how-to/authentication/auth-silent-aad.md).
## See also
-* [Microsoft Teams authentication flow for tabs](~/tabs/how-to/authentication/auth-flow-tab.md)
-* [Single sign-on support for bots](~/bots/how-to/authentication/auth-aad-sso-bots.md)
-* [Add authentication to your message extension](~/messaging-extensions/how-to/add-authentication.md)
+- [Enable single sign-on in a tab app](../../tabs/how-to/authentication/tab-sso-overview.md)
+- [Microsoft Teams authentication flow for tabs](~/tabs/how-to/authentication/auth-flow-tab.md)
+- [Single sign-on support for bots](~/bots/how-to/authentication/auth-aad-sso-bots.md)
+- [Add authentication to your message extension](~/messaging-extensions/how-to/add-authentication.md)
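Review bot: The rewrite drops the "Third-party cookies on iOS" section (iOS 14 blocks third-party cookies, so cookie-based tab authentication fails on Teams iOS clients and apps must move to a token-based flow or first-party cookies) and the note that web-based authentication on mobile requires Teams JavaScript client SDK 1.4.1 or later, without replacing either; if that guidance now lives elsewhere, link to it from this page, otherwise restore it, since it describes a real failure mode that the new SSO/OAuth overview does not cover. Two smaller points: the `:::column:::` blocks appear without enclosing `:::row:::` / `:::row-end:::` markers in the hunk, which the layout needs to render, and "they can access the app even from other devices without having to be validated again" can be read as no authentication at all; tie it to the preceding sentence, i.e. the user still signs in to Teams on the new device and only the app sign-in and consent are not repeated. "messaging extension app" (intro) and "Message extension app" (grid label) should settle on one term.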
platform Configure Identity Provider https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/concepts/authentication/configure-identity-provider.md
Replace `<hostname>` with your actual host, which might be a dedicated hosting s
## See also * [Authenticate a user in a Microsoft Teams bot](../../resources/bot-v3/bot-authentication/auth-bot-AAD.md)
-* [Single sign-on (SSO) support for tabs](../../tabs/how-to/authentication/auth-aad-sso.md)
+* [Single sign-on (SSO) support for tabs](../../tabs/how-to/authentication/tab-sso-overview.md)
* [Authenticate a user in a Microsoft Teams tab](../../tabs/how-to/authentication/auth-tab-aad.md)
platform Glossary https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/get-started/glossary.md
Common terms and definitions used in Teams developer documentation.
| [Azure resource](../toolkit/provision.md) | A service that is available through Azure that your Teams app can use for Azure deployment. It could be storage accounts, web apps, databases, and more. | | [Azure Active Directory](../tabs/how-to/authentication/auth-tab-aad.md) | MicrosoftΓÇÖs cloud-based identity and access management service. It helps authenticated users access internal and external Azure resources. | | [Authentication](../concepts/authentication/authentication.md) | A process to validate user access for your app's usage. It can be done using Microsoft Graph APIs or web-based authentication. <br> **See also**: [Identity providers](#i); [SSO](#s) |
-| [Authentication flow](../concepts/authentication/authentication.md#web-based-authentication-flow) | In Teams, there are two authentication flows to authenticate a user for using an app: web-based authentication and OAuthPrompt flow. |
+| [Authentication flow](../concepts/authentication/authentication.md) | In Teams, there are two authentication flows to authenticate a user for using an app: web-based authentication and OAuthPrompt flow. |
## B
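Review bot: Pointing the glossary link at the page instead of the removed `#web-based-authentication-flow` anchor is right, but the definition still says Teams has "two authentication flows ... web-based authentication and OAuthPrompt flow", while the rewritten authentication.md in this same change set frames the choice as SSO versus a third-party OAuth identity provider; update the definition so the glossary and the page it links to agree.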
platform Extend M365 Teams Personal Tab https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/m365-apps/extend-m365-teams-personal-tab.md
You can use Teams Toolkit to help identify and automate the required code change
Upon completion, your *package.json* file will reference `@microsoft/teams-js@2.0.0` (or higher) and your `*.js/.ts` and `*.jsx/.tsx` files will be updated with: > [!div class="checklist"]
+>
> * Import statements for teams-js@2.0.0 > * [Function, Enum, and Interface calls](../tabs/how-to/using-teams-client-sdk.md#whats-new-in-teamsjs-version-20) for teams-js@2.0.0 > * `TODO` comment reminders flagging areas that might be impacted by [Context](../tabs/how-to/using-teams-client-sdk.md#updates-to-the-context-interface) interface changes
If your app makes use of [Content Security Policy](https://developer.mozilla.org
## Update Azure AD app registration for SSO
-[Azure Active Directory (AD) Single-sign on (SSO)](../tabs/how-to/authentication/auth-aad-sso.md) for personal tabs works the same way in Office and Outlook as it does in Teams. However you'll need to add several client application identifiers to the Azure AD app registration of your tab app in your tenant's *App registrations* portal.
+[Azure Active Directory (AD) Single-sign on (SSO)](../tabs/how-to/authentication/tab-sso-overview.md) for personal tabs works the same way in Office and Outlook as it does in Teams. However you'll need to add several client application identifiers to the Azure AD app registration of your tab app in your tenant's *App registrations* portal.
1. Sign in to [Microsoft Azure portal](https://portal.azure.com) with your sandbox tenant account. 1. Open the **App registrations** blade.
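Review bot: "Single-sign on (SSO)" should be "single sign-on (SSO)", matching the link text used elsewhere in this change ("Single sign-on support for bots", "Enable single sign-on in a tab app"); since the line is being edited for the new link target anyway, fix the hyphenation in the same change, and add the comma after "However".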
platform Enable SSO Auth Me https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/messaging-extensions/how-to/enable-SSO-auth-me.md
To enable SSO:
```
+## Code sample
+
+This section provides Bot authentication v3 SDK sample.
+
+| **Sample name** | **Description** | **.NET** | **Node.js** | **Python** |
+||||-||
+| Bot authentication | This sample shows how to get started with authentication in a bot for Microsoft Teams. | [View](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore/46.teams-auth) | [View](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/javascript_nodejs/46.teams-auth) | [View](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/python/46.teams-auth) |
+| Tab, Bot and Message Extension (ME) SSO | This sample shows SSO for Tab, Bot and ME - search, action, linkunfurl. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/nodejs) | Not available |
+ ## See also * [Add authentication to your message extensions](add-authentication.md)
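Review bot: Same delimiter problem as the table added to add-authentication.md: `||||-||` is not a valid header separator, so use `|---|---|---|---|---|`. This is the second copy of that table, and the copies already differ ("linkunfurl" here versus "link unfurl" in the removed authentication.md table), so consider maintaining it once as an include so the two pages cannot drift; on a messaging-extension SSO page the intro "Bot authentication v3 SDK sample" should also say which row actually applies (the Tab, Bot and ME SSO sample).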
platform Create Messaging Extension Using Appstudio https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/resources/create-messaging-extension-using-appstudio.md
At a high level, you'll need to complete the following steps to create a messagi
4. Create your app package 5. Upload your package to Microsoft Teams
-Creating your web service, creating your app package, and registering your web service with the Bot Framework can be done in any order. Because those three pieces are so intertwined, no matter which order you do them in you'll need return to update the others. Your registration needs the messaging endpoint from your deployed web service, and your web service needs the Id and password created from your registration. Your app manifest also needs that Id to connect Teams to your web service.
+Creating your web service, creating your app package, and registering your web service with the Bot Framework can be done in any order. Because those three pieces are so intertwined, no matter which order you do them in you'll need return to update the others. Your registration needs the messaging endpoint from your deployed web service, and your web service needs the ID and password created from your registration. Your app manifest also needs that ID to connect Teams to your web service.
As you're building your messaging extension, you'll regularly be moving between changing your app manifest, and deploying code to your web service. When working with the app manifest, keep in mind that you can either manually manipulate the JSON file, or make changes through App Studio. Either way, you'll need to re-deploy (upload) your app in Teams when you make a change to the manifest, but there's no need to do so when you deploy changes to your web service.
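Review bot: "you'll need return to update the others" is missing "to" in both the old and the new line; fix it while touching the sentence. The Id to ID change is fine, but the sentence would be safer if it spelled out that only the ID goes into the app manifest: the password from the registration belongs in the web service's configuration and must not appear in the manifest, which is packaged and uploaded to Teams.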
The heart of your messaging extension is your web service. It will define a sing
## Register your web service with the Bot Framework
-Messaging extensions take advantage of the Bot Framework's messaging schema and secure communication protocol; if you don't already have one you'll need to register your web service on the Bot Framework. The Microsoft App Id (we'll refer to this as your Bot Id from inside of Teams, to identify it from other App Id's you might be working with) and the messaging endpoint your register with the Bot Framework will be used in your messaging extension to receive and respond to requests. If you're using an existing registration, make sure you [enable the Microsoft Teams channel](/azure/bot-service/bot-service-manage-channels?preserve-view=true&view=azure-bot-service-4.0).
+Messaging extensions take advantage of the Bot Framework's messaging schema and secure communication protocol; if you don't already have one you'll need to register your web service on the Bot Framework. The Microsoft App ID (we'll refer to this ID as your Bot ID from inside of Teams, to identify it from other App ID's you might be working with) and the messaging endpoint your register with the Bot Framework will be used in your messaging extension to receive and respond to requests. If you're using an existing registration, make sure you [enable the Microsoft Teams channel](/azure/bot-service/bot-service-manage-channels?preserve-view=true&view=azure-bot-service-4.0).
-If you follow one of the quickstarts or start from one of the available samples you'll be guided through registering your web service. If you want to manually register your service you have three options to do so. If you choose to register without using an Azure subscription you will not be able to take advantage of the simplified OAuth authentication flow provided by the Bot Framework. You will be able to migrate your registration to Azure after creation.
+If you follow one of the quickstarts or start from one of the available samples you'll be guided through registering your web service. If you want to manually register your service you have three options to do so. If you choose to register without using an Azure subscription you won't be able to take advantage of the simplified OAuth authentication flow provided by the Bot Framework. You'll be able to migrate your registration to Azure after creation.
-* If you have an Azure subscription (or want to create a new one), you can register your web service manually using the Microsoft Azure portal. Create a "Bot Channels Registration" resource. You can choose the free pricing tier, as messages from Microsoft Teams do not count towards your total allowable messages per month.
-* If you do not wish to use an Azure subscription, you can use the [legacy registration portal](https://dev.botframework.com/bots/new).
+* If you have an Azure subscription (or want to create a new one), you can register your web service manually using the Microsoft Azure portal. Create a "Bot Channels Registration" resource. You can choose the free pricing tier, as messages from Microsoft Teams don't count towards your total allowable messages per month.
+* If you don't wish to use an Azure subscription, you can use the [legacy registration portal](https://dev.botframework.com/bots/new).
* App Studio can also help you register your web service (bot). Web services registered through App Studio are not registered in Azure. You can use the [legacy portal](https://dev.botframework.com/bots) to view, manage, and migrate your registrations. ## Create your app manifest
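Review bot: Two typos survive the Id to ID pass: "the messaging endpoint your register with the Bot Framework" should be "you register", and the new text introduces "other App ID's" where the plural is "App IDs". The statement that registering without an Azure subscription forgoes "the simplified OAuth authentication flow provided by the Bot Framework" should also be echoed in the App Studio bullet, since that path registers the bot outside Azure too and therefore has the same limitation.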
You can use the App Studio app from within the Microsoft Teams client to help cr
1. In the Teams client, open App Studio from the **...** overflow menu on the left navigation rail. If it isn't already installed, you can do so by searching for it. 2. On the **Manifest editor** tab select **Create a new app** (or if you're adding a messaging extension to an existing app, you can import your app package) 3. Add your app details (see [manifest schema definition](~/resources/schem) for full descriptions of each field).
-4. On the **Messaging extensions** tab click the **Setup** button.
+4. On the **Messaging extensions** tab, select the **Setup** button.
5. You can either create a new web service (bot) for your messaging extension to use, or if you've already registered one select/add it here. 6. If necessary, update your bot endpoint address to point to your bot. It should look something like `https://someplace.com/api/messages`. 7. The **Add** button in the **Command** section will guide you through adding commands to your messaging extension. See the [Learn more](#learn-more) section for links to more information on adding commands. Remember you can define up to 10 commands for your messaging extension.
The extension definition is an object that has the following structure:
|||| | `botId` | The unique Microsoft app ID for the bot as registered with the Bot Framework. This should typically be the same as the ID for your overall Teams app. | Yes | | `canUpdateConfiguration` | Enables **Settings** menu item. | No |
-| `commands` | Array of commands that this messaging extension supports. You are limited to 10 commands. | Yes |
+| `commands` | Array of commands that this messaging extension supports. You're limited to 10 commands. | Yes |
#### Define your commands
Once a meeting begins, Teams participants can interact directly with your messag
1. **Metadata**. When your messaging extension is invoked it can identify the user and tenant from `userId` and `tenantId`. The `meetingId` can be found as part of the `channelData` object. Your app can use the `userId` and `meetingId` for the `GetParticipant` API request to retrieve user roles.
-1. **Command type**. If your message extension uses [action-based commands](../messaging-extensions/what-are-messaging-extensions.md#action-commands), it should follow tabs [single sign-on](../tabs/how-to/authentication/auth-aad-sso.md) authentication.
+1. **Command type**. If your message extension uses [action-based commands](../messaging-extensions/what-are-messaging-extensions.md#action-commands), it should follow tabs [single sign-on](../tabs/how-to/authentication/tab-sso-overview.md) authentication.
1. **User experience**. You messaging extension should look and behave the same as it would outside a meeting.
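Review bot: "You messaging extension should look and behave" should be "Your messaging extension". The metadata step says the app uses `userId` and `meetingId` for the `GetParticipant` request, while the API-references change earlier on this page lists the Meeting API parameters as `meetingId`, `participantId` and `tenantId`; align the parameter names between the two articles so readers know which identifier maps to which.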
platform Manifest Schema https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/resources/schema/manifest-schema.md
Provide your Azure Active Directory App ID and Microsoft Graph information to he
|Name| Type| Maximum size | Required | Description| |||||| |`id`|string|36 characters|Γ£ö|Azure AD application ID of the app. This ID must be a GUID.|
-|`resource`|string|2048 characters|Γ£ö|Resource URL of app for acquiring auth token for SSO. </br> **NOTE:** If you are not using SSO, ensure that you enter a dummy string value in this field to your app manifest, for example, https://notapplicable to avoid an error response. |
+|`resource`|string|2048 characters|Γ£ö|Resource URL of app for acquiring auth token for SSO. </br> **NOTE:** If you are not using SSO, ensure that you enter a dummy string value in this field to your app manifest, for example, <https://notapplicable> to avoid an error response. |
## graphConnector
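Review bot: Wrapping `https://notapplicable` in angle brackets turns the placeholder into a clickable autolink, and a reader who copies the angle-bracket form into the manifest JSON gets an invalid value; since the text calls it a dummy value, code formatting (`https://notapplicable`) is the better fix.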
Delegated permissions allow the app to access data on behalf of the signed-in us
||| |`InAppPurchase.Allow.User`|Allows the app to show the user marketplace offers and complete the user's purchases within the app, on behalf of the signed-in user.|
+## Create a manifest file
+
+If your app doesn't have a Teams app manifest file, you'll need to create it.
+
+To create a Teams app manifest file:
+
+1. Use the [sample manifest schema](#sample-full-manifest) to create a .json file.
+1. Save it in the root of your project folder as `manifest.json`.
+
+<br>
+<details>
+<summary>Here's an example of a example of manifest schema for a tab app with SSO enabled:</summary>
+<br>
+
+> [!NOTE]
+> The manifest example content shown here is only for a tab app. It uses example values for subdomain URI and package name. For more information, see [sample manifest schema](#sample-full-manifest).
+
+ ```json
+{
+ "$schema": "https://developer.microsoft.com/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
+ "manifestVersion": "1.12",
+ "version": "1.0.0",
+ "id": "{new GUID for this Teams app - not the Azure AD App ID}",
+ "packageName": "com.contoso.teamsauthsso",
+ "developer": {
+ "name": "Microsoft",
+ "websiteUrl": "https://www.microsoft.com",
+ "privacyUrl": "https://www.microsoft.com/privacy",
+ "termsOfUseUrl": "https://www.microsoft.com/termsofuse"
+ },
+
+ "name": {
+ "short": "Teams Auth SSO",
+ "full": "Teams Auth SSO"
+ },
++
+ "description": {
+ "short": "Teams Auth SSO app",
+ "full": "The Teams Auth SSO app"
+ },
+
+ "icons": {
+ "outline": "outline.png",
+ "color": "color.png"
+ },
+
+ "accentColor": "#60A18E",
+ "staticTabs": [
+ {
+ "entityId": "auth",
+ "name": "Auth",
+ "contentUrl": "https://https://subdomain.example.com/Home/Index",
+ "scopes": [ "personal" ]
+ }
+ ],
+
+ "configurableTabs": [
+ {
+ "configurationUrl": "https://subdomain.example.com/Home/Configure",
+ "canUpdateConfiguration": true,
+ "scopes": [
+ "team"
+ ]
+ }
+ ],
+ "permissions": [ "identity", "messageTeamMembers" ],
+ "validDomains": [
+ "{subdomain or ngrok url}"
+ ],
+ "webApplicationInfo": {
+ "id": "{Azure AD AppId}",
+ "resource": "api://subdomain.example.com/{Azure AD AppId}"
+ }
+}
+```
+
+</details>
+ ## See also * [Understand the Microsoft Teams app structure](~/concepts/design/app-structure.md)
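Review bot: the added manifest sample will not validate as written. `"contentUrl": "https://https://subdomain.example.com/Home/Index"` has a doubled scheme, so the static tab would fail to load; `"$schema"` points at the v1.11 schema while `"manifestVersion": "1.12"`, so the file fails validation against the schema it declares; and the stray line containing only `+` between the `name` and `description` objects lands inside the JSON and makes it unparsable. Also, the opening fence is indented one space while the closing fence is not, so the block may not render as code, and the summary text reads "an example of a example of". One content point: `"validDomains": [ "{subdomain or ngrok url}" ]` is where Teams decides which origins it will load and which pages may start an authentication flow (the tab auth article in this same change says the flow must start on a domain listed there), so the comment or placeholder should make clear that only the domains the app actually serves belong in that array.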
platform Auth Aad Sso https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-aad-sso.md
- Title: Single sign-on support for tabs
-description: Describes single sign-on (SSO)
-
-keywords: teams authentication SSO Microsoft Azure Active Directory (Azure AD) single sign-on api
--
-# Single sign-on (SSO) support for tabs
-
-Users sign in to Microsoft Teams through their work, school, or Microsoft account that is Office 365, Outlook, you can take the advantage by allowing a single sign on to authorize your Teams tab or task module on desktop or mobile clients. If a user sign in once, they don't have to sign in again on another device as they're signed in automatically. Also, your access token is prefetched to improve performance and load times.
-
-> [!NOTE]
-> **Teams mobile client versions supporting SSO**
->
-> Γ£öTeams for Android (1416/1.0.0.2020073101 and later)
->
-> Γ£öTeams for iOS (_Version_: 2.0.18 and later)
->
-> Γ£öTeams JavaScript SDK (_Version_: 1.11 and later) for SSO to work in meeting side panel.
->
-> For the best experience with Teams, use the latest version of iOS and Android.
-> [!NOTE]
-> **Quickstart**
->
-> The simplest path to get started with tab SSO is with the Teams toolkit for Microsoft Visual Studio Code. For more information, see [SSO with Teams toolkit and Visual Studio Code for tabs](../../../toolkit/visual-studio-code-tab-sso.md)
-
-<! TBD: Edit this article.
-* Admonitions/alerts seem to be overused.
-* Don't add note for a list of items.
-* Don't add numbers to headings.
-* Don't copy-paste superscript characters as is. Use HTML entities. See https://sitefarm.ucdavis.edu/training/all/using-wysiwyg/special-characters for the values.
-* Same for the check marks added in the content in the note above. The content should not be in a note anyway.
->
-
-## How SSO works at runtime
-
-The following image shows how the SSO process works:
-
-<!-- markdownlint-disable MD033 -->
-<img src="~/assets/images/tabs/tabs-sso-diagram.png" alt="Tab single sign-on SSO diagram" width="75%"/>
-
-1. In the tab, a JavaScript call is made to `getAuthToken()`. `getAuthToken()` tells Teams to obtain an access token for the tab application.
-2. If the current user is using your tab application for the first time, there's a request prompt to consent if consent is required. Alternately, there's a request prompt to handle step-up authentication such as two-factor authentication.
-3. Teams requests the tab access token from the Azure AD endpoint for the current user.
-4. Azure AD sends the tab access token to the Teams application.
-5. Teams sends the tab access token to the tab as part of the result object returned by the `getAuthToken()` call.
-6. The token is parsed in the tab application using JavaScript, to extract required information, such as the user's email address.
-
-> [!NOTE]
-> The `getAuthToken()` is only valid for consenting to a limited set of user-level APIs that is email, profile, offline_access, and OpenId. It is not used for further Graph scopes such as `User.Read` or `Mail.Read`. For suggested workarounds, see [Get an access token with Graph permissions](#get-an-access-token-with-graph-permissions).
-
-The SSO API also works in [task modules](../../../task-modules-and-cards/what-are-task-modules.md) that embed web content.
-
-## Develop an SSO Microsoft Teams tab
-
-This section describes the tasks involved in creating a Teams tab that uses SSO. These tasks are language- and framework-agnostic.
-
-### 1. Create your Azure AD application
-
-> [!NOTE]
-> There are some important restrictions that you must know:
->
-> * Only user-level Graph API permissions are supported that is, email, profile, offline_access, OpenId. If you must have access to other Graph scopes such as `User.Read` or `Mail.Read`, see [Get an access token with Graph permissions](#get-an-access-token-with-graph-permissions).
-> * It is important that your application's domain name is the same as the domain name you have registered for your Azure AD application.
-> * Currently multiple domains per app are not supported.
-> * The user must set `accessTokenAcceptedVersion` to `2` for a new application.
-
-To register your app through the Azure AD portal, follow these steps:
-
-1. Register a new application in the [Azure AD App Registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.
-1. Select **New Registration**. The **Register an application** page appears.
-1. In the **Register an application** page, enter the following values:
- 1. Enter a **Name** for your app.
- 2. Choose the **Supported account types**, select single tenant or multitenant account type. ┬╣
- * Leave **Redirect URI** empty.
- 3. Choose **Register**.
-1. On the overview page, copy and save the **Application (client) ID**. You must have it later when updating your Teams application manifest.
-1. Under **Manage**, select **Expose an API**.
-
- > [!NOTE]
- >
- > * If you are building an app with a bot and a tab, enter the Application ID URI as `api://fully-qualified-domain-name.com/botid-{YourBotId}`.
- >
- > * Use lower case letters for domain name, don't use upper case. For example, to create an app service or web app, enter base resource name as `demoapplication`, then the URL will be `https://demoapplication.azurewebsites.net`. But if you use base resource name as `DemoApplication`, then the URL will be `https://DemoApplication.azurewebsites.net` and this supports in desktop, web, and iOS, but not in android.
-
-1. Select the **Set** link to generate the Application ID URI in the form of `api://{AppID}`. Insert your fully qualified domain name with a forward slash "/" appended to the end, between the double forward slashes and the GUID. The entire ID must have the form of `api://fully-qualified-domain-name.com/{AppID}`. ┬▓ For example, `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`. The fully qualified domain name is the human readable domain name from which your app is served. If you're using a tunneling service such as ngrok, you must update this value whenever your ngrok subdomain changes.
-1. Select **Add a scope**. In the panel that opens, enter **access_as_user** as the **Scope name**.
-1. In the **Who can consent?** box, enter **Admins and users**.
-1. Enter the details in the boxes for configuring the admin and user consent prompts with values that are appropriate for the `access_as_user` scope:
- * **Admin consent Title: ** Teams can access the userΓÇÖs profile.
- * **Admin consent description**: Teams can call the appΓÇÖs web APIs as the current user.
- * **User consent title**: Teams can access your profile and make requests on your behalf.
- * **User consent description:** Teams can call this appΓÇÖs APIs with the same rights as you have.
-1. Ensure that **State** is set to **Enabled**.
-1. Select **Add scope** to save the details. The domain part of the **Scope name** displayed below the text field must automatically match the **Application ID** URI set in the previous step, with `/access_as_user` appended to the end `api://subdomain.example.com/00000000-0000-0000-0000-000000000000/access_as_user`.
-1. In the **Authorized client applications** section, identify the applications that you want to authorize for your appΓÇÖs web application. Select **Add a client application**. Enter each of the following client IDs and select the authorized scope you created in the previous step:
- * `1fec8e78-bce4-4aaf-ab1b-5451cc387264` for Teams mobile or desktop application.
- * `5e3ce6c0-2b1f-4285-8d4b-75ee78787346` for Teams web application.
-1. Navigate to **API Permissions**. Select **Add a permission** > **Microsoft Graph** > **Delegated permissions**, then add the following permissions from Graph API:
- * User.Read enabled by default
- * email
- * offline_access
- * OpenId
- * profile
-
-1. Navigate to **Authentication**.
-
- > [!IMPORTANT]
- > If an app hasn't been granted IT admin consent, users have to provide consent the first time they use an app.
-
- To enter a redirect URI:
- * Select **Add a platform**.
- * Select **web**.
- * Enter the **redirect URI** for your app. This URI is the same fully qualified domain name that you entered in step 5. It's also followed by the API route where an authentication response is sent. If you're following any of the Teams samples, the URI is `https://subdomain.example.com/auth-end`. For more information, see [OAuth 2.0 authorization code flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow).
-
- > [!NOTE]
- > Implicit grant is not required for tab SSO.
-
-Congratulations! You've completed the app registration prerequisites to continue with your tab SSO app.
-
-> [!NOTE]
->
-> * ┬╣ If your Azure AD app is registered in the same tenant where you are making an authentication request in Teams, the user cannot be asked to consent and is granted an access token right away. Users only consent to these permissions if the Azure AD app is registered in a different tenant.
-> * ┬▓ If the custom domain is not added to Azure AD, you get an error stating that the host name must not be based on an already owned domain. To add custom domain to Azure AD and register it, follow the [add a custom domain name to Azure AD](/azure/active-directory/fundamentals/add-custom-domain) procedure, and then repeat step 5. You can also get this error if you are not signed in with Admin credentials in the Office 365 tenancy.
-> * If you are not receiving the user principal name (UPN) in the returned access token, you can add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in Azure AD.
-
-### 2. Update your Teams application manifest
-
-Use the following code to add new properties to your Teams manifest:
-
-```json
-"webApplicationInfo": {
- "id": "00000000-0000-0000-0000-000000000000",
- "resource": "api://subdomain.example.com/00000000-0000-0000-0000-000000000000"
-}
-```
-
-* **WebApplicationInfo** is the parent of the following elements:
-
-> [!div class="checklist"]
->
-> * **id** - The client ID of the application. This is the application ID that you obtained as part of registering the application with Azure AD.
->* **resource** - The domain and subdomain of your application. This is the same URI (including the `api://` protocol) that you registered when creating your `scope` in step 6. You must not include the `access_as_user` path in your resource. The domain part of this URI must match the domain, including any subdomains, used in the URLs of your Teams application manifest.
-> [!NOTE]
->
->* The resource for an Azure AD app is usually the root of its site URL and the appID (e.g. `api://subdomain.example.com/00000000-0000-0000-0000-000000000000`). This value is also used to ensure your request is coming from the same domain. Ensure that the `contentURL` for your tab uses the same domains as your resource property.
->* You must use manifest version 1.5 or higher to implement the `webApplicationInfo` field.
-
-### 3. Get an access token from your client-side code
-
-> [!NOTE]
-> To avoid errors such as `Teams SDK Error: resourceDisabled`, ensure that Application ID URI is configured properly in Azure AD app registration and in your Teams app.
-
-Use the following authentication API:
-
-```javascript
-var authTokenRequest = {
- successCallback: function(result) { console.log("Success: " + result); },
- failureCallback: function(error) { console.log("Failure: " + error); }
-};
-microsoftTeams.authentication.getAuthToken(authTokenRequest);
-```
-
-When you call `getAuthToken` and user consent is required for user-level permissions, a dialog is shown to the user to grant consent.
-
-After you receive access token in success callback, decode access token to view claims for that token. Optionally, manually copy and paste access token into a tool, such as [jwt.ms](https://jwt.ms/). If you aren't receiving the UPN in the returned access token, add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in Azure AD. For more information, see [access tokens](/azure/active-directory/develop/access-tokens).
-
-<p>
- <img src="~/assets/images/tabs/tabs-sso-prompt.png" alt="Tab single sign-on SSO dialog prompt" width="75%"/>
-</p>
-
-## Code snippets
-
-The following code provides an example of on-behalf-of flow to fetch access token using MSAL library :
-
-### [C#](#tab/dotnet)
-
-```csharp
-
-IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(<"Client id">)
- .WithClientSecret(<"Client secret">)
- .WithAuthority($"https://login.microsoftonline.com/<"Tenant id">")
- .Build();
-
- try
- {
- var idToken = <"Client side token">;
- UserAssertion assert = new UserAssertion(idToken);
- List<string> scopes = new List<string>();
- scopes.Add("https://graph.microsoft.com/User.Read");
- var responseToken = await app.AcquireTokenOnBehalfOf(scopes, assert).ExecuteAsync();
- return responseToken.AccessToken.ToString();
- }
- catch (Exception ex)
- {
- return ex.Message;
- }
- }
-```
-
-### [Node.js](#tab/nodejs)
-
-```javascript
-
-// Exchange cliend side token with server token
- app.post('/getProfileOnBehalfOf', function(req, res) {
- var tid = < "Tenand id" >
- var token = < "Client side token" >
- var scopes = ["https://graph.microsoft.com/User.Read"];
-
- // Creating MSAL client
- const msalClient = new msal.ConfidentialClientApplication({
- auth: {
- clientId: < "Client ID" >,
- clientSecret: < "Client Secret" >
- }
- });
-
- var oboPromise = new Promise((resolve, reject) => {
- msalClient.acquireTokenOnBehalfOf({
- authority: `https://login.microsoftonline.com/${tid}`,
- oboAssertion: token,
- scopes: scopes,
- skipCache: true
- }).then(result => {
- console.log("Token is: " + result.accessToken);
- }).catch(error => {
- reject({ "error": error.errorCode });
- });
- });
-```
---
-## Code sample
-
-|**Sample name**|**Description**|**C#**|**Node.js**|
-||||--|
-| Tab SSO |Microsoft Teams sample app for tabs Azure AD SSO| [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp)|[View](https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/tab-sso/nodejs), </br>[Teams Toolkit](../../../toolkit/visual-studio-code-tab-sso.md)|
-
-## Known limitations
-
-### Get an access token with Graph permissions
-
-Our current implementation for SSO only grants consent for user-level permissions that are not usable for making Graph calls. To get the permissions (scopes) needed to make a Graph call, SSO solutions must implement a custom web service to exchange the token received from the Teams JavaScript SDK for a token that includes the needed scopes. This is accomplished using Azure AD [on-behalf-of flow](/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow).
-
-### Tenant Admin Consent
-
-A simple way of consenting on behalf of an organization as a tenant admin is to refer to `https://login.microsoftonline.com/common/adminconsent?client_id=<AAD_App_ID>`.
-
-#### Ask for consent using the Auth API
-
-Another approach for getting Graph scopes is to present a consent dialog using our existing [web-based Azure AD authentication approach](~/tabs/how-to/authentication/auth-tab-aad.md#navigate-to-the-authorization-page-from-your-pop-up-page). This approach involves popping up an Azure AD consent dialog box.
-
-To ask for additional consent using the Auth API, follow these steps:
-
-1. The token retrieved using `getAuthToken()` must be exchanged server-side using Azure AD [on-behalf-of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to get access to those other Graph APIs. Ensure you use the v2 Graph endpoint for this exchange.
-2. If the exchange fails, Azure AD returns an invalid grant exception. There are usually one of two error messages, `invalid_grant` or `interaction_required`.
-3. When the exchange fails, you must ask for consent. Show some user interface (UI) asking the user to grant other consent. This UI must include a button that triggers an Azure AD consent dialog box using our [Azure AD authentication API](~/concepts/authentication/auth-silent-aad.md).
-4. When asking for more consent from Azure AD, you must include `prompt=consent` in your [query-string-parameter](~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context) to Azure AD, otherwise Azure AD doesn't ask for the other scopes.
- * Instead of `?scope={scopes}`
- * Use this `?prompt=consent&scope={scopes}`
- * Ensure that `{scopes}` includes all the scopes you're prompting the user for, for example, Mail.Read or User.Read.
-5. Once the user has granted more permission, retry the on-behalf-of-flow to get access to these other APIs.
-
-### Non-Azure AD authentication
-
-The above-described authentication solution only works for apps and services that support Azure AD as an identity provider. Apps that want to authenticate using non-Azure AD based services must continue using the pop-up-based [web authentication flow](~/concepts/authentication.md).
-
-> [!NOTE]
-> SSO is supported for customer owned apps within the Azure AD B2C tenants.
-
-## Step-by-step guides
-
-* Follow the [step-by-step guide](../../../sbs-tabs-and-messaging-extensions-with-sso.yml) to authenticate tabs and message extensions.
-* Follow the [step-by-step guide](../../../sbs-tab-with-adaptive-cards.yml) to create tab with adaptive cards.
-
-## See also
-
-[Teams Bot with Single sign-on](../../../sbs-bots-with-sso.yml)
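Review bot: this removes auth-aad-sso.md wholesale, and several pieces of it are not visibly carried over by the pages added or retargeted in this change: the two Teams client IDs that must be added under Authorized client applications (`1fec8e78-bce4-4aaf-ab1b-5451cc387264` and `5e3ce6c0-2b1f-4285-8d4b-75ee78787346`), the `accessTokenAcceptedVersion` must be `2` requirement, the required Application ID URI form `api://fully-qualified-domain-name.com/{AppID}`, the `prompt=consent` retry guidance after an `invalid_grant` or `interaction_required` on the on-behalf-of exchange, and the tenant admin consent URL. Confirm tab-sso-overview.md (not in this diff) covers them before merging the deletion. If the on-behalf-of snippets are migrated rather than dropped, fix them on the way: the Node.js version builds a Promise whose `.then` only logs `result.accessToken` and never calls `resolve(result)`, so any caller awaiting `oboPromise` hangs, and the C# version returns `ex.Message` in place of the access token, so callers cannot distinguish failure from success and exception text can reach the client. The step text also says "Ensure you use the v2 Graph endpoint" while the earlier link points at the v1 on-behalf-of document.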
platform Auth Flow Tab https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-flow-tab.md
Title: Authentication flow for tabs
+ Title: Enable authentication using third-party OAuth provider
description: Describes authentication flow in tabs, OAuth by Azure AD, and provides code sample
-keywords: teams authentication flow tabs
+ms.localizationpriority: high
+keywords: teams authentication flow tabs third party OAuth provider
-# Microsoft Teams authentication flow for tabs
+# Enable authentication using third-party OAuth provider
+
+You can enable authentication in your tab app using third party OAuth Identity Providers (IdP). In this method, the app user identity is validated and granted access by an OAuth IdP, such as Azure AD, Google, Facebook, GitHub, or any other provider. You'll need to configure a trust relationship with the IdP, and your app users should also be registered with it.
> [!NOTE] > For authentication to work for your tab on mobile clients, you need to ensure that you're using at least 1.4.1 version of the Microsoft Teams JavaScript SDK. > Teams SDK launches separate window for authentication flow. Set the `SameSite` attribute to **Lax**. Teams desktop client or older versions of Chrome or Safari do not support `SameSite`=None.
+## Use OAuth IdP to enable authentication
+ OAuth 2.0 is an open standard for authentication and authorization used by Microsoft Azure Active Directory (Azure AD) and many other identity providers. A basic understanding of OAuth 2.0 is a prerequisite for working with authentication in Teams. For more information, see [OAuth 2 simplified](https://aaronparecki.com/oauth-2-simplified/) that is easier to follow than the [formal specification](https://oauth.net/2/). Authentication flow for tabs and bots are different because tabs are similar to websites so they can use OAuth 2.0 directly. Bots do a few things differently, but the core concepts are identical. For example, the authentication flow for tabs and bots using Node and the [OAuth 2.0 implicit grant type](https://oauth.net/2/grant-types/implicit/), see [initiate authentication flow for tabs](~/tabs/how-to/authentication/auth-tab-aad.md#initiate-authentication-flow).
+This section uses Azure AD as an example of a third party OAuth provider for enabling authentication in a tab app.
+ > [!NOTE] > Before showing a **Login** button to the user and calling the `microsoftTeams.authentication.authenticate` API in response to selecting the button, you must wait for the SDK initialization to complete. You can pass a callback to the `microsoftTeams.initialize` API that is called when initialization completes.
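Review bot: "OAuth 2.0 is an open standard for authentication and authorization" is inaccurate; OAuth 2.0 is an authorization framework, and authentication on top of it is what OpenID Connect adds, so a page about enabling authentication should say so rather than blur the two. In the same paragraph, "Authentication flow for tabs and bots are different" should be "is different", and the sentence starting "For example, the authentication flow for tabs and bots using Node" is missing its verb. Since the hunk sends readers to the implicit grant type as the worked example, it is worth a one-line caveat that current OAuth security guidance deprecates the implicit grant in favour of the authorization code flow, so readers do not take the sample as the recommended design. Minor: the heading paragraph opens with a leading space before "OAuth", and describing Azure AD as a "third party OAuth provider" in Microsoft's own docs reads oddly; "an OAuth provider such as Azure AD" would be clearer.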
platform Auth Silent Aad https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-silent-aad.md
keywords: teams authentication SSO silent Azure AD tab
> [!NOTE] > For authentication to work for your tab on mobile clients, ensure that you're using Teams JavaScript SDK version 1.4.1 or later.
-Silent authentication in Azure AD minimizes the number of times a user enters their credentials by silently refreshing the authentication token. For true single sign-on support, see [SSO documentation](~/tabs/how-to/authentication/auth-aad-sso.md).
+Silent authentication in Azure AD minimizes the number of times a user enters their credentials by silently refreshing the authentication token. For true single sign-on support, see [SSO documentation](~/tabs/how-to/authentication/tab-sso-overview.md).
To keep your code client-side, use the [Azure AD authentication library](/azure/active-directory/develop/active-directory-authentication-libraries) for JavaScript to get an Microsoft Azure Active Directory (Azure AD) access token silently. If the user has signed in recently, they do not see a popup dialog box.
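Review bot: the unchanged line directly below the edited one still reads "get an Microsoft Azure Active Directory (Azure AD) access token"; fix "an" to "a" in the same change. The link retarget matches the deletion of auth-aad-sso.md in this change set; as with the other retargets, confirm tab-sso-overview.md exists at that path.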
platform Auth Tab Aad https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/auth-tab-aad.md
Title: Authentication for tabs using Azure Active Directory
+ Title: Configure third party OAuth authentication
description: Describes authentication in Teams and how to use it in tabs ms.localizationpriority: medium keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD)
-# Authenticate a user in a Microsoft Teams tab
+# Configure third party OAuth authentication
> [!Note]
-> For authentication to work for your tab on mobile clients, you need to ensure that you're using version 1.4.1 or later of the Teams JavaScript SDK.
+> For authentication to work for your tab on mobile clients, ensure that you're using version 1.4.1 or later of the Teams JavaScript SDK.
-There are many services that you may want to consume inside your Teams app, and most of those services require authentication and authorization to get access to the service. Services includes Facebook, Twitter, and Teams.
+There are many services that you may want to consume inside your Teams app, and most of those services require authentication and authorization to get access to the service. Services includes Facebook, Twitter, and Teams.
Teams user profile information is stored in Azure AD using Microsoft Graph and this article will focus on authentication using Azure AD to get access to this information.
-OAuth 2.0 is an open standard for authentication used by Azure AD and many other service providers. Understanding OAuth 2.0 is a prerequisite for working with authentication in Teams and Azure AD. The examples below use the OAuth 2.0 Implicit Grant flow with the goal of eventually reading the user's profile information from Azure AD and Microsoft Graph.
+OAuth 2.0 is an open standard for authentication used by Azure AD and many other service providers. Understanding OAuth 2.0 is a prerequisite for working with authentication in Teams and Azure AD. The examples below use the OAuth 2.0 Implicit Grant flow. It reads the user's profile information from Azure AD and Microsoft Graph.
-The code in the article comes from the Teams sample app [Microsoft Teams tab authentication sample (Node)](https://github.com/OfficeDev/microsoft-teams-sample-complete-node). It contains a static tab that requests an access token for Microsoft Graph and shows the current user's basic profile information from Azure AD.
+The code in this article comes from the Teams sample app [Microsoft Teams tab authentication sample (Node)](https://github.com/OfficeDev/microsoft-teams-sample-complete-node). It contains a static tab that requests an access token for Microsoft Graph, and shows the current user's basic profile information from Azure AD.
-For general overview of authentication flow for tabs, see [Authentication flow in tabs](~/tabs/how-to/authentication/auth-flow-tab.md).
+For overview of authentication flow for tabs, see [Authentication flow in tabs](~/tabs/how-to/authentication/auth-flow-tab.md).
-Authentication flow in tabs differs slightly from authentication flow in bots.
+Authentication flow in tabs differs from authentication flow in bots.
-## Configuring identity providers
+## Configure your app to use Azure AD as an identity provider
-See the topic [Configure identity providers](~/concepts/authentication/configure-identity-provider.md) for detailed steps on configuring OAuth 2.0 callback redirect URL(s) when using Azure AD as an identity provider.
+Identity providers that support OAuth 2.0 don't authenticate requests from unknown applications. You must register the applications ahead of time. To do this with Azure AD, follow these steps:
+
+1. Open the [Application Registration Portal](https://ms.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).
+
+2. Select your app to view its properties, or select the "New Registration" button. Find the **Redirect URI** section for the app.
+
+3. Select **Web** from the drop down menu. Update the URL to your authentication endpoint. For the TypeScript/Node.js and C# sample apps on GitHub, the redirect URLs will be similar to the following:
+
+ Redirect URLs: `https://<hostname>/bot-auth/simple-start`
+
+Replace `<hostname>` with your actual host. This host can be a dedicated hosting site such as Azure, Glitch, or a ngrok tunnel to localhost on your development machine, such as `abcd1234.ngrok.io`. If you don't have this information, ensure that you've completed or hosted your app (or the sample app). Resume this process when you have this information.
+
+> [!NOTE]
+> You can choose any third party OAuth provider, such as LinkedIn, Google, and others. The process to enable authentication for these providers is similar to using Azure AD as a third party OAuth provider. For more information on using any third party OAuth provider, please visit the website of the particular provider.
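Review bot: the redirect URL given here, `https://<hostname>/bot-auth/simple-start`, does not match the pop-up page the rest of this article uses, `/tab-auth/simple-start`. The redirect URI registered with the identity provider has to match the one the app sends exactly, so a reader who registers the `bot-auth` path and then runs the `tab-auth` sample will get a redirect URI mismatch error; use `/tab-auth/simple-start` here, or say explicitly which sample the `bot-auth` path belongs to. The ngrok paragraph should also say that the registered redirect URI must be updated whenever the tunnel hostname changes, which is the practical consequence of the exact-match rule. Wording: "OAuth 2.0 is an open standard for authentication used by Azure AD" (OAuth 2.0 is an authorization framework), "For overview of authentication flow" should be "For an overview", and "please visit the website" can drop "please".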
## Initiate authentication flow
Authentication flow should be triggered by a user action. You shouldn't open the
Add a button to your configuration or content page to enable the user to sign in when needed. This can be done in the tab [configuration](~/tabs/how-to/create-tab-pages/configuration-page.md) page or any [content](~/tabs/how-to/create-tab-pages/content-page.md) page.
-Azure AD, like most identity providers, doesn't allow its content to be placed in an iframe. This means that you'll need to add a pop-up page to host the identity provider. In the following example, this page is `/tab-auth/simple-start`. Use the `microsoftTeams.authenticate()` function of the Microsoft Teams client SDK to launch this page when your button is selected.
+Azure AD, like most identity providers, doesn't allow its content to be placed in an `iframe`. This means that you'll need to add a pop-up page to host the identity provider. In the following example, this page is `/tab-auth/simple-start`. Use the `microsoftTeams.authenticate()` function of the Microsoft Teams client SDK to launch this page when the button is selected.
```javascript microsoftTeams.authentication.authenticate({
microsoftTeams.authentication.authenticate({
* Authentication flow must start on a page that's on your domain. This domain should also be listed in the [`validDomains`](~/resources/schem#validdomains) section of the manifest. Failure to do so will result in an empty pop-up.
-* Failing to use `microsoftTeams.authentication.authenticate()` will cause a problem with the pop-up not closing at the end of the sign in process.
+* Failing to use `microsoftTeams.authentication.authenticate()` will cause a problem with the pop-up not closing at the end of the sign-in process.
## Navigate to the authorization page from your pop-up page
-When your pop-up page (`/tab-auth/simple-start`) is displayed, the following code is run. The main goal of this page is to redirect to your identity provider so the user can sign in. This redirection could be done on the server side using HTTP 302, but in this case it's done on the client side using with a call to `window.location.assign()`. This also allows `microsoftTeams.getContext()` to be used to retrieve hinting information, which can be passed to Azure AD.
+When your pop-up page (`/tab-auth/simple-start`) is displayed the following code is run. The main goal of this page is to redirect to your identity provider so the user can sign-in. This redirection could be done on the server side using HTTP 302, but in this case it's done on the client side using with a call to `window.location.assign()`. This also allows `microsoftTeams.getContext()` to be used to retrieve hinting information, which can be passed to Azure AD.
```javascript microsoftTeams.getContext(function (context) {
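Review bot: the prose refers to `microsoftTeams.authenticate()` while the code immediately after it and the bullets below call `microsoftTeams.authentication.authenticate()`; use the namespaced name in the prose so readers do not look for a function that the snippet does not use. In the second edited paragraph, "so the user can sign-in" changes the verb to the noun form; keep "sign in" (the hyphenated form is correct only as a noun or adjective, as in "sign-in process"), and the comma after "is displayed" that this edit removes should stay. "it's done on the client side using with a call to" has an extra word in both the old and new versions. The unchanged bullet above links to `~/resources/schem#validdomains`, which looks like a truncated path and is worth checking.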
platform Tab Sso Admin Consent https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-admin-consent.md
+
+ Title: Configure Admin consent
+description: Describes configuring Admin consent
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) Graph API
+
+# Configure admin consent
+
+You can define app scope for an exposed API and determine if users can consent to this scope in directories where user consent is enabled. You can let only admins provide consent for higher-privileged permissions.
+
+## To expose an API
+
+1. Select **Manage** > **Expose an API** from the left pane.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/expose-api-menu.png" alt-text="Expose an API menu option." border="false":::
+
+ The **Expose an API** page appears.
+
+1. Select **Set** to generate app ID URI.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/expose-an-api.png" alt-text="Set app ID URI" border="false":::
+
+ The section for setting app ID URI appears.
+
+1. Enter the app ID URI, and then select **Save**.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/set-app-id-uri.png" alt-text="App ID URI" border="true":::
+
+ A message pops up on the browser stating that the app ID URI was updated.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/app-id-uri-msg.png" alt-text="App ID URI message" border="false":::
+
+ The app ID URI displays on the page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/app-id-uri-added.png" alt-text="App ID URI updated" border="false":::
+
+## To configure API scope
+
+1. Select **+ Add a scope** in the **Scopes defined by this API** section.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/select-scope.png" alt-text="Select scope" border="true":::
+
+ The **Add a scope** page appears.
+
+1. Enter the app details for your app scope.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/add-scope.png" alt-text="Add scope details" border="true":::
+
+ 1. Enter the scope name. This is a mandatory field.
+ 1. Select **Admins and users** to configure the users who can give consent to use user's login credentials. The default option is **Admins only**.
+ 1. Enter the **Admin consent display name**. This is a mandatory field.
+ 1. Enter the description for admin consent. This is a mandatory field.
+ 1. Enter the **User consent display name**.
+ 1. Enter the description for user consent description.
+ 1. Select the **Enabled** option for state.
+ 1. Select **Add scope**.
+
+ A message pops up on the browser stating that the scope was added.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/scope-added-msg.png" alt-text="Scope added message" border="false":::
+
+ The app ID URI displays on the page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/scope-added.png" alt-text="Scope added and displayed" border="false":::
+
+## To configure authorized client application
+
+1. Move through the **Expose an API** page to the **Authorized client application** section, and select **+ Add a client application**.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/auth-client-apps.png" alt-text="Authorized client application" border="true":::
+
+ The **Add a client application** page appears.
+
+1. Enter the details for adding a client application. For this section, you'll add two client applications.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/add-client-app.png" alt-text="Add a client application" border="true":::
+
+ 1. Enter **1fec8e78-bce4-4aaf-ab1b-5451cc387264** as client ID for Teams mobile or desktop application.
+ 1. Select the app ID you created for your app for the **Authorized scopes**.
+ 1. Select **Add application**.
+
+ A message pops up on the browser stating that the client app was added.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-app-auth-msg.png" alt-text="Client application added message" border="false":::
+
+ The client app IDs display on the page.
+
+1. Repeat the previous step to add client app for Teams web application.
+
+ 1. Enter **5e3ce6c0-2b1f-4285-8d4b-75ee78787346** as client ID for web app.
+ 1. Select the app ID you created for your app for the **Authorized scopes**.
+ 1. Select **Add application**.
+
+ A message pops up on the browser stating that the client app was added.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-app-auth-msg.png" alt-text="Client application added message for web app" border="false":::
+
+ The client app IDs display on the page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/client-app-added.png" alt-text="Client app added and displayed" border="true":::
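Review bot: the result line after the scope is added ("The app ID URI displays on the page.", just before the `scope-added.png` image) is a copy-paste leftover from the Expose an API section; the screenshot alt text says "Scope added and displayed", so the sentence should say that the new scope appears under **Scopes defined by this API**. Two smaller points: the front matter opens with ` Title:` (capitalised and indented) while the other keys (`description`, `ms.localizationpriority`) are lowercase, so the YAML title key will not be picked up; and the sub-step "Select **Admins and users** to configure the users who can give consent to use user's login credentials" would be clearer if it stated the effect the intro already describes: with **Admins and users** any user in a directory where user consent is enabled can grant the scope, whereas the default **Admins only** requires an administrator to consent.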
platform Tab Sso Client Secret https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-client-secret.md
+
+ Title: Create client secret
+description: Describes creating client secret
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) Graph API
+
+# Create client secret
+
+A client secret is a string that the application uses to prove its identity when requesting a token.
+
+1. Select **Manage** > **Certificates & secrets**.
+
+2. Select **+ New client secret**.
+
+ :::image type="content" source="../../../assets/images/adaptive-cards/client-secret.png" alt-text="Client secret page":::
+
+ The **Add a client secret** page appears.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/add-client-secret.png" alt-text="Add a client secret page" border="true":::
+
+3. Enter the description.
+4. Select the duration of validity for the secret.
+5. Select **Add**.
+
+ A message pops up on the browser stating that the client secret was updated, and the client secret displays on the page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/client-secret-added.png" alt-text="Client secret added":::
+
+6. Select the copy button next to the **Value** of client secret.
+7. Save the value that you copied for later use.
+
+ > [!NOTE]
+ > Ensure that you copy the value of client secret right after you create it. The value is visible only at the time when the client secret is created, and can't be viewed after that.
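Review bot: the first screenshot in the procedure points at `../../../assets/images/adaptive-cards/client-secret.png`, while every other image in this change lives under `../../../assets/images/authentication/teams-sso-tabs/`; check that the intended "Client secret page" image was not referenced from the wrong folder. The intro sentence ("A client secret is a string that the application uses to prove its identity when requesting a token.") should also say that this is the confidential-client credential consumed only by the server-side OBO code (it is what `WithClientSecret` / `clientSecret` receive in tab-sso-graph-api.md), so it must never be shipped in the tab's client-side JavaScript or committed to source; the existing NOTE only covers copying the value in time. The step "Select the duration of validity for the secret" could add that a shorter validity limits the exposure if the secret leaks, at the cost of more frequent rotation.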
platform Tab Sso Code https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-code.md
+
+ Title: Code configuration for enabling SSO for tabs
+description: Describes code configuration for enabling SSO for tabs
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) Graph API
+
+# Add code to enable SSO
+
+Before you add code to enable SSO, ensure that you've registered your app with Azure AD.
+
+> [!div class="nextstepaction"]
+> [Register with Azure AD](tab-sso-register-aad.md)
+
+You need to configure your tab app's client-side code to obtain an access token from Azure AD. The access token is issued on behalf of the tab app. If your tab app requires additional Microsoft Graph permissions, you'll need to pass the access token to the server-side, and exchange it for Microsoft Graph token.
++
+This section covers:
+
+- [Add client-side code](#add-client-side-code)
+- [Pass the access token to server-side code](#pass-the-access-token-to-server-side-code)
+- [Validate the access token](#validate-the-access-token)
+
+## Add client-side code
+
+To obtain app access for the current app user, your client-side code must make a call to Teams for getting an access token. You need to update client-side code for using `getAuthToken()` to initiate the validation process.
+
+<br>
+<details>
+<summary>Learn more about getAuthToken()</summary>
+<br>
+`getAuthToken()` is a method in Microsoft Teams JavaScript SDK. It requests an Azure AD access token to be issued on behalf of app. The token is acquired from the cache, if it is not expired. If it's expired, a request is sent to Azure AD to obtain a new access token.
+
+ For more information, see [getAuthToken](/javascript/api/@microsoft/teams-js/microsoftteams.authentication?view=msteams-client-js-latest#@microsoft-teams-js-microsoftteams-authentication-getauthtoken&preserve-view=true).
+</details>
+
+### When to call getAuthToken
+
+Use `getAuthToken()` at the time when you need access token for the current app user:
+
+| If access token is needed... | Call getAuthToken()... |
+| | |
+| When app user accesses the app | From inside `microsoftTeams.initialize()`. |
+| To use a particular functionality of the app | When the app user takes an action that requires signing in. |
+
+### Add code for getAuthToken
+
+Add JavaScript code snippet to the tab app to:
+
+- Call `getAuthToken()`.
+- Parse the access token or pass it to the server-side code.
+
+The following code snippet shows an example of calling `getAuthToken()`.
+
+```javascript
+microsoftTeams.initialize();
+var authTokenRequest = {
+ successCallback: function(result) { console.log("Success: " + result); },
+ failureCallback: function(error) { console.log("Error getting token: " + error); }
+};
+microsoftTeams.authentication.getAuthToken(authTokenRequest);
+```
+
+You can add calls of `getAuthToken()` to all functions and handlers that initiate an action where the token is needed.
+
+<br>
+<details>
+<summary>Here's an example of the client-side code:</summary>
++
+</details>
+
+When Teams receives the access token, it's cached and reused as needed. This token can be used whenever `getAuthToken()` is called, until it expires, without making another call to Azure AD.
+
+> [!IMPORTANT]
+> As a best practice for security of access token:
+>
+> - Always call `getAuthToken()` only when you need an access token.
+> - Teams will cache the access token for you. Don't cache or store it in your app's code.
+
+### Consent dialog for getting access token
+
+When you call `getAuthToken()` and app user's consent is required for user-level permissions, an Azure AD dialog is shown to the app user who is currently signed in.
++
+The consent dialog that appears is for open-id scopes defined in Azure AD. The app user must give consent only once. After consenting, the app user can access and use your tab app for the granted permissions and scopes.
+
+> [!IMPORTANT]
+> Scenarios where consent dialogs are not needed:
+>
+> - If the tenant administrator has granted consent on behalf of the tenant, app users don't need to be prompted for consent at all. This means that the app users don't see the consent dialogs, and can access the app seamlessly.
+> - If your Azure AD app is registered in the same tenant from which you're requesting an authentication in Teams, the app user can't be asked to consent, and is granted an access token right away. App users consent to these permissions only if the Azure AD app is registered in a different tenant.
+
+If you encounter any errors, see [Troubleshooting SSO authentication in Teams](tab-sso-troubleshooting.md).
+
+### Use the access token as an identity token
+
+The token returned to the tab app is both an access token and an ID token. The tab app can use the token as an access token to make authenticated HTTPS requests to APIs on the server-side.
+
+The access token returned from `getAuthToken()` can be used to establish the app user's identity using the following claims in the token:
+
+- `name`: The app user's display name.
+- `preferred_username`: The app user's email address.
+- `oid`: A GUID representing the ID of the app user.
+- `tid`: A GUID representing the tenant that the app user is signing in to.
+
+Teams can cache this information associated with the app user's identity, such as the user's preferences.
+
+> [!NOTE]
+> If you need to construct a unique ID to represent the app user in your system, see [Using claims to reliably identify a user](/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id).
+
+## Pass the access token to server-side code
+
+If you need to access web APIs on your server, you'll need to pass the access token to your server-side code. The web APIs must decode access token to view claims for that token.
+
+> [!NOTE]
+> If you don't receive User Principal Name (UPN) in the returned access token, add it as an [optional claim](/azure/active-directory/develop/active-directory-optional-claims) in Azure AD.
+> For more information, see [Access tokens](/azure/active-directory/develop/access-tokens).
+
+The access token received in success callback of `getAuthToken()` provides access (for the authenticated app user) to your web APIs. The server-side code can also parse the token for [identity information](#use-the-access-token-as-an-identity-token), if needed.
+
+If you need to pass the access token to get Microsoft Graph data, see [Extend tab app with Microsoft Graph permissions](tab-sso-graph-api.md).
+
+### Code for passing access token to server-side
+
+The following code shows an example of passing the access token to the server-side. The token is passed in an `Authorization` header when sending a request to a server-side web API. This example sends JSON data, so it uses the `POST` method. The `GET` is sufficient to send the access token when you're not writing to the server.
+
+```javascript
+$.ajax({
+ type: "POST",
+ url: "/api/DoSomething",
+ headers: {
+ "Authorization": "Bearer " + accessToken
+ },
+ data: { /* some JSON payload */ },
+ contentType: "application/json; charset=utf-8"
+}).done(function (data) {
+ // Handle success
+}).fail(function (error) {
+ // Handle error
+}).always(function () {
+ // Cleanup
+});
+```
+
+### Validate the access token
+
+Web APIs on your server must decode the access token, and verify if it's sent from the client. The token is a JSON Web Token (JWT), which means that validation works just like token validation in most standard OAuth flows. The web APIs must decode access token. Optionally, you can copy and paste access token manually into a tool, such as jwt.ms.
+
+There are a number of libraries available that can handle JWT validation. Basic validation includes:
+
+- Checking that the token is well-formed
+- Checking that the token was issued by the intended authority
+- Checking that the token is targeted to the web API
+
+Keep in mind the following guidelines when validating the token:
+
+- Valid SSO tokens are issued by Azure AD. The `iss` claim in the token should start with this value.
+- The token's `aud1` parameter will be set to the app ID generated during Azure AD app registration.
+- The token's `scp` parameter will be set to `access_as_user`.
+
+#### Example access token
+
+The following is a typical decoded payload of an access token.
+
+```javascript
+{
+ aud: "2c3caa80-93f9-425e-8b85-0745f50c0d24",
+ iss: "https://login.microsoftonline.com/fec4f964-8bc9-4fac-b972-1c1da35adbcd/v2.0",
+ iat: 1521143967,
+ nbf: 1521143967,
+ exp: 1521147867,
+ aio: "ATQAy/8GAAAA0agfnU4DTJUlEqGLisMtBk5q6z+6DB+sgiRjB/Ni73q83y0B86yBHU/WFJnlMQJ8",
+ azp: "e4590ed6-62b3-5102-beff-bad2292ab01c",
+ azpacr: "0",
+ e_exp: 262800,
+ name: "Mila Nikolova",
+ oid: "6467882c-fdfd-4354-a1ed-4e13f064be25",
+ preferred_username: "milan@contoso.com",
+ scp: "access_as_user",
+ sub: "XkjgWjdmaZ-_xDmhgN1BMP2vL2YOfeVxfPT_o8GRWaw",
+ tid: "fec4f964-8bc9-4fac-b972-1c1da35adbcd",
+ uti: "MICAQyhrH02ov54bCtIDAA",
+ ver: "2.0"
+}
+```
+
+## Code samples
+
+| Sample name | Description | C#/.NET| Node.js |
+||||--|
+| Tab SSO |Microsoft Teams sample app for tabs Azure AD SSO| [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp)|[View](https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/tab-sso/nodejs), </br>[Teams Toolkit](../../../toolkit/visual-studio-code-tab-sso.md)|
+| Tab, Bot and Message Extension (ME) SSO | This sample shows SSO for Tab, Bot and ME - search, action, linkunfurl. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/csharp) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/nodejs) |
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Update Teams app manifest and preview the app](tab-sso-manifest.md)
+
+## See also
+
+- [jwt.ms](https://jwt.ms/)
+- [Active directory optional claim](/azure/active-directory/develop/active-directory-optional-claims)
+- [Access tokens](/azure/active-directory/develop/access-tokens)
+- [Overview of the Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview)
+- [Microsoft identity platform ID tokens](/azure/active-directory/develop/id-tokens)
+- [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#validating-tokens)
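Review bot: in "Keep in mind the following guidelines when validating the token", `aud1` is a typo for the `aud` claim (the decoded example token below shows `aud: "2c3caa80-..."`), and the preceding bullet "The `iss` claim in the token should start with this value" never names the value; the example token shows the form, `https://login.microsoftonline.com/{tenant id}/v2.0`. The "Basic validation includes" list also omits the two checks that make the other claims trustworthy at all: verifying the token signature against the issuer's published signing keys, and checking the `exp`/`nbf` window (both claims appear in the example payload). Without the signature check, "Checking that the token was issued by the intended authority" is only reading an unverified string, and the sentence "verify if it's sent from the client" should read "verify that it was issued by Azure AD for this web API". In the `getAuthToken()` snippet, `successCallback` writes the raw token to the console (`console.log("Success: " + result)`), which works against the IMPORTANT note two paragraphs later about not storing the token; log a fixed string instead. Formatting: the `<details>` block under "Here's an example of the client-side code:" is empty apart from a stray `+` line, the separator row `| | |` in the "When to call getAuthToken" table (and the one in the Code samples table) needs dashes to render, and there are stray `++` lines after the intro paragraph and after the consent-dialog paragraph.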
platform Tab Sso Graph Api https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-graph-api.md
+
+ Title: Extend tab app with Microsoft Graph permissions
+description: Describes configuring API permissions with Microsoft Graph
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) Graph API Delegated permission access token scope
+
+# Extend tab app with Microsoft Graph permissions and scope
+
+You can extend your tab app by using Microsoft Graph to allow users additional permissions, such as to view app user profile, to read mail, and more. Your app must ask for specific permission scopes to obtain the access tokens on app user's consent.
+
+Graph scopes, such as `User.Read` or `Mail.Read`, lets you specify how your app accesses a Teams user's account. You need to specify your scopes in the authorization request.
+
+In this section, you'll learn to:
+
+- [Configure API permissions in Azure AD](#configure-api-permissions-in-azure-ad)
+- [Configure authentication for different platforms](#configure-authentication-for-different-platforms)
+- [Acquire access token for MS Graph](#acquire-access-token-for-ms-graph)
+
+## Configure API permissions in Azure AD
+
+You can configure additional Graph scopes in Azure AD for your app. These are delegated permissions, which are used by apps that require signed-in access. A signed-in app user or administrator must consent to them. Your tab app can consent on behalf of the signed-in user when it calls Microsoft Graph.
+
+### To configure API permissions
+
+1. Open the app you registered in the [Azure portal](https://ms.portal.azure.com/).
+
+2. Select **Manage** > **API permission** from the left pane.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/api-permission-menu.png" alt-text="App permissions menu option." border="true":::
+
+ The **API permissions** page appears.
+
+3. Select **+ Add permissions** to add Microsoft Graph API permissions.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/app-permission.png" alt-text="App permissions page." border="true":::
+
+ The **Request API permissions** page appears.
+
+4. Select **Microsoft Graph**.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/request-api-permission.png" alt-text="Request API permissions page." border="true":::
+
+ The options for Graph permissions display.
+
+5. Select **Delegated permissions** to view the list of permissions.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/delegated-permission.png" alt-text="Delegated permissions." border="true":::
+
+6. Select relevant permissions for your app, and then select **Add permissions**.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/select-permission.png" alt-text="Select permissions." border="true":::
+
+ You can also enter the permission name in the search box to find it.
+
+ A message pops up on the browser stating that the permissions were updated.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/updated-permission-msg.png" alt-text="Permissions updated message." border="false":::
+
+ The added permissions are displayed in the **API permissions** page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/configured-permissions.png" alt-text="API permissions are configured." border="true":::
+
+ You've configured your app with Microsoft Graph permissions.
+
+## Configure authentication for different platforms
+
+Depending on the platform or device where you want to target your app, additional configuration may be required such as redirect URIs, specific authentication settings, or details specific to the platform.
+
+> [!NOTE]
+>
+> - If your tab app hasn't been granted IT admin consent, app users have to provide consent the first time they use your app on a different platform.
+> - Implicit grant is not required if SSO is enabled on a tab app.
+
+You can configure authentication for multiple platforms as long as the URL is unique.
+
+### To configure authentication for a platform
+
+1. Open the app you registered in the the [Azure portal](https://ms.portal.azure.com/).
+
+1. Select **Manage** > **Authentication** from the left pane.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-portal-platform.png" alt-text="Authenticate for platforms" border="true":::
+
+ The **Platform configurations** page appears.
+
+1. Select **+ Add a platform**.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/add-platform.png" alt-text="Add a platforms" border="true":::
+
+ The **Configure platforms** page appears.
+
+1. Select the platform that you want to configure for your tab app. You can choose the platform type from web or SPA.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/configure-platform.png" alt-text="Select web platform" border="true":::
+
+ You can configure multiple platforms for a particular platform type. Ensure that the redirect URI is unique for every platform you configure.
+
+ The Configure Web page appears.
+
+ > [!NOTE]
+ > The configurations will be different based on the platform you select.
+
+1. Enter the configuration details for the platform.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/config-web-platform.png" alt-text="Configure web platform" border="true":::
+
+ 1. Enter the redirect URI. The URI should be unique.
+ 2. Enter the front-channel logout URL.
+ 3. Select the tokens you want Azure AD to send for your app.
+
+1. Select **Configure**.
+
+ The platform is configured and displayed in the **Platform configurations** page.
+
+## Acquire access token for MS Graph
+
+You'll need to acquire access token for Microsoft Graph. You can do so by using Azure AD OBO flow.
+
+The current implementation for SSO grants consent for only user-level permissions that are not usable for making Graph calls. To get the permissions (scopes) needed to make a Graph call, SSO apps must implement a custom web service to exchange the token received from the Teams JavaScript SDK for a token that includes the needed scopes. You can use Microsoft Authentication Library (MSAL) for fetching the token from the client side.
+
+After you've configured Graph permissions in Azure AD:
+
+- [Configure your client-side code to fetch access token using MSAL](#configure-code-to-fetch-access-token-using-msal)
+- [Pass the access token to server-side code](#pass-the-access-token-to-server-side-code)
+
+### Configure code to fetch access token using MSAL
+
+The following code provides an example of OBO flow to fetch access token from the Teams client using MSAL.
+
+### [C#](#tab/dotnet)
+
+```csharp
+
+IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(<"Client id">)
+ .WithClientSecret(<"Client secret">)
+ .WithAuthority($"https://login.microsoftonline.com/<"Tenant id">")
+ .Build();
+
+ try
+ {
+ var idToken = <"Client side token">;
+ UserAssertion assert = new UserAssertion(idToken);
+ List<string> scopes = new List<string>();
+ scopes.Add("https://graph.microsoft.com/User.Read");
+ var responseToken = await app.AcquireTokenOnBehalfOf(scopes, assert).ExecuteAsync();
+ return responseToken.AccessToken.ToString();
+ }
+ catch (Exception ex)
+ {
+ return ex.Message;
+ }
+ }
+```
+
+### [Node.js](#tab/nodejs)
+
+```Node.js
+
+// Exchange client Id side token with server token
+ app.post('/getProfileOnBehalfOf', function(req, res) {
+ var tid = < "Tenant id" >
+ var token = < "Client side token" >
+ var scopes = ["https://graph.microsoft.com/User.Read"];
+
+ // Creating MSAL client
+ const msalClient = new msal.ConfidentialClientApplication({
+ auth: {
+ clientId: < "Client ID" >,
+ clientSecret: < "Client Secret" >
+ }
+ });
+
+ var oboPromise = new Promise((resolve, reject) => {
+ msalClient.acquireTokenOnBehalfOf({
+ authority: `https://login.microsoftonline.com/${tid}`,
+ oboAssertion: token,
+ scopes: scopes,
+ skipCache: true
+ }).then(result => {
+ console.log("Token is: " + result.accessToken);
+ }).catch(error => {
+ reject({ "error": error.errorCode });
+ });
+ });
+```
+++
+### Pass the access token to server-side code
+
+If you need to access Microsoft Graph data, configure your server-side code to:
+
+1. Validate the access token. For more information, see [Validate the access token](tab-sso-code.md#validate-the-access-token).
+1. Initiate the OAuth 2.0 OBO flow with a call to the Microsoft identity platform that includes the access token, some metadata about the user, and the credentials of the tab app (its app ID and client secret). The Microsoft identity platform will return a new access token that can be used to access Microsoft Graph.
+1. Get data from Microsoft Graph by using the new token.
+1. Use token cache serialization in MSAL.NET to cache the new access token for multiple, if required.
+
+> [!IMPORTANT]
+> As a best practice for security, always use the server-side code to make Microsoft Graph calls, or other calls that require passing an access token. Never return the OBO token to the client to enable the client to make direct calls to Microsoft Graph. This helps protect the token from being intercepted or leaked.
+
+## Known limitations
+
+Tenant admin consent: A simple way of [consenting on behalf of an organization as a tenant admin](/azure/active-directory/manage-apps/consent-and-permissions-overview#admin-consent) is by getting [consent from admin](/azure/active-directory/manage-apps/grant-admin-consent).
+
+You can ask for consent using the Auth API. Another approach for getting Graph scopes is to present a consent dialog using our existing [third party OAuth provider authentication approach](~/tabs/how-to/authentication/auth-tab-aad.md#navigate-to-the-authorization-page-from-your-pop-up-page). This approach involves popping up an Azure AD consent dialog box.
+
+<details>
+<summary>To ask for additional consent using the Auth API, follow these steps:</summary>
+
+1. The token retrieved using `getAuthToken()` must be exchanged on the server-side using Azure AD [on-behalf-of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to get access to those other Graph APIs. Ensure you use the v2 Graph endpoint for this exchange.
+2. If the exchange fails, Azure AD returns an invalid grant exception. It usually responds with one of the two error messages, `invalid_grant` or `interaction_required`.
+3. When the exchange fails, you must ask for consent. Use the user interface (UI) to ask the app user to grant other consent. This UI must include a button that triggers an Azure AD consent dialog using [Silent authentication](~/concepts/authentication/auth-silent-aad.md).
+4. When asking for more consent from Azure AD, you must include `prompt=consent` in your [query-string-parameter](~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context) to Azure AD, otherwise Azure AD wouldn't ask for other scopes.
+ - Instead of `?scope={scopes}`, use `?prompt=consent&scope={scopes}`
+ - Ensure that `{scopes}` includes all the scopes you're prompting the user for, for example, `Mail.Read` or `User.Read`.
+5. After the app user has granted more permissions, retry the OBO flow to get access to these other APIs.
+
+ </details>
+
+## See also
+
+- [OAuth 2.0 On-Behalf-Of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)
+- [Get access for MS Graph](/graph/auth-v2-user)
+- [Token cache serialization in MSAL.NET](/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnet)
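Review bot: the section "Configure code to fetch access token using MSAL" and the bullets that lead into it ("Configure your client-side code to fetch access token using MSAL", "You can use Microsoft Authentication Library (MSAL) for fetching the token from the client side") describe this code as client-side, but both samples build a `ConfidentialClientApplication` with `WithClientSecret(<"Client secret">)` / `clientSecret: < "Client Secret" >`; that is the server-side OBO exchange, and a client secret must never be delivered to the browser. Retitle the section and bullets as server-side, which also matches the IMPORTANT note below ("Never return the OBO token to the client"). In the samples themselves: the C# block has an unmatched trailing `}` and returns `ex.Message` from the catch as if it were a token, so a caller cannot distinguish an error string from an access token; the Node.js block is fenced as ```Node.js (not a recognised highlighter name; use `javascript`), its `oboPromise` never calls `resolve(result.accessToken)` in the `.then` branch, the `app.post` handler is never closed and never sends a response, and `skipCache: true` disables the token caching that the "Pass the access token to server-side code" step recommends. Smaller: "cache the new access token for multiple, if required" is missing its object, "the the [Azure portal]" is doubled, and the `+++` line after the Node.js fence is a leftover.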
platform Tab Sso Manifest https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-manifest.md
+
+ Title: Update manifest for enabling SSO for tabs
+description: Describes updating manifest for enabling SSO for tabs
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) Graph API
+
+# Update app manifest for SSO and preview app
+
+Before you update Teams app manifest, ensure that you've configure code to enable SSO in your tab app.
+
+> [!div class="nextstepaction"]
+> [Configure code](tab-sso-code.md)
+
+You've registered your tab app in Azure AD, and obtained an app ID. You've also configured your code to call `getAuthToken()` and handle the access token. Now, you must update the Teams app manifest to enable SSO for your tab app. The Teams app manifest describes how an app integrates into Teams.
+
+## webApplicationInfo property
+
+Configure the `webApplicationInfo` property in the Teams app manifest file. This property enables SSO for your app to help app users access your tab app seamlessly.
+
+&nbsp;&nbsp;:::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/sso-manifest.png" alt-text="Teams app manifest configuration" border="false":::
+
+`webApplicationInfo` has two elements, `id` and `resource`.
+
+| Element | Description |
+| | |
+| id | Enter the app ID (GUID) that you created in Azure AD. |
+| resource | Enter your app's subdomain URI and the application ID URI that you created in Azure AD when creating scope. You can copy it from the **Azure AD** > **Expose an API** section. |
+
+> [!NOTE]
+> Use manifest version 1.5 or higher to implement the `webApplicationInfo` property.
+
+The application ID URI that you registered in Azure AD is configured with the scope of the API you exposed. Configure your app's subdomain URI in `resource` to ensure that the authentication request using `getAuthToken()` is from the domain given in Teams app manifest.
+
+For more information, see [webApplicationInfo](../../../resources/schem#webapplicationinfo).
+
+## To configure Teams app manifest
+
+1. Open the tab app project.
+2. Open the manifest folder.
+
+ > [!NOTE]
+ >
+ > - The manifest folder should be at the root of your project. For more information, see [Create a Microsoft Teams app package](../../../concepts/build-and-test/apps-package.md).
+ > - For more information on learning how to create a manifest.json, see [Reference: Manifest schema for Microsoft Teams](../../../resources/schem).
+
+1. Open the manifest.json file
+1. Append the following code snippet to the manifest file to add the new property:
+
+ ```json
+ "webApplicationInfo": {
+ "id": "{Azure AD AppId}",
+ "resource": "api://{Subdomain}.example.com/{Azure AD AppId}"
+ }
+ ```
+
+ where,
+ - {Azure AD AppId} is the app ID you created when you registered your app in Azure AD. It's the GUID.
+ - {{Subdomain}.app ID URI} is the application ID URI that you registered when creating scope in Azure AD.
+
+4. Update the app ID from Azure AD in the **id** property.
+5. Update the subdomain URL in the following properties:
+ 1. `contentUrl`
+ 2. `configurationUrl`
+ 3. `validDomains`
+6. Save the Teams app manifest file.
+
+<br>
+<details>
+<summary>Here's an example of app manifest after it's updated</summary>
+
+```json
+{
+ "$schema": "https://developer.microsoft.com/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
+ "manifestVersion": "1.11",
+ "version": "1.0.0",
+ "id": "bccfbe67-e08b-4ec1-a7fd-e0aaf41a097c",
+ "packageName": "com.contoso.teamsauthsso",
+ "developer": {
+ "name": "Microsoft",
+ "websiteUrl": "https://www.microsoft.com",
+ "privacyUrl": "https://www.microsoft.com/privacy",
+ "termsOfUseUrl": "https://www.microsoft.com/termsofuse"
+ },
+ "name": {
+ "short": "Teams Auth SSO",
+ "full": "Teams Auth SSO"
+ },
+ "description": {
+ "short": "Teams Auth SSO app",
+ "full": "The Teams Auth SSO app"
+ },
+ "icons": {
+ "outline": "outline.png",
+ "color": "color.png"
+ },
+ "accentColor": "#60A18E",
+ "staticTabs": [
+ {
+ "entityId": "auth",
+ "name": "Auth",
+ "contentUrl": "https://contoso.com/Home/Index",
+ "scopes": [ "personal" ]
+ }
+ ],
+ "configurableTabs": [
+ {
+ "configurationUrl": "https://contoso.com/Home/Configure",
+ "canUpdateConfiguration": true,
+ "scopes": [
+ "team"
+ ]
+ }
+ ],
+ "permissions": [ "identity", "messageTeamMembers" ],
+ "validDomains": [
+ "contoso.com"
+ ],
+ "webApplicationInfo": {
+ "id": "bccfbe67-e08b-4ec1-a7fd-e0aaf41a097c",
+ "resource": "api://contoso.com/bccfbe67-e08b-4ec1-a7fd-e0aaf41a097c"
+ }
+}
+```
+
+</details>
+
+> [!NOTE]
+> During debug, you can use ngrok to test your app in Azure AD. In that case, you need to replace the subdomain in `api://subdomain.example.com/00000000-0000-0000-0000-000000000000` with the ngrok url. You'll need to update the url whenever your ngrok subdomain changes For example, api://23c3-103-50-148-128.ngrok.io/bccfbe67-e08b-4ec1-a7fd-e0aaf41a097c.
+
+## Sideload and Preview in Teams
+
+You've configured the tab app to enable SSO in Azure AD, in app code, and in Teams manifest file. You can now sideload your tab app in Teams, and preview it in Teams environment.
++
+To preview your tab app in Teams:
+
+1. Create an app package.
+
+ The app package is a zip file that contains the app manifest file and app icons.
+
+1. Open Teams.
+
+1. Select **Apps** > **Manage your apps** > **Upload an app**.
+
+ The options to upload an app appear.
+
+1. Select **Upload a custom app** to sideload the tab app to Teams.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/sideload-tab-app.png" alt-text="Sideload tab app into Teams":::
+
+1. Select your app package zip file, and then select **Add**.
+
+ The tab app is sideloaded and the dialog appears to inform you of the additional permissions that may be required.
+
+1. Select **Continue**.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/teams-sso-consent.png" alt-text="Teams dialog box informing about additional permissions required" border="true":::
+
+ The Azure AD consent dialog appears.
+
+1. Select **Accept** to give consent for open-id scopes.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/aad-sso-consent.png" alt-text="Azure AD consent dialog" border="true":::
+
+ Teams opens the tab app and you can use it.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/teams-sso-app.png" alt-text="Example of Teams tab app with SSO enabled" border="false":::
+
+ Congratulations! You've enabled SSO for your tab app.
+
+## See also
+
+- [Manifest schema for Microsoft Teams](../../../resources/schem)
+- [Manifest schema format](https://developer.microsoft.com/json-schemas/teams/v1.12/MicrosoftTeams.schema.json)
+- [Create a Microsoft Teams app package](../../../concepts/build-and-test/apps-package.md)
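Review bot: The placeholder used in the explanation does not match the snippet it explains: the code reads `"resource": "api://{Subdomain}.example.com/{Azure AD AppId}"`, but the bullet underneath says `{{Subdomain}.app ID URI} is the application ID URI that you registered`; use the snippet's placeholder in both places so a reader knows which value to substitute, and say that this value must equal the application ID URI set in Azure AD, since the page states the `getAuthToken()` request is checked against it. In the same procedure the numbering restarts (`1. Open the manifest.json file`, `1. Append the following code snippet`) and then continues with `4. Update the app ID`, so the list renders as 1, 2, 1, 1, 4, 5, 6; number the steps consistently. The link target `../../../resources/schem#webapplicationinfo` (and `../../../resources/schem` in the note and in See also) looks truncated next to the `.md` links beside it and should be checked before merge. Minor: the ngrok note runs two sentences together ("subdomain changes For example"), and the lone `+` line after the Sideload intro is a stray blank line.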
platform Tab Sso Overview https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-overview.md
+
+ Title: Overview to authentication for tabs using SSO in Teams with Azure AD
+description: Overview to SSO authentication in Teams and how to use it in tabs
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) SSO access token app manifest
+
+# Enable single sign-on in a tab app
+
+<!--Single sign-on (SSO) allows a user to access an application or a web service after signing-in only once. The app users never have to go through authentication again.-->
+
+With SSO in Teams, app users have the advantage of using Teams to access apps. After logging into Teams using Microsoft or Microsoft 365 account, app users can use your app without needing to sign in again. Your app is available to app users on any device with access granted through Azure AD.
+
+Here's what you'll learn in this section:
+
+1. **SSO user experience**: Teams offers your app users a true SSO experience. App users can use your app without signing in again.
+2. **SSO in Teams at runtime**: Your tab app interacts with Azure AD at runtime for one-time authentication and authorization for your app users.
+3. **Enable SSO for your tab app**: Implement the tasks involved to implement SSO in your tab app.
+
+## SSO user experience in Teams
+
+App users sign in to Teams using either personal Microsoft account or Microsoft 365 account. You can take advantage of this, and use SSO to authenticate and authorize the app users.
+
+&nbsp;&nbsp;&nbsp;&nbsp; :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/teams-sso-ux.png" alt-text="SSO user experience in a Teams tab app" border="false":::
+
+- Teams authenticates and stores the identity of its app user.
+- Your tab app uses the stored identity of the app user who is already validated by Teams.
+- The app user needs to give consent to Teams for using the identity to access for using your tab app.
+- The app user can access the app on web, desktop, or mobile client.
+
+You can view here an example of user experience with SSO in a tab app:
++
+### Enhance user experience with SSO
+
+Here's what your app users get with SSO experience:
+
+- Teams gets the access token for the current app user from Azure AD. This interaction with Azure AD is invisible to the app user. It translates to getting app access without having to leave Teams environment.
+- An app user needs to consent only in a multi-tenant environment. If the app user and the app reside in the same tenant, the app user doesn't need to give consent for using the app.
+- After consenting to Teams the first time, the app user can use your app with no further need of consent, even on any other device. For this reason, it offers a better user experience.
+ - Alternatively, the tenant administrator can grant consent on behalf of the app users. In this scenario, when the tenant administrator consents for app users in the tenant, the app users don't need to be prompted for consent at all. This means that the app users don't see the consent dialogs, and can access the app seamlessly.
+- The access token is pre-fetched by Teams to improve performance and load time of the app in Teams environment.
+- App users don't need to memorize or record several passwords to access and use apps in Teams environment.
+
+> [!NOTE]
+> App users can't give permission to some permission scopes, such as `Sites.ReadWrite.All`, which allows the app user to read and write to all SharePoint and OneDrive assets in the tenant. For such scopes, only the tenant administrator than grant consent on an app user's behalf.
+
+Now, let's see what happens at the backend during runtime to achieve SSO experience within Teams.
+
+## SSO in Teams at runtime
+
+Achieve SSO in a tab app by obtaining access token for the Teams app user who's currently logged in. This process involves the tab app client and server, Teams client, and Azure AD. During this interaction, the app user must give consent for using Teams identity to obtain the access token in a multi-tenant environment.
+
+The following image shows how SSO works when a Teams app user attempts to access the tab app:
++
+| # | Interaction | What's going on |
+| | | |
+| 1 | Tab app → Teams Client | The tab app makes a JavaScript call to `getAuthToken()`, which tells Teams to obtain an access token. |
+| 2 | Teams Client → Azure AD | Teams requests Azure AD endpoint for the access token for the current app user based on Teams identity. |
+| 3 | Azure AD → Consent form | If the current app user is using your tab app for the first time, Teams displays request prompt to consent, if the app needs to access some protected data. The app user (or the administrator) must give consent to Teams for using the app user's Teams identity to obtain access token from Azure AD. <br> Alternately, there's a request prompt to handle step-up authentication such as two-factor authentication. |
+| 4 | Azure AD → Teams Client | Azure AD sends the access token to the Teams Client. The token is a JSON Web Token (JWT), and it's validation works just like token validation in most standard OAuth flows. Teams caches the token on your behalf so that future calls to `getAuthToken()` return the cached token. |
+| 5 | Teams Client → Tab app client | Teams sends the access token to the tab app as part of the result object returned by the `getAuthToken()` call. |
+| 6 | Tab app (between client & server) | The tab app parses the access token using JavaScript to extract required information, such as the app user's email address. The token returned to the tab app is both an access token and an identity token. |
+
+For more information, see [Update code to enable SSO](tab-sso-code.md).
+
+> [!IMPORTANT]
+> The `getAuthToken()` is valid only for consenting to a limited set of user-level APIs, such as email, profile, offline_access, and OpenId. It isn't used for other Graph scopes such as `User.Read` or `Mail.Read`. For suggested workarounds, see [Extend your app with Microsoft Graph permissions](tab-sso-graph-api.md).
+
+Tabs are Teams-aware web pages. To enable SSO in a web-page hosted inside a tab app, add [Teams Javascript client SDK](/javascript/api/overview/msteams-client?view=msteams-client-js-latest&preserve-view=true), and call `microsoftTeams.initialize()`. After initialization, call `microsoftTeams.getAuthToken()` to get the access token for your app.
+
+### Use cases for enabling SSO
+
+You can enable SSO in Teams for all apps that support Azure AD as an identity provider. In addition to using SSO for authenticating app users in a tab app, you can also use it to enable seamless access across Teams.
+
+Some scenarios where you can use the SSO API to authenticate your app users are:
+
+- If you want to authenticate your app users within a Teams tab app, the SSO API allows app users to use your app in Teams with no additional authentication needed. Based on the app user's Teams identity, you can obtain access token for them from Azure AD.
+- If your app uses task module from within a bot, a tab, a message extension, or Adaptive Cards, then you can use the SSO API to authenticate your app users.
+- You can also use the SSO API for authenticating your app users who want to access to Stage view without need to be validated again.
+
+> [!TIP]
+> You can also use the SSO API to authenticate app users in [task modules](../../../task-modules-and-cards/what-are-task-modules.md) that embed web content.
+
+To achieve SSO at runtime, configure your app to enable SSO for authenticating and authorizing app users.
+
+## Enable SSO for a tab app
+
+This section describes the tasks involved in implementing SSO for a tab app. These tasks are language- and framework-agnostic.
+
+To enable SSO for a tab app:
+
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/enable-sso.png" alt-text="Steps to enable SSO for tab" border="false" lightbox="../../../assets/images/authentication/teams-sso-tabs/enable-sso.png":::
+
+1. **Register with Azure AD**: Create an Azure AD app to generate an app ID and application ID URI. For generating access token, you configure scopes and authorize trusted client applications.
+2. **Update code**: Add the code to handle access token, calling `getAuthToken()` when an app user accesses your tab app, sending this token to your app's server code in the Authorization header, and validating the access token when it's received.
+3. **Update Teams app manifest**: Update your Teams Client app manifest with the app ID and application ID URI generated on Azure AD to allow Teams to request access tokens on behalf of your app.
+
+## Third-party cookies on iOS
+
+After the iOS 14 update, Apple has blocked the [third-party cookie](https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/) access for all apps by default. Therefore, the apps that leverage third-party cookies for authentication in their Channel or Chat tabs and Personal apps won't be able to complete their authentication workflows on Teams iOS clients. To conform with Privacy and Security requirements, you must move to a token-based system or use first-party cookies for the user authentication workflows.
+
+### Teams mobile client support
+
+For Teams mobile, client versions that support SSO are:
+
+- Teams for Android (1416/1.0.0.2020073101 and later)
+- Teams for iOS (version: 2.0.18 and later)
+- Teams JavaScript SDK (version: 1.11 and later) for SSO to work in meeting side panel
+
+For the best experience with Teams, use the latest version of iOS and Android.
+
+## Best practices
+
+Here's a list of best practices:
+
+- **Call access token only when you need it**: Call `getAuthToken()` only when you need an access token. You can call it when an app user accesses your tab app, or for using a particular function that requires app user validation.
+- **Don't store access token on client-side code**: DonΓÇÖt cache or store the access token in your app's client-side code. Teams Client caches the access token (or request a new one if it expires). This ensures that there's no accidental leak of your token from your web app.
+- **Use server-side code for Microsoft Graph calls**: Always use the server-side code to make Microsoft Graph calls, or other calls that require passing an access token. Never return the OBO token to the client to enable the client to make direct calls to Microsoft Graph. This helps protect the token from being intercepted or leaked. For more information, see [Extend tab app with Microsoft Graph permissions and scope](tab-sso-graph-api.md).
+
+## Known limitations
+
+- Currently, SSO in Teams supports only OAuth 2.0 token. It doesn't support SAML token.
+- Multiple domains per app are not supported. For more information, see [LOB apps](tab-sso-register-aad.md#before-you-register-with-azure-ad).
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Register your tab application in Azure AD](tab-sso-register-aad.md)
+
+## See also
+
+[Configure code to enable SSO in a tab app](tab-sso-code.md)
+
+<!--
+### Use cases for enabling SSO for tab app
+
+Here are some use cases where enabling SSO is beneficial. Call `getAuthToken()` in these scenarios to use Teams identity for obtaining access token for your app users:
+
+- To get an app userΓÇÖs identity from Teams if you have an existing app that you want to be available within a tab app in Teams.
+
+- To authenticate an app user by reusing the TeamΓÇÖs identity inside your tab app.
+
+- To authenticate and get an app userΓÇÖs Teams identity inside configurable tabs. The app users don't need to sign in again. It's applicable to some settings that need to be configured at a configuration stage.
+
+- To obtain an access token inside a task module, when it's invoked from a tab app, a bot app, a messaging extension app, or adaptive cards.
+
+- To authenticate an app user in Stage view.
+
+- To authenticate users for [task modules](../../../task-modules-and-cards/what-are-task-modules.md) that embed web content.
+-->
+
+<!--
+```mermaid
+sequenceDiagram
+ User->>Tab app: Opens Teams app
+ Tab app->>Teams Client: 1. Call getAuthToken()
+ Teams Client->>Sign-in and Consent: 2. Check if consent is required
+ Sign-in and Consent->>Teams Client: Prompt for consent from new user
+ Teams Client->>Azure AD: 3. Request access token from Azure AD
+ Azure AD->>Teams Client: 4. Send access token to Teams Client
+ Teams Client->>Tab app: 5. Respond to getAuthToken() with access token
+ Tab app->>Tab app: 6. Parse access token to give access to user
+```
+-->
+
+<!--
+- Tenant admin consent: A simple way of [consenting on behalf of an organization as a tenant admin](/azure/active-directory/develop/v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant) is by getting [consent from admin](/azure/active-directory/manage-apps/grant-admin-consent).
+
+ You can ask for consent using the Auth API. Another approach for getting Graph scopes is to present a consent dialog using our existing [third party OAuth provider authentication approach](~/tabs/how-to/authentication/auth-tab-aad.md#navigate-to-the-authorization-page-from-your-pop-up-page). This approach involves popping up an Azure AD consent dialog box.
+
+ <details>
+ <summary>To ask for additional consent using the Auth API, follow these steps:</summary>
+
+ 1. The token retrieved using `getAuthToken()` must be exchanged on the server-side using Azure AD [on-behalf-of flow (OBO)](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to get access to those other Graph APIs. Ensure you use the v2 Graph endpoint for this exchange.
+ 2. If the exchange fails, Azure AD returns an invalid grant exception. It usually responds with one of the two error messages, `invalid_grant` or `interaction_required`.
+ 3. When the exchange fails, you must ask for consent. Use the user interface (UI) to ask the app user to grant other consent. This UI must include a button that triggers an Azure AD consent dialog using [Silent authentication](~/concepts/authentication/auth-silent-aad.md).
+ 4. When asking for more consent from Azure AD, you must include `prompt=consent` in your [query-string-parameter](~/tabs/how-to/authentication/auth-silent-aad.md#get-the-user-context) to Azure AD, otherwise Azure AD wouldn't ask for other scopes.
+
+ - Instead of `?scope={scopes}`, use `?prompt=consent&scope={scopes}`
+ - Ensure that `{scopes}` includes all the scopes you're prompting the user for, for example, `Mail.Read` or `User.Read`.
+ 5. After the app user has granted more permissions, retry the OBO flow to get access to these other APIs.
+
+ </details>
+-->
+<!--
+- If you want your existing app to be available within a Teams tab app, the SSO API allows your signed-in app users to use your app in Teams with no additional authentication needed. Based on the app user's Teams identity, you can obtain access token for them from Azure AD.
+- If your app has configurable tabs, you can use `getAuthToken()` to allow app users into the tab app without signing in again. SSO is applicable to some settings that need to be configured at a configuration stage.
+- Your app may have a bot, a tab, a message extension, or Adaptive Cards, and allows your app users to invoke task module from within a tab or a bot. The SSO API will authenticate your app users who attempt to access the task module. Teams can use the app user's Teams identity and obtain an access token from Azure AD.
+
+- You can also use the SSO API for authenticating your app users who want to access to Stage view without need to be validated again. The access token obtained for the app user when they first used your app can be used to allow them to use Stage view. -->
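Review bot: Step 6 of the runtime table says the tab app "parses the access token using JavaScript to extract required information, such as the app user's email address" without saying that claims read on the client are unverified; the same page requires "validating the access token when it's received" by the server code (the Update code step) and tells developers never to return the OBO token to the client. Add a sentence at step 6, or in Best practices, that client-side parsing is for display only and that no authorization decision is made until the server has validated the token. Typos in this hunk: "only the tenant administrator than grant consent" should read "can grant consent"; "it's validation works" should read "its validation works"; "DonΓÇÖt cache" has a mis-encoded apostrophe (also in the commented-out use-case list). The interaction table's second row is `| | | |` instead of a `| --- | --- | --- |` separator, so it will not render as a table, and the two lone `+` lines after "You can view here an example" and "The following image shows" look like dropped image references.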
platform Tab Sso Register Aad https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-register-aad.md
+
+ Title: Register your tab app with Azure AD
+description: Describes registering your tab app with Azure AD
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) access token SSO tenancy scope
+
+# Register your app in Azure AD
+
+Azure AD provides access to your tab app based on the app user's Teams identity. You'll need to register your tab app with Azure AD so that the app user who has signed into Teams can be given access to your tab app.
+
+## Enabling SSO on Azure AD
+
+Registering your tab app in Azure AD and enabling it for SSO requires making app configurations, such as generating app ID, defining API scope, and pre-authorize client IDs for trusted applications.
++
+Create a new app registration in Azure AD, and expose its (web) API using scopes (permissions). Configure a trust relationship between the exposed API on Azure AD and your app. This allows Teams Client to obtain an access token on behalf of your application and the logged-in user. You can add client IDs for the trusted mobile, desktop, and web applications that you want to pre-authorize.
+
+You may also need to configure additional details, such as authenticating app users on the platform or device where you want to target your tab app.
+
+User-level Graph API permissions are supported, that is, email, profile, offline_access, and OpenId. If you require access to additional Graph scopes, such as `User.Read` or `Mail.Read`, see [Get an access token with Graph permissions](tab-sso-graph-api.md).
+
+Azure AD configuration enables SSO for your tab app in Teams. It responds with an access token for validating the app user.
+
+> [!NOTE]
+> Microsoft Teams Toolkit registers the Azure AD application in an SSO project.
+
+### Before you register with Azure AD
+
+It's helpful if you learn about the configuration for registering your app on Azure AD beforehand. Ensure that you've prepared to configure the following details prior to registering your app:
+
+- **Single- or multi-tenant options**: Will your application be used in only the Microsoft 365 tenant where it is registered, or will many Microsoft 365 tenants use it? Applications written for one enterprise are typically single-tenant; applications written by an independent software vendor and used by many customers need to be multi-tenant so each customer's tenant can access the application.
+- **Application ID URI**: It's a globally unique URI that identifies the web API you expose for your app's access through scopes. It's also referred to as an identifier URI. The application ID URI includes the app ID and the subdomain where your app is hosted. Your application's domain name and the domain name you register for your Azure AD application should be the same. Currently, multiple domains per app aren't supported.
+- **Scope**: It's the permission that an authorized app user or your app can be granted for accessing a resource exposed by the API.
+
+> [!NOTE]
+>
+> - **LOB applications**: Your organization can make LOB applications available through Microsoft Store. These apps are custom to your organization. They are internal or specific within your organization or business.
+> - **Customer-owned apps**: SSO is also supported for customer-owned apps within the Azure AD B2C tenants.
+
+To create and configure your app in Azure AD for enabling SSO:
+
+- [Register and configure the Azure AD app.](#create-an-app-registration-in-azure-ad)
+- [Configure scope for access token.](#configure-scope-for-access-token)
+- [Configure access token version.](#configure-access-token-version)
+
+## Create an app registration in Azure AD
+
+Register a new app in Azure AD, and configure the tenancy and app's platform. You'll generate a new app ID that will be updated later in your Teams app manifest file.
+
+### To register a new app in Azure AD
+
+1. Open the [Azure portal](https://ms.portal.azure.com/) on your web browser.
+ The Microsoft Azure AD Portal page opens.
+
+2. Select the **App registrations** icon.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-portal.png" alt-text="Azure AD Portal page." border="true":::
+
+ The **App registrations** page appears.
+
+3. Select **+ New registration** icon.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/app-registrations.png" alt-text="New registration page on Azure AD Portal." border="true":::
+
+ The **Register an application** page appears.
+
+4. Enter the name of your app that you want to be displayed to the app user. You can change this name at a later stage, if you want to.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/register-app.png" alt-text="App registration page on Azure AD Portal." border="true":::
+
+5. Select the type of user account that can access your app. You can choose from single- or multi-tenant options, or Private Microsoft account.
+
+ <details>
+ <summary><b>Options for supported account types</b></summary>
+
+ | Option | Select this to... |
+ | | |
+ | Accounts in this organizational directory only (Microsoft only - Single tenant) | Build an application for use only by users (or guests) in your tenant. <br> Often called LOB application, this app is a single-tenant application in the Microsoft identity platform. |
+ | Accounts in any organizational directory (Any Azure AD directory - Multi-tenant) | Let users in any Azure AD tenant use your application. This option is appropriate if, for example, you're building a SaaS application, and you intend make it available to multiple organizations. <br> This type of app is known as a multi-tenant application in the Microsoft identity platform.|
+ | Accounts in any organizational directory (Any Azure AD directory - Multi-tenant) and personal Microsoft accounts | Target the widest set of customers. <br> By selecting this option, you're registering a multi-tenant application that can support app users who have personal Microsoft accounts also. |
+ | Personal Microsoft accounts only | Build an application only for users who have personal Microsoft accounts. |
+
+ </details>
+
+ > [!NOTE]
+ > You don't need to enter **Redirect URI** for enabling SSO for a tab app.
+
+7. Select **Register**.
+ A message pops up on the browser stating that the app was created.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/app-created-msg.png" alt-text="Register app on Azure AD Portal." border="true":::
+
+ The page with app ID and other configurations is displayed.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/tab-app-created.png" alt-text="App registration is successful." border="true":::
+
+8. Note and save the app ID from **Application (client) ID**. You'll need it for updating the Teams app manifest later.
+
+ Your app is registered in Azure AD. You should now have app ID for your tab app.
+
+## Configure scope for access token
+
+After you've created a new app registration, configure scope (permission) options for sending access token to Teams Client, and authorizing trusted client applications to enable SSO.
+
+To configure scope and authorize trusted client applications, you'll need:
+
+- [To expose an API](#to-expose-an-api): Configure scope (permission) options for your app. You'll expose a web API, and configure the application ID URI.
+- [To configure API scope](#to-configure-api-scope): Define scope for the API, and the users who can consent for a scope. You can let only admins provide consent for higher-privileged permissions.
+- [To configure authorized client application](#to-configure-authorized-client-application): Create authorized client IDs for applications that you want to pre-authorize. It allows the app user to access the app scopes (permissions) you've configured, without requiring any further consent. Pre-authorize only those client applications you trust as your app users won't have the opportunity to decline consent.
+
+### To expose an API
+
+1. Select **Manage** > **Expose an API** from the left pane.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/expose-api-menu.png" alt-text="Expose an API menu option." border="true":::
+
+ The **Expose an API** page appears.
+
+1. Select **Set** to generate application ID URI in the form of `api://{AppID}`.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/expose-an-api.png" alt-text="Set app ID URI" border="true":::
+
+ The section for setting application ID URI appears.
+
+1. Enter the application ID URI in the format explained here.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/set-app-id-uri.png" alt-text="Application ID URI" border="true":::
+
+ - The **Application ID URI** is pre-filled with app ID (GUID) in the format `api://{AppID}`.
+ - The application ID URI format should be: `api://fully-qualified-domain-name.com/{AppID}`.
+ - Insert the `fully-qualified-domain-name.com` between `api://` and `{AppID}` (which is, GUID). For example, api://example.com/{AppID}.
+
+ where,
+ - `fully-qualified-domain-name.com` is the human-readable domain name from which your tab app is served. Your application's domain name and the domain name you register for your Azure AD application should be the same.
+
+ If you're using a tunneling service, such as ngrok, you must update this value whenever your ngrok subdomain changes.
+ - `AppID` is the app ID (GUID) that was generated when you registered your app. You can view it in the **Overview** section.
+
+ > [!IMPORTANT]
+ >
+ > - **Application ID URI for app with multiple capabilities**: If you're building an app with a bot, a messaging extension, and a tab, enter the application ID URI as `api://fully-qualified-domain-name.com/BotId-{YourClientId}`, where the BotID is your bot app ID.
+ >
+ > - **Format for domain name**: Use lower case letters for domain name. Don't use upper case.
+ >
+ > For example, to create an app service or web app with resource name, 'demoapplication':
+ >
+ > | If base resource name used is | URL will be... | Format is supported on... |
+ > | | | |
+ > | *demoapplication* | **<https://demoapplication.example.net>** | All platforms.|
+ > | *DemoApplication* | **<https://DemoApplication.example.net>** | Desktop, web, and iOS only. It isn't supported in Android. |
+ >
+ > Use the lower case option *demoapplication* as base resource name.
+
+1. Select **Save**.
+
+ A message pops up on the browser stating that the application ID URI was updated.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/app-id-uri-msg.png" alt-text="Application ID URI message" border="true":::
+
+ The application ID URI displays on the page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/app-id-uri-added.png" alt-text="Application ID URI updated" border="true":::
+
+1. Note and save the Application ID URI. You'll need it for updating the Teams app manifest later.
+
+### To configure API scope
+
+1. Select **+ Add a scope** in the **Scopes defined by this API** section.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/select-scope.png" alt-text="Select scope" border="true":::
+
+ The **Add a scope** page appears.
+
+1. Enter the details for configuring scope.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/add-scope.png" alt-text="Add scope details" border="true":::
+
+ 1. Enter the scope name. This is a mandatory field.
+ 2. Select the user who can give consent for this scope. The default option is **Admins only**.
+ 3. Enter the **Admin consent display name**. This is a mandatory field.
+ 4. Enter the description for admin consent. This is a mandatory field.
+ 5. Enter the **User consent display name**.
+ 6. Enter the description for user consent description.
+ 7. Select the **Enabled** option for state.
+ 8. Select **Add scope**.
+
+ A message pops up on the browser stating that the scope was added.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/scope-added-msg.png" alt-text="Scope added message" border="true":::
+
+ The new scope you defined displays on the page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/scope-added.png" alt-text="Scope added and displayed" border="true":::
+
+### To configure authorized client application
+
+1. Move through the **Expose an API** page to the **Authorized client application** section, and select **+ Add a client application**.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/auth-client-apps.png" alt-text="Authorized client application" border="true":::
+
+ The **Add a client application** page appears.
+
+1. Enter the appropriate client ID for the Teams Client for the applications that you want to authorize for your appΓÇÖs web application.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/add-client-app.png" alt-text="Add a client application" border="true":::
+
+ > [!NOTE]
+ >
+ > - The client IDs for Teams mobile, desktop, and web application are the actual IDs that you should add.
+ > - For a Teams tab app, you'll need either Web or SPA, as you can't have a mobile or desktop client application in Teams.
+
+ 1. Choose one of the following client IDs:
+
+ | Use client ID | For authorizing... |
+ | | |
+ | 1fec8e78-bce4-4aaf-ab1b-5451cc387264 | Teams mobile or desktop application |
+ | 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 | Teams web application |
+
+ 1. Select the application ID URI you created for your app in **Authorized scopes** to add the scope to the web API you exposed.
+
+ 1. Select **Add application**.
+
+ A message pops up on the browser stating that the authorized client app was added.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-app-auth-msg.png" alt-text="Client application added message" border="true":::
+
+ The client ID displays on the page.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/client-app-added.png" alt-text="Client app added and displayed" border="true":::
+
+> [!NOTE]
+> You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application.
+
+## Configure access token version
+
+You must define the access token version that is acceptable for your app. This configuration is made in the Azure AD application manifest.
+
+### To define the access token version
+
+1. Select **Manage** > **Manifest** from the left pane.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-portal-manifest.png" alt-text="Azure AD portal Manifest" border="true":::
+
+ The Azure AD application manifest appears.
+
+1. Enter **2** as the value for the `accessTokenAcceptedVersion` property.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-manifest-value.png" alt-text="Value for accepted access token version" border="true":::
+
+1. Select **Save**
+
+ A message pops up on the browser stating that the manifest was updated successfully.
+
+ :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Manifest updated message":::
+
+Congratulations! You've completed the app configuration in Azure AD required to enable SSO for your tab app.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Configure code to enable SSO](tab-sso-code.md)
+
+## See also
+
+- [Tenancy in Azure Active Directory](/azure/active-directory/develop/single-and-multi-tenant-apps)
+- [Extend tab app with Microsoft Graph permissions and scope](tab-sso-graph-api.md)
+- [Quickstart - Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app)
+- [Quickstart: Configure an application to expose a web API](/azure/active-directory/develop/quickstart-configure-app-expose-web-apis)
+- [OAuth 2.0 authorization code flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow)
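Review bot: The note at L1824 ("you can't have a mobile or desktop client application in Teams") reads as contradicting the table at L1830, which tells the reader to authorize the Teams mobile or desktop client ID; reword the note so it is clear that Web/SPA refers to the platform type of your own app registration, while the two IDs in the table are the Teams clients being pre-authorized. Because a pre-authorized client can obtain tokens for the exposed scope without a consent prompt, and L1846 says more than one client can be added, state explicitly that only the Teams client IDs listed in the table belong here. Smaller points: L1797 reads "Enter the description for user consent description"; L1833 should say to select the scope defined under the application ID URI, which is what the Authorized scopes list actually shows; L1860 should make clear that `accessTokenAcceptedVersion` takes the integer 2, not the string "2"; L1864 is missing its period.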
platform Tab Sso Troubleshooting https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-troubleshooting.md
+
+ Title: Troubleshooting authentication for tabs using SSO in Teams
+description: Troubleshooting SSO authentication in Teams and how to use it in tabs
+
+ms.localizationpriority: medium
+keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) SSO errors questions
+
+# Troubleshooting SSO authentication in Teams
+
+Here's a list of issues and questions about SSO, and how you can fix them.
+<br>
+
+## Support for Microsoft Graph
+
+<br>
+<details>
+<summary>1. Does Graph API work in Postman?</summary>
+<br>
+You can use the Microsoft Graph Postman collection with Microsoft Graph APIs.
+
+For more information, see [Use Postman with the Microsoft Graph API](/graph/use-postman).
+</details>
+<br>
+<details>
+<summary>2. Does Graph API work in Microsoft Graph explorer?</summary>
+<br>
+Yes, Graph API works in Microsoft Graph explorer.
+
+For more information, see [Graph explorer](https://developer.microsoft.com/graph/graph-explorer).
+
+</details>
+<br>
+
+## Error messages and how to handle them
+
+<br>
+<details>
+<summary>1. Error: consent missing.</summary>
+<br>
+When Azure AD receives a request for accessing a Microsoft Graph resource, it checks if the user (or tenant administrator) have given consent for this resource. If there's no record of consent from the user or administrator, Azure AD sends an error message to your web service.
+
+Your code must tell the client (for example, in the body of a 403 Forbidden response) how to handle the error:
+
+- If the tab app needs Microsoft Graph scopes for which only an administrator can give consent, your code should throw an error.
+- If the only scopes that are needed can be consented to by the user, then your code should fall back to an alternate system of user authentication.
+
+</details>
+<br>
+<details>
+<summary>2. Error: Missing scope (permission).</summary>
+<br>
+This error is seen only during development.
+
+To handle this error, your server-side code should send a 403 Forbidden response to the client. It should log the error to the console or record it in a log.
+</details>
+<br>
+<details>
+<summary>3. Error: Invalid Audience in the access token for Microsoft Graph.</summary>
+<br>
+The server-side code should send a 403 Forbidden response to the client to show a message to the user. It is recommended that it should also log the error to the console, or record it in a log.
+</details>
+<br>
+<details>
+<summary>4. Error: Host name must not be based on an already owned domain.</summary>
+<br>
+You can get this error in one of the two scenarios:
+
+1. The custom domain is not added to Azure AD. To add custom domain to Azure AD and register it, follow the [add a custom domain name to Azure AD](/azure/active-directory/fundamentals/add-custom-domain) procedure, and then follow the steps to [Configure scope for access token](tab-sso-register-aad.md#configure-scope-for-access-token) again.
+1. You are not signed in with Administrator credentials in the Microsoft 365 tenancy. Sign-in to Microsoft 365 as an administrator.
+
+</details>
+<br>
+<details>
+<summary>5. Error: User Principal Name (UPN) not received in the returned access token.</summary>
+<br>
+You can add UPN as an optional claim in Azure AD.
+
+For more information, see [Provide optional claims to your app](/azure/active-directory/develop/active-directory-optional-claims) and [access tokens](/azure/active-directory/develop/access-tokens).
+</details>
+<br>
+<details>
+<summary>6. Error: Teams SDK Error: resourceDisabled.</summary>
+<br>
+To avoid this error, ensure that application ID URI is configured properly in Azure AD app registration and in your Teams Client.
+
+For more information on application ID URI, see [To expose an API](tab-sso-register-aad.md#to-expose-an-api).
+
+</details>
+<br>
+
+<details>
+<summary>7. Error: Generic error when running the tab app.</summary>
+<br>
+A generic error may show up when one or more of app configurations made in Azure AD are incorrect. To resolve this error, check if the app details configured in your code and Teams manifest matches the values in Azure AD.
+
+The following image shows an example of the app details configured in Azure AD.
++
+Check that the following values match between Azure AD, client-side code, and Teams app manifest:
+
+- **App ID**: The app ID you generated in Azure AD should be the same in the code and in Teams manifest file. Check the app ID in Teams manifest matches the **Application (client) ID** in Azure AD.
+
+- **App secret**: The app secret configured in the backend of your app should match the **Client credentials** in Azure AD.
+ You should also check if the client secret is expired.
+
+- **Application ID URI**: The app ID URI in the code and in Teams app manifest file should match the **Application ID URI** in Azure AD.
+
+- **App permissions**: Check if the permissions you defined in the scope are as per your app requirement. If so, check if they were granted to the user in the access token.
+
+- **Admin consent**: If any scope requires admin consent, check if the consent was granted for the particular scope to the user.
+
+In addition, inspect the access token that was sent to the tab app to verify if the following values are correct:
+
+- **Audience (aud)**: Check if the app ID in the token is correct as given in Azure AD.
+- **Tenant Id(tid)**: Check if the tenant mentioned in the token is correct.
+- **User identity (preferred_username)**: Check if the user identity matches the username in the request for access token for the scope that the current user wants to access.
+- **Scopes (scp)**: Check if the scope for which the access token is requested is correct, and as defined in Azure AD.
+- **Azure AD version 1.0 or 2.0 (ver)**: Check if Azure AD version is correct.
+
+You can use [JWT](https://jwt.ms) for inspecting the token.
+
+</details>
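Review bot: L1980 announces "The following image shows an example of the app details configured in Azure AD" but no `:::image` directive follows and L1981 is empty, so either the image was dropped from the commit or the sentence should go. Grammar at L1924: "the user (or tenant administrator) have given" should be "has given". L1936 asserts "This error is seen only during development" without saying why; qualify it or drop it, since a scope missing from the registration surfaces wherever the token is requested, not only on a developer's machine. For the audience check at L1997, say which value is expected: with `accessTokenAcceptedVersion` set to 2, as the registration procedure above requires, `aud` is the application (client) ID, and the `ver` claim at L2001 tells the reader which token format they are looking at. `Tenant Id(tid)` at L1998 needs a space and consistent casing (`Tenant ID (tid)`). At L2003, add that an access token is a bearer credential, so the reader should paste development tokens into the inspector, not tokens issued in a production tenant.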
platform Create Personal Tab https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/create-personal-tab.md
Following are the steps to create a personal tab:
1. In Visual Studio, select **F5** or choose **Start Debugging** from your application's **Debug** menu to verify if the application has loaded properly. In a browser, go to the following URLs:
- * <http://localhost:3978/>
- * <http://localhost:3978/personalTab>
- * <http://localhost:3978/privacy>
- * <http://localhost:3978/tou>
+ * `<http://localhost:3978/>`
+ * `<http://localhost:3978/personalTab>`
+ * `<http://localhost:3978/privacy>`
+ * `<http://localhost:3978/tou>`
<details> <summary><b>Review the source code</b></summary>
Following are the steps to create a personal tab:
1. In Visual Studio, select **F5** or choose **Start Debugging** from your application's **Debug** menu to verify if the application has loaded properly. In a browser, go to the following URLs:
- * <http://localhost:3978>
- * <http://localhost:3978/personalTab>
- * <http://localhost:3978/privacy>
- * <http://localhost:3978/tou>
+ * `<http://localhost:3978>`
+ * `<http://localhost:3978/personalTab>`
+ * `<http://localhost:3978/privacy>`
+ * `<http://localhost:3978/tou>`
<details> <summary><b>Review the source code</b></summary>
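Review bot: Wrapping the autolinks in backticks at L2013-L2016 and L2024-L2027 keeps the angle brackets inside the code span, so the page will now render the literal text `<http://localhost:3978/>` and the URLs stop being clickable. If the intent is to show them as code, drop the brackets and use `` `http://localhost:3978/` ``; if the intent is links, keep the original `<http://...>` form. The two occurrences also differ in the first URL (`http://localhost:3978/` at L2013 vs `http://localhost:3978` at L2024); pick one.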
platform Configuration Page https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/create-tab-pages/configuration-page.md
document.write(getId());
### Use the `getContext()` function to retrieve context
-The `app.getContext()` function returns a promise that resolves with the [context interface](/javascript/api/@microsoft/teams-js/app.context?view=msteams-client-js-latest&preserve-view=true) object.
+The `app.getContext()` function returns a promise that resolves with the [context interface](/javascript/api/@microsoft/teams-js/pages?view=msteams-client-js-latest&preserve-view=true) object.
The following code provides an example of adding this function to the configuration page to retrieve context values:
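Review bot: The link retargeting at L2033 looks wrong: the sentence describes what `app.getContext()` resolves with, which is the `app.Context` interface, so the original `app.context` reference target at L2032 matches the text while the new `pages` target does not document that interface. Unless the `app.context` reference page was removed, revert this change.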
platform Add Single Sign On https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/toolkit/add-single-sign-on.md
The following steps helps you to enable SSO in your application.
} ```+ </details> <details> <summary><b>Add a new command to the bot
export async function showUserImage(context, ssoToken, param) {
} ```+ </details> <br>
Press F5 to debug your application. Teams Toolkit uses the Azure AD manifest fil
## Customize Azure AD application registration The [Azure AD app manifest](/azure/active-directory/develop/reference-app-manifest) allows you to customize various aspects of application registration. You can update the manifest as needed. If you need to include additional API permissions to access your desired APIs, see [API permissions to access your desired APIs](https://github.com/OfficeDev/TeamsFx/wiki/#customize-aad-manifest-template).
-To view your Azure AD application in Azure Portal, see [View Azure AD application in Azure portal](https://github.com/OfficeDev/TeamsFx/wiki/Manage-AAD-application-in-Teams-Toolkit#How-to-view-the-AAD-app-on-the-Azure-portal).
+To view your Azure AD application in Azure Portal, see [View Azure AD application in Azure portal](https://github.com/OfficeDev/TeamsFx/wiki/Manage-AAD-application-in-Teams-Toolkit#How-to-view-the-AAD-app-on-the-Azure-portal).
## SSO authentication concepts
Single sign-on (SSO) authentication in Microsoft Azure Active Directory (Azure A
Teams tabs and bots have similar flow for SSO support, for more information, see:
-1. [Single sign-on (SSO) authentication in Tabs](../tabs/how-to/authentication/auth-aad-sso.md)
+1. [Single sign-on (SSO) authentication in Tabs](../tabs/how-to/authentication/tab-sso-overview.md)
2. [Single sign-on (SSO) authentication in Bots](../bots/how-to/authentication/auth-aad-sso-bots.md) ### Simplified SSO with TeamsFx
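Review bot: L2042 and L2043 show no visible difference, so this is presumably a whitespace-only change; drop it so the diff is limited to the link rename at L2047/L2048. While here, the context line L2036 reads "The following steps helps you" and should be "help you".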
platform Visual Studio Code Tab Sso https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/toolkit/visual-studio-code-tab-sso.md
The Microsoft Teams Toolkit enables you to create single sign-on (SSO) authentic
1. Enter the URL where your app will be hosted and select **next**. Your app registration will be configured using the provided URL. 1. The app registration's configuration details will be stored in the `.env` files in your project's source code.
-If you would like to learn more about how your Azure app registration will be provisioned, *see* our [single sign-on (SSO) support for tabs](../tabs/how-to/authentication/auth-aad-sso.md) documentation.
+If you would like to learn more about how your Azure app registration will be provisioned, *see* our [single sign-on (SSO) support for tabs](../tabs/how-to/authentication/tab-sso-overview.md) documentation.
> [!TIP] > You will need to go to **Azure App Registrations** and update your *API URI* and *redirect URLs* whenever you change this URL.
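Review bot: The link rename at L2053/L2054 is fine, but the context sentence at L2052 tells the reader that the app registration's configuration details are stored in `.env` files without saying that those files must stay out of source control; since the page now sends readers to the SSO overview, add a sentence there (or to the tip at L2055) that `.env` files holding registration values, which may include secrets, are not to be committed.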
platform Whats New https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/whats-new.md
ms.localizationpriority: high
Discover Microsoft Teams platform features that are generally available (GA) and in developer preview. You can now get latest Teams platform updates by subscribing to the RSS feed [![download feed](~/assets/images/RSSfeeds.png)](https://aka.ms/TeamsPlatformUpdates). For more information, see [configure RSS feed](#get-latest-updates).
-## Microsoft Build 2022 :::image type="icon" source="assets/images/bullhorn.png" border="false":::
+## Microsoft Build 2022 :::image type="icon" source="assets/images/bullhorn.png" border="false"
| Date | Feature | Find it here | | | | |
Discover Microsoft Teams platform features that are generally available (GA) and
|05/24/2022| Submit your Outlook- and Office-enabled apps to the Teams store | Extend your app across Microsoft 365 > [Overview](m365-apps/overview.md) | |05/24/2022| App guidance and what's new in TeamsJS version 2.0.0| Tools and SDKs > [Teams JavaScript client SDK](tabs/how-to/using-teams-client-sdk.md) | |05/19/2022|Bots and Message extensions in GCC and GCCH| ΓÇó Plan your app > [Overview](concepts/app-fundamentals-overview.md#government-community-cloud) </br> ΓÇó Build bots > [Overview](bots/what-are-bots.md) </br> ΓÇó Build message extensions > [Overview](messaging-extensions/what-are-messaging-extensions.md) |
-|04/28/2022| Common reasons for app validation failure | Distribute your app > Publish to the Teams store > [Common reasons for app validation failure](concepts/deploy-and-publish/appsource/common-reasons-for-app-validation-failure.md)|
-|04/20/2022 | Set up CI/CD pipelines | Tools and SDKs > Teams Toolkit for Visual Studio Code > [Set up CI/CD pipelines](toolkit/use-CICD-template.md)|
-|04/19/2022 | Upload your app in Microsoft Teams | Distribute your app > [Upload your app](concepts/deploy-and-publish/apps-upload.md)|
-|04/06/2022| Share to Teams from personal app or tab (developer preview) | Integrate with Teams > Share to Teams > [Share to Teams from personal app or tab](concepts/build-and-test/share-to-teams-from-personal-app-or-tab.md) |
-|04/01/2022| Introduced step-by-step guide to create Teams conversational bot| Build bots > Bot conversations > Channel and group conversations > [Step-by-step guide to create Teams conversational bot](sbs-teams-conversation-bot.yml) |
-|03/30/2022| Updated the Get started module with Blazor app using tabs and bots| Get started > [Build your first app using Blazor](sbs-gs-blazorupdate.yml)|
-|03/30/2022|Device permissions for the browser | Integrate device capabilities > [Device permissions for the browser](concepts/device-capabilities/browser-device-permissions.md) |
-|03/29/2022 | Integrate People Picker | Integrate with Teams > [Integrate People Picker](concepts/device-capabilities/people-picker-capability.md)|
-|03/23/2022| Introduced step-by-step guide to unfurl links in Teams using bot | Build message extensions > Add link unfurling > [Unfurl links in Teams using bot](sbs-botbuilder-linkunfurling.yml)|
-|03/22/2022| Added information on debug process| ΓÇó Tools and SDKs> Teams Toolkit for Visual Studio Code > [Debug your Teams app locally](toolkit/debug-local.md) </br> ΓÇó Tools and SDKs> Teams Toolkit for Visual Studio Code > [Debug background process](toolkit/debug-background-process.md)|
-|03/14/2022| Introduced step-by-step guide to build and test a connector in Microsoft Teams | Build webhooks and connectors > Create Office 365 Connectors > [Build Teams connectors](sbs-teams-connectors.yml)|
-|03/10/2022| Added information on Moodle LMS and Microsoft 365 plugins | Integrate with Teams > Moodle LMS > [Moodle learning management system](resources/moodle-overview.md)|
-|03/03/2022 | How to add authentication using external OAuth provider| Add authentication > Tabs > [Use external OAuth providers](tabs/how-to/authentication/auth-oauth-provider.md) |
-|02/25/2022| Introduced step-by-step guide to invoke task modules in Teams| Build cards and task modules > Build task modules > Use task modules from bots > [Invoke task module from Teams](sbs-botbuilder-taskmodule.yml)|
-|02/24/2022| Introduced step-by-step guide to build action based message extension | Build Message Extensions > Action commands > Define action commands > [Build action based message extension](sbs-meetingextension-action.yml)|
-|02/24/2022| Introduced step-by-step guide to build search based message extension | Build message extensions > Search commands > Define search commands > [Build search based message extension](sbs-messagingextension-searchcommand.yml)|
-|02/24/2022| Introduced step-by-step guide to create Outgoing Webhooks | Build webhooks and connectors > Create Outgoing Webhooks > [Create Outgoing Webhooks](sbs-outgoing-webhooks.yml)|
-| 02/23/2022 |Microsoft Teams store ranking parameters| Distribute your app > Publish to the Teams store > [Microsoft Teams store ranking parameters](concepts/deploy-and-publish/appsource/post-publish/teams-store-ranking-parameters.md)|
-|02/09/2022| Introduced step-by-step guide how to upload files to Teams from a bot | Build bots > Send and receive files > [step-by-step guide how to upload files to Teams from a bot](sbs-file-handling-in-bot.yml) |
-| 02/18/2022 | Introduced extensive Glossary for the Microsoft Teams Developer Documentation to help you find the definition about a term quickly | [Glossary](~/get-started/glossary.md) |
-| 02/18/2022 | Updated the Overview module for mapping Teams app to organizational goals, user story, and exploring Teams app features | [Overview > Teams app that fits](overview.md) |
-| 02/18/2022 | Updated the App fundamentals module to Plan your app to include mapping use cases to Teams features, and app planning checklist | [Plan your app > Overview](~/concepts/app-fundamentals-overview.md) |
-|02/17/2022| What to expect after you submit your app?| Distribute your app > Publish to the Teams store > [Overview](concepts/deploy-and-publish/appsource/publish.md)|
-|02/15/2022| Introduced step-by-step guide how to upload files to Teams from a bot | Build bots > Send and receive files > [Step-by-step guide how to upload files to Teams from a bot](sbs-file-handling-in-bot.yml) |
-|02/11/2022| Shared meeting stage| ΓÇó Build apps for Teams meetings > [Shared meeting stage](apps-in-teams-meetings/enable-and-configure-your-app-for-teams-meetings.md#shared-meeting-stage) </br> ΓÇó Build apps for Teams meetings > [Meeting apps API references](apps-in-teams-meetings/API-references.md) </br> ΓÇó App manifest > Public developer preview > [Developer preview manifest schema](resources/schem)|
-|02/08/2022| Introduced step-by-step guide to create Calling and Meeting bot| Build bots > Calls and meetings bots > Register calls and meetings bot > [Step-by-step guide to create Calling and Meeting bot](sbs-calling-and-meeting.yml) |
-|02/07/2022| Tools and SDKs |Teams Toolkit for Visual Studio Code > </br> ΓÇó Add capabilities to Teams app> [Add capabilities to your Teams apps](toolkit/add-capability.md) </br> ΓÇó Add cloud resources to Teams app> [Add cloud resources to your Teams app](toolkit/add-resource.md) |
-|02/03/2022| Introduced app manifest version 1.12 | ΓÇó App manifest > [App manifest schema](resources/schem) |-->
-
+-->
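Review bot: L2060 drops the closing `:::` from the image directive in the "Microsoft Build 2022" heading, so if that heading is rendered the directive is now malformed; restore `:::` at the end of the line or remove the icon. Moving `-->` from the end of the last table row at L2091 to its own line at L2093 is the right fix for the comment terminator, but the opening `<!--` is not in this hunk; confirm that the three rows kept at L2063 are still meant to be commented out rather than shown, given that they now also appear in the GA table.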
## GA features
Microsoft Teams platform features that are available to all app developers.
| **Date** | **Update** | **Find here** | | -- | | -|
-|05/24/2022| Additional tips for rapid approval to publish your app linked to a SaaS offer | Publish to the Teams store > Overview > [Additional tips for rapid approval to publish your app linked to a SaaS offer](~/concepts/deploy-and-publish/appsource/publish.md#additional-tips-for-rapid-approval-to-publish-your-app-linked-to-a-saas-offer) |
-|05/24/2022| Submit your Outlook- and Office-enabled apps to the Teams store | Extend your app across Microsoft 365 > [Overview](m365-apps/overview.md) |
-|05/24/2022| App guidance and what's new in TeamsJS version 2.0.0| Tools and SDKs > [Teams JavaScript client SDK](tabs/how-to/using-teams-client-sdk.md) |
+| 06/03/2022 | Updated Add authentication module for enabling SSO for tab app with new structure and procedures | Add authentication > Tabs > [Enable single sign-on in a tab app](tabs/how-to/authentication/tab-sso-overview.md) |
+| 05/24/2022 | Additional tips for rapid approval to publish your app linked to a SaaS offer | Publish to the Teams store > Overview > [Additional tips for rapid approval to publish your app linked to a SaaS offer](~/concepts/deploy-and-publish/appsource/publish.md#additional-tips-for-rapid-approval-to-publish-your-app-linked-to-a-saas-offer) |
+| 05/24/2022 | Submit your Outlook- and Office-enabled apps to the Teams store | Extend your app across Microsoft 365 > [Overview](m365-apps/overview.md) |
+| 05/24/2022 | App guidance and what's new in TeamsJS version 2.0.0| Tools and SDKs > [Teams JavaScript client SDK](tabs/how-to/using-teams-client-sdk.md) |
| 05/24/2022 | Teams Toolkit version 4.0.0 for Visual Studio Code is now GA | Tools and SDKs > Teams Toolkit for Visual Studio Code > <br> ΓÇó [Teams Toolkit Overview](toolkit/teams-toolkit-fundamentals.md) <br> ΓÇó [Build command bot with JavaScript](toolkit/add-capability.md) <br> ΓÇó [Build notification bot with JavaScript](toolkit/add-capability.md) <br> ΓÇó [Preview and customize Teams app manifest](toolkit/TeamsFx-preview-and-customize-app-manifest.md) <br> ΓÇó [Connect to existing APIs](toolkit/add-API-connection.md) <br> ΓÇó [Add capabilities to your Teams apps](toolkit/add-capability.md) <br> ΓÇó [Add single sign-on experience](toolkit/add-single-sign-on.md) <br> ΓÇó [Add cloud resources to Teams app](toolkit/add-resource.md) | | 05/24/2022 | Introduced app manifest version 1.13 | App manifest > [Manifest schema for Microsoft Teams](resources/schem) |
-|05/24/2022|Bots and Message extensions in GCC and GCCH| ΓÇó Plan your app > [Overview](concepts/app-fundamentals-overview.md#government-community-cloud) </br> ΓÇó Build bots > [Overview](bots/what-are-bots.md) </br> ΓÇó Build message extensions > [Overview](messaging-extensions/what-are-messaging-extensions.md) |
+| 5/24/2022|Bots and Message extensions in GCC and GCCH| ΓÇó Plan your app > [Overview](concepts/app-fundamentals-overview.md#government-community-cloud) </br> ΓÇó Build bots > [Overview](bots/what-are-bots.md) </br> ΓÇó Build message extensions > [Overview](messaging-extensions/what-are-messaging-extensions.md) |
|04/26/2022|Uninstall behavior for personal app with bot | Build bots > Bot conversations > [Uninstall behavior updates in personal apps with bots](bots/how-to/conversations/subscribe-to-conversation-events.md#uninstall-behavior-for-personal-app-with-bot)|
-|04/22/2022| Test preview for monetized apps | Monetize your app > [Test preview for monetized apps](concepts/deploy-and-publish/appsource/prepare/test-preview-for-monetized-apps.md)
-|04/22/2022| In-app purchase flow for monetization of apps | Monetize your app > [In-app purchases](concepts/deploy-and-publish/appsource/prepare/in-app-purchase-flow.md)
-|04/28/2022| Common reasons for app validation failure | Distribute your app > Publish to the Teams store > [Common reasons for app validation failure](concepts/deploy-and-publish/appsource/common-reasons-for-app-validation-failure.md)|
-|04/20/2022 | Set up CI/CD pipelines | Tools and SDKs > Teams Toolkit for Visual Studio Code > [Set up CI/CD pipelines](toolkit/use-CICD-template.md)|
-|04/19/2022 | Upload your app in Microsoft Teams | Distribute your app > [Upload your app](concepts/deploy-and-publish/apps-upload.md)|
-|04/01/2022| Introduced step-by-step guide to create Teams conversational bot| Build bots > Bot conversations > Channel and group conversations > [Step-by-step guide to create Teams conversational bot](sbs-teams-conversation-bot.yml) |
-|03/30/2022| Updated the Get started module with Blazor app using tabs and bots| Get started > [Build your first app using Blazor](sbs-gs-blazorupdate.yml)|
+| 04/22/2022 | Test preview for monetized apps | Monetize your app > [Test preview for monetized apps](concepts/deploy-and-publish/appsource/prepare/test-preview-for-monetized-apps.md)
+| 04/22/2022 | In-app purchase flow for monetization of apps | Monetize your app > [In-app purchases](concepts/deploy-and-publish/appsource/prepare/in-app-purchase-flow.md)
+| 04/28/2022 | Common reasons for app validation failure | Distribute your app > Publish to the Teams store > [Common reasons for app validation failure](concepts/deploy-and-publish/appsource/common-reasons-for-app-validation-failure.md)|
+| 04/20/2022 | Set up CI/CD pipelines | Tools and SDKs > Teams Toolkit for Visual Studio Code > [Set up CI/CD pipelines](toolkit/use-CICD-template.md)|
+| 04/19/2022 | Upload your app in Microsoft Teams | Distribute your app > [Upload your app](concepts/deploy-and-publish/apps-upload.md)|
+| 04/01/2022 | Introduced step-by-step guide to create Teams conversational bot| Build bots > Bot conversations > Channel and group conversations > [Step-by-step guide to create Teams conversational bot](sbs-teams-conversation-bot.yml) |
+| 03/30/2022 | Updated the Get started module with Blazor app using tabs and bots| Get started > [Build your first app using Blazor](sbs-gs-blazorupdate.yml)|
|03/30/2022|Device permissions for the browser | Integrate device capabilities > [Device permissions for the browser](concepts/device-capabilities/browser-device-permissions.md) |
-|03/29/2022 |Integrate People Picker | Integrate with Teams > [Integrate People Picker](concepts/device-capabilities/people-picker-capability.md)
-|03/23/2022| Introduced step-by-step guide to unfurl links in Teams using bot | Build message extensions > Add link unfurling > [Unfurl links in Teams using bot](sbs-botbuilder-linkunfurling.yml)|
-|03/22/2022| Added information on debug process| ΓÇó Tools and SDKs> Teams Toolkit for Visual Studio Code > [Debug your Teams app locally](toolkit/debug-local.md) </br> ΓÇó Tools and SDKs> Teams Toolkit for Visual Studio Code > [Debug background process](toolkit/debug-background-process.md)|
-|03/14/2022| Introduced step-by-step guide to build and test a connector in Microsoft Teams | Build webhooks and connectors > Create Office 365 Connectors > [Build Teams connectors](sbs-teams-connectors.yml)|
-|03/10/2022 | Added information on Moodle LMS and Microsoft 365 plugins | Integrate with Teams > Moodle LMS > [Moodle learning management system](resources/moodle-overview.md)|
-|03/03/2022 | How to add authentication using external OAuth provider| Add authentication > Tabs > [Use external OAuth providers](tabs/how-to/authentication/auth-oauth-provider.md) |
-| 02/25/2022| Introduced step-by-step guide to invoke task modules in Teams| Build cards and task modules > Build task modules > Use task modules from bots > [Invoke task module from Teams](sbs-botbuilder-taskmodule.yml)|
+| 03/29/2022 |Integrate People Picker | Integrate with Teams > [Integrate People Picker](concepts/device-capabilities/people-picker-capability.md)
+| 03/23/2022 | Introduced step-by-step guide to unfurl links in Teams using bot | Build message extensions > Add link unfurling > [Unfurl links in Teams using bot](sbs-botbuilder-linkunfurling.yml)|
+| 03/22/2022 | Added information on debug process| ΓÇó Tools and SDKs> Teams Toolkit for Visual Studio Code > [Debug your Teams app locally](toolkit/debug-local.md) </br> ΓÇó Tools and SDKs> Teams Toolkit for Visual Studio Code > [Debug background process](toolkit/debug-background-process.md)|
+| 03/14/2022 | Introduced step-by-step guide to build and test a connector in Microsoft Teams | Build webhooks and connectors > Create Office 365 Connectors > [Build Teams connectors](sbs-teams-connectors.yml)|
+| 03/10/2022 | Added information on Moodle LMS and Microsoft 365 plugins | Integrate with Teams > Moodle LMS > [Moodle learning management system](resources/moodle-overview.md)|
+| 03/03/2022 | How to add authentication using external OAuth provider| Add authentication > Tabs > [Use external OAuth providers](tabs/how-to/authentication/auth-oauth-provider.md) |
+| 02/25/2022 | Introduced step-by-step guide to invoke task modules in Teams| Build cards and task modules > Build task modules > Use task modules from bots > [Invoke task module from Teams](sbs-botbuilder-taskmodule.yml)|
| 02/24/2022| Introduced step-by-step guide to build action based message extension | Build Message Extensions > Action commands > Define action commands > [Build action based message extension](sbs-meetingextension-action.yml)|
-| 02/24/2022| Introduced step-by-step guide to build search based message extension | Build message extensions > Search commands > Define search commands > [Build search based message extension](sbs-messagingextension-searchcommand.yml)|
-| 02/24/2022| Introduced step-by-step guide to create Outgoing Webhooks | Build webhooks and connectors > Create Outgoing Webhooks > [Create Outgoing Webhooks](sbs-outgoing-webhooks.yml)|
+| 02/24/2022 | Introduced step-by-step guide to build search based message extension | Build message extensions > Search commands > Define search commands > [Build search based message extension](sbs-messagingextension-searchcommand.yml)|
+| 02/24/2022 | Introduced step-by-step guide to create Outgoing Webhooks | Build webhooks and connectors > Create Outgoing Webhooks > [Create Outgoing Webhooks](sbs-outgoing-webhooks.yml)|
| 02/23/2022 |Microsoft Teams store ranking parameters| Distribute your app > Publish to the Teams store > [Microsoft Teams store ranking parameters](concepts/deploy-and-publish/appsource/post-publish/teams-store-ranking-parameters.md)| | 02/18/2022 | Introduced extensive Glossary for the Microsoft Teams Developer Documentation to help you find the definition about a term quickly | [Glossary](~/get-started/glossary.md) | | 02/18/2022 | Updated the Overview module for mapping Teams app to organizational goals, user story, and exploring Teams app features | [Overview > Teams app that fits](overview.md) |
Explore updates from the previous GA releases listed here.
|08/19/2020|Import Teams messages with Microsoft Graph |[Import third-party platform messages to Teams using Microsoft Graph](graph-api/import-messages/import-external-messages-to-teams.md) |08/12/2020 |Adaptive Cards support in incoming webhook moved to GA |[Send adaptive cards using an incoming webhook](~/webhooks-and-connectors/how-to/connectors-using.md#send-adaptive-cards-using-an-incoming-webhook) | |08/10/2020|Get started building Teams apps with the Visual Studio Toolkit |[Build apps with the Microsoft Teams Toolkit and Visual Studio Code](toolkit/visual-studio-overview.md) |
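Review bot: the 02/24/2022 whitespace fix (`| 02/24/2022 |` in the two replaced rows) leaves the first 02/24/2022 row, the action-based message extension entry, still written as `| 02/24/2022|` without the trailing space; apply the same spacing to that row so the three same-date entries are formatted consistently.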
-|08/06/2020|Support for Tabs SSO authentication |[Develop an SSO Microsoft Teams Tab](tabs/how-to/authentication/auth-aad-sso.md#develop-an-sso-microsoft-teams-tab) |
+|08/06/2020|Support for Tabs SSO authentication |[Develop an SSO Microsoft Teams Tab](tabs/how-to/authentication/tab-sso-overview.md) |
|07/27/2020 | Graph proactive bots and messages (Public Preview) |[Enable proactive bot installation and proactive messaging in Teams with Microsoft Graph](graph-api/proactive-bots-and-messages/graph-proactive-bots-and-messages.md)| |07/22/2020 |Mobile device capability updates |[Request device permissions for your Microsoft Teams tab](concepts/device-capabilities/native-device-permissions.md) | |07/20/2020|Teams App Validation Tool for AppSource submissions |[Teams App Validation Tool](concepts/deploy-and-publish/appsource/prepare/submission-checklist.md) |07/15/2020|Create a virtual assistant for Teams |[Virtual Assistant for Microsoft Teams](samples/virtual-assistant.md)| |07/14/2020|Surfacing a native loading indicator documentation |[Showing a native loading indicator](tabs/how-to/create-tab-pages/content-page.md#show-a-native-loading-indicator) |07/01/2020|Get started building Teams apps with the Visual Studio Code Toolkit |[Build apps with the Microsoft Teams Toolkit and Visual Studio Code](toolkit/visual-studio-code-overview.md) |
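Review bot: the 08/06/2020 row replaces `tabs/how-to/authentication/auth-aad-sso.md#develop-an-sso-microsoft-teams-tab` with `tabs/how-to/authentication/tab-sso-overview.md` and drops the section anchor while keeping the link text "Develop an SSO Microsoft Teams Tab"; either point to the matching section of the new overview page or reword the link text so it describes the page the reader now lands on.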
-|07/01/2020|Single sign-on for tabs GA for Teams web and desktop clients |[Single Sign-On (SSO)](tabs/how-to/authentication/auth-aad-sso.md)|
+|07/01/2020|Single sign-on for tabs GA for Teams web and desktop clients |[Single Sign-On (SSO)](tabs/how-to/authentication/tab-sso-overview.md)|
|06/05/2020| Manifest schema updated to version 1.7.| [Reference: Manifest schema for Microsoft Teams](resources/schem)| |05/18/2020|Integrate Power Virtual Agents with Teams |[Integrate a Power Virtual Agents chatbot with Microsoft Teams](bots/how-to/add-power-virtual-agents-bot-to-teams.md)| |04/01/2020|Integrate WFM systems with Shifts Connector for Teams |[Microsoft Teams Shifts WFM connectors](samples/shifts-wfm-connectors.md)
Explore updates from the previous GA releases listed here.
| **Date** | **Update** | **Find here** | | -- | | | | 12/26/2019 | The `replyToId` parameter in payloads sent to a bot is no longer encrypted, allowing you to use this value to construct deeplinks to these messages. Message payloads include the encrypted values in the parameter `legacy.replyToId`. |
-| 11/05/2019 | Single sign-on using the Teams JavaScript SDK. | [Single sign-on](tabs/how-to/authentication/auth-aad-sso.md) |
+| 11/05/2019 | Single sign-on using the Teams JavaScript SDK. | [Single sign-on](tabs/how-to/authentication/tab-sso-overview.md) |
| 10/31/2019 | Conversational bots and message extension documentation updated to reflect the 4.6 Bot Framework SDK. Documentation for the v3 SDK is available in the Resources section. | All bot and message extension documentation | | 10/31/2019 | New documentation structure, and major article refactoring. Please report any dead links or 404's by creating a GitHub Issue. | All of them! | | 09/13/2019 | Request bot is installed from action-based message extension. | [Initiate actions with message extensions](resources/messaging-extension-v3/create-extensions.md#request-to-install-your-conversational-bot)