Updates from: 08/15/2023 02:17:41
Service Microsoft Docs article Related commit history on GitHub Change details
platform Bot Sso Code https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/bots/how-to/authentication/bot-sso-code.md
zone_pivot_groups: enable-sso
# Add code to enable SSO in your bot app
-Before you add code to enable SSO, ensure that you've configured your app and bot resource in Azure AD portal.
+Before you add code to enable single sign-on (SSO), ensure that you've configured your app and bot resource in Azure AD portal.
> [!div class="nextstepaction"] > [Configure bot app in Azure AD](bot-sso-register-aad.md)
To update your app's code:
1. Add code snippet for `TeamsSSOTokenExchangeMiddleware`.
- # [C#](#tab/cs1)
+# [C#](#tab/cs1)
- Add the following code snippet to `AdapterWithErrorHandler.cs` (or the equivalent class in your app's code):
+Add the following code snippet to `AdapterWithErrorHandler.cs` (or the equivalent class in your app's code):
- ```csharp
- base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"]));
- ```
+```csharp
+base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"]));
+```
- # [JavaScript](#tab/js1)
+# [JavaScript](#tab/js1)
- Add the following code snippet to `index.js` (or the equivalent class in your app's code):
+Add the following code snippet to `index.js` (or the equivalent class in your app's code):
- ```JavaScript
- const {TeamsSSOTokenExchangeMiddleware} = require('botbuilder');
- const tokenExchangeMiddleware = new TeamsSSOTokenExchangeMiddleware(memoryStorage, env.connectionName);
- adapter.use(tokenExchangeMiddleware);
- ```
+```JavaScript
+const {TeamsSSOTokenExchangeMiddleware} = require('botbuilder');
+const tokenExchangeMiddleware = new TeamsSSOTokenExchangeMiddleware(memoryStorage, env.connectionName);
+adapter.use(tokenExchangeMiddleware);
+```
-
+
- > [!NOTE]
- > You might receive multiple responses for a given request if the user has multiple active endpoints. You must eliminate all duplicate or redundant responses with the token. For more information about signin/tokenExchange, see [TeamsSSOTokenExchangeMiddleware Class](/python/api/botbuilder-core/botbuilder.core.teams.teams_sso_token_exchange_middleware.teamsssotokenexchangemiddleware?view=botbuilder-py-latest#remarks&preserve-view=true).
+> [!NOTE]
+> You might receive multiple responses for a given request if the user has multiple active endpoints. You must eliminate all duplicate or redundant responses with the token. For more information about signin/tokenExchange, see [TeamsSSOTokenExchangeMiddleware Class](/python/api/botbuilder-core/botbuilder.core.teams.teams_sso_token_exchange_middleware.teamsssotokenexchangemiddleware?view=botbuilder-py-latest#remarks&preserve-view=true).
1. Use the following code snippet for requesting a token.
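Review bot: the JavaScript snippet (`new TeamsSSOTokenExchangeMiddleware(memoryStorage, env.connectionName)`) uses `memoryStorage` and `env` without showing where either is declared, and the C# one-liner likewise leans on `storage` and `configuration["ConnectionName"]` from the enclosing adapter class; one sentence saying these are the bot's storage instance and the OAuth connection name from app settings would make the snippet copy-pasteable. The NOTE under the tabs tells the reader they "must eliminate all duplicate or redundant responses with the token" but never says whether the middleware being registered here performs that deduplication or whether the app code has to; state which, and if it is the middleware, explain the role of the storage argument so readers can judge whether an in-memory store is suitable beyond local development.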
- # [C#](#tab/cs2)
+# [C#](#tab/cs2)
- After you add the `AdapterWithErrorHandler.cs`, your code should be as shown below:
+After you add the `AdapterWithErrorHandler.cs`, your code should be as shown below:
- ```csharp
+```csharp
public class AdapterWithErrorHandler : CloudAdapter { public AdapterWithErrorHandler(
}; } }
- ```
+```
- # [JavaScript](#tab/js2)
+# [JavaScript](#tab/js2)
- After you add the code snippet for `TeamsSSOTokenExchangeMiddleware`, your code should be as shown below:
+After you add the code snippet for `TeamsSSOTokenExchangeMiddleware`, your code should be as shown below:
- ```JavaScript
+```JavaScript
// index.js is used to setup and configure your bot. // Import required packages
// Route received a request to adapter for processing. await adapter.process(req, res, (context) => bot.run(context)); });
- ```
+```
-
+ ### Consent dialog for getting access token
Use the following code snippet to handle the access token in case the app user l
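Review bot: the C# lead-in "After you add the `AdapterWithErrorHandler.cs`, your code should be as shown below:" reads as if the file itself is being added; it should parallel the JavaScript tab, e.g. "After you add the code snippet to `AdapterWithErrorHandler.cs`, your code should be as shown below:". Both full-file blocks should visibly contain the `TeamsSSOTokenExchangeMiddleware` registration from step 1 so a reader can diff their own adapter against them.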
| **Sample name** | **Description** | **C#** | **Node.js** | | | | | |
-| Bot framework SDK | This sample code shows how to get started with authentication in a bot for Microsoft Teams. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/bot-conversation-sso-quickstart/csharp_dotnetcore/BotConversationSsoQuickstart) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/bot-conversation-sso-quickstart/js) |
+| Bot conversation SSO quick start | This sample code shows how to get started with SSO in a bot for Microsoft Teams. | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/bot-conversation-sso-quickstart/csharp_dotnetcore/BotConversationSsoQuickstart) | [View](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/bot-conversation-sso-quickstart/js) |
::: zone-end
platform Bot Sso Manifest https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/bots/how-to/authentication/bot-sso-manifest.md
For more information, see [webApplicationInfo](../../../resources/schema/manifes
> - For more information on learning how to create a manifest.json, see [Reference: Manifest schema for Microsoft Teams](../../../resources/schem). 1. Open the `manifest.json` file.
-1. Add one of the following code snippets to the manifest file to add the new property.
+1. Add one of the following code snippets to the manifest file to add the new property:
- If your app has a standalone bot, add the following code snippet: ```json "webApplicationInfo": {
- "id": "00000000-0000-0000-0000-000000000000",
- "resource": "api://botid-00000000-0000-0000-0000-000000000000"
+ "id": "{Azure AD AppId}",
+ "resource": "api://botid-{Azure AD AppId}"
} ```
For more information, see [webApplicationInfo](../../../resources/schema/manifes
```json "webApplicationInfo": {
- "id": "00000000-0000-0000-0000-000000000000",
- "resource": "api://subdomain.example.com/botid-00000000-0000-0000-0000-000000000000"
+ "id": "{Azure AD AppId}",
+ "resource": "api://subdomain.example.com/botid-{Azure AD AppId}"
} ``` where,
- - {Azure AD AppId} is the app ID you created when you registered your app in Azure AD. It's the GUID.
- - {{Subdomain}.app ID URI} is the application ID URI that you registered when creating scope in Azure AD.
+ - `{Azure AD AppId}` is the app ID you created when you registered your app in Azure AD. It's the GUID.
+ - `subdomain.example.com` is the application ID URI that you registered when creating scope in Azure AD.
4. Update the app ID from Azure AD in the **id** property. 5. Update the subdomain URL in the following properties:
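Review bot: the explanatory bullet "`subdomain.example.com` is the application ID URI that you registered when creating scope in Azure AD" is inaccurate; `subdomain.example.com` is only the host part, while the application ID URI is the whole `api://subdomain.example.com/botid-{Azure AD AppId}` string that goes into `resource`. Say that `resource` must equal the App ID URI exactly as registered in Azure AD, since Teams uses that value when requesting the SSO token and a host or path mismatch breaks sign-in. The standalone-bot snippet (`api://botid-{Azure AD AppId}`) gets no explanatory bullets at all; a line noting that this form carries no domain and is used when the app has no tab would help readers choose the right one.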
platform Bot Sso Register Aad https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/bots/how-to/authentication/bot-sso-register-aad.md
The scope and permissions are now configured. Next, you must configure the autho
> - The Microsoft 365 client IDs for mobile, desktop, and web applications for Teams, Microsoft 365 app, and Outlook are the actual IDs that you must add. > - If your app has a tab app, you'll need either web or SPA, as you can't have a mobile or desktop client application in Teams.
-1. Choose one of the following client IDs:
+1. Select one of the following client IDs:
| Use client ID | For authorizing... | | | |
| 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 | Teams web application | | 4765445b-32c6-49b0-83e6-1d93765276ca | Microsoft 365 web application | | 0ec893e0-5785-4de6-99da-4ed124e5296c | Microsoft 365 desktop application |
- | d3590ed6-52b3-4102-aeff-aad2292ab01c | Outlook desktop and mobile application |
+ | d3590ed6-52b3-4102-aeff-aad2292ab01c | Microsoft 365 mobile application |
+ | d3590ed6-52b3-4102-aeff-aad2292ab01c | Outlook desktop application |
| bc59ab01-8403-45c6-8796-ac3ef710b3e3 | Outlook web application |
+ | 27922004-5251-4030-b22d-91ecd9a37ea4 | Outlook mobile application |
1. Select the application ID URI you created for your app in **Authorized scopes** to add the scope to the web API you exposed.
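Review bot: the two added rows `d3590ed6-52b3-4102-aeff-aad2292ab01c | Microsoft 365 mobile application` and `d3590ed6-52b3-4102-aeff-aad2292ab01c | Outlook desktop application` carry the same client ID; if one ID genuinely serves both clients, merge them into a single row or add a note that the ID is shared, otherwise readers will assume a copy-paste error. This is not cosmetic: every ID in this table is preauthorized to obtain tokens for the exposed scope without a consent prompt, and the note above asserts these "are the actual IDs that you must add", so any ambiguity in the table undermines that assurance. The same rows appear again in the second pivot of this file further down and need the same treatment.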
You can configure authentication for multiple platforms as long as the URL is un
The **Configure platforms** page appears.
-1. Select the platform that you want to configure for your app. You can choose the platform type from Web or SPA.
+1. Select the platform that you want to configure for your app. You can select the platform type from Web or SPA.
:::image type="content" source="../../../assets/images/authentication/teams-sso-bots/configure-platform.png" alt-text="Screenshot shows the selection of web platform." :::
The scope and permissions are now configured. Next, you must configure the autho
> - The Microsoft 365 client IDs for mobile, desktop, and web applications for Teams, Microsoft 365 app, and Outlook are the actual IDs that you must add. > - If your app has a tab app, you'll need either web or SPA, as you can't have a mobile or desktop client application in Teams.
-1. Choose one of the following client IDs:
+1. Select one of the following client IDs:
| Use client ID | For authorizing... | | | |
| 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 | Teams web application | | 4765445b-32c6-49b0-83e6-1d93765276ca | Microsoft 365 web application | | 0ec893e0-5785-4de6-99da-4ed124e5296c | Microsoft 365 desktop application |
- | d3590ed6-52b3-4102-aeff-aad2292ab01c | Outlook desktop and mobile application |
+ | d3590ed6-52b3-4102-aeff-aad2292ab01c | Microsoft 365 mobile application |
+ | d3590ed6-52b3-4102-aeff-aad2292ab01c | Outlook desktop application |
| bc59ab01-8403-45c6-8796-ac3ef710b3e3 | Outlook web application |
+ | 27922004-5251-4030-b22d-91ecd9a37ea4 | Outlook mobile application |
1. Select the application ID URI you created for your app in **Authorized scopes** to add the scope to the web API you exposed.
You can configure authentication for multiple platforms as long as the URL is un
The **Configure platforms** page appears.
-1. Select the platform that you want to configure for your app. You can choose the platform type from web or SPA.
+1. Select the platform that you want to configure for your app. You can select the platform type from web or SPA.
:::image type="content" source="../../../assets/images/authentication/teams-sso-bots/configure-platform.png" alt-text="Screenshot shows the selection of web platform." :::
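Review bot: "You can select the platform type from web or SPA." in this pivot keeps lowercase `web` while the same sentence in the first pivot of this file reads `Web or SPA`; the two copies should match (the portal labels the option "Web"), so fix the lowercase one or both.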
platform Tab Sso Manifest https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-manifest.md
For more information, see [webApplicationInfo](../../../resources/schema/manifes
> - For more information on learning how to create a manifest.json, see [Reference: Manifest schema for Microsoft Teams](../../../resources/schem). 1. Open the `manifest.json` file
-1. Append the following code snippet to the manifest file to add the new property:
+1. Add the following code snippet to the manifest file to add the new property:
```json
- "webApplicationInfo": {
+ "webApplicationInfo":
+ {
"id": "{Azure AD AppId}",
- "resource": "api://{Subdomain}.example.com/{Azure AD AppId}"
+ "resource": "api://subdomain.example.com/{Azure AD AppId}"
} ``` where,
- - {Azure AD AppId} is the app ID you created when you registered your app in Azure AD. It's the GUID.
- - {{Subdomain}.app ID URI} is the application ID URI that you registered when creating scope in Azure AD.
+ - `{Azure AD AppId}` is the app ID you created when you registered your app in Azure AD. It's the GUID.
+ - `subdomain.example.com` is the application ID URI that you registered when creating scope in Azure AD.
4. Update the app ID from Azure AD in the **id** property. 5. Update the subdomain URL in the following properties:
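Review bot: the JSON here now puts the opening brace on its own line (`"webApplicationInfo":` then `{`) while the bot manifest snippet changed in the same update keeps `"webApplicationInfo": {`; use one style across both pages. The bullet "`subdomain.example.com` is the application ID URI that you registered" has the same imprecision as on the bot page: the host is part of the App ID URI, not the URI itself, and `resource` must equal the full `api://subdomain.example.com/{Azure AD AppId}` as registered in Azure AD. Note too that the bot form uses `botid-{Azure AD AppId}` in the path while the tab form uses the bare `{Azure AD AppId}`; a sentence on when each applies would stop readers mixing them up.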
platform Tab Sso Register Aad https://github.com/MicrosoftDocs/msteams-docs/commits/main/msteams-platform/tabs/how-to/authentication/tab-sso-register-aad.md
Title: Register your tab app with Azure AD
-description: Configure Single sign-on (SSO) with Azure AD by configuring App ID URI, scope for access token, and pre-authorize trusted clients.
+description: Configure Single sign-on (SSO) with Azure AD by configuring App ID URI, scope for access token, and preauthorize trusted clients.
ms.localizationpriority: high keywords: teams authentication tabs Microsoft Azure Active Directory (Azure AD) access token SSO tenancy scope
Last updated 02/01/2023
Azure Active Directory (Azure AD) provides access to your tab app based on the app user's Teams identity. You'll need to register your tab app with Azure AD so that the app user who has signed into Teams can be given access to your tab app.
-## Enabling SSO in Azure AD
+## Enable SSO in Azure AD
-Register your tab app in Azure AD and enable it for SSO requires making app configurations, such as generating app ID, defining API scope, and pre-authorize client IDs for trusted applications.
+Register your tab app in Azure AD and enable it for SSO requires making app configurations, such as generating app ID, defining API scope, and preauthorize client IDs for trusted applications.
:::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/register-azure-ad.png" alt-text="Configure Azure AD to send access token to Teams Client app":::
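Review bot: "Register your tab app in Azure AD and enable it for SSO requires making app configurations, such as generating app ID, defining API scope, and preauthorize client IDs for trusted applications." is still ungrammatical after the hyphen change; suggest "Registering your tab app in Azure AD and enabling it for SSO requires app configurations such as generating the app ID, defining the API scope, and preauthorizing client IDs for trusted applications."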
-Create a new app registration in Azure AD, and expose its (web) API using scopes (permissions). Configure a trust relationship between the exposed API on Azure AD and your app. It allows Teams Client to obtain an access token on behalf of your application and the logged-in user. You can add client IDs for the trusted mobile, desktop, and web applications that you want to pre-authorize.
+Create a new app registration in Azure AD, and expose its (web) API using scopes (permissions). Configure a trust relationship between the exposed API on Azure AD and your app. It allows Teams Client to obtain an access token on behalf of your application and the logged-in user. You can add client IDs for the trusted mobile, desktop, and web applications that you want to preauthorize.
You may also need to configure additional details, such as authenticating app users on the platform or device where you want to target your tab app.
-User-level Graph API permissions are supported, that is, email, profile, offline_access, and OpenId. If you require access to additional Graph scopes, such as `User.Read` or `Mail.Read`, see [Get an access token with Graph permissions](tab-sso-graph-api.md).
+User-level Graph API permissions are supported, that is, email, profile, offline_access, and OpenId. If you require access to additional Graph scopes, such as `User.Read` or `Mail.Read`, see [get an access token with Graph permissions](tab-sso-graph-api.md#acquire-access-token-for-ms-graph).
Azure AD configuration enables SSO for your tab app in Teams. It responds with an access token for validating the app user.
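Review bot: "email, profile, offline_access, and OpenId" mixes literal scope names with a display spelling; the OpenID Connect scope is `openid`, so write it that way and in code font, as `User.Read` and `Mail.Read` already are, so readers copy the exact string into their scope list. Since the link text was changed to target the `#acquire-access-token-for-ms-graph` anchor, confirm that the heading in tab-sso-graph-api.md still generates that anchor.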
You'll need to register your app in Azure AD and configure the tenancy and app's
:::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/register-app.png" alt-text="App registration page on Azure AD Portal.":::
-5. Select the type of user account that can access your app. You can choose from single- or multi-tenant options, or Private Microsoft account.
+5. Select the type of user account that can access your app. You can select from single- or multi-tenant options, or Private Microsoft account.
<details> <summary><b>Options for supported account types</b></summary>
To configure scope and authorize trusted client applications, you'll need:
- [To expose an API](#to-expose-an-api): Configure scope (permission) options for your app. You'll expose a web API, and configure the application ID URI. - [To configure API scope](#to-configure-api-scope): Define scope for the API, and the users who can consent for a scope. You can let only admins provide consent for higher-privileged permissions.-- [To configure authorized client application](#to-configure-authorized-client-application): Create authorized client IDs for applications that you want to pre-authorize. It allows the app user to access the app scopes (permissions) you've configured, without requiring any further consent. Pre-authorize only those client applications you trust as your app users won't have the opportunity to decline consent.
+- [To configure authorized client application](#to-configure-authorized-client-application): Create authorized client IDs for applications that you want to preauthorize. It allows the app user to access the app scopes (permissions) you've configured, without requiring any further consent. Preauthorize only those client applications you trust as your app users won't have the opportunity to decline consent.
#### To expose an API
To configure scope and authorize trusted client applications, you'll need:
> - The Microsoft 365 client IDs for mobile, desktop, and web applications for Teams, Microsoft 365 app, and Outlook are the actual IDs that you must add. > - For a Teams tab app, you'll need either Web or SPA, as you can't have a mobile or desktop client application in Teams.
- 1. Choose one of the following client IDs:
+ 1. Select one of the following client IDs:
| Use client ID | For authorizing... | | | |
| 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 | Teams web application | | 4765445b-32c6-49b0-83e6-1d93765276ca | Microsoft 365 web application | | 0ec893e0-5785-4de6-99da-4ed124e5296c | Microsoft 365 desktop application |
+ | d3590ed6-52b3-4102-aeff-aad2292ab01c | Microsoft 365 mobile application |
| d3590ed6-52b3-4102-aeff-aad2292ab01c | Outlook desktop application | | bc59ab01-8403-45c6-8796-ac3ef710b3e3 | Outlook web application | | 27922004-5251-4030-b22d-91ecd9a37ea4 | Outlook mobile application |
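Review bot: as on the bot page, the added row `d3590ed6-52b3-4102-aeff-aad2292ab01c | Microsoft 365 mobile application` duplicates the client ID of the existing `Outlook desktop application` row; merge the rows or annotate the shared ID so it is not read as a typo. It matters more here than it looks: the bullets above say preauthorized clients get the configured scopes "without requiring any further consent" and users "won't have the opportunity to decline consent", so every GUID in this table is a consent-free trust grant and the list must be exact and unambiguous. The note above the table says "For a Teams tab app, you'll need either Web or SPA" while the bot page says "If your app has a tab app, you'll need either web or SPA"; align the wording and capitalization.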