Hi Anand,
I ran into the same questions when I first tried to move a bot to federated credentials. A couple of clarifications that are easy to miss in the docs.
What is {unique-identifier-for-projected-identity}?
That value is not something magical coming from Microsoft, it is a string that you choose and then reuse in two places:
In the Entra federated credential subject, as the last segment:
/eid1/c/pub/t/{base64 customer tenant ID}/a/{base64 first-party app client ID}/{unique-identifier-for-projected-identity}
In the Azure Bot OAuth Connection Setting, in the field called Unique Identifier.
Per the federated-credential docs, “Unique-identifier-for-projected-identity” must be the same value that is configured as the Unique Identifier on the bot’s OAuth connection.
So you can pick any stable string, for example:
Unique Identifier on the bot connection: teams-bot-sso-01
Subject identifier: /eid1/c/pub/t/{base64 tenant}/a/{base64 first-party app}/{teams-bot-sso-01}
No extra encoding on that last segment, it just has to match exactly.
Can I do “UAMI + federated credentials only” without an app registration?
For Teams bot SSO, the supported pattern today is:
You can run the bot itself under a User Assigned Managed Identity (that is now a supported bot type).
OAuth / SSO is still provisioned on an Azure Bot resource and a corresponding Entra app registration. That app registration is where you configure the federated credential, and it is what the OAuth connection uses for token exchange.
In other words:
The UAMI gives the bot a credential to talk to Bot Service and other Azure resources.
The app registration with a federated credential is still required for the Bot Framework SSO and token-exchange flow. The newer docs even call out the FederatedClientId setting that points to the managed identity’s client ID, but the FIC itself lives on the app registration.
The “Federated credentials” blade that you see directly on the managed identity is for general workload identity federation scenarios; it is not (yet) wired into the Bot OAuth connection flow, and there is no guidance that says UAMI+FIC alone is supported for Teams bot SSO.
So, practically:
Yes, you can avoid client secrets and certificates by using federated credentials,
but you still need an Entra app registration + Azure Bot + UAMI, with the FIC defined on the app registration and the unique-identifier-for-projected-identity matching the bot connection’s Unique Identifier.
That is the only pattern I have seen documented and working for Teams bot SSO with federated credentials today.
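As an added example (not code from this thread or from Microsoft), here is a small Python check that builds the expected federated-credential subject for a given tenant ID, first-party app client ID and Unique Identifier, and then verifies that a configured subject's last segment matches the bot connection's Unique Identifier exactly. It assumes the "base64" form of the two GUIDs is unpadded base64url over the 16 bytes in .NET Guid.ToByteArray() order (Python's uuid.bytes_le); confirm that against a subject the Entra portal generates before relying on it.

```python
import base64
import re
import uuid

# Constructed sample values (not from the thread); substitute your own.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
FIRST_PARTY_APP_ID = "66666666-7777-8888-9999-aaaaaaaaaaaa"
UNIQUE_ID = "teams-bot-sso-01"  # Unique Identifier on the bot's OAuth connection


def guid_b64url(guid: str) -> str:
    """Encode a GUID as unpadded base64url (22 characters).
    Assumption: bytes are in .NET Guid.ToByteArray() order, i.e. uuid.bytes_le.
    Verify this against a subject shown in the Entra portal for your app."""
    raw = uuid.UUID(guid).bytes_le
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def build_subject(tenant_id: str, app_id: str, unique_id: str) -> str:
    """Build the subject in the shape the thread describes; the last segment
    is the Unique Identifier verbatim, with no extra encoding."""
    return f"/eid1/c/pub/t/{guid_b64url(tenant_id)}/a/{guid_b64url(app_id)}/{unique_id}"


SUBJECT_RE = re.compile(r"^/eid1/c/pub/t/([A-Za-z0-9_-]{22})/a/([A-Za-z0-9_-]{22})/([^/]+)$")


def check_subject(subject: str, tenant_id: str, app_id: str, unique_id: str) -> list:
    """Compare a configured FIC subject with the expected tenant, first-party app
    and OAuth-connection Unique Identifier. Returns a list of mismatches;
    an empty list means the two sides of the configuration agree."""
    m = SUBJECT_RE.match(subject)
    if not m:
        return ["subject does not have the /eid1/c/pub/t/<t>/a/<a>/<id> shape"]
    t_seg, a_seg, id_seg = m.groups()
    problems = []
    if t_seg != guid_b64url(tenant_id):
        problems.append("tenant segment does not encode the expected tenant ID")
    if a_seg != guid_b64url(app_id):
        problems.append("app segment does not encode the expected first-party app client ID")
    if id_seg != unique_id:  # exact, case-sensitive match on the last segment
        problems.append(f"last segment {id_seg!r} != connection Unique Identifier {unique_id!r}")
    return problems


if __name__ == "__main__":
    good = build_subject(TENANT_ID, FIRST_PARTY_APP_ID, UNIQUE_ID)
    print(good, check_subject(good, TENANT_ID, FIRST_PARTY_APP_ID, UNIQUE_ID))
    # A casing difference between the two places is enough to break the match.
    print(check_subject(good, TENANT_ID, FIRST_PARTY_APP_ID, "Teams-Bot-SSO-01"))
```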