Teams Bot Multi tenant SSO

Benoit Dupont 61 Reputation points
2023-04-25T11:20:44.4566667+00:00

Hello,

I've built a Microsoft Teams bot with the SSO feature. When I try the app with a user from the same tenant as the app, everything works fine. If I try to use the app with a user from a different tenant, I have an error inside the Microsoft Teams client (web app).

The client makes the following request:

https://login.microsoftonline.com/caafef10-9d12-4668-a0d6-268b71695e1a/oauth2/v2.0/token

Response

{
    "error": "invalid_resource",
    "error_description": "AADSTS500011: The resource principal named api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7 was not found in the tenant named xxwdq. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: fe76faf9-ad64-4402-b218-71758e6d0f00\r\nCorrelation ID: e87f1725-20ce-451a-9bd9-e30edc54dd0c\r\nTimestamp: 2023-04-25 11:08:22Z",
    "error_codes": [
        500011
    ],
    "timestamp": "2023-04-25 11:08:22Z",
    "trace_id": "fe76faf9-ad64-4402-b218-71758e6d0f00",
    "correlation_id": "e87f1725-20ce-451a-9bd9-e30edc54dd0c",
    "error_uri": "https://login.microsoftonline.com/error?code=500011"
}

Payload

scope: api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7/.default openid profile offline_access
grant_type: refresh_token
client_info: 1
x-client-SKU: msal.js.browser
x-client-VER: 2.19.0
x-client-OS: 
x-client-CPU: 
x-ms-lib-capability: retry-after, h429
x-client-current-telemetry: 5|61,0,,,|,
x-client-last-telemetry: 5|0|||0,0
client-request-id: e2394ee3-a7ba-4474-bf37-f2b2ab8fed09
X-AnchorMailbox: Oid:af24b8a2-cfe8-453a-a9b4-4a917b1534ae@caafef10-9d12-4668-a0d6-268b71695e1a

The UUID in the URL is from the user's tenant, not from the Azure tenant where the app is registered. Is this normal?

I'm sending an OAuth card to the Microsoft Teams client. I don't explicitly tell it what tenant to call, so I don't know where the URL comes from.

This is the OAuth card:

{
  "localeAsLangCode": "en",
  "type": "message",
  "serviceUrl": "https://smba.trafficmanager.net/amer/",
  "conversation": {
    "group": false,
    "isGroup": false,
    "conversationType": "personal",
    "tenantId": "10a18477-d533-4ecd-a78d-916dbd849d7c",
    "id": "a:1lG_WjgWXz8ET5chVyPuniVUrHMUrHVKFC9qlGtjJxEhgJoEBgsnpODsHpC-Cp8j1qK5S9ZY65rclZkDdb3QwU_NaxKZm_8HnAQhpNhUnwxhuXDb65IlKibVt8TODnB0n"
  },
  "from": {
    "id": "28:aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7",
    "name": "XM Fax  US "
  },
  "recipient": {
    "id": "29:1LfAQgXGkyg13jUpApdDZQIJg47jMpEIsct0EMQkOHGzSeifFefAbJeaStEu2xwg3OcBr8rzPlgClDigo5HunBA",
    "name": "Benoit Dupont",
    "aadObjectId": "af24b8a2-cfe8-453a-a9b4-4a917b1534ae"
  },
  "replyToId": "1682420900124",
  "attachments": [
    {
      "fileDownloadInfo": false,
      "contentType": "application/vnd.microsoft.card.oauth",
      "content": {
        "tokenExchangeResource": {
          "id": "67a04b68-e9cd-4f98-918d-ef18ddb80c79",
          "uri": "api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7",
          "providerId": "30dd229c-58e3-4a48-bdfd-91ec48eb906c"
        },
        "text": "Please sign in to your Microsoft Microsoft Teams account.",
        "connectionName": "teams-sso",
        "buttons": [
          {
            "type": "signin",
            "title": "Click to sign in.",
            "value": "https://token.botframework.com/api/oauth/signin?signin=39781268f7d349d7b2ba3834a9a914f5"
          }
        ]
      }
    }
  ],
  "suggestedActions": {
    "actions": [
      {
        "type": "signin",
        "title": "Click to sign in.",
        "value": "https://token.botframework.com/api/oauth/signin?signin=39781268f7d349d7b2ba3834a9a914f5"
      }
    ]
  },
  "inputHint": "acceptingInput"
}

Accepted answer
  1. Givary-MSFT 29,351 Reputation points Microsoft Employee
    2023-04-27T08:46:22.0766667+00:00

    Hi @Benoit Dupont, I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Built a Microsoft Teams bot with the SSO feature. When I try the app with a user from the same tenant as the app, everything works fine. If I try to use the app with a user from a different tenant, I have an error inside the Microsoft Teams client (web app).

    The client makes the following request:

    https://login.microsoftonline.com/caafef10-9d12-4668-a0d6-268b71695e1a/oauth2/v2.0/token

    Solution (resolved by @Benoit Dupont): In my Azure App Registration configuration, the manifest had the wrong value for "identifierUris".

    The value was "api://aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7" instead of "api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7"

    1 person found this answer helpful.
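    The mismatch in this thread is a plain string inequality between two configuration artifacts, so it can be caught before deployment. The following Python is an added example, not code from the thread or from Microsoft: it checks that the app-registration manifest's "identifierUris" contains the `api://botid-<appId>` form that the OAuth card's `tokenExchangeResource.uri` uses, and it parses the AADSTS500011 description shown above. The `signInAudience` check is an extra assumption for multi-tenant use that the thread itself does not discuss; all sample data is constructed to mirror the thread.

```python
import re
from typing import Optional

OAUTH_CARD = "application/vnd.microsoft.card.oauth"
# Matches the AADSTS500011 wording quoted in the thread.
AADSTS_RE = re.compile(
    r"resource principal named (\S+) was not found in the tenant named (.+?)\.(?:\s|$)")

def expected_identifier_uri(app_id: str) -> str:
    """Teams SSO token exchange expects the Application ID URI in this exact form."""
    return f"api://botid-{app_id.lower()}"

def check_sso_config(app_manifest: dict, activity: dict) -> list:
    """Compare the Entra app-registration manifest with the OAuth card the bot sends."""
    problems = []
    app_id = app_manifest["appId"].lower()
    expected = expected_identifier_uri(app_id)
    uris = [u.lower() for u in app_manifest.get("identifierUris", [])]
    if expected not in uris:
        problems.append(f"identifierUris {uris} lacks {expected}")
    # Assumption beyond the thread: a single-tenant audience cannot serve other tenants.
    if app_manifest.get("signInAudience") == "AzureADMyOrg":
        problems.append("signInAudience is AzureADMyOrg (single tenant)")
    if activity.get("from", {}).get("id", "").lower() != f"28:{app_id}":
        problems.append("card from.id is not 28:<appId> of this registration")
    for att in activity.get("attachments", []):
        if att.get("contentType") != OAUTH_CARD:
            continue
        uri = att["content"].get("tokenExchangeResource", {}).get("uri", "")
        if uri.lower() != expected:
            problems.append(f"tokenExchangeResource.uri {uri!r} != {expected}")
    return problems

def parse_aadsts500011(token_error: dict) -> Optional[dict]:
    """Extract the missing resource principal and tenant name from an AADSTS500011 error."""
    if 500011 not in token_error.get("error_codes", []):
        return None
    m = AADSTS_RE.search(token_error.get("error_description", ""))
    return {"resource": m.group(1), "tenant": m.group(2)} if m else None

# Constructed sample data mirroring the thread: BAD_MANIFEST has the wrong URI form.
APP_ID = "aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7"
BAD_MANIFEST = {"appId": APP_ID, "signInAudience": "AzureADMultipleOrgs",
                "identifierUris": [f"api://{APP_ID}"]}
GOOD_MANIFEST = {**BAD_MANIFEST, "identifierUris": [f"api://botid-{APP_ID}"]}
CARD = {"from": {"id": f"28:{APP_ID}"}, "attachments": [{"contentType": OAUTH_CARD,
        "content": {"tokenExchangeResource": {"uri": f"api://botid-{APP_ID}"}}}]}
TOKEN_ERROR = {"error": "invalid_resource", "error_codes": [500011], "error_description":
               f"AADSTS500011: The resource principal named api://botid-{APP_ID} was not "
               "found in the tenant named xxwdq. This can happen if the application has not "
               "been installed by the administrator of the tenant."}
```

    Running `check_sso_config(BAD_MANIFEST, CARD)` reports the identifierUris mismatch, while the corrected manifest yields an empty list.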

1 additional answer

  1. Benoit Dupont 61 Reputation points
    2023-04-25T14:52:01.1966667+00:00

    So I found the issue.

    In my Azure App Registration configuration, the manifest had the wrong value for "identifierUris".

    The value was "api://aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7" instead of "api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7"

    1 person found this answer helpful.