Hello,
I've built a Microsoft Teams bot with the SSO feature.
When I try the app with a user from the same tenant as the app, everything works fine.
If I try to use the app with a user from a different tenant, I get an error inside the Microsoft Teams client (web app).
The client makes the following request:
https://login.microsoftonline.com/caafef10-9d12-4668-a0d6-268b71695e1a/oauth2/v2.0/token
Response
{
  "error": "invalid_resource",
  "error_description": "AADSTS500011: The resource principal named api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7 was not found in the tenant named xxwdq. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: fe76faf9-ad64-4402-b218-71758e6d0f00\r\nCorrelation ID: e87f1725-20ce-451a-9bd9-e30edc54dd0c\r\nTimestamp: 2023-04-25 11:08:22Z",
  "error_codes": [
    500011
  ],
  "timestamp": "2023-04-25 11:08:22Z",
  "trace_id": "fe76faf9-ad64-4402-b218-71758e6d0f00",
  "correlation_id": "e87f1725-20ce-451a-9bd9-e30edc54dd0c",
  "error_uri": "https://login.microsoftonline.com/error?code=500011"
}
Payload
scope: api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7/.default openid profile offline_access
grant_type: refresh_token
client_info: 1
x-client-SKU: msal.js.browser
x-client-VER: 2.19.0
x-client-OS:
x-client-CPU:
x-ms-lib-capability: retry-after, h429
x-client-current-telemetry: 5|61,0,,,|,
x-client-last-telemetry: 5|0|||0,0
client-request-id: e2394ee3-a7ba-4474-bf37-f2b2ab8fed09
refresh_token: (value omitted)
X-AnchorMailbox: Oid:af24b8a2-cfe8-453a-a9b4-4a917b1534ae@caafef10-9d12-4668-a0d6-268b71695e1a
The UUID in the URL is from the user's tenant, not from the Azure tenant where the app is registered.
Is this normal?
I'm sending an OAuth card to the Microsoft Teams client.
I don't explicitly specify which tenant to call, so I don't know where the URL comes from.
This is the OAuth card:
{
  "localeAsLangCode": "en",
  "type": "message",
  "serviceUrl": "https://smba.trafficmanager.net/amer/",
  "conversation": {
    "group": false,
    "isGroup": false,
    "conversationType": "personal",
    "tenantId": "10a18477-d533-4ecd-a78d-916dbd849d7c",
    "id": "a:1lG_WjgWXz8ET5chVyPuniVUrHMUrHVKFC9qlGtjJxEhgJoEBgsnpODsHpC-Cp8j1qK5S9ZY65rclZkDdb3QwU_NaxKZm_8HnAQhpNhUnwxhuXDb65IlKibVt8TODnB0n"
  },
  "from": {
    "id": "28:aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7",
    "name": "XM Fax US "
  },
  "recipient": {
    "id": "29:1LfAQgXGkyg13jUpApdDZQIJg47jMpEIsct0EMQkOHGzSeifFefAbJeaStEu2xwg3OcBr8rzPlgClDigo5HunBA",
    "name": "Benoit Dupont",
    "aadObjectId": "af24b8a2-cfe8-453a-a9b4-4a917b1534ae"
  },
  "replyToId": "1682420900124",
  "attachments": [
    {
      "fileDownloadInfo": false,
      "contentType": "application/vnd.microsoft.card.oauth",
      "content": {
        "tokenExchangeResource": {
          "id": "67a04b68-e9cd-4f98-918d-ef18ddb80c79",
          "uri": "api://botid-aa4bd2b6-8e67-4a8a-875e-2d5c97cfecd7",
          "providerId": "30dd229c-58e3-4a48-bdfd-91ec48eb906c"
        },
        "text": "Please sign in to your Microsoft Microsoft Teams account.",
        "connectionName": "teams-sso",
        "buttons": [
          {
            "type": "signin",
            "title": "Click to sign in.",
            "value": "https://token.botframework.com/api/oauth/signin?signin=39781268f7d349d7b2ba3834a9a914f5"
          }
        ]
      }
    }
  ],
  "suggestedActions": {
    "actions": [
      {
        "type": "signin",
        "title": "Click to sign in.",
        "value": "https://token.botframework.com/api/oauth/signin?signin=39781268f7d349d7b2ba3834a9a914f5"
      }
    ]
  },
  "inputHint": "acceptingInput"
}