Unable to get ADO user_impersonation scope access token using Azure Bot's OauthConnection to AAD

Santhosh Lakkanpalli 0 Reputation points Microsoft Employee
2023-08-30T08:57:17.3066667+00:00

Hi,

I am trying to develop a Teams Message Extensions app which can unfurl Azure DevOps (ADO) URLs into Adaptive Cards (AC). For this, I referred to this doc: Add authentication to your Teams bot.

For this, I have a bot registered and have set up the OauthConnection to connect to an AAD app. This AAD app has the permissions to the ADO user_impersonation API.

I have added relevant screenshots which depict the same.

I added Azure DevOps user_impersonation permissions in the API Permissions pane of the AAD registration, and added an OAuth connection in the bot service pointing to this AAD registration.

But when I test the connection using Test Connection, it always fails to generate the access token.

Instead of looking for that scope in ADO's registration, it always looks for that scope in the Microsoft Graph app.

Following is the error:

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27bot-teams-authentication-aad%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+7cae0886-06d9-4685-a21b-03d28a080200%0d%0aCorrelation+ID%3a+974d834f-1216-48bd-b72a-f278cb284da7%0d%0aTimestamp%3a+2023-08-29+09%3a31%3a03Z&state=518c5d86f0574d48a8df99e9c02d02f4"
  }
}

Error excerpt from the full error log above:

The+application+%27bot-teams-authentication-aad%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.

It should be looking for the user_impersonation scope in the ADO app (499b84ac-1321-427f-aa17-267ca6975798), but it is looking in the MS Graph app (00000003-0000-0000-c000-000000000000).

Following is the requiredResourceAccess content from my test AAD app registration manifest:

	"requiredResourceAccess": [
		{
			"resourceAppId": "499b84ac-1321-427f-aa17-267ca6975798",
			"resourceAccess": [
				{
					"id": "ee69721e-6c3a-468f-a9ec-302d16a4c599",
					"type": "Scope"
				}
			]
		}
	],


Following are the images of the setup:

Screenshot 2023-08-30 at 2.11.44 PM

Screenshot 2023-08-29 at 3.01.22 PM

Can you please help me understand why it is not working?

What can be done to get an access token with the ADO app audience and the user_impersonation scope?
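As an added diagnostic (my own code, not part of the question or of any Microsoft sample), the script below URL-decodes the Bot Framework redirect URL from the error above and compares the resource the token request actually resolved to against the manifest's requiredResourceAccess. The resource-name table and the "resolve a bare v2 scope against Microsoft Graph" explanation are my assumptions about how the Entra ID v2 endpoint treats unqualified scope names.

```python
import re
from urllib.parse import parse_qs, urlparse

# Redirect URL copied from the error in the question above.
REDIRECT_URL = (
    "https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description="
    "AADSTS650053%3a+The+application+%27bot-teams-authentication-aad%27+asked+for+scope+"
    "%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-"
    "000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+7cae0886-06d9-4685-a21b-03d28a080200"
    "%0d%0aCorrelation+ID%3a+974d834f-1216-48bd-b72a-f278cb284da7%0d%0aTimestamp%3a+2023-08-29+"
    "09%3a31%3a03Z&state=518c5d86f0574d48a8df99e9c02d02f4"
)
# requiredResourceAccess from the manifest in the question (ADO user_impersonation).
REQUIRED_RESOURCE_ACCESS = [{
    "resourceAppId": "499b84ac-1321-427f-aa17-267ca6975798",
    "resourceAccess": [{"id": "ee69721e-6c3a-468f-a9ec-302d16a4c599", "type": "Scope"}],
}]
# Well-known first-party resource app IDs; both appear in the question (assumed names).
KNOWN_RESOURCES = {
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "499b84ac-1321-427f-aa17-267ca6975798": "Azure DevOps",
}
# Shape of the AADSTS650053 message once URL-decoded.
_SCOPE_RE = re.compile(
    r"(?P<code>AADSTS\d+): The application '(?P<app>[^']+)' asked for scope "
    r"'(?P<scope>[^']+)' that doesn't exist on the resource '(?P<resource>[^']+)'"
)

def parse_redirect_error(url: str) -> dict:
    """Decode error and error_description from a Bot Framework redirect URL."""
    qs = parse_qs(urlparse(url).query)  # parse_qs also undoes the %xx and '+' encoding
    info = {"error": qs.get("error", [None])[0]}
    m = _SCOPE_RE.search(qs.get("error_description", [""])[0])
    if m:
        info.update(m.groupdict())
        info["resource_name"] = KNOWN_RESOURCES.get(info["resource"], "unknown")
    return info

def check_scope_request(info: dict, required_resource_access: list) -> list:
    """Explain why the token request hit the wrong resource, given the app manifest."""
    findings = []
    granted = {r["resourceAppId"] for r in required_resource_access}
    if "resource" in info and info["resource"] not in granted:
        findings.append(f"request resolved to {info['resource_name']} ({info['resource']}), "
                        "which is not in requiredResourceAccess")
    scope = info.get("scope", "")
    if scope and "/" not in scope:
        # Assumption: a bare v2 scope name carries no resource, so Entra ID resolves it against
        # Microsoft Graph; the connection's scope should be '<resourceAppId>/<scope>' for ADO.
        findings.append(f"scope '{scope}' is not resource-qualified")
    return findings
```

Running `check_scope_request(parse_redirect_error(REDIRECT_URL), REQUIRED_RESOURCE_ACCESS)` yields two findings for the error quoted in the question: the request went to Microsoft Graph, which the manifest never grants, and the scope string carries no resource.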
