SSO Authentication without user interaction in Teams with Bot Framework / Azure Bot

Jasper Baetslé 60 Reputation points

I am trying to find a good solution to ensuring a call from the bot framework / azure bot service to my API has a correct user so I can use the graph API to perform some actions. I have followed several intructions and tutorials but haven't been able to get it working. It also seems like the tutorials are all outdated and made for the bot framework and not the new teams sdk and azure bot service. What tutorial is the most up to date that I should follow?

I want it to work without much hassle (since the application runs on the teams app, so I should be able to easily get the user?) and without the user having to click or do anything except ask questions. I know I can use SSO and grant admin privileges but I could not get it working.


The main problem I am working with is that I am using a Microsoft 365 sandbox to host the teams environment but the azure bot is working on the main tenant since I cannot add an azure bot to the sandbox.

This has been fixed now, everything is moved to the main tenant and a OAuth connection is added and working.

Edit #2

Got the previous working but I am still having a lot of troubles understanding everything.

In the tutorials there are a lot of diffrences:

  • The app registration is set to MultiTenant although there is still a MicrosoftAppTenentId set in the appsettings.json [1]
  • No where in that tutorial is said anything about the Connection name that has to be set in bot-conversation-sso-quickstart tutorial. [2]
  • Is webApplicationInfo in the manifest.json mandatory? [1]
  • Is ValidDomains necesary? One tutorial they ask you to do it, in others, they skip it. [1]
  • In 3, they only define the token endpoint as redirect URL, while in 4, both the url/auth-end and token endpoints are defined. [3, 4]
  • What should the service endpoint be in the connection settings for OAuth, it is blurred out in the tutorial but seems like the most important information? [5]

There should really be an overview page with simple bullet points with everything that has to be done. I don't know whether or not I need a connection to OAuth, what code I need to add, what settings are obligatory etc..

I got the BotConversationSsoQuickstart working in the examples with the correct teams tenant and stuff. But I would like to add it to my existing bot code. Right now I am calling my service layer with the users question, without modifying the service layer I also want to provide the user token, how do I achieve this since it is different callbacks that give the token.

This is my current code right now:

protected override async Task OnMessageActivityAsync(ITurnContext<IMessageActivity> turnContext, CancellationToken cancellationToken)
  // Do something with the activity text
  // Here I also want to pass in the user token somehow
  scopedService.AskQuestion(turnContext.Activity.Text, cancellationToken)
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
9,075 questions
Microsoft Teams Development
Microsoft Teams Development
Microsoft Teams: A Microsoft customizable chat-based workspace.Development: The process of researching, productizing, and refining new or existing technologies.
2,526 questions
{count} votes

Accepted answer
  1. Prasad-MSFT 5,051 Reputation points Microsoft Vendor

    Hi Jasper Baetslé - This tutorial is basically about sending messages in Microsoft Teams, and it doesn't involve implementing SSO, so guidance related to SSO is missing here. You should refer this guide:

    1.If your app is meant to work in Multi-Tenant, then in appSettings.json Set "MicrosoftAppType"to Multitenant and Set your "MicrosoftAppTenantId" to common or to your tenant ID (if your intent to use the app in your tenant only)

    If your app is meant to work in Single-Tenant, then in appSettings.json Set "MicrosoftAppType"to Singletenant and Set your "MicrosoftAppTenantId" to your tenant ID only

    2.Mentioned here:

    3.Yes, webApplicationInfo in the manifest.json is mandatory. If you aren't using SSO, ensure that you enter a dummy string value in this field to your app manifest, for example, https://example to avoid an error response. For more info please refer:


    5.You should provide a Redirect URI that is unique to your application as it will return to this URI when authentication is complete.

    Set a redirect URI:

    • Select Add a platform.
    • Select Single-page application.
    • Enter the redirect URI for the app in the following format:

    Set another redirect URI:

    6.In the connection settings for OAuth, the details would be as mentioned in this doc:
    You can also refer:


    Prasad Das


    If the response is helpful, please click "Accept Answer" and upvote it. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful