[Urgent] SignIn issues with out of organization
Hi,
Would need some support, because we are facing an issue that out of organization clients can not sign in to our MS Teams app.
They do not receive that SignIn to Continue popup at the bottom of the chat window after they type SignIn command.
I tested with an organization user and also with a dev sandbox user, and it worked for me, but not on Microsoft Teams App Submissions testing team side.
Do you have maybe an example project which has @microsoft/teams-ai with graph SignIn?
Maybe not the code but an azure resource configuration is the problem, but anyway my app example code is here:
Best regards,
Mate Varga
3-2-1-GoCheck
Microsoft Teams Development
-
Mate Varga • 0 Reputation points
2024-06-18T10:55:18.01+00:00 And this is the configuration of my azure resource.
-
Mate Varga • 0 Reputation points
2024-06-18T11:23:58.07+00:00 I saw a sample code for SSO (Bot App with SSO Enabled sample) which has no AI library used inside so it uses CloudAdapter instead of TeamsAdapter.
I'm using TeamsAdapter class as an adapter for my application, which one is the latest solution? Seems CloudAdapter contains some deprecated codes, so I guess TeamsAdapter is the up to date approach.
-
Nivedipa-MSFT • 3,076 Reputation points • Microsoft Vendor
2024-06-18T14:48:07.7766667+00:00 @Mate Varga - Thanks for reporting your issue. Could you please share the repro steps and deployed manifest to investigate further?
-
Mate Varga • 0 Reputation points
2024-06-19T10:09:18.2833333+00:00 Hi, yes I can, will share it soon, not sure why you changed your comment. I just realized that you updated it... Please next time create a new comment so I can not oversee it.
-
Mate Varga • 0 Reputation points
2024-06-19T10:11:37.76+00:00 Step is just use SignIn command to initiate sign in flow.
-
Mate Varga • 0 Reputation points
2024-06-19T10:12:58.6133333+00:00 We just got an update from Microsoft Teams App Submissions testing team.
"Thank you for providing the updated manifest. Now we are able to receive the response for providing the permission and the consent screen when providing the ‘SignIn’ command for a new user account with the updated manifest (1.1.65). But we are still able to view option button to provide the permission after approving the consent and also observe that the bot is not responding for any bot commands after giving ‘SignIn’ command (We were able to receive responses in bot for any commands even after giving the ‘SignIn’ command in the previous iterations). Refer to the video recording."
-
Mate Varga • 0 Reputation points
2024-06-19T10:52:43.6133333+00:00 In 1.1.65 I changed the sign in code in this way.
-
Mate Varga • 0 Reputation points
2024-06-19T10:59:29.5833333+00:00
app.message(/^signin\s*$/i, async (context: TurnContext, state: ApplicationTurnState) => {
    let token = await app.getTokenOrStartSignIn(context, state, 'graph');
    if (token) {
        await context.sendActivity(`[Already signed in]`);
    }
});
-
Mate Varga • 0 Reputation points
2024-06-20T09:02:47+00:00 Any solution????
-
Mate Varga • 0 Reputation points
2024-06-21T08:04:35.37+00:00 Do you know why the sample deployment script I used creates two applications in azure cloud? One for bot and one for the app itself. There are other samples which create only one app for the bot. Do not really get the concept here. Can you please answer my questions ASAP? Thanks!
-
Mate Varga • 0 Reputation points
2024-06-24T20:31:53.1066667+00:00 Hello?
-
Nivedipa-MSFT • 3,076 Reputation points • Microsoft Vendor
2024-06-25T09:17:15.3066667+00:00 @Mate Varga - Could you please try the following sample: https://github.com/microsoft/teams-ai/blob/main/dotnet/samples/06.auth.oauth.bot/README.md
-
Mate Varga • 0 Reputation points
2024-06-25T09:46:18.1066667+00:00 Thanks @Nivedipa-MSFT , I just had a look and it looks quite similar to my implementation. Can you please provide a typescript sample with same set of features + sign in using SignIn command instead of auto sign in. So then I can have the correct npm packages and deploy scripts (including yml and bicep files). So in the end I will have all the code, npm packages and azure resources deployed the correct way.
-
Nivedipa-MSFT • 3,076 Reputation points • Microsoft Vendor
2024-06-25T10:33:49.8066667+00:00 @Mate Varga- Could you please refer below typescript sample:
https://github.com/microsoft/teams-ai/tree/main/js/samples/05.authentication/d.teamsSSO-bot
-
Mate Varga • 0 Reputation points
2024-06-25T12:11:26.9833333+00:00 @Nivedipa-MSFT , yes, this is the sample I initially took. But seems this only works for internal org users. So I made some changes to make it available for public.
aad.manifest.json:
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
azurebot.bicep:
botService
properties
msaAppType: 'MultiTenant'
msaAppTenantId: ''
index.ts:
graph
msalConfig
auth
authority: `${process.env.AAD_APP_OAUTH_AUTHORITY_HOST}/common`
endOnInvalidMessage: false
auth-start.html:
let authorizeEndpoint = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?${toQueryString(queryParams)}`;
Do I have to change something else?
-
Nivedipa-MSFT • 3,076 Reputation points • Microsoft Vendor
2024-06-25T13:17:23.2666667+00:00 @Mate Varga - Could you please keep the original code (with auto login) and see if everything is working in your application?
-
Mate Varga • 0 Reputation points
2024-06-25T13:44:00.4466667+00:00 @Nivedipa-MSFT yes, but keep the changes related to out of org clients?
-
Mate Varga • 0 Reputation points
2024-06-25T13:50:30.58+00:00
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"publisherDomain": "321gocheck.com",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
authority: `${process.env.AAD_APP_OAUTH_AUTHORITY_HOST}/common`
let authorizeEndpoint = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?${toQueryString(queryParams)}`;
These?
-
Mate Varga • 0 Reputation points
2024-06-26T17:35:40.2+00:00 @Nivedipa-MSFT any suggestions? Seems the sample you provided is not working for out of org users.
-
Nivedipa-MSFT • 3,076 Reputation points • Microsoft Vendor
2024-06-27T10:36:12.9633333+00:00 Mate Varga - We are getting some issues while setting up the sample locally and we are trying, meanwhile could you please try making these changes?
- Update the line: "signInAudience": "AzureADMyOrg" => AzureADMultipleOrgs
  Ref Doc: teams-ai/js/samples/05.authentication/d.teamsSSO-bot/aad.manifest.json at main · microsoft/teams-ai (github.com)
- Follow the guide and change the account type = AzureADMultipleOrgs
  Ref Doc: How to: Change the account types supported by an application
-
Mate Varga • 0 Reputation points
2024-06-27T12:31:23.12+00:00 @Nivedipa-MSFT , the version I released to the testing team was with AzureADandPersonalMicrosoftAccount, so it should work for out of org users. And already made those changes according to point 2.
-
Mate Varga • 0 Reputation points
2024-06-27T12:33:40.1+00:00 @Nivedipa-MSFT , the way I deployed is already with AzureADandPersonalMicrosoftAccount, and /common url for authority. Not sure why it was not working for the Microsoft testing team with out of org user.
-
Wajeed-MSFT • 311 Reputation points • Microsoft Employee
2024-06-28T04:45:59.47+00:00 Mate Varga - what do you mean by 'out of org user'? Are you referring to guest users or you are referring to a user from a different tenant?
For your app to work with different tenants you just need to set the app type as AzureADMultipleOrgs.
-
Mate Varga • 0 Reputation points
2024-06-28T05:48:19.8933333+00:00 I mean all users who have ms365 and are out of our organization. So including personal accounts with ms365. So the changes I made related to the common url are not required, right? And oauth2Allow* properties are also not required to be set to true, right?
-
Mate Varga • 0 Reputation points
2024-06-28T05:50:04.03+00:00 @Wajeed-MSFT can you please answer quickly so then I can deploy a new version which can be tested by today?
-
Mate Varga • 0 Reputation points
2024-06-28T05:55:57.6566667+00:00 Like it is in that sample project...
-
Mate Varga • 0 Reputation points
2024-06-28T06:00:32.48+00:00
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"publisherDomain": "321gocheck.com",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
authority: `${process.env.AAD_APP_OAUTH_AUTHORITY_HOST}/common`
let authorizeEndpoint = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?${toQueryString(queryParams)}`;
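Added example, not part of the thread and not code from the teams-ai samples: a TypeScript check of which account categories can complete sign-in for a given signInAudience and authority pair, using the values discussed above. It assumes the authority host is https://login.microsoftonline.com and that a tenant-specific authority names the app's own tenant; checkSignIn, authorityAccounts and the Account labels are hypothetical names.

```typescript
// Added example; the sample values passed in are constructed, not from the thread.
type Account = 'homeTenant' | 'otherTenant' | 'personal';
interface Finding { canSignIn: Account[]; issues: string[]; }

// Account categories each signInAudience value in aad.manifest.json admits.
const AUDIENCE: { [name: string]: Account[] } = {
    AzureADMyOrg: ['homeTenant'],
    AzureADMultipleOrgs: ['homeTenant', 'otherTenant'],
    AzureADandPersonalMicrosoftAccount: ['homeTenant', 'otherTenant', 'personal'],
    PersonalMicrosoftAccount: ['personal'],
};

// Account categories the tenant segment of the authority URL will accept.
function authorityAccounts(authority: string): Account[] | null {
    const m = /^https:\/\/[^\/?#]+\/([^\/?#]+)/.exec(authority.trim());
    if (!m) return null; // e.g. "undefined/common" when the host env variable is unset
    const segment = m[1].toLowerCase();
    if (segment === 'common') return ['homeTenant', 'otherTenant', 'personal'];
    if (segment === 'organizations') return ['homeTenant', 'otherTenant'];
    if (segment === 'consumers') return ['personal'];
    return ['homeTenant']; // assumption: a tenant id or domain is the app's own tenant
}

function checkSignIn(signInAudience: string, authority: string, wanted: Account[]): Finding {
    const issues: string[] = [];
    const known = Object.prototype.hasOwnProperty.call(AUDIENCE, signInAudience);
    const fromApp = known ? AUDIENCE[signInAudience] : null;
    const fromAuthority = authorityAccounts(authority);
    if (!fromApp) issues.push(`unknown signInAudience "${signInAudience}"`);
    if (!fromAuthority) issues.push(`authority "${authority}" lacks an https host or tenant segment`);
    let canSignIn: Account[] = [];
    if (fromApp && fromAuthority) {
        if (signInAudience === 'AzureADMyOrg' && fromAuthority.length > 1) {
            // Single-tenant registrations are refused on /common and /organizations.
            issues.push('single-tenant app registration used with a multi-tenant authority');
        } else {
            // A user must be admitted by both the registration and the endpoint.
            canSignIn = fromApp.filter(a => fromAuthority.indexOf(a) !== -1);
        }
    }
    for (const w of wanted) {
        if (canSignIn.indexOf(w) === -1) issues.push(`${w} accounts cannot sign in`);
    }
    return { canSignIn, issues };
}

// Constructed check: AzureADMultipleOrgs against a /common authority.
const sample = checkSignIn('AzureADMultipleOrgs', 'https://login.microsoftonline.com/common', ['otherTenant', 'personal']);
```

With AzureADMultipleOrgs the result excludes personal Microsoft accounts even on /common; only AzureADandPersonalMicrosoftAccount paired with /common admits all three categories.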