Is Teams Tab SSO enough to validate user?

Question

I have an app I want to embed as a tab in MS Teams. Users may already have an account outside of teams and I use magic login link to typically to log users in. I want to know if I can leverage teams tab SSO to log users into their existing account. So my idea is:

1. User has an account with my app already. It is associated with their organization email.
2. They access my app in Teams and grant permissions necessary, my app gets an auth token and validates it
3. If that is successful, I find the user's account associated with their email and log them in with a magic login link

I'm wondering if this is a valid use case for teams tab sso? Is it enough to trust that the validated token means the user is good and can be logged in? I know typically there is a "sign in with microsoft" idp option but that is a larger lift. Was wondering if there are big security red flags here.

Answer 1

Hello SadPython,

Thanks for your question.

IMO, It is viable if implemented correctly. It's not ideal for user identity within your main app. You can try try custom authentication flow or Sign in with Microsoft to minimize reliance on magic login links.

See:

Enable SSO for tab app

How different technologies affect Microsoft Teams sign-in

https://learn.microsoft.com/en-us/entra/identity-platform/authentication-flows-app-scenarios

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola