How can you get the logged in user in a Teams App chat bot

Question

How can you get the logged in user in a Teams App chat bot

Andrew Kochie 20

Hello,

I am developing a Teams app chatbot and need guidance on the best way to retrieve the logged-in user’s information to personalize responses. The app is hosted on Azure App Service and is registered with Microsoft Graph. I have the tenant ID, client ID, client secret, and other necessary credentials.

However, I’m encountering issues with authentication to the Graph API to retrieve user profile details. Here’s what I’ve tried so far:

Device Code Flow: This allows me to give consent through the browser, but the token request fails with an error indicating a missing client secret, despite it being included in the header.
On-Behalf-Of Flow: I find this confusing because I’m unclear about where to obtain the initial authorization token required as the assertion in the access token request.
MSAL Python Library: Using the ConfidentialClientApplication class, I can successfully obtain a token, but this token doesn’t work for hitting the /me endpoint, as it’s not a delegated flow.

Ideally, I’d like to leverage the fact that users are already signed into Teams via enterprise SSO to gain authorization to access Graph. However, I’m open to other suggestions. Is the Graph API even necessary for retrieving basic user details like a username, or is there a simpler approach?

Thank you in advance for your help!

Accepted answer

1 additional answer

Your answer

Answer 1

Azizkhon Ishankhonov 540

Hi

You can user your Entra Id application in order to get information about user. But, it requires wide range API permission.

First, get access token on behalf of application https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#first-case-access-token-request-with-a-shared-secret
Use this access token for Graph API request to retrieve data about user.
https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#example-1-standard-users-request

Andrew Kochie 20 Reputation points

2024-11-28T23:54:53.8466667+00:00

Can you describe what you mean by wide range API permissions? When I use the token obtained from step 1 and use it in a query against the signed in user endpoint (GET https://graph.microsoft.com/v1.0/me) the error is

/me request is only valid with delegated authentication flow.
Azizkhon Ishankhonov 540 Reputation points

2024-11-29T08:46:45.7866667+00:00

Application will have access for all users information, which bit not secure.
Try use /user/{user_id} route

/me should identify user somehow, but since you obtain token for application, it can't identify since there not information about user, so its looks logically correct.
Azizkhon Ishankhonov 540 Reputation points

2024-11-29T08:51:55.16+00:00

In the documentation you can find which application level permission you need in order to get access to resource:
https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions
Andrew Kochie 20 Reputation points

2024-11-29T17:34:56.0866667+00:00

How would I know the user ID to plug in to the /user/{user_id} end point?
Azizkhon Ishankhonov 540 Reputation points

2024-11-29T23:50:17.2233333+00:00

@Andrew Kochie Well, it depends on your business logic and framework which are using.
For example, Bot Framework for MS Teams development almost everywhere uses TurnContext class and such field:
turnContext.Activity.From.AadObjectId
which is same user user_id

Answer 2

Raja Pothuraju 23,790 Microsoft External Staff Moderator

Hello @Andrew Kochie,

Thank you for posting your query on Microsoft Q&A.

Based on your description, it seems you want to fetch user information for individuals logged into your Teams app chatbot. You can achieve this by making a Microsoft Graph API call to retrieve the signed-in user's details. To do this, you’ll need to generate an access token for the Microsoft Graph API using scopes such as user.read, email, profile, openid, and offline_access through the OAuth flow.

Using the user.read scope, user fetch their own details by sending a GET request to the following endpoint: GET https://graph.microsoft.com/v1.0/me

To generate a delegated access token, you can follow the steps outlined in the Microsoft documentation for the OAuth 2.0 authorization code grant flow:

Request an ID token or hybrid flow using OAuth 2.0

Graph API - Get user details

If you would like to fetch details of other users, you will need to use the user.read.all scope when generating an access token. This scope allows you to retrieve information about all users within the directory.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

JimmyYang-MSFT 58,646 Reputation points Microsoft External Staff

2024-11-29T08:16:18.39+00:00

@Andrew Kochie

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Andrew Kochie 20 Reputation points

2024-11-29T17:44:56.2066667+00:00

Thanks for your response. I understand the general workflow but I’m having trouble generating the token. How does the redirect URI work within the Teams App? What would I set as the redirect URI in the app service?
Raja Pothuraju 23,790 Reputation points Microsoft External Staff Moderator

2024-12-04T20:08:45.68+00:00

Hello @Andrew Kochie,

It looks like once you obtain a token, you can set the redirect URI as redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fv2 (which corresponds to https://teams.microsoft.com/v2). The Teams application should then use this token to make Microsoft Graph API calls to retrieve user details.

Thanks,
Raja Pothuraju.

Share via

How can you get the logged in user in a Teams App chat bot

1 additional answer

Your answer