Conflict Between Microsoft Entra and Teams Admin Settings Regarding Bot Installation

Question

I am currently developing a Teams bot and have a question regarding potential conflicts between Microsoft Entra administrator settings and Teams administrator settings.

As I understand it, when a Teams bot is installed, a service principal with the same ID as the bot is created in the Microsoft Entra tenant to which the user belongs.

I would like to consider the following two conditions:

• The Teams administrator has allowed the installation of third-party apps for Teams users.
• The Microsoft Entra administrator has set "Do not allow user consent" under Enterprise applications > Consent and permissions > User consent settings in the user's tenant.

My concern is whether this configuration could lead to unexpected behavior or error messages from the user's perspective. Specifically, while the app appears installable in Teams, the Microsoft Entra settings might prevent the actual installation (i.e., the creation of the service principal). Would this result in any unexpected issues?

(Unfortunately, I do not have the necessary permissions to test this scenario myself.)

One point I have noticed is that a bot’s service principal may not require user consent. If that is the case, Microsoft Entra settings might not affect the installation, meaning that as long as the Teams administrator allows the app installation, the service principal would still be created.

Could you confirm whether this understanding is correct?

Additionally, if there are any documented cases of conflicts between Microsoft Entra and Teams admin settings, or any troubleshooting guides related to such conflicts, I would appreciate it if you could share them.

Thank you for your support.

Best regards,

Answer 1

Here’s a detailed explanation of how these settings interact and what you can expect:

Interaction Between Teams and Microsoft Entra Settings:

1. Teams Administrator Settings:
   • Teams administrators can control the installation of third-party apps for Teams users. If the Teams administrator allows the installation of third-party apps, users can install and use these apps within Teams.
2. Microsoft Entra Administrator Settings:
   • Microsoft Entra administrators can control user consent settings for enterprise applications. If the setting "Do not allow user consent" is enabled under Enterprise applications > Consent and permissions > User consent settings, users cannot grant consent to applications that require permissions.

Potential Conflicts and Behavior:

• Service Principal Creation:
  • When a Teams bot is installed, a service principal with the same ID as the bot is created in the Microsoft Entra tenant. This service principal allows the bot to operate within the tenant.
  • If the Microsoft Entra administrator has set "Do not allow user consent," it may prevent users from granting consent to applications that require permissions. However, the creation of the service principal for the bot itself does not typically require user consent.
• User Experience:
  • If the Teams administrator allows the installation of the bot, users will be able to install the bot in Teams.
  • If the bot requires specific permissions that need user consent, and the Microsoft Entra settings prevent user consent, users may encounter issues when the bot tries to access resources that require those permissions. This could result in error messages or limited functionality.

Thanks, 

Prasad Das

************************************************************************* 

If the response is helpful, please click "Accept Answer" and upvote it. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate.