How to silently obtain a delegated permission access token from a user while chatting with a bot in MS Teams?

Koala Huynh 45 Reputation points
2025-03-07T10:32:20.17+00:00

I'm implementing an MS Teams chat bot using the Microsoft Bot Framework, and I need to send direct messages between users on behalf of the logged-in user. I self-hosted the MS Bot service.

Scenario:

  1. A Teams user selects a list of other Teams users from an Adaptive Card sent by the bot.
  2. When they click "Complete", the bot should initiate direct chat messages between the logged-in user and the unchecked users. For example: the logged-in user sends a "Sorry, you are not selected this time." message to the other user in a private chat.
  3. This requires delegated permissions, meaning the API call must be made on behalf of the logged-in user.

Challenge:

  • MS Graph requires a delegated access token to send messages on behalf of the user.
  • My research suggests that we need to present another Adaptive Card prompting the user to log in, so the bot can obtain the token.
  • However, this creates a poor user experience, as the user is already authenticated in MS Teams.

Question:

  • Can we retrieve the access token silently (SSO) when the user clicks "Complete", without requiring an additional login prompt?
  • If so, how can we securely obtain the token in the bot's source code and use it to call the MS Graph API for sending messages?
Microsoft Teams | Development

1 answer

  1. Nivedipa-MSFT 3,721 Reputation points Microsoft External Staff Moderator
    2025-03-07T12:31:02.82+00:00

    @Koala Huynh - You can indeed retrieve the access token silently using Single Sign-On (SSO) in Microsoft Teams, avoiding an additional login prompt. Here's how to do it:

    Steps to Implement SSO in Your Bot

    Configure Azure AD for SSO:

    • Register your bot in the Azure portal.
    • Set up the necessary API permissions for Microsoft Graph (e.g., ChatMessage.Send, Chat.ReadWrite).
    • Enable the OAuth 2.0 implicit grant flow.

    Implement SSO in Your Bot:

    • Utilize the Bot Framework SDK to manage the OAuth flow.
    • When the user interacts with the bot, it can silently acquire the token using OAuthPrompt and TokenExchangeInvokeRequest.

    Ref Docs:
    1. https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-sso?view=azure-bot-service-4.0
    2. https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=userassigned%2Caadv2%2Ccsharp

    Thanks, 

    Nivedipa 

    -----------------------------------------------------------------------------------------------------------

    If the response is helpful, please click "Accept Answer" and upvote it. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate. 
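
Added example, not part of the answer above and not Microsoft's code: a sketch of the server-side handling of the `signin/tokenExchange` invoke that carries the TokenExchangeInvokeRequest, followed by the Graph request built with the resulting delegated token. `handleTokenExchange`, `buildSendMessageRequest`, the injected `exchangeFn` (standing in for the SDK call to the Bot Framework Token Service) and the in-memory de-duplication set are assumptions made for illustration.

```javascript
// Added example. exchangeFn is a hypothetical stand-in for the SDK call that asks
// the Bot Framework Token Service to swap the Teams SSO token for a Graph token.
const seenExchanges = new Set(); // in-memory for the example; use shared storage when scaled out

async function handleTokenExchange(activity, expectedConnection, exchangeFn) {
  if (activity.type !== 'invoke' || activity.name !== 'signin/tokenExchange') {
    return { status: 501 }; // not a token-exchange invoke
  }
  const { id, connectionName, token } = activity.value || {};
  if (!id || !token || connectionName !== expectedConnection) {
    return { status: 400 }; // malformed, or aimed at a connection this bot does not use
  }
  // The same exchange can arrive once per active Teams client: process it only once.
  const key = `${activity.conversation.id}/${id}`;
  if (seenExchanges.has(key)) return { status: 200, duplicate: true };
  seenExchanges.add(key);
  try {
    const result = await exchangeFn(activity.from.id, connectionName, token);
    if (!result || !result.token) throw new Error('empty exchange result');
    // Keep the delegated token server-side; never log it or echo it into a card.
    return { status: 200, body: { id, connectionName }, token: result.token };
  } catch (err) {
    // 412 signals that silent exchange failed, so the sign-in card fallback applies.
    return { status: 412, body: { id, connectionName, failureDetail: 'Token exchange failed' } };
  }
}

// Build (without sending) the Graph call that posts a chat message as the user.
function buildSendMessageRequest(chatId, delegatedToken, text) {
  return {
    method: 'POST',
    url: `https://graph.microsoft.com/v1.0/chats/${encodeURIComponent(chatId)}/messages`,
    headers: { Authorization: `Bearer ${delegatedToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ body: { content: text } }),
  };
}
```

The token returned here is scoped to the signed-in user, so it should live only for the duration of the turn (or in a per-user server-side cache) and never be shared across conversations.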
