Moving comments to answer section for better visibility.
I think the AD tutorial details granting access by admin to the app for authentication scenario. In this case the bot connector service is used instead of actually authenticating users against an AD. So, Yes with respect to above question the bot framework is handling it internally.
If you look at the process to setup authentication in a bot the process is actually registering the AD identity provider with the bot there by granting required access with consent.