Azure AI Bot Service
An Azure service that provides an integrated environment for bot development.
Need Help Implementing SSO for Teams Bot Using User-Assigned Managed Identity + Federated Credentials (Python Agent SDK)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 68%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Anand Kumar (MAQ LLC)
20
Reputation points Microsoft External Staff
Hi Community,
I need help completing SSO integration for a Microsoft Teams bot that uses User-Assigned Managed Identity (UAMI) instead of a traditional App Registration client secret/certificate.
What I have done so far
- Created a Teams bot whose bot identity = User Assigned Managed Identity
Connected the bot to Teams using the manifest file
Deployed backend (Python, Agent SDK, Bot Framework) to Azure App Service
Since client secrets & certificates are not allowed in my tenant, I created an Azure App Registration only for SSO
Under Authentication → added Federated Credentials
Configured OAuth Connection in Azure Bot Channel Registration → Test Connection works, token is issued successfully
Everything works until this point.
Where I am stuck
1. How do I integrate OAuth SSO token into my Python backend (Agent SDK + Bot Framework)?
Since I am not using a traditional App Registration for the bot, I’m not sure how to integrate the federated-credential–based OAuth flow inside the bot logic.
Is there any Python sample/repo where federated credentials + Teams SSO + Agent SDK have been implemented?
How should the bot verify the token and request Graph API on behalf of the user?
2. Do I need to expose an API in the App Registration?
My tenant raises a security alert if any API is exposed,
Is it possible to complete SSO without exposing API permissions in the App Registration?
3. Do I need to modify the Teams Manifest?
I’m unsure if something must be added to enable SSO with federated credentials, such as:
webApplicationInfo.resource
webApplicationInfo.id
or any additional SSO-related entries for bots
Currently my manifest only contains basic bot configuration.
What I need clarity on
Correct backend implementation pattern for federated credentials SSO with Python Agent SDK
Whether API permissions are mandatory
Required manifest changes (if any)
Any official documentation, GitHub samples, or guidance would be extremely helpful. Thanks in advance!
Azure AI Bot Service
Sign in to answer