Publisher verification status missing from Azure SSO Consent Dialog

SCT-Akouodev 26

We're developing an MS Teams Tab application in a multi-tenant setup.

We're using Azure SSO for authentication as documented here, and also the authorization code flow for requesting additional Graph Permissions.

As promised in the Publisher Verification documentation, the app logo and badge are being displayed in the Graph consent dialog.

But the same verification status is missing from the SSO consent dialog.

This is an issue because we are unable to publish the app to the MS Teams App Store without the proper 'verified publisher' experience.

Prasad-MSFT 6,876 Reputation points Microsoft Vendor

2022-02-07T13:10:12.237+00:00

Could you provide the sample repo which you are referring to or Repro steps?
SCT-Akouodev 26 Reputation points

2022-02-09T06:06:04.833+00:00

Hi @Prasad-MSFT ,
Thanks for responding.

We have followed the exact steps for adding SSO from here and for Publisher Verification from here.
Note that for Publisher Verification we have verified a custom domain name.
Prasad-MSFT 6,876 Reputation points Microsoft Vendor

2022-02-09T06:31:06.44+00:00

@SCT-Akouodev - Is the same AAD app registered in Azure Portal being used for both of these flows?
SCT-Akouodev 26 Reputation points

2022-02-09T11:11:22.187+00:00
Yes, the app ID is the same in the following places -

Azure app registration - Application (client) ID, Application ID URI, access_as_user scope, Branding -> Publisher Verification

App Manifest - id and webApplicationInfo fields
Prasad-MSFT 6,876 Reputation points Microsoft Vendor

2022-02-10T04:56:36.137+00:00

Please reach out to the Identity org since they are the ones that render these consent dialogs. You can find guidance for reaching them here:
https://identitydocs.azurewebsites.net/static/v2/get_help.html

Thanks!
SCT-Akouodev 26 Reputation points

2022-02-11T09:00:33.193+00:00

I am unable to access the page at https://identitydocs.azurewebsites.net/static/v2/get_help.html.

Is this an internal document? Can you please point me to a public page/forum to raise this request?
Thanks.
Prasad-MSFT 6,876 Reputation points Microsoft Vendor

2022-02-14T14:22:37.64+00:00

We have updated the tags so that Identity team can help with this question.
Florian Hötzinger 1 Reputation point

2022-02-16T14:11:48.817+00:00

We are facing exactly the same issue and the app submission team blocked our app for this very reason.
Skip Livingston 6 Reputation points

2022-03-07T18:57:10.09+00:00

Hi @Prasad-MSFT ,
We are facing the same problem: the verified badge is not shown in the initial SSO consent, but is shown in all other consent contexts. Has a root cause or solution been identified for this problem? We have tried just about everything we can think of without success.
Prasad-MSFT 6,876 Reputation points Microsoft Vendor

2022-03-08T14:18:05.71+00:00

Please reach out to the Identity org since they are the ones that render these consent dialogs. You can find guidance for reaching them here:
https://identitydocs.azurewebsites.net/static/v2/get_help.html
Skip Livingston 6 Reputation points

2022-03-08T14:25:06.433+00:00

@Prasad-MSFT I receive a similar error as @SCT-Akouodev reported above when attempting to access the link you provided. Is there another way I can contact the identity org?

Selected user account does not exist in tenant 'Microsoft' and cannot access the application 'ad9c3e97-0ae9-4928-a97d-63a69f873726' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
Prasad-MSFT 6,876 Reputation points Microsoft Vendor

2022-03-08T14:26:21.333+00:00

We have updated the tags so that Identity team can help with this question.
Thomas Dedek 1 Reputation point

2022-03-24T08:53:26.187+00:00

We have exactly the same issue with our Teams App. The project was created using the Microsoft Teams Toolkit and the contained SSO webapp.
Is there any update on this issue?

1 answer

Skip Livingston 6 Reputation points

2022-03-24T19:04:04.7+00:00
We found a workaround: instead of relying on SSO to request consent, catch the consent error and redirect the user to the authorization page requesting the same scopes as SSO. For whatever reason, manually requesting the scopes instead of relying on SSO gets the badge to display in the consent dialog.

If you're using @microsoft/teams-js, you can catch the consent error in authentication.getAuthToken() using the silent=true option

Redirect the user to https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/authorize requesting the same scopes as SSO: profile offline_access openid email

You should see the consent dialog with the verified badge
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Publisher verification status missing from Azure SSO Consent Dialog

1 answer

Your answer