Edit

Share via

SSO for tabs and message extension

  • Article
  • Developer (Beginner)
  • 18 minutes to complete

The Microsoft Entra single sign-on (Microsoft Entra SSO) helps to authenticate users in Teams.

Key aspects of Microsoft Entra SSO:

  • Allows the user to sign in automatically after the first sign in.
  • Allows the user to sign in to other devices without entering credentials again.
  • Obtains token for the signed in user.

This step-by-step guide helps you to create tabs and message extensions enabling Microsoft Entra SSO authentication. You'll see the following output:

Screenshot of the tab and message extension with SSO authentication output after you have successfully completed the step-by-step guide.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

Ensure that you install the following tools and set up your development environment:

  Install For using...
  Microsoft Teams Microsoft Teams to collaborate with everyone you work with through apps for chat, meetings, and calls all in one place.
  Microsoft 365 developer account Access to Teams account with the appropriate permissions to install an app.
  .NET Core SDK Customized bindings for local debugging and Azure Functions app deployments. If you haven't installed the latest version, install the portable version.
  Visual Studio 2022 You can install the enterprise version in Visual Studio 2022, and install the ASP.NET and web development workloads. Use the latest version.
  Dev tunnel Teams app features (conversational bots, message extensions, and incoming webhooks) need inbound connections. A tunnel connects your development system to Teams. Dev tunnel is a powerful tool to securely open your localhost to the internet and control who has access. Dev tunnel is available in Visual Studio 2022 version 17.7.0 or later.
or
You can also use ngrok as a tunnel to connect your development system to Teams. It isn't required for apps that only include tabs. This package is installed within the project directory (using npm devDependencies).

Note

After downloading ngrok, sign up and install authtoken.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

  1. Open Microsoft-Teams-Samples.

  2. Select Code.

  3. From the dropdown menu, select Open with GitHub Desktop.

    Screenshot show the option to clone repository in local.

  4. Select Clone.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

The following steps help you to create and register your bot in Azure portal:

  • Create and register your Azure app.
  • Create client secret to enable SSO authentication of the bot.
  • Add Teams channel to deploy the bot.
  • Create a tunnel to your web server's endpoints using dev tunnel (recommended) or ngrok.
  • Add messaging endpoint to the dev tunnel that you created.

Add App registration

  1. Go to Azure portal.

  2. Select App registrations.

    Screenshot shows the Azure services to select App registrations.

  3. Select + New registration.

    Screenshot shows the New registration page on Microsoft Entra admin center.

  4. Enter the name of your app.

  5. Select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).

  6. Select Register.

    Screenshot shows the option to register the bot in Microsoft Entra admin center.

    Your app is registered in Microsoft Entra ID. The app overview page appears.

    Screenshot shows the app registration overview page.

    Note

    Save the app ID from Application (client) ID and Directory (tenant) ID for further use.

Create a tunnel

  1. Open Visual Studio.

  2. Select Create a new project.

    Screenshot shows the selection to create a new project.

  3. In the search box, enter ASP.NET. From the search results, select ASP.NET Core Web App.

  4. Select Next.

    Screenshot shows the search and selection of the template.

  5. Enter Project name and select Next.

    Screenshot shows the project name to enter.

  6. Select Create.

    Screenshot shows the project additional information.

    An overview window appears.

    Screenshot shows the overview window.

  7. In the debug dropdown list, select Dev Tunnels (no active tunnel) > Create a Tunnel....

    Screenshot shows the dropdown to select the dev tunnels.

    A pop-up window appears.

  8. Update the following details in the pop-up window:

    1. Account: Enter a Microsoft or GitHub account.
    2. Name: Enter a name for your tunnel.
    3. Tunnel Type: From the dropdown list, select Temporary.
    4. Access: From the dropdown list, select Public.

  9. Select OK.

    Screenshot shows the details to update for creation of tunnel.

    A pop-up window appears showing that dev tunnel is successfully created.

  10. Select OK.

    Screenshot shows the pop-up message that the tunnel is created.

    You can find the tunnel you've created in the debug dropdown list as follows:

    Screenshot shows the tunnel is active and selected.

  11. Select F5 to run the application in the debug mode.

  12. If a Security Warning dialog appears, select Yes.

    Screenshot shows the dialog box to accept the security warning.

    A pop-up window appears.

  13. Select Continue.

    Screenshot shows the url for the tunnel.

    The dev tunnel home page opens in a new browser window and the dev tunnel is now active.

    Screenshot shows the dev tunnel welcome page in browser.

  14. Go to Visual Studio, select View > Output.

  15. From the Output console dropdown menu, select Dev Tunnels.

    The Output console shows the dev tunnel URL.

    Screenshot shows the url in the Visual Studio output console.

Add a web authentication

  1. In the left pane, under Manage, select Authentication.

  2. Select Add a platform > Web.

    Screenshot shows the selection of web authentication.

  3. Enter the redirect URI for your app by appending auth-end to the fully qualified domain name. For example, https://your-devtunnel-domain/auth-end or https://your-ngrok-domain/auth-end.

  4. Under Implicit grant and hybrid flows, select the Access tokens and ID tokens checkboxes.

  5. Select Configure.

    Screenshot shows the option to add redirect uri and select implicit grant and hybrid flows.

  6. Under Web, select Add URI.

  7. Enter https://token.botframework.com/.auth/web/redirect.

  8. Select Save.

    Screenshot shows the option to add redirect uri and select implicit grant and hybrid flows.

Create a client secret

  1. In the left pane, under Manage, select Certificates & secrets.

  2. Under Client secrets, select + New client secret.

    Screenshot show the selection of new client secret.

    The Add a client secret window appears.

  3. Enter Description.

  4. Select Add.

    Screenshot show the client secret description option to add.

  5. Under Value, select Copy to clipboard to save the client secret value for further use.

    Screenshot show the option to copy the client secret ID value to copy value to clipboard.

Add API permissions

  1. In the left pane, select API permissions.

  2. Select + Add a permission.

    Screenshot shows the option to select Add permission.

  3. Select Microsoft Graph.

  4. Select Delegated permissions.

  5. Select User > User.Read.

  6. Select Add permissions.

    Screenshot show the option to select permissions.

Note

  • If an app isn't granted IT admin consent, users must provide consent the first time they use an app.
  • Users need to consent to the API permissions only if the Microsoft Entra app is registered in a different tenant.

Add Application ID URI

  1. In the left pane, under Manage, select Expose an API.

  2. Next to Application ID URI, select Add.

    Screenshot shows the option to add Application ID URI.

  3. Update the Application ID URI in the api://your-devtunnel-domain/botid-{AppID} or api://your-ngrok-domain/botid-{AppID} format and select Save.

    Screenshot shows the option to add redirect uri and save.

    The following image shows the domain name:

    Screenshot shows the redirect uri.

Add a scope

  1. In the left pane, under Manage, select Expose an API.

  2. Select + Add a scope.

    Screenshot shows the selection to Add a Scope.

  3. Enter access_as_user as the Scope name.

  4. Under Who can consent?, select Admins and users.

  5. Update the values for the rest of the fields as follows:

    • Enter Teams can access the user’s profile as Admin consent display name.

    • Enter Allows Teams to call the app’s web APIs as the current user as Admin consent description.

    • Enter Teams can access the user profile and make requests on the user’s behalf as User consent display name.

    • Enter Enable Teams to call this app’s APIs with the same rights as the user as User consent description.

  6. Ensure that State is set to Enabled.

  7. Select Add scope.

    The following image shows the fields and the values:

    Screenshot shows the values filled in the field to Add a scope.

    Note

    The Scope name must match with the Application ID URI with /access_as_user appended at the end.

    Screenshot shows the details in Scopes.

Add client application

  1. In the left pane, under Manage, select Expose an API.

    Under Authorized client applications, identify the applications that you want to authorize for your app’s web application.

  2. Select + Add a client application.

    Screenshot shows the option to Select client application.

  3. Add Teams mobile or desktop and Teams web application.

    1. For Teams mobile or desktop: Enter the Client ID as 1fec8e78-bce4-4aaf-ab1b-5451cc387264.

      Screenshot shows the mobile or desktop Client ID application.

    2. For Teams web: Enter the Client ID as 5e3ce6c0-2b1f-4285-8d4b-75ee78787346.

      Screenshot shows the web Client ID application.

  4. Select the Authorized scopes checkbox.

  5. Select Add application.

    Screenshot shows the option to select authorized scopes and add application.

    The following image displays the Client Id:

    Screenshot shows the output of Client applications.

Update the manifest

  1. In the left pane, select Manifest.

  2. Set the value for the accessTokenAcceptedVersion to 2 and select Save.

    Screenshot shows the manifest option and accesstoken details in Azure portal.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

Create an Azure bot resource

Note

If you're already testing your bot in Teams, sign out of this app and Teams. To see this change, sign in again.

  1. Go to Home.

  2. Select + Create a resource.

  3. In the search box, enter Azure Bot.

  4. Select Enter.

  5. Select Azure Bot.

  6. Select Create.

    Screenshot shows the creation of Azure bot.

  7. Enter the bot name in Bot handle.

  8. Select your Subscription from the dropdown list.

  9. Select your Resource group from the dropdown list.

    Screenshot shows the option resource group and subscription in the Azure portal.

    If you don't have an existing resource group, you can create a new resource group. To create a new resource group, follow these steps:

    1. Select Create new.
    2. Enter the resource name and select OK.
    3. Select a location from New resource group location dropdown list.

    Screenshot shows the new resource group option in Azure portal.

  10. Under Pricing, select Change plan.

    Screenshot shows the pricing option in Azure portal.

  11. Select FO Free > Select.

    Screenshot shows the option to select free.

  12. Under Microsoft App ID, select Type of App as Multi Tenant.

  13. In the Creation type, select Use existing app registration.

  14. Enter the App ID.

    Note

    You can't create more than one bot with the same Microsoft App ID.

  15. Select Review + create.

    Screenshot shows the creation of new bot.

  16. After the validation passes, select Create.

    The bot takes a few minutes to provision.

  17. Select Go to resource.

    Screenshot shows the Go to resource option in the Azure portal.

    You've successfully created your Azure bot.

    Screenshot shows the output of a bot.

Add a Teams channel

  1. In the left pane, select Channels.

  2. Under Available Channels, select Microsoft Teams.

    Screenshot shows the selection of Teams in channels.

  3. Select the checkbox to accept the Terms of Service.

  4. Select Agree.

    Screenshot shows the acceptance of terms of service.

  5. Select Apply.

    Screenshot shows the Microsoft Teams as messaging to apply.

To add a messaging endpoint

  1. Use the dev tunnel URL in the Output console as the messaging endpoint.

    Screenshot shows the url in the Visual studio output console.

  2. In the left pane, under Settings, select Configuration.

  3. Update the Messaging endpoint in the format https://your-devtunnel-domain/api/messages.

    Screenshot shows the messaging endpoint adding api.

  4. Select Apply.

    You've successfully set up a bot in Azure Bot service.

    Note

    If the Application Insights Instrumentation key shows an error, update with App ID.

Add an OAuth connection settings

  1. In the left pane, select Configuration.

  2. Select Add OAuth Connection Settings.

  3. Under New Connection Setting, update the following details:

    • Name: Enter a name for your new connection setting. You can use the name in the settings of your bot service code.
    • Service Provider: From the dropdown list, select Azure Active Directory v2.
    • Client id: Update your Microsoft App ID.
    • Client secret: Update the client secrets Value.
    • Token Exchange URL: Update the Application ID URI.
    • Tenant ID: Enter Common.
    • Scopes: Enter User.Read.

  4. Select Save.

    Screenshot shows the values added to set OAuth connection.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

  1. Go to the appsettings.json file in the cloned repository.

    Screenshot of Project file with appsettings.json file highlighted in red.

  2. Open the appsettings.json file in Visual Studio.

  3. Update the following information:

    • Replace "MicrosoftAppId" to your bot's Microsoft App ID.
    • Replace "MicrosoftAppPassword" to your bot's client secrets Value.
    • Replace "SiteUrl" to your ngrok URL.
    • Replace "ConnectionName" to the name of OAuth connection setting.
    • Replace "TenantId" to the tenant ID of the tenant where the app is used.
    • Replace "ClientId" to your bot's Microsoft App ID.
    • Replace "AppSecret" to your bot's client secrets Value.
    • Replace "ApplicationIdURI" in the form of api://*******.ngrok.io/botid-{AppID}.

    Screenshot of the appsettings.json file with the values entered highlighted in red.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

  1. Go to the manifest.json file in the cloned repository.

    Screenshot of Manifest folder with the manifest file highlighted in red.

  2. Open the manifest.json file in Visual Studio and make the following changes:

    • Replace DOMAIN-NAME with your ngrok URL.

    • Replace YOUR-MICROSOFT-APP-ID with your bot's Microsoft App ID.

      Note

      Depending on the scenario [YOUR-MICROSOFT-APP-ID] and [DOMAIN-NAME] may occur multiple times.

    • Replace resource as api://*******.ngrok.io/botid-{AppID}.
      Screenshot of the manifest.json file with the values entered highlighted in red.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

To build and run the service, use Visual Studio or Command line.

  1. Open Visual Studio.

  2. Select File > Open > Project/Solution....

    Screenshot of Visual Studio file menu. The menu entries titled Open under File menu and Project/Solution under Open are highlighted in red.

  3. In the csharp folder, select App SSO Sample.csproj file.

    Screenshot of Project file with App SSO Sample.csproj file highlighted in red.

  4. Press F5 to run the project.

  5. Select Yes if the following dialog appears:

    Screenshot of Security Warning with the Yes option highlighted in red.

    A webpage appears with a message Your bot is ready!

    Screenshot of the webpage that displays Your bot is ready.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

  1. In your cloned repository, go to csharp > App SSO Sample > TeamsAppManifest.

  2. Create a .zip file with the following files that are present in the Manifest folder:

    • manifest.json
    • icon-outline.png
    • icon-color.png

    Screenshot of Manifest folder with tab manifest zip folder highlighted in red.

  3. In the Teams client, select the Apps icon.

  4. Select Manage your apps.

  5. Select Upload an app.

  6. Look for the option to Upload a custom app. If you see the option, custom app upload is enabled.

    Screenshot shows the upload a custom app.

    Note

    Contact your Teams administrator, if you don't find the option to upload a custom app.

  7. Select Open to upload the .zip file that you created in the Manifest folder.

    Screenshot of Manifest folder with Open option to upload the Teams Bot zip file highlighted in red.

  8. Select Add.

    Screenshot of Conversation Bot with Add option highlighted in red.

  9. Send a message to the bot.

  10. The bot performs SSO and displays profile card along with option prompt to view token.

    Screenshot of the profile card received in Teams.

  11. Select Yes to view token or No to continue with chat.

    Screenshot of the dialog to either select Yes or No.

  12. If SSO isn't performed, then the bot performs default authentication method for your tab.

    Screenshot of the default SSO page in Teams.

  13. To sign in, if SSO isn't performed:

    1. In the left pane of the Teams, select More added apps (●●●).

    2. Select your new SSO application.

      Screenshot of your app highlighted in red in Apps section.

    3. Select sign in.

      Screenshot of your app with sign in highlighted in red.

    4. Enter your credentials in Sign in window and select Next.

      Screenshot of Microsoft Sign in page with Next highlighted in red.

    5. Select Accept.

      Screenshot of Microsoft consent dialog with Accept highlighted in red.

    6. Select your profile under search box. You'll see the following output:

      Screenshot of the selected profile.

  14. Send https://profile.botframework.com to the application to get a profile card.

    Screenshot of the selected profile after entering the URL.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

Did you come up with output like this?

Screenshot of the output after you have successfully completed the step-by-step guide.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser

You've completed the tutorial to get started with SSO for tab and message extension app.

Use your local computer

Stay on this site and follow instructions with your own machine.

Continue to first step
Use a virtual machine

Visit the Hands-on Lab site for integrated instruction.

Hands-on Lab
Try the code in your browser