Ensure that you adhere to the following prerequisites while building your Teams personal and channel or group tab:

  • Enable discovery of your tab pages in an iFrame by utilizing X-Frame-Options and Content-Security-Policy HTTP response headers.

    • Set Content Security Policy headers to allow Teams and any other host applications of your app:

      Microsoft 365 app host frame-ancestor permission
      Teams, *, *
      Microsoft 365 app *, *
    • For Internet Explorer 11 compatibility, set X-Content-Security-Policy. Alternately, set header X-Frame-Options: ALLOW-FROM This header is deprecated but still accepted by most browsers.

  • Login pages don't render in iFrames, as a safeguard against clickjacking. Your authentication logic needs to use a method other than redirect. For example, use token-based or cookie-based authentication.


    It is recommended that you set the intended use for your cookies rather than rely on default browser behavior. For more information, see SameSite cookie attribute.

  • Browsers same-origin policy restriction prevents webpages from making requests to different domains than the served web page. So, you can redirect the configuration or content page to another domain or subdomain. Your cross-domain navigation logic needs to allow the Teams client to validate the origin against a static validDomains list in the app manifest when loading or communicating with the tab.

  • Style your tabs based on the Teams client's theme, design, and intent. Tabs work best when they're built to address a specific need and focus on a small set of tasks or a subset of data that is relevant to the tab's channel location.

  • Within your content page, add a reference to Microsoft Teams JavaScript client library using script tags. After your page loads, make a call to app.initialize(), otherwise your page won't be displayed.

  • For authentication to work on mobile clients, you must upgrade to TeamsJS version 1.4.1 or later.

  • If you choose to have your channel or group tab to appear on Teams mobile client, the setConfig() configuration must have a value for the websiteUrl property.

  • Microsoft Teams tab doesn't support the ability to load intranet websites that use self-signed certificates.


This topic reflects version 2.0.x of the Microsoft Teams JavaScript client library (TeamsJS). If you are using an earlier version, refer to the TeamsJS library overview for guidance on the differences between the latest TeamsJS and earlier versions.

Tools to build tabs

  Install For using...
  Node.js Back-end JavaScript runtime environment. Use the latest v16 LTS release.
  Microsoft Edge (recommended) or Google Chrome A browser with developer tools.
  Visual Studio Code JavaScript, TypeScript, or SharePoint Framework (SPFx) build environments.
  Visual Studio 2022, ASP.NET and web development workload .NET. You can install the free community edition of Visual Studio 2022.
  Git Git to use the sample apps repo from GitHub.
  Microsoft Teams Microsoft Teams to collaborate with everyone you work with through apps for chat, meetings, call - all in one place.
  ngrok Ngrok is a reverse proxy software tool. Ngrok creates a tunnel to your locally running web server's publicly available HTTPS endpoints. Your server's web endpoints are available during the current session on your computer. When the computer is shut down or goes to sleep, the service is no longer available.
  Developer Portal for Teams Web-based portal to configure, manage, and distribute your Teams app including to your organization or the Microsoft Teams Store.

Build your Teams tab

Now let's build your tab. But first select your choice of tab to build:

See also