[This article is prerelease documentation and is subject to change.]
In this section, we walk through creating an app that can access the Microsoft Graph APIs on behalf of the user by authenticating them with the Microsoft Entra ID OAuth provider.
Note
It is possible to authenticate the user into other auth providers like Facebook, GitHub, Google, Dropbox, and so on.
Warning
User authentication does not work with the developer tools setup. You have to run the app in Teams. Follow these [instructions](../../getting-started/running-in-teams.md#debugging-in-teams) to run your app in Teams.
Setup Instructions
Create an app with the `graph` template
Tip
Skip this step if you want to add the auth configurations to an existing app.
Note
In this template, `graph` is the default name of the OAuth connection, but you can change that by supplying `defaultOauthConnectionName` in the `app`.
Use your terminal to run the following command:
teams new oauth-app --template graph
This command:
- Creates a new directory called `oauth-app`.
- Bootstraps the graph agent template files into it under `oauth-app/src`.
- Creates your agent's manifest files, including a `manifest.json` file and placeholder icons in the `oauth-app/appPackage` directory. The Teams app manifest is required for sideloading the app into Teams.
Add Agents Toolkit auth configuration
Open your terminal with the `oauth-app/` folder set as the current working directory and run the following command:
teams config add atk.oauth
This will add relevant Agents Toolkit files to your project.
Tip
See App Setup to learn more about what this command does.
Interacting with the app in Teams
Once you have successfully sideloaded the app into Teams, you can interact with it and sign the user in.
Signing the user in
Note
This is the Single Sign-On (SSO) authentication flow. To learn more about all the available flows and their differences see the How Auth Works guide.
When the user sends a message to the app, a consent form will pop up. This will ask the user to consent to the `User.ReadBasic.All` Microsoft Graph scope.
Note
The `atk.oauth` configuration explicitly requests the `User.ReadBasic.All` permission. It is possible to request other permissions by modifying the App Registration for the bot on Azure.
Once the user signs in and grants the app access, they will be redirected back to the Teams client and the app will send back the user's information as retrieved from the graph client.
The user can then sign out by sending the `signout` command to the app.