AshishSood-7525 asked AshishSood-7525 commented

How to add SSO to an Azure bot on Microsoft Teams

Followed steps documented to enable bot sso

  1. Created a bot.

  2. Added Microsoft Teams under Channels.

  3. Under Configuration added the messaging endpoint. e.g. (

  4. Generated a client secret for the Microsoft app id.

  5. Added "" as the Redirect URI for Web platform under Authentication for my Microsoft App.

  6. Under API Permissions for my Microsoft App added "email offline_access openid profile". "User.Read" was available by default.

  7. Under Expose an API added "api://botid-{Microsoft app id}". Added scope "access_as_user". Added web (1fec8e78-bce4-4aaf-ab1b-5451cc387264) and desktop (5e3ce6c0-2b1f-4285-8d4b-75ee78787346) client applications.

  8. In the Manifest file for my Microsoft app updated "accessTokenAcceptedVersion": 2.

  9. For my bot added an OAuth Connection as below

  10. Created an app on Microsoft Teams and associated my Microsoft App Id as the bot id. Attached is the manifest for my Microsoft Teams app.

When I install this app to Microsoft Teams the bot is shown in the chat tab which is expected. Further the document says as a 1st step
"The bot sends a message with an OAuthCard that contains the tokenExchangeResource property.". How can I achieve this?

When I type "Hi" for the very 1st time on the bot I receive the below JSON at my messaging endpoint

{"text":"hi","textFormat":"plain","attachments":[{"contentType":"text/html","content":"<div>hi</div>"}],"type":"message","timestamp":"2021-10-05T18:27:21.5454867Z","localTimestamp":"2021-10-05T23:57:21.5454867+05:30","id":"1633458441515","channelId":"msteams","serviceUrl":"","from":{"id":"29:1kR5UGDG5iTFhsVadKAadeYuzsLEhMYK_YFxb7_Y62nAilJVLIMiPtC8oLrGGyK7wZTaFc8-jlVxJq3q0bpoBMw","name":"Ashish Sood","aadObjectId":"3836*be046"},"conversation":{"conversationType":"personal","tenantId":"1734bb8ecf","id":"a:1xMOdsbv02hfl2J4GUGA7-WemaLGCOxFlzsSNcQ9StjIMAAKn64tJ0zxKk25b02NMTl3rc7nbNffMZGXVYfraNIDKnptC01oeLRv7Ngh2WMCyOrmBT2KaDleQXSU2s4MY"},"recipient":{"id":"28:18c902b9","name":"NOW_Virtual_Agent_SSO_Bot"},"entities":[{"locale":"en-GB","country":"GB","platform":"Mac","timezone":"Asia/Calcutta","type":"clientInfo"}],"channelData":{"tenant":{"id":"1734****b8ecf"}},"locale":"en-GB","localTimezone":"Asia/Calcutta"}

How do I use this JSON to complete the 6 steps mentioned at


Adding the Microsoft Teams app manifest.json

manifestjson.txt (1.3 KiB)


As we are mainly responsible for general questions about Microsoft Teams, your question related to the Azure bot is not supported by us. I will change the office-teams-windows-itpro tag to the office-teams-app-dev tag. Someone checking that tag will give you more insight. Thanks for your patience and understanding.


@AshishSood-7525 I think the detailed steps are mentioned in the next section of this documentation. It has a sample bot with the tokenExchange helper file.
You can try all the steps with the sample bot to achieve the SSO authentication scenario with a Teams bot.


@romungi-MSFT Thanks for the reply. Below is my issue

  1. All the demos and sample code are either in C# or JavaScript (Node.js) or DotNetCore and are using the Bot Builder frame SDK.

  2. We have an already running bot to which we need to add SSO capability. All demos and sample code either create a bot and the app using Visual Studio or Yeoman generator and then add Bot Builder as a dependency using npm. That's not my case.

  3. I created the bot on Azure portal under Bot Services->AzureBot. Configured the AAD app backing the bot under App Registrations. Finally created the MS Teams app using the App Studio feature within MS Teams and attached my bot to this MS Teams app from there.

  4. Further, in my scenario I have my activity endpoint, i.e. /api/messages, defined in a proxy server which is programmed in the Lua programming language. The demos use ngrok, which is always pointing to their local server.

  5. Is there a way where, instead of depending upon the Bot Builder SDK, I have an API way of completing the SSO flow for my bot? For e.g. currently I use the below 3 APIs to complete my OAuth flow

  6. What I am looking for is a way that, when my activity endpoint receives a 'Hi' or 'Hello' message for the very 1st time, I can create a JSON which contains the OAuth Card with the 'tokenExchangeResource' property defined.


0 Answers
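
For the last comment's question (building the OAuthCard reply as plain JSON, without the Bot Builder SDK), here is an added example that is not part of the thread or of Microsoft's samples. The field names follow the Bot Framework activity schema; `APP_ID`, `CONNECTION`, the sample activity, `exchangeId` and `signInLink` are placeholders or constructed values, and using the "Expose an API" URI from step 7 as the `tokenExchangeResource` URI is an assumption.

```javascript
// Added example, not Bot Framework SDK code. APP_ID and CONNECTION are placeholders.
const APP_ID = "00000000-0000-0000-0000-000000000000";
const CONNECTION = "my-sso-connection"; // hypothetical OAuth connection name

// Constructed, shortened stand-in for the inbound "hi" activity shown above.
const SAMPLE_INBOUND = {
  type: "message", id: "1633458441515", channelId: "msteams", text: "hi",
  from: { id: "29:user-constructed", name: "Example User" },
  recipient: { id: "28:bot-constructed", name: "Example Bot" },
  conversation: { conversationType: "personal", id: "a:conv-constructed" },
};

// Reply with an OAuthCard; exchangeId (random per card) and signInLink come from the caller.
function buildOAuthCardReply(inbound, exchangeId, signInLink) {
  return {
    type: "message",
    from: inbound.recipient, // the bot
    recipient: inbound.from, // the user
    conversation: inbound.conversation,
    replyToId: inbound.id,
    attachments: [{
      contentType: "application/vnd.microsoft.card.oauth",
      content: {
        text: "Sign in",
        connectionName: CONNECTION,
        tokenExchangeResource: { id: exchangeId, uri: `api://botid-${APP_ID}` },
        buttons: [{ type: "signin", title: "Sign in", value: signInLink }],
      },
    }],
  };
}

// Path, relative to the inbound activity's serviceUrl, that the reply is POSTed to.
function replyPath(inbound) {
  return `/v3/conversations/${encodeURIComponent(inbound.conversation.id)}` +
    `/activities/${encodeURIComponent(inbound.id)}`;
}

// Teams answers the card with an invoke named "signin/tokenExchange". Accept the
// token only when it answers the card this bot sent to this user.
function checkTokenExchangeInvoke(invoke, sentCard, expectedUserId) {
  const v = invoke.value || {};
  if (invoke.type !== "invoke" || invoke.name !== "signin/tokenExchange") return { ok: false, reason: "not a token exchange" };
  if (!invoke.from || invoke.from.id !== expectedUserId) return { ok: false, reason: "unexpected sender" };
  if (v.id !== sentCard.tokenExchangeResource.id) return { ok: false, reason: "unknown exchange id" };
  if (v.connectionName !== sentCard.connectionName) return { ok: false, reason: "wrong connection" };
  if (typeof v.token !== "string" || v.token === "") return { ok: false, reason: "missing token" };
  return { ok: true, token: v.token };
}
```

The token returned by `checkTokenExchangeInvoke` has only passed a shape and correlation check; it still has to be validated or exchanged server-side before it is trusted.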