Authentication in Teams

Note

Web-based authentication on mobile clients requires version 1.4.1 or later of the Teams JavaScript SDK.

For your app to access user information protected by Azure Active Directory, or data from other services such as Facebook and Twitter, it must establish a trusted connection with those providers. If your app needs to use Microsoft Graph APIs in the user scope, you'll also need to authenticate the user to retrieve the appropriate authentication tokens.

In Microsoft Teams, there are two different authentication flows your app can use. You can perform a traditional web-based authentication flow in a content page embedded in a tab, a configuration page, or a task module. If your app contains a conversational bot, you can use the OAuthPrompt flow (and optionally the Azure Bot Framework's token service) to authenticate a user as part of a conversation.

Web-based authentication flow

You'll need to use the web-based authentication flow for tabs, and can choose to use it with conversational bots or messaging extensions. You'll use the Microsoft Teams JavaScript client SDK in a web content page to enable authentication, then embed that content page in a tab, a configuration page, or a task module. If you want to use the web-based authentication flow with a conversational bot, you'll need to use a task module with a bot.
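An added example of the web-based flow's pages (not code from this page or from Microsoft's samples), showing the OAuth `state` check the pop-up's callback page should make before it reports success to the tab. It assumes the v1 SDK calls `authentication.authenticate`, `notifySuccess` and `notifyFailure`; the storage key, the `cfg` fields and the failure reason strings are hypothetical.

```javascript
// Added example, not Microsoft sample code. `teams` stands for the SDK's
// `microsoftTeams` object; it is a parameter so a stub can be passed in tests.
const STATE_KEY = "auth.state"; // hypothetical storage key

// 128-bit random state, hex-encoded (Web Crypto, available in the content page).
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Tab content page: open the auth pop-up through the SDK.
function startAuth(teams, startUrl) {
  return new Promise((resolve, reject) => {
    teams.authentication.authenticate({
      url: startUrl, width: 600, height: 535,
      successCallback: resolve, failureCallback: reject,
    });
  });
}

// Pop-up start page: remember the state, then build the provider redirect URL.
function buildAuthorizeUrl(cfg, storage, state = newState()) {
  storage.setItem(STATE_KEY, state);
  const q = new URLSearchParams({
    client_id: cfg.clientId, response_type: "code",
    redirect_uri: cfg.redirectUri, scope: cfg.scope, state,
  });
  return `${cfg.authorizeEndpoint}?${q}`;
}

function fail(teams, reason) {
  teams.authentication.notifyFailure(reason);
  return reason;
}

// Pop-up end page: accept the provider's response only if the state matches.
function finishAuth(teams, storage, queryString) {
  const p = new URLSearchParams(queryString);
  const expected = storage.getItem(STATE_KEY);
  storage.removeItem(STATE_KEY); // single use: a replayed response fails
  if (p.get("error")) return fail(teams, p.get("error"));
  if (!expected || p.get("state") !== expected) return fail(teams, "StateMismatch");
  if (!p.get("code")) return fail(teams, "MissingCode");
  teams.authentication.notifySuccess(p.get("code")); // assumption: opener forwards it to the back end
  return "success";
}
```

In a real page, `storage` would be `localStorage` and `queryString` would be `window.location.search`.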

The OAuthPrompt flow for conversational bots

The Azure Bot Framework’s OAuthPrompt makes authentication easier for apps using conversational bots. You can take advantage of Azure Bot Framework's token service to assist with token caching as well.

For more information on using the OAuthPrompt see:

Configure your identity provider

Regardless of which authentication flow your app is using (you might even be using both), you'll need to configure your identity provider to communicate with your Teams app. Most of the samples and walkthroughs you'll find here use Azure Active Directory as the identity provider. The concepts, however, apply regardless of which identity provider you use.

For more information, see configuring an identity provider.