Microsoft Teams provides single sign-on (SSO) function for an app to obtain signed in Teams user token to access Microsoft Graph and other APIs. Microsoft Teams Toolkit streamlines the process by incorporating certain Microsoft Entra workflows and integrations into straightforward, high-level APIs. As a result, you can effortlessly incorporate SSO capabilities into your Teams app. For more information, see authenticate users in Microsoft Teams.
Key configurations
To enable SSO, configure your Teams app as follows:
Microsoft Entra app manifest: Ensure to define URIs, including the URI that identifies the Microsoft Entra authentication app and the redirect URI that returns the token.
Teams app manifest: Connect your SSO app to your Teams app by incorporating the correct configuration.
Teams Toolkit configuration and infra files: Ensure the necessary configurations are in place to enable SSO for your Teams app.
SSO app information in Teams Toolkit configuration files: Ensure the authentication app registers on the backend service and Teams Toolkit initiates it during the debugging or previewing of the Teams app.
Download the Microsoft Entra app manifest template.
Add the downloaded app manifest template code to ./aad.manifest.json file. This allows you to customize different aspects of your app registration and update the manifest as required. For more information, see app manifest.
Update Teams app manifest
In the ./appPackages/manifest.json file, add the following code:
webApplicationInfo provides your Microsoft Entra App ID and Microsoft Graph information to assist users sign in to your app.
Note
You can use {{ENV_NAME}} to reference variables in env/.env.{TEAMSFX_ENV} file.
Update Teams Toolkit configuration files
Locate your Teams Toolkit configuration files, such as ./teamsapp.yml and ./teamsapp.local.yml. Update the required configurations related to Microsoft Entra in these files.
Add the aadApp/create action under provision in ./teamsapp.yml and ./teamsapp.local.yml to create new Microsoft Entra app used for SSO:
Update the manifestPath value to the relative path of the Microsoft Entra app manifest template aad.manifest.json, if you've changed the file's path.
In a local setup, position the aad/update after the file/createOrUpdateEnvironmentFile action. This is required because aad/update uses the output from file/createOrUpdateEnvironmentFile.
For a React project, update cli/runNpmCommand under deploy.
If you're building a tab app using the React framework in CLI, find the cli/runNpmCommand action with build app in the teamsapp.yml file and add the following environment variables:
If you're building a tab app with React framework, find the file/createOrUpdateEnvironmentFile action for deployment in teamsapp.local.yml file and add the following environment variables:
Move the auth-start.html and auth-end.html files from the auth/public folder to the public/ folder. These HTML files serve the purpose of handling authentication redirects.
Move sso folder under auth/ to src/sso/.
InitTeamsFx: This file executes a function that initializes the TeamsFx SDK. After the SDK initialization, it opens the GetUserProfile component.
GetUserProfile: This file executes a function to retrieve user information by invoking the Microsoft Graph API.
Download the Microsoft Entra app manifest template.
Add the downloaded app manifest template code to ./aad.manifest.json file. This allows you to customize different aspects of your app registration and update the manifest as required. For more information, see app manifest.
Update Teams app manifest
In the ./appPackages/manifest.json file, add the following code:
webApplicationInfo provides your Microsoft Entra App ID and Microsoft Graph information to assist users sign in to your app.
Note
You can use {{ENV_NAME}} to reference variables in env/.env.{TEAMSFX_ENV} file.
Register one or more commands in commandLists.
The commandLists includes commands that your bot can suggest to users. If you're using the teamsFx bot template, set the following values:
{
"title": "profile",
"description": "Show user profile using Single Sign On feature"
}
The validDomains field includes the domains for websites that the app loads within the Teams client. Update the following value:
"validDomains": [
"${{BOT_DOMAIN}}"
]
Update Teams Toolkit configuration files
Locate your Teams Toolkit configuration files, such as ./teamsapp.yml and ./teamsapp.local.yml. Update necessary configurations related to Microsoft Entra in these files.
Add the following code aadApp/create under provision in ./teamsapp.yml and ./teamsapp.local.yml to create new Microsoft Entra apps used for SSO:
Move the files located in the auth/sso folder to src. The ProfileSsoCommandHandler class serves as an SSO command handler, designed to retrieve user information using an SSO token. You can adopt this method to develop your own SSO command handler.
Move the auth/public folder to src/public. This folder contains HTML pages for the bot app. On initiating SSO flows with Microsoft Entra, the user is redirected to these pages.
Run the following command in ./ folder:
npm install copyfiles --save-dev
Update the following command in package.json file:
Update commandApp.requestHandler to ensure auth works with the following code:
await commandApp.requestHandler(req, res).catch((err) => {
// Error message including "412" means it is waiting for user's consent, which is a normal process of SSO, sholdn't throw this error.
if (!err.message.includes("412")) {
throw err;
}
});
Add ssoConfig and ssoCommands in ConversationBot in src/internal/initialize:
import { ProfileSsoCommandHandler } from "../profileSsoCommandHandler";
export const commandBot = new ConversationBot({
...
// To learn more about ssoConfig, please refer teamsfx sdk document: https://docs.microsoft.com/microsoftteams/platform/toolkit/teamsfx-sdk
ssoConfig: {
aad :{
scopes:["User.Read"],
},
},
command: {
enabled: true,
commands: [new HelloWorldCommandHandler() ],
ssoCommands: [new ProfileSsoCommandHandler()],
},
});
Implement the API key handleMessageExtensionQueryWithSSO in TeamsActivityHandler.handleTeamsMessagingExtensionQuery. For more information, see SSO for message extensions.
Move the auth/public folder to src/public. This folder contains HTML pages for the bot app. On initiating SSO flows with Microsoft Entra, the user is redirected to these pages.
Update your src/index file to add the appropriate restify:
const path = require("path");
// Listen for incoming requests.
server.post("/api/messages", async (req, res) => {
await adapter.process(req, res, async (context) => {
await bot.run(context);
}).catch((err) => {
// Error message including "412" means it is waiting for user's consent, which is a normal process of SSO, sholdn't throw this error.
if(!err.message.includes("412")) {
throw err;
}
})
});
server.get(
"/auth-:name(start|end).html",
restify.plugins.serveStatic({
directory: path.join(__dirname, "public"),
})
);
Run the following commands under ./ folder:
npm install @microsoft/teamsfx
npm install isomorphic-fetch
Implement the API key handleMessageExtensionQueryWithSSO in TeamsActivityHandler.handleTeamsMessagingExtensionQuery.
Install copyfiles npm packages in your TypeScript bot project and update the build script in src/package.json file as follows:
To debug your app, select the F5 key. Teams Toolkit uses the Microsoft Entra manifest to register an SSO-enabled app. For more information, see debug your Teams app locally.
Customize Microsoft Entra apps
Teams app manifest enables you to customize different aspects of your app registration. You can update the manifest as required.