Teams SSO flow for multiple Entra apps #435

Description

@jkshan

I am developing a Teams bot using the Microsoft Agents SDK. For security and least-privilege principles, we are using two separate Entra ID (Azure AD) app registrations:

Bot App Registration: Handles the bot's identity and authentication in Teams.
Graph App Registration: Handles Microsoft Graph API operations (e.g., reading user profiles, sending messages, etc.).
Configuration Steps Taken:

OAuth Connection in Azure Bot Service:

Configured the OAuth connection in Azure Bot Service with the Graph App's Client ID and Secret.
Enabled SSO (Single Sign-On) for the bot.

Graph App Registration:

Added the required delegated permissions (e.g., User.Read, Chat.ReadWrite).
Granted admin consent for all permissions at the tenant level (Global Admin confirmed this).
Added the Bot App Registration's Client ID as an Authorized Client Application in the Graph App Registration (under Expose an API → Authorized client applications).

Token Exchange Flow:

The bot receives a user token via SSO (from the Bot App Registration).
The bot attempts to exchange this token for a Graph token (for the Graph App Registration) using the On-Behalf-Of (OBO) flow.

Issue:
Despite the above configuration, a user consent card is still displayed during the token exchange step, even though:

Admin consent is granted for the Graph App Registration.
The Bot App Registration is listed as an Authorized Client Application in the Graph App Registration.
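As an added example (not code from this issue, the reporter, or the Microsoft Agents SDK), the following Python script shows the two things a practitioner would want in hand before debugging this flow: an offline check of the SSO token the bot receives against the preconditions the On-Behalf-Of exchange depends on, and the exact form body the v2.0 token endpoint expects for the OBO grant. The audience check reflects a documented requirement of the OBO flow: the assertion must have been issued for the application that performs the exchange, so its `aud` must be that app's client ID or Application ID URI. All app IDs, the tenant ID, the Application ID URI, the fixed clock and both tokens are constructed placeholders, and `decode_claims` deliberately skips signature validation because it is a diagnostic, not something to trust in a bot.

```python
"""Offline diagnostics for a Teams SSO token before an On-Behalf-Of (OBO) exchange.

Added example: not code from this issue or from the Microsoft Agents SDK.
Every identifier below is a constructed placeholder.
"""
import base64
import json
import time

# Constructed placeholder identifiers (hypothetical, not real registrations).
BOT_APP_ID = "11111111-1111-1111-1111-111111111111"      # Bot App Registration
GRAPH_APP_ID = "22222222-2222-2222-2222-222222222222"    # Graph App Registration
TENANT_ID = "33333333-3333-3333-3333-333333333333"
GRAPH_APP_ID_URI = f"api://example.com/{GRAPH_APP_ID}"   # hypothetical Application ID URI
EXPOSED_SCOPE = "access_as_user"                         # scope under "Expose an API"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned compact JWT as test input only (dummy signature segment)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT signature validation. Diagnostic use only: a bot
    must validate signature, issuer and audience before trusting a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_obo_preconditions(claims: dict, obo_client_id: str, app_id_uri: str,
                            required_scope: str, tenant_id: str, now: float = None) -> list:
    """Return the reasons an OBO exchange performed as `obo_client_id` would be
    rejected or fall back to consent. An empty list means the assertion looks usable."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    # The assertion must have been issued FOR the app that performs the exchange:
    # its client ID or Application ID URI must be the token audience.
    if aud not in (obo_client_id, app_id_uri):
        problems.append(f"aud={aud!r} is neither {obo_client_id} nor {app_id_uri}; "
                        "the SSO token must be requested for the app that performs OBO")
    scopes = set((claims.get("scp") or "").split())
    if required_scope not in scopes:
        problems.append(f"scp lacks {required_scope!r} (got {sorted(scopes)})")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid={claims.get('tid')!r} is not the expected tenant")
    if float(claims.get("exp", 0)) <= now:
        problems.append("assertion is expired")
    return problems


def build_obo_request(client_id: str, client_secret: str, assertion: str,
                      scopes: list, endpoint: str = TOKEN_ENDPOINT) -> tuple:
    """Form body for the v2.0 token endpoint OBO grant (POST it with any HTTP client)."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": assertion,
        "scope": " ".join(scopes),
    }
    return endpoint, form


def diagnose(token: str, obo_client_id: str = GRAPH_APP_ID) -> list:
    """Decode the SSO token and check it against an OBO exchange done as the Graph app."""
    claims = decode_claims(token)
    return check_obo_preconditions(claims, obo_client_id, GRAPH_APP_ID_URI,
                                   EXPOSED_SCOPE, TENANT_ID, now=NOW)


# Constructed tokens: one issued for the Bot app, one issued for the Graph app.
TOKEN_FOR_BOT_APP = make_constructed_token(
    {"aud": BOT_APP_ID, "scp": EXPOSED_SCOPE, "tid": TENANT_ID, "exp": NOW + 3600})
TOKEN_FOR_GRAPH_APP = make_constructed_token(
    {"aud": GRAPH_APP_ID_URI, "scp": EXPOSED_SCOPE, "tid": TENANT_ID, "exp": NOW + 3600})

if __name__ == "__main__":
    for name, tok in (("bot-app token", TOKEN_FOR_BOT_APP), ("graph-app token", TOKEN_FOR_GRAPH_APP)):
        print(name, "->", diagnose(tok) or "OK for OBO as the Graph app")
    url, body = build_obo_request(GRAPH_APP_ID, "<graph-app-secret>", TOKEN_FOR_GRAPH_APP,
                                  ["https://graph.microsoft.com/User.Read"])
    print(url, {k: (v if k != "assertion" else "<jwt>") for k, v in body.items()})
```

Run the script as-is to see the two diagnoses side by side; to use it against a real token, paste the SSO token into `diagnose` and replace the placeholder IDs with your own, keeping in mind that the decoder does no signature check and should never replace proper validation in the bot.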
