I want to create a Microsoft Teams messenger bot. To do this:
(1) I've created a separate Azure (AAD) app through portal.azure.com to create a flow to get an access token from the Teams admin, to access information about the tenant we install the app in, and to proactively install my app.
(2) I've also created a separate Microsoft Teams app through the Teams Developer Portal (dev.teams.microsoft.com) and included the ID from the Azure app in its settings:
screenshot
However when I try to proactively install the Teams bot from (2) using the Graph API with access token from (1), I get this error message:
{
"error": {
"code": "Forbidden",
"message": "AAD App Id '5f18a460-4e3b-4833-acac-9a6281e964d7' is not allowed to manage the Teams App '8782dd91-2afe-45e9-8906-858553f7675c'.",
"innerError": {
"date": "2021-09-12T21:19:56",
"request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1",
"client-request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1"
}
}
}
What am I doing wrong? Did I need to create the Teams app through the Azure portal instead of through the Teams developer portal for my Azure app to have access to install the Teams app for a user? If so how can I do that?
thanks!
• The procedure that you have followed to create a Teams messenger bot is not recommended and is a roundabout way compared with creating the bot using the Microsoft Teams Developer Portal and then deploying it to the Azure portal for availability to all.
• Since the procedure that you are following requires a token to be retrieved from Azure AD for authentication to the Teams bot app and then passed to the Teams app for logging in with the AAD credentials, the token flow happens over the public internet, where no tunnel is provided between Teams and the bot app, due to which the token information might not be redirected to the Teams app.
• Also, when you are using the second method, in which you use the Microsoft Teams Developer Portal to develop a bot app in Teams and refer to the ID of the application created in Azure in the code, there might be a conflict: an Azure AD application for the bot app you created may already have been created in the M365 tenant for provisioning and deployment purposes at the time you signed up for the Microsoft Teams Developer Portal, due to which the app created and hosted by you may not be able to establish a connection to the Azure app you created or the one already created/linked in Azure.
• When you create an app in Microsoft Teams, the app manifest is submitted to the Teams developer center for publishing and code integrity violation checks, after which a communication tunnel based on public URLs is created between Teams and the bot app code, which in your case does not seem to happen. Thus the issue.
Please find the links below for more information:
https://learn.microsoft.com/en-us/microsoftteams/platform/get-started/first-app-bot?tabs=vscode
https://learn.microsoft.com/en-us/microsoftteams/admin-settings
Related
I used "Teams Toolkit [Preview]" in VS2019 to develop an MS Teams bot. If I registered my bot via https://dev.botframework.com/bots/new, I could test it from the MS Teams UI without problems. However, when I registered the bot from Azure Bot Service using an existing Azure AD application which I created separately, I see a "401 unauthorized" error message in my ngrok screen and the MS Teams bot didn't work. Previously I used "Bot Channel Registration" from Azure, and it worked fine. As "Azure Bot" replaced "Bot Channel Registration" and "Azure Web Bot", I am trying to figure out why "Azure Bot" didn't work. Can anyone share the latest instructions on how to use Azure Bot to create an MS Teams bot?
The steps to create a Teams bot are essentially the same; it's just that Bot Framework Registration has been replaced by Azure Bot. The Azure Bot resource should still have all of the same Configuration and Channel registration options available.
You might find the Teams conversation bot sample helpful. Just remember that on step 4, you'll create an Azure Bot resource instead of a Bot Framework Registration resource.
You might also check for common pitfalls, such as forgetting to add /api/messages in the configuration in Azure, pointing ngrok to the wrong port, or typos in the appId or other credentials in the bot settings or Teams manifest. These easy-to-make mistakes can usually cause those errors.
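As an added example (not code from the answer above or from the Bot Framework samples), here is a small Python script that cross-checks the three places where the same identifiers have to agree: the Azure Bot resource's app ID and messaging endpoint, the bot's appsettings.json, and the Teams manifest. The key names follow the Bot Framework SDK settings file (MicrosoftAppId, MicrosoftAppPassword) and the Teams manifest schema (bots[].botId, webApplicationInfo.id); the Azure Bot dict uses the resource's msaAppId and endpoint properties. The sample documents are constructed and plant two of the pitfalls named above (an endpoint without /api/messages and a one-digit typo in the manifest botId). The ngrok port mismatch is not visible in these files and is not checked.

```python
import re
from urllib.parse import urlparse

# Azure app IDs are GUIDs; anything else is a copy/paste error.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def check_bot_config(azure_bot: dict, appsettings: dict, teams_manifest: dict) -> list:
    """Return a list of findings; an empty list means the three documents agree.

    azure_bot      -> {"msaAppId": ..., "endpoint": ...}   (Azure Bot resource)
    appsettings    -> {"MicrosoftAppId": ..., "MicrosoftAppPassword": ...}
    teams_manifest -> parsed Teams manifest.json
    """
    findings = []
    app_id = azure_bot.get("msaAppId", "")
    if not GUID_RE.match(app_id):
        findings.append(f"Azure Bot msaAppId is not a GUID: {app_id!r}")

    # 1. Messaging endpoint: must be https and route to the SDK's /api/messages handler.
    endpoint = azure_bot.get("endpoint", "")
    parsed = urlparse(endpoint)
    if parsed.scheme != "https":
        findings.append(f"messaging endpoint is not https: {endpoint!r}")
    if not parsed.path.rstrip("/").endswith("/api/messages"):
        findings.append(f"messaging endpoint does not end with /api/messages: {endpoint!r}")

    # 2. The bot process must present the same app ID (and a password) to the connector.
    if appsettings.get("MicrosoftAppId", "").lower() != app_id.lower():
        findings.append("appsettings MicrosoftAppId differs from Azure Bot msaAppId")
    if not appsettings.get("MicrosoftAppPassword"):
        findings.append("appsettings MicrosoftAppPassword is empty")

    # 3. Every bot entry in the Teams manifest must reference that same app ID.
    for bot in teams_manifest.get("bots", []):
        bot_id = bot.get("botId", "")
        if bot_id.lower() != app_id.lower():
            findings.append(f"Teams manifest botId {bot_id!r} differs from Azure Bot msaAppId")

    # 4. webApplicationInfo.id (used for SSO) must match as well when present.
    web_info = teams_manifest.get("webApplicationInfo")
    if web_info is not None and web_info.get("id", "").lower() != app_id.lower():
        findings.append("Teams manifest webApplicationInfo.id differs from Azure Bot msaAppId")
    return findings


# Constructed sample documents (not real identifiers). Two mistakes are planted:
# the endpoint lacks /api/messages and the manifest botId has a one-digit typo.
APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_AZURE_BOT = {"msaAppId": APP_ID, "endpoint": "https://example.ngrok.io"}
SAMPLE_APPSETTINGS = {"MicrosoftAppId": APP_ID, "MicrosoftAppPassword": "<placeholder>"}
SAMPLE_TEAMS_MANIFEST = {
    "id": APP_ID,
    "bots": [{"botId": "11111111-2222-3333-4444-555555555556", "scopes": ["personal", "team"]}],
}


def run_sample() -> list:
    return check_bot_config(SAMPLE_AZURE_BOT, SAMPLE_APPSETTINGS, SAMPLE_TEAMS_MANIFEST)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

Run it against the real files (json.load each one) before opening a support case; a 401 from the connector with an empty findings list points at the credentials themselves (a rotated or expired client secret) rather than at a wiring mistake.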
I have my website integrated with Live SDK applications to allow customers to login to their MSN, Hotmail, Outlook, etc. email accounts and invite friends to my website by reading the contacts. This used to work properly but now it's not working anymore.
When I use the App ID / Client ID from the old Application Registration Portal (https://apps.dev.microsoft.com) I get the following message when I try to login using my Microsoft account.
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
I see from the Application Registration Portal that I can now use Azure to manage my App Registrations, so I basically set up the same app under Azure with the following criteria.
Authentication: Selected Web and setup the same Redirect URI I was using previously when this was working.
API Permissions: I added "Microsoft Graph" with email, Contacts.Read, openid, profile, and User.Read.
And when I try to login to my Microsoft account using my Azure app Client ID / App ID I get the following message.
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Should I try making this work using Azure instead of Application Registration Portal credentials? If so, why is it saying "unauthorized_client" when I try to login?
Thank you!
Register your Azure AD app as Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
I am trying to deploy my Azure Bot Service but I am kinda struggling to understand what the Microsoft app ID and password are used for. Can someone explain these terms to me?
I was trying to find the answers online but unsuccessfully.
Thank you for any help.
This is the identity of the Bot Service.
You will notice in the App registrations of Azure Active Directory (AAD) that your Bot Service is in there. This is to give you the ability to Authenticate, Authorize and Audit (AAA) the Bot Service.
For example, you may want to provide access for your Bot Service to other services in your subscription, or other subscriptions also using the same AAD.
And so, the app has a set of credentials which it can use. The concept is similar to Managed Service Accounts in Windows Server.
The Microsoft app ID and Password are used to register the bot with the Azure Bot Service.
After you register it, those credentials will be used by the bot connector to authenticate the calls to your Bot's service and allow you to configure the bot with the different available channels.
Bot security is configured by the Microsoft App ID and Microsoft App Password that you obtain when you register your bot with the Bot Framework. These values are typically specified within the bot's configuration file and used to retrieve access tokens from the Microsoft Account service.
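To make the last paragraph concrete, here is an added Python example (not from the answers above and not the SDK's own code) of the claim checks a bot's /api/messages endpoint performs on the bearer token the connector sends with each activity: the token's audience must be the bot's Microsoft App ID, the issuer must be https://api.botframework.com, the token must be inside its validity window, and the serviceUrl claim must match the activity's serviceUrl. The sample token is constructed and HS256-signed with a throwaway key only so the script runs offline; real connector tokens are RS256-signed with the keys published at https://login.botframework.com/v1/.well-known/openidconfiguration, and in production the signature must be verified against those keys with a JWT library (the SDK's authentication middleware does this for you). The app ID, service URL and key below are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

BOT_FRAMEWORK_ISSUER = "https://api.botframework.com"
CLOCK_SKEW_SECONDS = 300  # tolerance applied to exp/nbf


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, demo_key: bytes) -> str:
    """Build a constructed HS256 JWT for the offline demo only (real tokens are RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(demo_key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_connector_token(token: str, microsoft_app_id: str, activity_service_url: str,
                             demo_key: bytes, now: float = None) -> dict:
    """Return the token's claims if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: never let the token choose (rejects 'none' and key confusion).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(demo_key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != BOT_FRAMEWORK_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    # The audience is the bot's Microsoft App ID: a token minted for another bot is rejected.
    if claims.get("aud") != microsoft_app_id:
        raise ValueError("token audience is not this bot's Microsoft App ID")
    if claims.get("nbf", 0) > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token not yet valid")
    if claims.get("exp", 0) < now - CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    # serviceUrl binds the token to the channel endpoint the activity claims to come from.
    if claims.get("serviceUrl") != activity_service_url:
        raise ValueError("serviceUrl claim does not match the activity's serviceUrl")
    return claims


# Constructed values for the demo (not real identifiers or keys).
DEMO_APP_ID = "11111111-2222-3333-4444-555555555555"
DEMO_SERVICE_URL = "https://smba.trafficmanager.net/emea/"
DEMO_KEY = b"offline-demo-key-not-a-real-secret"
DEMO_NOW = 1_700_000_000


def demo_claims(aud: str = DEMO_APP_ID) -> dict:
    return {"iss": BOT_FRAMEWORK_ISSUER, "aud": aud, "serviceUrl": DEMO_SERVICE_URL,
            "nbf": DEMO_NOW - 60, "exp": DEMO_NOW + 3600}


if __name__ == "__main__":
    tok = make_demo_token(demo_claims(), DEMO_KEY)
    print(validate_connector_token(tok, DEMO_APP_ID, DEMO_SERVICE_URL, DEMO_KEY, now=DEMO_NOW))
```

The audience check is the reason a wrong or mistyped Microsoft App ID in the bot's settings shows up as a 401: the connector mints a token whose aud is the app ID registered on the Azure Bot resource, and a bot configured with a different ID rejects every call.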
We just moved to Azure Portal and I created a Xamarin cross-platform app that gets authenticated via MSAL.
When I was building the app, it was registered on https://apps.dev.microsoft.com/, and the user was getting authenticated without any problems.
After testing, I registered it on our Azure Portal under app registration, gave it the required permissions as before, and updated the app ID in the code.
Now, I can't even go past my email page. I keep getting the message: "It looks like you're trying to open this resource with an app that hasn't been approved by your IT dept", even though the admin granted the permissions to the app. Not sure where to go from here. Any help appreciated.
Thanks in advance
When I was building the app, it was registered on https://apps.dev.microsoft.com/, and the user was getting authenticated without any problems.
apps.dev.microsoft.com is used to register the application for Azure AD v2.0, and you could leverage MSAL for authenticating users by using AD account or personal Microsoft account.
For the application registered on Azure portal, you need to use the ADAL library. Detailed tutorial about integrating Azure AD (v1.0) with your xamarin apps, you could follow here.
UPDATE:
Based on your scenario, for using MS graph via ADAL, you could create an app under your tenant and add the required delegated permissions to the Microsoft Graph API. The AcquireTokenAsync method would look as follows:
var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", clientId, returnUri, parent);
Moreover, for differences between app-only and delegated scopes permissions, you could follow here. Also, you could check differences between Microsoft Graph or Azure AD Graph.
We have an Azure resource app whose APIs we want to expose for access by a client app on Azure. The two apps are on different tenants. The users accessing the APIs (Office 365 account holders) are on different tenants.
The whole set up works when we manually provision a service principal on the tenant that is trying to authenticate from the client app against the resource app. By that I mean they are able to log in using their Office 365 account and are shown the consent screen.
If we do not provision a service principal on the AAD tenant of the user trying to authenticate, we get this error:
AADSTS65005 - The app needs access to a service <service> that your organization org.onmicrosoft.com has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
It is not feasible for us to provision a service principal on every tenant that is accessing our app (resource app). Is there something we are missing? Are we using the right flow?
You can find help for your scenario here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent. (Scroll down to Multiple tiers in multiple tenants)
In the case of an API built by an organization other than Microsoft, the developer of the API needs to provide a way for their customers to consent the application into their customers' tenants.
The recommended design is for the 3rd party developer to build the API such that it can also function as a web client to implement sign-up:
• Follow the earlier sections to ensure the API implements the multi-tenant application registration/code requirements
• In addition to exposing the API's scopes/roles, ensure the registration includes the "Sign in and read user profile" Azure AD permission (provided by default)
• Implement a sign-in/sign-up page in the web client, following the admin consent guidance discussed earlier
• Once the user consents to the application, the service principal and consent delegation links are created in their tenant, and the native application can get tokens for the API
Basically, all of the parts that your app needs must be present as service principals in the customer's tenant. This is a requirement of AAD.
The only way for that to happen is for an admin to go through consent for the API and app separately, since they are registered in different tenants.
If they were registered in the same tenant, you could use the knownClientApplications property in the manifest to allow consenting to both at the same time.
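As an added example (not from the answer above or from the linked documentation), here is Python that implements the sign-up step in the quoted design: the API's web client builds the admin consent link a customer tenant's admin follows, and validates the redirect that comes back before recording the tenant as onboarded. Consent through that link is what creates the API's service principal in the customer's tenant, so the AADSTS65005 error stops appearing without anyone provisioning the principal by hand. The client ID and redirect URI are placeholders; the endpoint and the admin_consent, tenant, state, error and error_description query parameters are those of the Microsoft identity platform v2.0 admin consent endpoint. The state check is what stops a forged callback from marking an arbitrary tenant as consented.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(client_id: str, redirect_uri: str, scopes: list,
                            state: str, tenant: str = "organizations") -> str:
    """Admin consent link for the v2.0 endpoint.

    'organizations' lets the admin of any work/school tenant consent; pass a tenant ID
    instead when the sign-up page already knows which tenant is onboarding. The
    redirect_uri must be one registered on the app, or the endpoint refuses the request.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from the admin consent endpoint and return the tenant ID."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    # state is a per-session random value stored server-side before the redirect;
    # compare it in constant time and refuse anything that does not match.
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"admin consent failed: {query['error'][0]}: {desc}")
    if query.get("admin_consent", [""])[0].lower() != "true":
        raise ValueError("callback does not carry admin_consent=True")
    tenant = query.get("tenant", [""])[0]
    if not tenant:
        raise ValueError("callback does not carry the consenting tenant ID")
    return tenant


def new_state() -> str:
    """Unguessable per-request state; persist it against the session before redirecting."""
    return secrets.token_urlsafe(32)


# Placeholder registration values for the demo (not real identifiers).
DEMO_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
DEMO_REDIRECT = "https://api.example.com/signup/callback"
# "Sign in and read user profile" plus the OIDC basics, as the quoted guidance requires.
DEMO_SCOPES = ["openid", "profile", "https://graph.microsoft.com/User.Read"]


if __name__ == "__main__":
    state = new_state()
    print(build_admin_consent_url(DEMO_CLIENT_ID, DEMO_REDIRECT, DEMO_SCOPES, state))
    # Constructed example of the redirect Azure AD sends after the admin accepts:
    ok = f"{DEMO_REDIRECT}?admin_consent=True&tenant=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&state={state}"
    print("onboarded tenant:", parse_admin_consent_callback(ok, state))
```

Store the tenant ID returned by parse_admin_consent_callback as the source of truth for "this tenant has consented"; do not trust the tid in a later token alone, since a user from an unconsented tenant can still obtain a sign-in token for a multi-tenant app before the API's service principal exists there.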
In my case, I am exposing my own API and trying to access this API from my other application (client credentials mode). I removed the default permission on both of the apps (consuming app and API app), "Azure Active Directory Graph -> User.Read", since I thought I didn't need that, but that caused this problem: "The app needs access to a service .... that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions."
I got the clue from the answer of #juunas - point 2. Thx Juunas