I have a Microsoft Teams app. At this time, the app is in development. I do not want to Submit the App for approval yet. However, I do want to integrate a notification-only bot into my app. Currently, I'm trying to test notifications for this app via this bot. However, I'm stuck.
From my understanding, to post a notification, I need to:
Get an access token
Get a bearer token for my Bot
Start a Conversation
Post a message
Please let me know if I'm wrong in any of this. Either way, I'm stuck on step 1. When attempting to get an access token from https://login.microsoft.com/botframework.com/oauth2/v2.0/token, I receive an error that says:
Application with identifier '{guid}' was not found in the directory 'botframework.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
Since I've installed the app from the Test and Distribute tab using the Install button in the App Studio, I assume this meets the need that I, a user in my tenant, have consented to use the app. However, I guess since I haven't submitted the app to the store, I can't get a token via https://login.microsoft.com/botframework.com/. Is this true? If it is true, is there another endpoint I should be using? How do I get a token for a bot in a Teams App that I am actively developing / testing?
A Microsoft BotFramework Bot always needs to have an App ID and an App Password when securing the connection. This ID and Password are registered in Azure Portal (which will pass the information to botframework.com).
You can test your Bot locally without ID and Password, but when trying to integrate other channels like MS Teams, you will need to configure this ID and Password...
Normally you would do this by passing them to your ICredentialProvider:
services.AddSingleton<ICredentialProvider>(provider => new SimpleCredentialProvider(appId, appPassword));
You do not need to publish your Bot in any way. Just create an App Registration in Azure Portal and use the App ID and Password.
Always remember that a Teams App and a BotFramework Bot have nothing in common. The BotFramework is channel agnostic. Only the MS Teams app knows that there is a Bot with your App ID (configured in manifest.json).
The connection between MS Teams (emea.ng.msg.teams.microsoft.com), BotFramework (token.botframework.com) and your Bot (xxx.azurewebsites.net or even ngrok...) is secured via the App ID and the Password. So never ever tell anyone what your App Password is.
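The flow the question lists, as an added example that is not code from the answer above or from the Bot Framework project: a stdlib-only Python script that requests a bot token with the App ID and password from the Azure App Registration (client-credentials grant against the documented Bot Framework token endpoint) and then creates a conversation and posts the activity through the Connector REST API. The HTTP transport is injectable so the three requests can be inspected offline; serviceUrl, user id and tenant id are placeholders that in practice come from the conversationUpdate the bot received when the user installed the app.

```python
"""Proactive (notification-only) Teams message via the Bot Connector REST API.
Added example, not from the original post. Endpoint and scope are the documented
Bot Framework values; every other value is a constructed placeholder."""
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token"
SCOPE = "https://api.botframework.com/.default"

def auth_headers(token):
    return {"Authorization": "Bearer " + token, "Content-Type": "application/json"}

def token_request(app_id, app_password):
    """Client-credentials body; app_id/app_password come from the App Registration."""
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode({
        "grant_type": "client_credentials", "client_id": app_id,
        "client_secret": app_password, "scope": SCOPE})

def conversation_request(service_url, token, bot_id, user_id, tenant_id):
    """Create a 1:1 conversation; serviceUrl and ids come from the install event."""
    body = {"bot": {"id": "28:" + bot_id}, "members": [{"id": user_id}],
            "tenantId": tenant_id, "channelData": {"tenant": {"id": tenant_id}}}
    return service_url.rstrip("/") + "/v3/conversations", auth_headers(token), json.dumps(body)

def activity_request(service_url, token, conversation_id, text):
    """Post a plain message activity into the conversation created above."""
    url = f"{service_url.rstrip('/')}/v3/conversations/{conversation_id}/activities"
    return url, auth_headers(token), json.dumps({"type": "message", "text": text})

def notify(post, app_id, app_password, service_url, user_id, tenant_id, text):
    """Run the three steps with an injectable post(url, headers, body) -> dict transport."""
    token = post(*token_request(app_id, app_password))["access_token"]
    conv = post(*conversation_request(service_url, token, app_id, user_id, tenant_id))["id"]
    return post(*activity_request(service_url, token, conv, text))

def http_post(url, headers, body):
    """Real transport (stdlib only); urlopen raises on non-2xx, so a bad App ID
    or password surfaces as an HTTPError on the very first step."""
    import urllib.request
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())
```

Call `notify(http_post, ...)` to run it for real; the token must be requested with the App ID of a registration that actually exists, which is exactly what the "was not found in the directory" error above is complaining about.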
Related
We are developing a react.js application that we registered in the Azure portal. We use the react-microsoft-plugin package from npm to have the login button using our company credentials. This works well.
We added App roles in the App Registrations page of Azure, just like this:
We also assigned these roles correctly in the Enterprise application -> Users and groups page in Azure.
When we login using the React Microsoft login button, we receive a token that contains a lot of stuff, among which the name, the mail, the job of the user. We would like to get the App role as well but we can't figure out how. We read this Add app roles to your application and receive them in the token Microsoft documentation but it's not too clear to me how we can actually get the user's role in the received token directly.
What is the process to follow so we get the user's app roles in the token?
I am developing an Azure bot for Microsoft Teams, using Azure Bot Service, Bot registration channel setup. The messaging endpoint is an App Service that is authenticated with AAD login. Could someone please help me understand how to call this authenticated endpoint from a bot? Currently, I am testing it on Webchat and I get a 401 unauthorized error. I tried configuring the OAuth Setting in the bot as per this, but still getting 401.
Could someone please point to any concepts and documentation required here.
There is no need to enable the App service Authentication. Just follow this article to add authentication to your bot via Azure Bot service. Then logon is required when you use the bot.
Reference:
Azure AD integration with Bot Framework / teams
Microsoft Teams behaves somewhat differently than other channels in regards to OAuth and requires a few changes to properly implement authentication. Specifically an Invoke Activity is sent to the bot rather than the Event Activity used by other channels. This Invoke Activity must be forwarded to the dialog if the OAuthPrompt is being used. This is done by subclassing the TeamsActivityHandler and implementing handleTeamsSigninVerifyState. It is best advised to make use of the 46.teams-auth sample to set up OAuth in Teams.
Hope this helps.
I am trying to deploy my Azure Bot Service but I am kinda struggling to understand what the Microsoft app ID and password are used for. Can someone explain these terms to me?
I was trying to find the answers online but unsuccessfully.
Thank you for any help.
This is the identity of the Bot Service.
You will notice in the App registrations of Azure Active Directory (AAD) that your Bot Service is in there. This is to give you the ability to Authenticate, Authorize and Audit (AAA) the Bot Service.
For example, you may want to provide access for your Bot Service to other services in your subscription, or other subscriptions also using the same AAD.
And so, the app has a set of credentials which it can use. The concept is similar to Managed Service Accounts in Windows Server.
The Microsoft app ID and Password are used to register the bot with the Azure Bot Service.
After you register it, those credentials will be used by the bot connector to authenticate the calls to your Bot's service and allow you to configure the bot with the different available channels.
Bot security is configured by the Microsoft App ID and Microsoft App Password that you obtain when you register your bot with the Bot Framework. These values are typically specified within the bot's configuration file and used to retrieve access tokens from the Microsoft Account service.
Unable to authorize multiple users for a BOT within the same organization using Azure AD authentication
Following are the steps we tried.
1. Created an Office 365 organization, so as to be the admin of the Azure AD
2. Registered the Azure AD app through App registrations on Azure in the same org, and then assigned the permissions to the app to read emails and calendar, by following the URL - https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=csharp%2Cbot-msgraph-auth
3. Then created the web app bot under Azure
4. Then under [OAuth Connection Settings] settings of the bot added the Azure AD app details, first added as Azure AD V1.0 as per the recommendation in the URL of Microsoft
5. Used the standard template code of the project - BotAuthenticationMSGraph from the GitHub sample code repository - https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
6. In the sample code, we just need to edit the appsettings.json file to add the [ConnectionName, MicrosoftAppId, MicrosoftAppPassword]
7. Then published the local bot code to the app service of the web app bot on Azure
8. Tested the Bot Auth on the [Test in Web Chat] on Azure -- It works for my Azure AD
9. Then enabled the Direct Line channel for the bot and distributed the bot to other users of the same organization
The issue is here - when the other user opens the bot, they can see the emails and calendar of the admin user who has already logged in initially. So when the other user logs off and logs in through his AD credential, only his emails and calendar data is available from then on.
Issue - So, at a given point of time only one user's O365 data is visible globally on the bot chat, and not the individual user's data who logs in for that session. The AD token is not per user session but instead it's a universal token across all the conversations.
When I use the Azure AD V2, I get the bad request while trying to login.
Please help. Thanks.
https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
Used the BotAuthenticationMSGraph project.
Expected is, every user should be able to log in individually, and only his data should be visible on the bot conversation distinctively.
I have tested the sample code and it works fine for both Azure AD V1 and V2.
I followed Azure AD v2 to configure it. Don't forget to enter Mail.Read Mail.Send openid profile User.Read User.ReadBasic.All for Scopes. It's different from Azure AD V1. Otherwise, it will return 400 bad request while trying to login.
I didn't reproduce the first issue. Could you tell where the other user opens the bot? From "Test in Web Chat"?
Update
You need to be aware that you are dealing with two user identities:
The user's identity in a channel.
The user's identity in an identity provider that the bot is interested in.
See Security considerations. When a bot asks user A in a channel to sign-in to an identity provider P, the sign-in process must assure that user A is the one that signs into P. If another user B is allowed to sign-in, then user A would have access to user B’s resource through the bot.
To enable the protection, you need to configure trusted Origins and tamper-proof user IDs.
You can refer to the sample code.
And this blog Using WebChat with Azure Bot Service's Authentication provides more detailed information.
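What binding the channel identity to the signed-in user looks like on the web-app side, as an added example that is not code from the answer above or from the linked sample: the server keeps the Direct Line secret, exchanges it for a short-lived token that carries the already-authenticated user's id (Direct Line only honours user ids prefixed `dl_`) together with the trusted origins, and hands only that token to Web Chat, so a second browser session cannot pick up the first user's sign-in. The post transport is injectable; the secret, user id and origin values are constructed placeholders.

```python
"""Per-user Direct Line token exchange (server side). Added example, not from the
answer or the Bot Framework sample. Endpoint and body fields are the documented
Direct Line v3 'tokens/generate' ones; all other values are constructed placeholders."""
import json

GENERATE_URL = "https://directline.botframework.com/v3/directline/tokens/generate"

def directline_user_id(app_user_id):
    """Direct Line only trusts user ids starting with 'dl_'; derive it from the id
    the web app itself authenticated so the client cannot choose another user."""
    if not app_user_id or any(c.isspace() for c in app_user_id):
        raise ValueError("invalid user id")
    return app_user_id if app_user_id.startswith("dl_") else "dl_" + app_user_id

def generate_token_request(directline_secret, app_user_id, trusted_origins):
    """Build the server-to-Direct-Line request. The secret stays on the server;
    the token in the response is what the browser receives."""
    body = {"user": {"id": directline_user_id(app_user_id)},
            "trustedOrigins": list(trusted_origins)}
    headers = {"Authorization": "Bearer " + directline_secret,
               "Content-Type": "application/json"}
    return GENERATE_URL, headers, json.dumps(body)

def token_for_signed_in_user(post, directline_secret, session_user_id, trusted_origins):
    """session_user_id is the id the web app's own login already established.
    Returns what the page should hand to Web Chat: the token and the matching user id."""
    resp = post(*generate_token_request(directline_secret, session_user_id, trusted_origins))
    return {"token": resp["token"], "userId": directline_user_id(session_user_id)}

def http_post(url, headers, body):
    """Real transport (stdlib only); a wrong secret fails here with an HTTPError."""
    import urllib.request
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())
```

The weak setup the question describes is the opposite of this: one token (or the raw secret) shared by every browser, so every conversation carries the same channel identity and the OAuth sign-in of the first user is reused by all of them.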
I have created a Bot in Node JS using the Microsoft Bot Framework and it is deployed on the Skype for Business (SFB) channel.
Whenever a user interacts with the Bot over SFB and asks to fetch some details, I want the Bot to get these details from my company's internal system using the user's authentication token, which should have been generated when the user logged in to SFB.
So, is there any way to get the user's token from SFB which the Bot can use to get the required information on the user's behalf? I can't use the Bot credential to get the information requested by the user on his/her behalf. My company's internal system and SFB use the same Azure AD for user authentication.
I referred to the questions Authenticate user across channels in Microsoft bot Framework and Skype for Business channel doesn't pass authentication credentials correctly, but they don't help me answer my question.
I referred to the Authenticate user in Microsoft bot framework link, and if I ask the user to authenticate by using something like https://blogs.msdn.microsoft.com/tsmatsuz/2016/09/06/microsoft-bot-framework-bot-with-authentication-and-signin-login/ then every time the user asks some question, I need to ask the user to authenticate, and that won't be good for the user experience as the user has already been authenticated over SFB.
Can someone please help me with some documentation that I can refer to resolve this issue?
I don't know about getting the token via the Skype channel directly, but I believe you could write UCMA code that would capture communication with a Skype user configured to be your bot, then transmit the conversation to the bot using Directline, with full knowledge of the user transmitted to the bot. You would then capture the result and reply to the user using the UCMA code.