Setup:
I have a bot registered in the Developer Portal and created an app with Teams Toolkit. To add SSO for my bot I created a multi-tenant Azure bot and a new app. Under the bot's Configuration > OAuth Connection Settings I created a service provider with Azure AD v2.0, name botConnection, the client ID and secret of the app already created by the toolkit, token exchange URL api://botid-clientidofapp, tenant common, and scopes set to User.Read, openId, email.
Problem:
When I try to debug the bot, the OAuth begin dialog throws "Could not find Connection Setting with name botconnection". I have set webApplicationInfo in the manifest with the client ID of the app. Can anyone help me with this?
I'm not an expert, but did you update your code accordingly? You can check this link: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=userassigned%2Caadv2%2Ccsharp which teaches you how to add authentication for an Azure bot.
Also, Teams Toolkit supports adding SSO for the scaffolded project. Check https://learn.microsoft.com/en-us/microsoftteams/platform/toolkit/add-single-sign-on?tabs=typescript%2F%3Ffrom%3Dteamstoolkit to see if it can help in your case.
Related
I'm using the default template for Blazor WebAssembly Hosted with ASP.NET Core (.NET 6), with Microsoft Identity enabled.
I was, however, unable to figure out how it was able to authenticate with Microsoft AAD and what source files need to be removed from version control to prevent others from getting access to Microsoft authentication against my app registration.
I couldn't find anything in the Client project. In the Server project, I only found this configuration, which the builder was binding, but there was no Secret or Certificates (details and IDs changed for privacy):
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "contoso.com",
        "TenantId": "4e590f17-467e-4085-adc1-1c4992f82f3a",
        "ClientId": "e67489f6-44d1-4658-86b6-20eb1c71b154",
        "CallbackPath": "/signin-oidc",
        "Scopes": "access_as_user",
        "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
        "ClientCertificates": []
    },
Would it be sufficient to just remove this file from version control? I would like to share the source code publicly.
How does the app registration work? Are the TenantId and ClientIds enough for letting an app use Microsoft Authentication?
I've broken down the three main questions you have and provided some resources for further info.
Q: Would it be sufficient to just remove this file from version control?
A: You are correct in saying that removing the configuration will indeed prevent others from being able to access your AAD via the app registration.
There is some useful documentation over on the Microsoft ASP.NET Core site that may be of some help with regards to authentication using AAD if you're looking for further information; the link is: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-7.0
Q: How does the app registration work?
A: The Server project connects with AAD utilising the Tenant and Client IDs as well as a client secret or certificate to authenticate. The app registration works by providing a client secret and ID to utilise within your project to manage permissions and access to your Azure resources through RBAC.
To quote the Microsoft documentation regarding App Registrations, "Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around." Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Q: Are the TenantId and ClientIds enough for letting an app use Microsoft Authentication?
A: You will also need to include the client secret or certificate in your config to ensure that your project successfully authenticates with AAD.
You will need to add a client secret to your App Registration as it is not created by default upon making an app registration. Here is the Microsoft documentation on creating a new client secret: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret
Hope these are of some help and good luck with your project!
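To make the answer above concrete, here is an added example (not code from the original post or from Microsoft) that audits the AzureAd section of an appsettings.json before it is committed. It checks that the file carries only the non-secret identifiers (Instance, TenantId, ClientId, CallbackPath) and that ClientSecret and ClientCertificates are empty or placeholder text, and it shows the layering ASP.NET Core applies at runtime, where the environment variable AzureAd__ClientSecret (double underscore is the configuration section separator) overrides the JSON value. The sample config and its GUIDs are constructed; looks_like_placeholder is a heuristic of my own.

```python
"""Audit an ASP.NET Core appsettings.json AzureAd section before publishing.

Added example, not from the original post. The committed file should hold only
tenant and client identifiers; the client secret or certificate must come from
user secrets or the environment at runtime.
"""
import json
import os
import re

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample mirroring the shape of the poster's config (IDs are made up).
SAMPLE_APPSETTINGS = """{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "contoso.com",
    "TenantId": "00000000-0000-0000-0000-000000000001",
    "ClientId": "00000000-0000-0000-0000-000000000002",
    "CallbackPath": "/signin-oidc",
    "Scopes": "access_as_user",
    "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
    "ClientCertificates": []
  }
}"""


def looks_like_placeholder(value):
    """Heuristic (assumption): template text is a sentence with spaces or an
    angle-bracket token; a real client secret is a single token without spaces."""
    stripped = value.strip()
    return stripped == "" or " " in stripped or stripped.startswith("<")


def audit_azuread(config_text):
    """Return a list of findings for the AzureAd section; an empty list means the
    file contains only identifiers and placeholders and is safe to commit."""
    cfg = json.loads(config_text).get("AzureAd", {})
    findings = []
    for key in ("Instance", "TenantId", "ClientId", "CallbackPath"):
        if not cfg.get(key):
            findings.append(f"missing required key {key}")
    for key in ("TenantId", "ClientId"):
        if cfg.get(key) and not GUID_RE.match(cfg[key]):
            findings.append(f"{key} is not a GUID")
    secret = cfg.get("ClientSecret", "")
    if secret and not looks_like_placeholder(secret):
        findings.append(
            "ClientSecret appears to hold a real secret; move it to user secrets or the environment"
        )
    if cfg.get("ClientCertificates"):
        findings.append("ClientCertificates is populated in the committed file")
    return findings


def resolve_client_secret(config_text, environ=os.environ):
    """Mimic the configuration layering: AzureAd__ClientSecret from the environment
    overrides the JSON value. Raises if neither source yields a usable secret, which
    is the state the poster's committed file is in (identifiers alone are not enough)."""
    cfg = json.loads(config_text).get("AzureAd", {})
    value = environ.get("AzureAd__ClientSecret", cfg.get("ClientSecret", ""))
    if looks_like_placeholder(value):
        raise ValueError("no usable ClientSecret configured (placeholder or empty)")
    return value


if __name__ == "__main__":
    print("findings:", audit_azuread(SAMPLE_APPSETTINGS))
    try:
        resolve_client_secret(SAMPLE_APPSETTINGS, environ={})
    except ValueError as exc:
        print("runtime without a secret source:", exc)
    print("with env override:",
          resolve_client_secret(SAMPLE_APPSETTINGS, {"AzureAd__ClientSecret": "from-env"}))
```

For local development the equivalent of the environment override is `dotnet user-secrets set "AzureAd:ClientSecret" "<value>"`, which stores the value outside the project tree so the committed appsettings.json keeps only the placeholder.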
I am trying to use contentBotId (Azure bot ID) in my MS Teams manifest file.
https://learn.microsoft.com/en-us/microsoftteams/platform/resources/schema/manifest-schema-dev-preview
When it is from the same tenant as the MS Teams domain (xyz.com), it works and loads the data.
But when it is from a different tenant, MS Teams does not load anything:
{errorCode: 0, message: "<BadArgument>Unknown bot"}
Is there any restriction on this?
Before creating the MS bot, using ML Studio, create a multi-tenant bot for a proper app registration.
Follow the procedure to create the bot and register the application.
Fill in all the required fields. Check the manifest file for the required ContentBotId. Test the URL after app registration as multi-tenant.
If the error still occurs, we need to set up the connection settings under Configuration.
By adding OAuth connection settings we get authentication for different clients for the same authentication URL (website URL).
That resolved the issue.
Yes, it can be from a different tenant.
When we use an existing AAD app instead of creating one from the Azure bot template, this issue occurs. It seems MS Teams is not able to find this AAD app or bot handle.
Root cause (might be): a manually created AAD app has the email address of the user who created it in the Owners section (Screenshot 1), while an AAD app created from the Azure bot template has the "Bot Framework Dev Portal" user (Screenshot 2).
And I am unable to add this user by searching.
Screenshot 1
Screenshot 2
In the instructions for adding authentication to a teams bot (https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/add-authentication) they indicate the usage of an "Identity Provider", an app registration separate from the bot.
In the instructions for bot SSO (https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots), there is no mention of this "Identity Provider" app registration.
In my testing, I am able to get the normal authentication working with the identity provider. I am also able to get the SSO authentication working without the identity provider.
Is it possible to get the bot SSO working with an identity provider app registration? I have tried several approaches, but none seem to work.
thanks,
Tom
Are you maybe referring to this: https://learn.microsoft.com/en-us/composer/how-to-use-oauth?tabs=v1x
I have developed an endpoint to be used for a Skype bot, but I have not hosted it in Azure, so in order to use the Skype channel I need to register it using Azure Bot Service (Bot Channels Registration). I did that, but when I try to create an App Password for it, Azure redirects me to the Application page and shows me this message (in the image the message appears in Spanish, but this is the translation):
The application no longer exists or is not associated with your account.
I have tried clearing my browser cache and using a private tab too, but nothing changes.
The application no longer exists, or is not associated with your account.
Based on my test, if I log in to the Application Registration Portal using an account that is not the one used to create the Bot Channels Registration bot service, I get the same message. Please check the account you are using to log in to the Application Registration Portal and make sure it is the same one you used to create your Bot Channels Registration bot service.
Besides, please check whether others know your account and deleted that app. You can also try to create another Bot Channels Registration bot service and check if the same issue appears.
This could be the account issue. But this does happen even if you create a new one. What I do think is that there may be some sort of problem with the App Registration portal, or to be specific the link to the app registration portal API that generates the auto ID and password, so if you are using the auto-created Microsoft App ID and Password you would face this issue. But if you do that manually from the App Registration portal and use that in your bot channel or web app bot, it should work fine. Hope that helps.
I want to authenticate my MVC application with Microsoft. I have successfully done it with Facebook, Google and Twitter, but when I click on Microsoft the error `We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later`
comes up.
I successfully created an app and pasted the Client ID and Client Secret into my MVC application. But I do not know the real problem.
What is the return URL that you specified for the given Client ID and Client Secret? If the site is not running under that specific URL (e.g. is running under localhost whilst you are in dev mode), you can get this error message.
In my case I had my Gmail account configured as my primary Microsoft Live account. Once I changed this to my Hotmail account as the primary account and then created a new app with a new name, Client ID and Secret, it started working for me.
To give some background, the Gmail account worked for signing in as a Gmail user on my app with Google as the Identity Provider; this is the account I had used as my Microsoft Account. I suspect my Microsoft account using my Gmail user name and password confused the MS Identity Provider, thus resulting in the error. So avoid using one Identity Provider's credentials to authenticate with a different Identity Provider if testing this. One account per Identity Provider, not associated with other Identity Providers.
Since the Google account had been my primary for the other Identity Providers, when I logged into the app as this user I suspect I was essentially already logged in with my Microsoft account.
Step 1:
Open the Microsoft Application Registration Portal [https://apps.dev.microsoft.com] where you have registered your application.
You need to make a change in the Redirect URIs.
For example:
The URI which is registered:
URL: http://localhost:8000
Change to make in the URI: just add [/signin-microsoft] at the end of the URL. It works.
URL: http://localhost:8000/signin-microsoft
Finally save your settings and try again; it will work.
In my case, it failed when I used my personal Outlook account to login.
Once I switched to an Office 365 account, it started working.