| page_type | sample | ||||
|---|---|---|---|---|---|
| description | This sample app demonstrate iss how to use the Bot Framework support for oauth in your bot. | ||||
| products |
|
||||
| languages |
|
||||
| extensions |
|
||||
| urlFragment | officedev-microsoft-teams-samples-bot-team-teams-authentication--python |
Bot Framework v4 bot using Teams authentication
This bot has been created using Bot Framework, it shows how to get started with authentication in a bot for Microsoft Teams.
The focus of this sample is how to use the Bot Framework support for oauth in your bot. Teams behaves slightly differently than other channels in this regard. Specifically an Invoke Activity is sent to the bot rather than the Event Activity used by other channels. This Invoke Activity must be forwarded to the dialog if the OAuthPrompt is being used. This is done by subclassing the ActivityHandler and this sample includes a reusable TeamsActivityHandler. This class is a candidate for future inclusion in the Bot Framework SDK.
The sample uses the bot authentication capabilities in Azure Bot Service, providing features to make it easier to develop a bot that authenticates users to various identity providers such as Microsoft Entra ID, GitHub, Uber, etc. The OAuth token is then used to make basic Microsoft Graph queries.
IMPORTANT: The manifest file in this app adds "token.botframework.com" to the list of
validDomains. This must be included in any bot that uses the Bot Framework OAuth flow.
- Teams SSO (bots)
- Graph API
-
Bot Teams Authentication Teams Client/Web
-
Bot Teams Authentication Teams Desktop
Please find below demo manifest which is deployed on Microsoft Azure and you can try it yourself by uploading the app manifest (.zip file link below) to your teams and/or as a personal app. (Uploading must be enabled for your tenant, see steps here).
Teams Auth Bot: Manifest
- Register a new application in the Microsoft Entra ID – App Registrations portal.
- Select New Registration and on the register an application page, set following values:
- Set name to your app name.
- Choose the supported account types (any account type will work)
- Leave Redirect URI empty.
- Choose Register.
- On the overview page, copy and save the Application (client) ID, Directory (tenant) ID. You'll need those later when updating your Teams application manifest and in the appsettings.json.
- Navigate to API Permissions, and make sure to add the follow permissions:
Select Add a permission
- Select Add a permission
- Select Microsoft Graph -> Delegated permissions.
User.Read(enabled by default)- Click on Add permissions. Please make sure to grant the admin consent for the required permissions.
- Microsoft Teams is installed and you have an account (not a guest account)
- dev tunnel or ngrok latest version or equivalent tunnelling solution
- Python SDK min version 3.11
The simplest way to run this sample in Teams is to use Microsoft 365 Agents Toolkit for Visual Studio Code.
- Ensure you have downloaded and installed Visual Studio Code
- Install the Microsoft 365 Agents Toolkit extension and Python Extension
- Select File > Open Folder in VS Code and choose this samples directory from the repo
- Press CTRL+Shift+P to open the command box and enter Python: Create Environment to create and activate your desired virtual environment. Remember to select
requirements.txtas dependencies to install when creating the virtual environment. - Using the extension, sign in with your Microsoft 365 account where you have permissions to upload custom apps
- Select Debug > Start Debugging or F5 to run the app in a Teams web client.
- In the browser that launches, select the Add button to install the app to Teams.
If you do not have permission to upload custom apps (uploading), Microsoft 365 Agents Toolkit will recommend creating and using a Microsoft 365 Developer Program account - a free program to get your own dev environment sandbox that includes Teams.
Note these instructions are for running the sample on your local machine, the tunnelling solution is required because the Teams service needs to call into the bot.
-
Register a new application in the Microsoft Entra ID – App Registrations portal.
-
Setup for Bot Create Bot Framework registration resource in Azure
- Use the current
httpsURL you were given by running the tunneling application. Append with the path/api/messagesused by this sample - Ensure that you've enabled the Teams Channel
- If you don't have an Azure account you can use this Bot Framework registration
NOTE: When you create your app registration, you will create an App ID and App password - make sure you keep these for later.
- Use the current
-
Setup NGROK
-
Run ngrok - point to port 3978
ngrok http 3978 --host-header="localhost:3978"Alternatively, you can also use the
dev tunnels. Please follow Create and host a dev tunnel and host the tunnel with anonymous user access command as shown below:devtunnel host -p 3978 --allow-anonymous
- Setup for code
-
Clone the repository
git clone https://github.com/OfficeDev/Microsoft-Teams-Samples.git
-
In a terminal, navigate to
Microsoft-Teams-samples\samples\bot-teams-authentication\pythonfolder -
Activate your desired virtual environment
-
In the terminal, type
pip install -r requirements.txt -
Update the
config.pyconfiguration for the bot to use the Microsoft App Id and App Password from the Bot Framework registration. (Note the App Password is referred to as the "client secret" in the azure portal and you can always create a new client secret anytime.)
- Setup Manifest for Teams
-
This step is specific to Teams.
- Edit the
manifest.jsoncontained in the ./teams_app_manifest folder to replace your Microsoft App Id (that was created when you registered your app registration earlier) everywhere you see the place holder string${{AAD_APP_CLIENT_ID}}(depending on the scenario the Microsoft App Id may occur multiple times in themanifest.json) - Edit the
manifest.jsonforvalidDomainsand replace${{BOT_DOMAIN}}with base Url of your domain. E.g. if you are using ngrok it would behttps://1234.ngrok-free.appthen your domain-name will be1234.ngrok-free.appand if you are using dev tunnels then your domain will be like:12345.devtunnels.ms. - Zip up the contents of the
teams_app_manifestfolder to create amanifest.zip(Make sure that zip file does not contains any subfolder otherwise you will get error while uploading your .zip package)
- Edit the
-
Upload the manifest.zip to Teams (in the Apps view click "Upload a custom app")
- Go to Microsoft Teams. From the lower left corner, select Apps
- From the lower left corner, choose Upload a custom App
- Go to your project directory, the ./appManifest folder, select the zip folder, and choose Open.
- Select Add in the pop-up dialog box. Your app is uploaded to Teams.
-
Run your bot with
python app.py
Note this
manifest.jsonspecified that the bot will be installed in a "personal" scope only. Please refer to Teams documentation for more details.
You can interact with this bot by sending it a message. The bot will respond by requesting you to login to Microsoft Entra ID, then making a call to the Graph API on your behalf and returning the results.
Login UI: OAuth Prompt
-
The OAuth Prompt behavior differs between Teams Desktop and Teams Web (Browser) clients.
-
Below are sample UI captures demonstrating how the login experience appears on each:
-
Teams Desktop: OAuth Prompt displayed as a native popup.
-
Teams Web (Browser): OAuth Prompt shown within an Adaptive Card.
To learn more about deploying a bot to Azure, see Deploy your bot to Azure for a complete list of deployment instructions.
- Bot Framework Documentation
- Bot Basics
- AzuMessagere Bot Service Introduction
- Azure Bot Service Documentation
- Bot Authentication Basics