As part of the Virtual Assistant deployment documentation, it asks to set the application registration to allow “Accounts in any organizational directory”. However, it doesn't describe what the implications of this overlooked setting are. Could we use “Accounts in this organizational directory only” and then build authentication into the bot elsewhere? For example, say you're deploying this for a client and their security practices don't allow us to make this change. How can we work around this?

This was actually a discussion point that popped up last week internally. Posting the answer here so the community can see it sooner, before we can get official MSFT documentation out there.
User's issue
User created a bot with manual app registration, and continued to get "Internal Server Error"
"We tried a number of things to get around this, and through trial and error we found that once we changed the app registration setting for Supported account types from “Accounts in this organizational directory only” to “Accounts in any organization directory”, restarted the app, and the bot started working again. I replicated this in my sub, as well."
"Accounts in any organizational directory" Explanation
This is required so that we (in the bot) can request a token for the bot. Pulled from a related thread:
Bots failing to work from the start due to the below error:
[Error] Microsoft.BotBuilderSamples.EchoWithCounterBot: Exception caught : Microsoft.Bot.Connector.Authentication.MicrosoftAppCredentials+OAuthException: Bad Request ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.Bot.Connector.Authentication.MicrosoftAppCredentials.<RefreshTokenAsync>d__36.MoveNext()
This exception was occurring because the Bot Framework SDK was trying to make a call to the AAD tenant to retrieve a token, and AAD was replying back with an HTTP 400 Bad Request, indicating there was an issue with the app registration credentials. Further troubleshooting uncovered the below specific error from AAD: Application with identifier '[appID]' was not found in the directory ''.
An app registration has three options/scopes for what kind of accounts can use it (the “Supported account types” setting):
1. Accounts in this organizational directory only
2. Accounts in any organizational directory
3. Accounts in any organizational directory and personal Microsoft accounts
I refer to the numbers above numerous times below.
By default, when allowing the Azure Portal to create its own app registration during Bot resource creation, it does so with option 3 above. This is true if you opt for automatic creation, or click the link during creation to manually create a registration – both of those create a registration with option 3.
For example, if creating a Web App Bot in the portal, the default option (at the bottom) is this:
You can expand that part to get this:
If you click the link to “Create App ID …” it brings you to the current App Registrations portal with a pre-populated app ID and name.
Both methods above create an app registration with the #3 scope above.
Based on discussions with the AAD team and testing I performed on Bots and registrations last week, the issue was caused by the scope of the registration being too narrow. In your case, app registrations were configured with a #1 scope above, which limits the registration so it can be used only by xxx. Since the Bot Framework SDK needs the AAD tenant to use that registration, it failed to retrieve a token.
As a test, we modified the existing registration from option #1 to option #2 using the App registrations (Preview) blade in the Azure Portal (under the Azure Active Directory section). Since this option opens the registration to be used by any AAD organization, which includes, the Bot SDK had no issues retrieving a token and started working immediately.
Going Forward
Since your organization utilizes a separate management system/application for app registrations, you’ll need to ensure that registrations created for use by Bots are created with option #2 or #3, or modified afterwards if created with #1. A Bot will not work, guaranteed, if the registration can only be used by the xxx tenant, which is option #1. Existing registrations can be modified from the Azure Portal:
Portal -> Azure Active Directory -> App registrations (Preview) -> [choose one] -> Authentication blade
If you see this, then the registration is already scoped for #3 and should be fine:
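To make the explanation above concrete, here is an added example (not code from this thread or from the Bot Framework SDK) that reproduces, with only the Python standard library, the token request the SDK's MicrosoftAppCredentials makes and maps the AAD answer back to the three “Supported account types” options. The authority URL and scope are the SDK's AuthenticationConstants values; note that the tenant in the authority is botframework.com, not the bot owner's tenant, which is why a registration scoped to option #1 cannot be found there. The signInAudience strings are the manifest values behind the portal radio buttons; the 400 response body is constructed to mirror the “was not found in the directory” message quoted above, and the AADSTS700016 code paired with it is an assumption.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

# Authority and scope the Bot Framework SDK uses when the bot asks for a token
# to call the channel service. The tenant segment is botframework.com, so AAD
# must be able to resolve the app registration from that tenant, not only from
# the tenant that owns it.
BOT_LOGIN_URL = "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token"
BOT_OAUTH_SCOPE = "https://api.botframework.com/.default"

# App manifest "signInAudience" values behind the portal's "Supported account
# types" choices, numbered as in the answer above (1 = single tenant).
SIGN_IN_AUDIENCE = {
    "AzureADMyOrg": 1,
    "AzureADMultipleOrgs": 2,
    "AzureADandPersonalMicrosoftAccount": 3,
}

# Constructed sample of what AAD returns for a single-tenant (option 1)
# registration; the message text mirrors the error quoted in the thread,
# the AADSTS code is an assumption.
SAMPLE_SINGLE_TENANT_ERROR = json.dumps({
    "error": "unauthorized_client",
    "error_description": "AADSTS700016: Application with identifier "
                         "'00000000-0000-0000-0000-000000000000' was not found "
                         "in the directory 'botframework.com'.",
    "error_codes": [700016],
})


def registration_option(sign_in_audience):
    """Return (option number, usable by a bot) for a manifest signInAudience value."""
    option = SIGN_IN_AUDIENCE.get(sign_in_audience)
    return option, option in (2, 3)


def token_request_fields(app_id, app_password):
    """Form fields of the client-credentials request the SDK sends."""
    return {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_password,
        "scope": BOT_OAUTH_SCOPE,
    }


def bot_token_request(app_id, app_password):
    """Build the POST to the botframework.com authority."""
    body = urllib.parse.urlencode(token_request_fields(app_id, app_password)).encode()
    return urllib.request.Request(
        BOT_LOGIN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def diagnose_token_response(status, body):
    """Translate AAD's response into the cause a bot developer cares about."""
    if status == 200:
        return "ok"
    try:
        err = json.loads(body)
    except ValueError:
        return "unexpected response: %s" % body[:80]
    desc = err.get("error_description", "")
    if "was not found in the directory" in desc:
        return "single tenant registration (option 1): not visible from botframework.com, switch to option 2 or 3"
    if err.get("error") == "invalid_client":
        return "bad or expired app password (client secret)"
    return "%s: %s" % (err.get("error", "unknown"), desc.splitlines()[0] if desc else "")


def fetch_bot_token(app_id, app_password, opener=urllib.request.urlopen):
    """Run the request; `opener` is injectable so the flow can be exercised offline."""
    req = bot_token_request(app_id, app_password)
    try:
        with opener(req) as resp:
            return diagnose_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return diagnose_token_response(e.code, e.read().decode())


def simulated_single_tenant_opener(req):
    """Offline stand-in for urlopen that answers like AAD does for option 1."""
    raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {},
                                 io.BytesIO(SAMPLE_SINGLE_TENANT_ERROR.encode()))


if __name__ == "__main__":
    # Offline demonstration; swap in the default opener and real credentials to test a live registration.
    print(fetch_bot_token("00000000-0000-0000-0000-000000000000", "not-a-real-secret",
                          opener=simulated_single_tenant_opener))
```

Running it offline prints the option 1 diagnosis; pointed at a real app ID and password with the default opener, a 200 means the registration is usable by the bot, and the same “was not found in the directory” text from the 400 body is the signal that someone created it with option #1.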