Tags: azure-active-directory, botframework, microsoft-teams, microsoft-graph-teams

How to access Graph API on behalf of active Teams user?


I'm running a Teams bot (bot framework based) as my client app.

The bot uses Graph API to read a meeting's chat messages. Currently, the bot authenticates itself against Graph API through the "client credentials" flow against an Azure AD app. In the Azure AD app, I'm using Graph's application permissions to access the Teams chat.

These application permissions are extremely restricted and need explicit manual approval by Microsoft - which makes sense, if you let an app access potentially sensitive chat data.

I would like to change the authentication so that the bot can access Graph API on behalf of the user talking to the bot. I was able to create a login procedure, where the bot would display a "Login" button in Teams (via OAuthPrompt), the user is taken into the browser to authenticate and then I would retrieve the access token.

Since Teams users are already authenticated, is it possible to get the access token of the current user instead, so that they don't have to log in again?


Solution

  • This is possible by implementing SSO for your Bot.

    Single sign-on authentication in Azure Active Directory (AAD) minimizes the number of times users need to enter their sign-in credentials by silently refreshing the authentication token. If users agree to use your app, they need not provide consent again on another device and can sign in automatically.

    Here are two samples for the same:

      • csharp_dotnetcore

      • Node.js

    Please let us know if you are facing any issues.
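Once the SSO flow hands the bot a delegated Graph token, a bot should confirm it actually is an on-behalf-of-user token for the expected tenant and scopes before calling Graph, since a client-credentials token for the same Azure AD app looks superficially similar. The check below is an added example written for this answer, not code from the question or the linked samples; the tenant id and the sample token are constructed placeholders, and the claim names (aud, tid, scp, roles, exp) are the standard Azure AD access-token claims.

```javascript
// Microsoft Graph is identified in "aud" either by its resource URI or its app id.
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000',
]);

function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Decode the payload only. The bot holds the token but is not its audience;
// Graph is the party that validates the signature, the bot just reads claims.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns a list of problems; an empty list means the token is usable
// for a delegated Graph call with the required scopes.
function checkDelegatedGraphToken(token, { tenantId, requiredScopes, now = Date.now() / 1000 }) {
  const c = decodeJwtClaims(token);
  const problems = [];
  if (!GRAPH_AUDIENCES.has(c.aud)) problems.push(`aud "${c.aud}" is not Microsoft Graph`);
  if (c.tid !== tenantId) problems.push(`tid "${c.tid}" is not the expected tenant`);
  if (typeof c.exp !== 'number' || c.exp <= now) problems.push('token is expired');
  // Delegated tokens carry "scp"; app-only (client credentials) tokens carry "roles".
  if (typeof c.scp !== 'string') {
    problems.push('no scp claim: this is an app-only token, not on behalf of a user');
  } else {
    const granted = new Set(c.scp.split(' '));
    for (const s of requiredScopes) if (!granted.has(s)) problems.push(`missing scope ${s}`);
  }
  return problems;
}

// Constructed, unsigned sample token (alg "none") for offline demonstration only.
function makeUnsignedJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

const TENANT_ID = 'TENANT-ID-PLACEHOLDER';
const SAMPLE_DELEGATED_TOKEN = makeUnsignedJwt({
  aud: 'https://graph.microsoft.com', tid: TENANT_ID, scp: 'Chat.Read User.Read', exp: 1700003600,
});
```

A delegated token that fails any of these checks should send the user back through the OAuthPrompt rather than be used for the chat-message request.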