Tags: azure-active-directory, botframework, microsoft-teams, azure-ad-b2c

Azure AD B2C and MS Teams app (bot + tab) auth


We are working on integrating our app with MS Teams using a Teams app with a bot and a tab and we are struggling with the authentication.

Our scenario is:

  • We use Azure AD B2C for authentication to our app (using predefined user flows).
  • We have different customers that use Azure AD (each one with its own Azure AD tenant). We created a custom identity provider that enables sign-in/sign up users to our app using their own Azure AD credentials.
  • We created a bot channel registration using a "Generic Oauth 2" service provider to connect to our bot with Azure AD B2C.

Our challenges are:

  • Ideally, we want to implement SSO for our bot in Teams to allow our customers to sign in to our app using their MS Teams credentials. We managed to authenticate using OAuthPrompt for Teams following this sample, but the challenge we've seen is that the user needs to sign in every time they open the bot (i.e. the refresh token is not working), and also we are not able to send a "domain_hint" query string to differentiate our customers.
  • Ideally, we want the authentication to be handled using only one bot channel registration. Probably it could be achieved by creating one channel registration for each customer, but in the long term we'd need to create one bot for each customer, and that could be difficult to maintain (and we want to avoid our customers having to install an App Registration in their Azure AD).

Has anyone had similar experiences dealing with MS Teams apps for multiple Azure AD tenants using Azure AD B2C? What's the best way you'd recommend to handle this scenario?

Your help would be appreciated!

Thanks in advance!


Solution

  • If it helps someone, after some research, we are doing the following for our scenario:

    • For the SSO in the tabs, given that OAuthPrompt does not refresh tokens (we don't want users to sign in every time the token expires), we are following this solution posted months ago: https://github.com/igrep/example-teams-bot-with-ms-account-refresh-token.

    • For handling multiple Azure AD tenants within B2C, given that we are using predefined user flows and we need to build a custom sign-in for our scenario, we are going to get the domain_hint from MS Teams and pass it to Azure AD B2C.