Tags: azure, oauth, botframework, azure-bot-service, azure-managed-identity

Azure Bot of type UserAssignedMSI still requires client ID and secret when creating a new OAuth connection


I have an Azure Bot (UAMI configured). However, when I try to add an OAuth Connection Setting, all Service Providers expect either a secret or a certificate to authenticate to an external resource.

Is it not possible to leverage the User-assigned Managed Identity to connect to other resources secret-free?

Here's how the Azure Bot is configured: (screenshot of the Azure Bot Configuration menu)

To clarify -

I have an existing Azure Web App bot that works fine using an external identity provider (App registration). However, that requires the use of a Client Secret.

My question here is: is it possible to configure an OAuth connection without a client secret/certificate, relying instead on the UAMI under the hood to authenticate?


Solution

  • As mentioned in the MSDOC, the existing Microsoft Entra ID application in which the Azure bot with User-Assigned MSI is registered allows the bot to access an external secured resource, i.e., Microsoft Graph, and also allows the user to communicate with the bot via several channels such as Web Chat, Teams, etc.

    You have to create a separate Microsoft Entra ID application to function as identity provider for the Bot.

    To establish the OAuth connection between the bot and the secured resources, you need to provide the credentials such as Client ID and Client Secret.

    Create a separate Entra ID application with the OAuth Redirect URL as the Redirect URI:


    Set the API permissions for the app under App => API permissions => Add a permission => Microsoft Graph => Delegated permissions:


    Create a Client Secret in the newly created Entra ID application.

    Navigate to the Azure Bot and configure the OAuth Connection using the Client ID and client secret of the Entra application to register the identity provider with the bot.


    Select the connection entry => Test Connection:


    After accepting the consent, it redirects to the Test Connection Succeeded page.

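The portal steps in the answer, written out as an added Azure CLI example (this is not code from the question, the answer, or Microsoft; it is added here for illustration). It assumes the `az ad app` and `az bot authsetting` commands of a current Azure CLI, that `Aadv2` is the service provider name for Microsoft Entra ID v2 in the bot's OAuth Connection Settings, and that the Bot Framework token service redirect URL is `https://token.botframework.com/.auth/web/redirect` (check both against the portal blade before relying on them). All resource names, the app id, the tenant id and the secret value are placeholders. As the answer says, the connection still needs a client secret; what the script controls is how that secret is handled: one delegated scope only, a one-year lifetime, and the secret passed straight into the bot resource rather than saved to a file. `DRY_RUN=1` (the default) prints each command instead of running it.

```shell
#!/bin/sh
# Added example, not from the question or the answer: the answer's portal
# steps expressed as Azure CLI calls. my-bot-idp, my-rg, my-bot,
# graph-connection, the app id, the tenant id and the secret are placeholders.
# With DRY_RUN=1 (default) the commands are printed instead of executed.
set -eu

DRY_RUN="${DRY_RUN:-1}"
GRAPH_API_ID="00000003-0000-0000-c000-000000000000"     # Microsoft Graph resource app id
USER_READ_SCOPE="e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # Graph delegated permission User.Read
BOT_REDIRECT_URI="https://token.botframework.com/.auth/web/redirect"  # Bot Framework OAuth redirect URL (assumed; verify in portal)

# Print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: a separate Entra ID app registration that acts as the bot's identity
# provider, with the Bot Framework redirect URL registered. A real run prints
# the app as JSON; its appId is the client id used in the later steps.
create_idp_app() {
  run az ad app create --display-name "$1" \
    --sign-in-audience AzureADMyOrg \
    --web-redirect-uris "$BOT_REDIRECT_URI"
}

# Step 2: delegated Graph permission. Only User.Read here; add further scopes
# one at a time as the bot actually needs them rather than granting broadly.
add_graph_delegated_permission() {
  run az ad app permission add --id "$1" \
    --api "$GRAPH_API_ID" --api-permissions "$USER_READ_SCOPE=Scope"
}

# Step 3: client secret for the identity-provider app. A one-year lifetime
# keeps the rotation window short; a real run prints the secret value once.
create_client_secret() {
  run az ad app credential reset --id "$1" --append \
    --display-name bot-oauth-connection --years 1 --query password -o tsv
}

# Step 4: register the identity provider with the Azure Bot as an OAuth
# connection setting. "Aadv2" is assumed to be the Entra ID v2 provider name.
#   $1 resource group, $2 bot name, $3 connection name,
#   $4 app (client) id, $5 client secret, $6 tenant id
register_oauth_connection() {
  run az bot authsetting create -g "$1" -n "$2" -c "$3" \
    --client-id "$4" --client-secret "$5" \
    --service Aadv2 --provider-scope-string "User.Read" \
    --parameters "tenantId=$6"
}

# Step 5: list the bot's connection settings. The answer's "Test Connection"
# step stays interactive, since it involves user consent in a browser.
list_oauth_connections() {
  run az bot authsetting list -g "$1" -n "$2" -o table
}

# Walk through all steps with placeholder values: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  create_idp_app my-bot-idp
  add_graph_delegated_permission 00000000-0000-0000-0000-000000000000
  create_client_secret 00000000-0000-0000-0000-000000000000
  register_oauth_connection my-rg my-bot graph-connection \
    00000000-0000-0000-0000-000000000000 '<secret-from-step-3>' '<tenant-id>'
  list_oauth_connections my-rg my-bot
fi
```

Run it with `--demo` to see the five commands; set `DRY_RUN=0` and replace the placeholders with the real app id, tenant id and the secret printed by step 3 to execute them against a signed-in `az` session. Keeping the secret in a shell variable that is passed directly to `az bot authsetting create` means it exists only in the Entra app and in the bot resource, which is the smallest footprint the answer's approach allows.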