botframework on teams channel 1:1 Authentication AAD integrated

7
votes

I'm looking to connect my bot on teams channel but i didn't know the way to secure this for use only in our domains (organization).

I have test to look (authentication AAD) for the Azure Web App but it's doesn't work on teams or on webchat because the endpoint adresse it's not redirected.

I have test to implement AUTH card but it doesn't work on teams.

Note : I'm using botframework C# api BotBuilder 3.15.2.2

I have look other "ask" like : AAD authentication in Microsoft teams for Bot Framework

Is it possible to access custom tabs in 1:1 chats in MS Teams?

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/auth-flow-bot

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/auth-bot-AAD

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication

https://tsmatz.wordpress.com/2016/09/06/microsoft-bot-framework-bot-with-authentication-and-signin-login/

Sincerely, Pascal.

Edit : I have implemented the solution sugested by Adrian, below was a piece of C# code that implement this on the MessasController.cs (Post Function): Note ==> Adding access for localhost use

 //https://stackguides.com/questions/51090597/botframework-on-teams-channel-11-authentication-aad-integrated
 string tenantIdAAD = "";
 try
 {
     tenantIdAAD = activity.GetChannelData<TeamsChannelData>().Tenant.Id;
 }
 catch (Exception exception)
 {
     tenantIdAAD = "";
 }

 ConnectorClient connector = new ConnectorClient(new Uri(activity.ServiceUrl));

 if ([AAD_TenantID].TenantIdAAD.Equals(tenantIdAAD) || activity.ServiceUrl.StartsWith("http://localhost") )
 {
     await Conversation.SendAsync(activity, () => new Dialogs.RootDialog().LogIfException());
 }
 else
 {
     await connector.Conversations.ReplyToActivityAsync(activity.CreateReply("Access Denied"));
 }
1
c#azure-active-directorybotframeworkmicrosoft-teams
By "for use only in our domains", do you mean that only users from your organization should be able to use your bot?Adrian Solis
Thx for your response Adrian. Yes it's what i locking for only my teams organization can be use the bot. But in current way the bot can be use in all organization if you take mi APP_ID.Sanpas

1 Answers

10
votes

The incoming message contains information that you can use to identify the user. A message looks like this:

{ ... "from": { "id": "29:1XJKJMvc5GBtc2JwZq0oj8tHZmzrQgFmB39ATiQWA85gQtHieVkKilBZ9XHoq9j7Zaqt7CZ-NJWi7me2kHTL3Bw", "name": "Richard Moe", "aadObjectId": "ae361bee-9946-4082-99dc-6994b00ceebb" }, "channelData": { "tenant": { "id": "72f988bf-86f1-41af-91ab-2d7cd011db47" } } }

The channelData.tenant.id identifies the organization (O365 tenant) that the user is part of, so you can look at that and reject messages that aren't from ones that you expect.

The message also has the AAD object ID of the sender in from.aadObjectId. The auth flow in the links above is useful if you need tokens to provide to other services so you can act on behalf of the user, but if all you need is the user's tenant and identity, the message has all you need.

(Remember to authenticate the incoming request first, before trusting any information in the message.)