0
votes

I am new to bot development. I am working on creating a MS Teams bot using bot framework. The bot will be installed in ‘Personal’ scope in Teams, and it doesn’t have any tab / messaging extension etc. Once installed, I want to get the list of all the members/ channels/ Notification updates (i.e. members added/deleted etc.). As per the different documentation, I can get the list using Graph API.

  1. List members of team - Microsoft Graph v1.0 | Microsoft Docs
  2. List members of a channel - Microsoft Graph v1.0 | Microsoft Docs

To achieve this, I need the token that will be passed in the API call. I am not sure how to implement that. I have followed the instructions mentioned in Add authentication to a bot in Bot Framework SDK - Bot Service | Microsoft Docs. There was a step to ‘Add OAuth Connection Settings’ and there were multiple options in ‘Service Provider’. I selected ‘Azure Active Directory v2’. After doing that, it works and I can get the token, but it only works if during login I use my Azure directory credentials. I have a Microsoft account linked with my MS Teams which is different from the Azure account. A user in a team can have a Microsoft account / work / office account, so this needs to work for everyone. What would be the correct ‘Service Provider’ option that will work for all accounts?

I was thinking that the flow should be like:

  1. The user clicks on the ‘Add’ button to install the app in Teams.
  2. Once added, the bot will prompt for Graph API permission using OAuth.
  3. Once the user gives the permission, I can use the token to call Graph APIs.

I have also looked at the following tutorials:

  1. How to use Bot Framework Composer to build low-code Microsoft Teams bots (Part 1)
  2. Get user profile information in your Microsoft Teams bot with Microsoft Graph (Part 2) - YouTube

But after performing all the steps, when I try to login, it says: ‘This action can't be performed since the app does not exist or has been uninstalled.’

I am not getting a clear approach on how to proceed with it.

Did you see this: docs.microsoft.com/en-us/learn/modules/msteams-sso ? When you develop your bot via Bot Framework Composer, you must use Bot Framework Emulator and Ngrok to test authentication. So, if it works fine during tests, after you publish the bot to Azure you must carefully set up connections in the bot: one to MS Graph, another to some APIs. The last step is to develop an MS Teams application with SSO to allow MS Teams to call authentication on these connections. – Maxim

Thanks for providing that link. It seems it's more about implementing SSO with tabs. In my case, there is no tab. The user will be installing the bot in personal scope only and then they will interact with the bot. Also, all the users are in Azure AD and hence it is working. What about if an organization is using Microsoft Account or Gmail etc.? – Devesh Tiwari

As I mentioned, my Teams account is linked to a Microsoft Account and the Azure account is linked to a different account where I set up the bot and app registration. When I install the bot and try to authenticate it using my Teams account, it gives an error saying: "AADSTS50020: User account [email protected] from identity provider live.com does not exist in tenant Sample and cannot access the application 5se6c0-2b1f-4285-8d4b-757346 in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account." – Devesh Tiwari

Every bot is an Azure Active Directory resource. Does your user [email protected] belong to its own Azure Directory? If yes, you must set up your bot app as a multitenant application. If no, your user [email protected] will be a guest in your tenant and you should set up Teams access and Azure AD access to allow working with guest accounts. Maybe you must invite your user [email protected] as a guest to your tenant. The error description directly says that the user does not exist in the tenant and you should add him as a guest. Did you try this? – Maxim

To set up the connection in the bot: add an OAuth Connection String with the following settings: 'AAD V2', ClientId = BotId (in the AAD app registration), Client Secret = Bot Secret, Token Exchange URL = api://botid-<bot id guid>, Tenant ID empty or 'common', and in Scopes enumerate the Graph scopes. In the bot app registration you grant access to Graph, set up API permissions, set up Expose an API with Application ID URI api://botid-<botId>, add scopes, add a client application if needed, and test it in Bot Framework Emulator. After your user [email protected] can access AD resources, you can configure the MS Teams app as I mentioned earlier. – Maxim

1 Answer

2
votes

As @Maxim has also suggested, if you want to have a bot that should run multitenant you need to put the Tenant Id as common in the OAuth Setting in Azure Bot. As the value suggests, it isn't going to be specific to a single tenant, and the Redirect Uri should be set to https://token.botframework.com/.auth/web/redirect in the app registration.

This is it, you don't need to add anything. This is also mentioned in the doc.

We have a sample as well that shows how to use Graph API with the bot:

https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/24.bot-authentication-msgraph

You can set up this one and update the Graph calls to get the members of a team or channels.
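As an added example (not code from the linked sample or the original post), a Bot Framework SDK v4 dialog in C# that uses the connection described above: an OAuthPrompt against a connection assumed to be named GraphConnection, then a call to the "List members of team" endpoint with the delegated token it returns. The connection name, the team id passed in as dialog options and the TeamMember.Read.All scope on the connection are assumptions.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Dialogs;
using Microsoft.Bot.Schema;
// Signs the Teams user in through the bot's OAuth connection (Tenant ID = "common",
// Scopes including TeamMember.Read.All) and lists a team's members via Graph.
public class ListTeamMembersDialog : ComponentDialog
{
    // Assumed: the name given to the OAuth connection on the Azure Bot resource.
    private const string ConnectionName = "GraphConnection";
    private static readonly HttpClient Http = new HttpClient();
    public ListTeamMembersDialog() : base(nameof(ListTeamMembersDialog))
    {
        AddDialog(new OAuthPrompt(nameof(OAuthPrompt), new OAuthPromptSettings
        {
            ConnectionName = ConnectionName,
            Text = "Sign in so the bot can read team membership",
            Title = "Sign in",
            Timeout = 300000, // ms the sign-in card stays valid
        }));
        AddDialog(new WaterfallDialog(nameof(WaterfallDialog),
            new WaterfallStep[] { PromptStepAsync, CallGraphStepAsync }));
        InitialDialogId = nameof(WaterfallDialog);
    }
    // Step 1: OAuthPrompt returns a cached token silently or shows the sign-in card.
    private static Task<DialogTurnResult> PromptStepAsync(WaterfallStepContext step, CancellationToken ct)
        => step.BeginDialogAsync(nameof(OAuthPrompt), null, ct);
    // Step 2: call Graph with the delegated token; the team id arrives as dialog options (assumed).
    private static async Task<DialogTurnResult> CallGraphStepAsync(WaterfallStepContext step, CancellationToken ct)
    {
        if (!(step.Result is TokenResponse tokenResponse) || string.IsNullOrEmpty(tokenResponse.Token))
        {
            await step.Context.SendActivityAsync("Sign-in was cancelled or failed.", cancellationToken: ct);
            return await step.EndDialogAsync(null, ct);
        }
        // "common" admits users from any tenant; a bot meant for specific organisations
        // should additionally check step.Context.Activity.Conversation.TenantId here.
        var teamId = (string)step.Options;
        using var request = new HttpRequestMessage(HttpMethod.Get, $"https://graph.microsoft.com/v1.0/teams/{teamId}/members");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokenResponse.Token);
        using var response = await Http.SendAsync(request, ct);
        var json = await response.Content.ReadAsStringAsync();
        // Send only the Graph payload (or its status) back to the chat, never the token.
        await step.Context.SendActivityAsync(response.IsSuccessStatusCode ? json : $"Graph returned {(int)response.StatusCode}", cancellationToken: ct);
        return await step.EndDialogAsync(json, ct);
    }
}
```

Register the dialog in the bot's dialog set and start it with the team id as options; swapping the URL for /teams/{teamId}/channels/{channelId}/members covers the "List members of a channel" case from the question.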