Generated client secret from teamsapp provision is unusable by Bot Framework SDK

[yhaskell]

Is your feature request related to a problem? Please describe.

I'm provisioning a Microsoft Teams app using teamsapp provision with the generateClientSecret: true option. The problem is that the generated client secret is in an encrypted format (crypto_xxxx), which cannot be used with the Bot Framework SDK (e.g., with CloudAdapter). This forces me to manually go into the Azure portal, find the corresponding AAD app registration, and create a new client secret just to make the bot work. This breaks the automation flow and is frustrating during both development and CI/CD setup.

Describe the solution you'd like

I’d like teamsapp provision to either:

• Output the actual client secret (V~...) once at provisioning time so I can store it securely (e.g., in .env), or
• Provide a CLI command (e.g., teamsapp env decrypt) to retrieve or decrypt the actual value from the generated secret for local development use.

Describe alternatives you've considered
I currently use the Azure portal to generate a new secret manually after provisioning, which is tedious and error-prone. I've also looked into using the Azure CLI (az ad app credential reset) as a workaround, but it adds complexity and deviates from the intended teamsapp workflow.

Additional context
This affects the ability to use teamsapp as a fully automated provisioning tool in real-world bot-enabled Teams apps. Having to manually override secrets reduces confidence in reproducibility and complicates CI/CD.

[m365-agent-toolkit-assistant]

👋 Hi @yhaskell,

Thank you for reporting this issue! We want to let you know that:

⏱️ Our team will personally review your issue
🎯 You can expect a response within 2 business days

✨ This is an AI-generated initial response
🤖 AI-Generated Preliminary Analysis:

Problem:
The client secret provided by teamsapp provision is in an encrypted format and unusable by the Bot Framework SDK.

Known Issues & Relevant Insights:

1. The Bot Framework SDK only supports actual client secrets, not encrypted formats.
2. Similar issues highlight the importance of using the client secret value, not the ID, and demonstrate possible solutions, such as generating secrets manually:
   • Issue: Internal Server Error due to invalid client secret
   • Example: Using a certificate instead of a secret

Solution:
You can propose these enhancements:

• Output Client Secret: Modify teamsapp provision to output the actual client secret at provisioning time.
• CLI Decryption: Provide a CLI command to decrypt the client secret for local use.

Workaround:
Until these changes are made, manually generate and use the actual client secret from the Azure portal, despite it being tedious.

For more details on adding bot authentication and settings, see Add authentication to your Teams bot.

✨We'd love your feedback! Please take a moment to fill out our survey.

---

Note: This is an automated first response generated by AI. A human team member will review your issue and provide a more detailed response soon. We appreciate your patience!

[tecton]

Hi @yhaskell, thanks for your feedback. We'll discuss this feature request to make user experience better.
For now, the generated secret in .env.*.user file can only be decrypted in VS Code extension. After you install the extension, you can open project folder and and click "Decrypt secret" in env file to view the origin secret string as a workaround.

[yhaskell]

Hello @tecton, thanks for your answer!
Since I currently don't use the vs code or extension, I don't really have an access to this functionality.
Reading a little bit of the code, I've found that the following code snippet will actually decode it for you:

import Crytpr from "cryptr";
import YAML from "yaml";
import dotenv from "dotenv";
import fs from "node:fs";

const env = process.env.ENV || "local";

const { projectId } = YAML.parse(fs.readFileSync("teamsapp.yml", "utf8"));
const cryptr = new Crytpr(`${projectId}_teamsfx`);
const envFile = fs.readFileSync(`env/.env.${env}.user`);
const parsed = dotenv.parse(envFile);

for (const [key, value] of Object.entries(parsed)) {
  if (value.startsWith("crypto_")) {
    const secret = value.replace("crypto_", "");
    const decrypted = cryptr.decrypt(secret);
    console.log(`${key}=${decrypted}`);
  }
}

But it would be nice to have this piece of code somewhere inside of CLI.