Does Teams Notification Bot need MS Graph Permissions? #7920
Hi AaronSchwarzSAP! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies. Best regards, Teams Platform |
@AaronSchwarz0176 - No, you don't need to grant any MS graph permissions to the bot. Just need to follow this step-by-step guide. |
Sounds good, but unfortunately my bot is not sending notifications in the deployed state. So I'm trying to debug it with sideloading. But when starting the Debug session in VSC I get the following error: I tried with the following config:
But it still seems to be trying to register a new AAD app... Any ideas? One other thing I don't understand yet: |
@AaronSchwarz0176 - You should not use your existing app id. It will create a new AAD app by its own. |
But when deploying to Azure I was able to reuse my AAD app. Why is it not possible while sideloading? One other thing I don't understand yet: I recognized once I deploy a new version to Azure, my teams app seems as well updated. |
We followed this guide and the sample worked properly. |
That's not really answering my question. What's the difference between "deploy to the cloud" and "publish to teams"? |
Hello @AaronSchwarz0176 - Deploy to the cloud: Teams Toolkit helps to deploy or upload the front-end and back-end code in your app to your provisioned cloud resources in Azure. Your App's business logic runs in these deployed Azure resources. You redeploy your code to cloud whenever business logic is changed. Publish to teams: Allows you to Publish a custom app by uploading an app package. When you publish a custom Teams app, it's available to users in your organization's app store. You publish your app one time and re-publish only when you edit your manifest.json file (like adding new tab or updating display name of your app). Teams doesn't host your app. When a user installs your app in Teams, they install an app package that contains only a configuration file (also known as an app manifest) and your app's icons. The app's logic and data storage are hosted elsewhere, such as on localhost during development and Azure Web Services. Teams accesses these resources via HTTPS. Please let me know if you have any more questions. |
@Wajeed-msft Thanks, that helped. So deploying the App to Cloud/Azure is the right approach for updating business logic, I guess the connection between these two is the teamsAppId in state.dev.json? One more question: My app is constantly showing 0 Bot-Installations, although I deployed/published/installed the latest version. Any chance how this can happen? Is there some kind of caching when a new version is published? Any chance to debug/reset this bot-installations? |
I tried things like deleting the app from the Teams app store, de-installing the app, redeploying, republishing, but still no Bot installations found. Might it be related to the storage? I'm still using the local one so far. |
I read here that the notifications connections should be stored at this place, when the bot is deployed: ${process.env.TEMP}/.notification.localstore.json, if process.env.RUNNING_ON_AZURE is set to 1. How can I access this file? |
Okay, @AaronSchwarz0176 - We are checking on it. We will get back to you if there is any update. |
I added an Azure blob storage now, as described here. My container is created successfully and I don't see an error, but the container stays empty and no bot installations seem to be persisted. |
Any Update on this? I would like to go-live with my bot next month and at the moment I can't use it at all due to the missing persistence of the installations. |
Hello @AaronSchwarz0176 - Sorry for the delay in response. |
So far I did not see any error logs, the storage is just never filled. If there would be logs, where would I find them? |
If you have deployed your application, could you please check if you see any log in your azure application insights? |
Generally we see the Exceptions table, but as per the above screenshots, it's returning result code 401 which means unauthorized. We will also try it from our end and let you know the updates. Just one query: |
Sorry the screenshot was a bit misleading. As you can see the post-requests to /api/notification return status 200. Why I believe there are no bot installations:
Thanks for sharing the details. |
@ChetanSharma-msft Any update on this? |
Hello @AaronSchwarz0176 - We have tried this sample but unfortunately facing issue while executing Windows PowerShell Command: PS C:\WINDOWS\system32> Invoke-Webrequest -Method POST -URI http://localhost:3978/api/notification So, we are looking into it and once it is resolved we will let you know the further updates. |
Thanks for the effort. Can you foresee when you can provide a solution? |
Hello @AaronSchwarz0176 - Could you please confirm whether your app is working locally and getting notifications with or without using storage connection? Also, could you please try to install the app for different users and let us know if it's working or not? |
Public blob storage is currently prohibited by my org policy... But as I'm accessing through a connection string, I think it should not need public access, right? I'm getting my connection string from "Access keys" of my storage account, is that correct? Or do I need a shared access signature (SAS)? |
Hello @AaronSchwarz0176 - This is the correct way of getting storage connection string. |
Hello @AaronSchwarz0176 - We are also experiencing the behaviour where storage is always empty. We will check other bot framework samples and let you know the updates. |
@AaronSchwarz0176 - We tried this bot-builder sample locally and noticed that user and conversation data in bot is getting stored in Azure blob storage.
We will check your issue with engineering team, and we will inform you if there is any update. Thanks! |
Thanks, that sounds promising. So is that implementation something I can try for my notification bot as well? |
Hello @AaronSchwarz0176 - We are checking the issue with engineering team. |
Okay, I can't find the source of the AzureBlobStorage class and it is C#, can't use that ... So waiting for the engineering team, thanks. |
@AaronSchwarz0176 - This is in node JS. Please have a look. |
Unfortunately I don't see how I can apply this to my project... When can we expect answer from the engineering team? |
Hello @AaronSchwarz0176 - We are checking with engineering team and let you know the updates. |
@hund030 BOT_ID and BOT_PASSWORD are matching clientID and clientSecret of my AAD app registration. What is this api/messages endpoint supposed to do? Do I really need it for sending notifications? I did not implement anything here, my code is listening to /api/notification. These post requests seemed to be automatically triggered, not by me. When I send a POST request with a valid access token and an empty JSON to /api/messages it returns Code 400 Bad Request "Error: validateAndFixActivity(): missing activity type." Do you have a sample payload for this endpoint to verify if it will return 401 as well? |
@AaronSchwarz0176 As you mentioned you reuse an existing AAD app, do you also reuse the bot registration (Azure Bot Service)? If so, please make sure following IDs have the same value:
In addition, you can directly log the request header/body of /api/messages:
    server.post("/api/messages", async (req, res) => {
      // add log here, e.g. the request headers and body
      console.log(req.headers, req.body);
      await bot.requestHandler(req, res);
    });
You can manually trigger "/api/messages" by entering anything in the Teams chat with your bot. cc @hund030 |
@swatDong thanks for the input. I can verify that bots.botid, microsoft app id and bot_Id all have the same value. One more detail: I added my Azure IDP as authentication config in the app service: When I disable this config, the requests to /api/messages/ are returning 200, however then my requests to /api/notifications are failing with the following error: "Error: Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '2e4(...)' was not found in the directory 'Bot Framework'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant." When I re-enable the auth config the error stays the same now ... not sure if it's cached and takes some time.. Any ideas? |
I changed my app config to "multitenant" (as described here) and now the notifications are sent! My admin told me that multi-tenant is not supported in general - Is it really mandatory for the bot to work? |
@AaronSchwarz0176 For the authentication part - it seems your authentication config on app service applies to both
For the multi-tenant part - now bot supports both single-tenant and multi-tenant, but you need to update your code as well:
    adapterConfig: {
      MicrosoftAppId: process.env.BOT_ID,
      MicrosoftAppPassword: process.env.BOT_PASSWORD,
      //MicrosoftAppType: "MultiTenant",
      MicrosoftAppType: "SingleTenant",
      MicrosoftAppTenantId: "your-tenant-id"
    },
Or, if your project was generated earlier, it only supports multi-tenant, since the old bot SDK only supports multi-tenant. More doc can be found at https://learn.microsoft.com/azure/bot-service/bot-service-quickstart-registration |
I adapted the config in initialize.js to SingleTenant and switched the Azure AD App to SingleTenant and re-deployed. Getting unauthorized_client again. I gave the tenantID of my Azure AD directory, correct? Do I need to re-provision again? Which version is supporting single tenancy? |
Yep, you need to re-provision again, to make sure all resources are configured as single tenant:
Also, to ensure your Teams app is up-to-date, better to uninstall the app then re-add the app to Team again. |
Tenant was set at the bot creation time, so you may need to re-create the Azure Bot Service. If your Azure Bot Service was created via provision:
In addition, after reinstalling the Teams app, please also clear old notification connections from your storage if you have your own storage. (Or restart the app service to make sure the temp storage is cleared as well) |
Now we are back at the initial problem again, bot is not returning any installations, storage is empty. I deleted the bot service, updated the .bicep file, "SingleTenant" is now visible in Azure Portal. I re-provisioned, redeployed, republished, reinstalled teams app, restarted the app service, cleared the storage. Any ideas? |
I disabled my app service auth config - now I get the unauthorized_client again as earlier...Happy to jump on a call if that makes things easier |
Per my test:
    const { BotBuilderCloudAdapter } = require("@microsoft/teamsfx");
    const ConversationBot = BotBuilderCloudAdapter.ConversationBot;
    ...
    // Create bot.
    const bot = new ConversationBot({
      // The bot id and password to create CloudAdapter.
      // See https://aka.ms/about-bot-adapter to learn more about adapters.
      adapterConfig: {
        MicrosoftAppId: config.botId,
        MicrosoftAppPassword: config.botPassword,
        MicrosoftAppType: "SingleTenant",
        MicrosoftAppTenantId: "{{your-tenant-id}}"
      },
    ...
Fine to have a call on this. Is it convenient to contact you on Teams? (I did not find any contact info from your GitHub profile) |
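The two adapterConfig snippets above (the SingleTenant/MultiTenant switch and the re-provisioned SingleTenant config) leave the tenant mismatch that caused AADSTS700016 to surface only at runtime. The following is an added example, not code from this thread or from the TeamsFx project: it builds the adapterConfig from environment variables and rejects the mismatches discussed here before the bot starts, and it decodes the token-endpoint error body quoted above. BOT_ID and BOT_PASSWORD are the variable names used in the thread; BOT_APP_TYPE, BOT_TENANT_ID and the allowMultiTenant option are assumed names.

```javascript
// Added example (not from the thread or TeamsFx): validate the adapterConfig
// for ConversationBot up front. BOT_ID/BOT_PASSWORD are the thread's names;
// BOT_APP_TYPE, BOT_TENANT_ID and allowMultiTenant are assumed.
const GUID_RE = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

function buildAdapterConfig(env, { allowMultiTenant = false } = {}) {
  if (!GUID_RE.test(env.BOT_ID || "")) {
    throw new Error("BOT_ID must be the AAD app (client) id, a GUID");
  }
  if (!env.BOT_PASSWORD) {
    throw new Error("BOT_PASSWORD (the app client secret) is missing");
  }
  const appType = env.BOT_APP_TYPE || "SingleTenant";
  const config = {
    MicrosoftAppId: env.BOT_ID,
    MicrosoftAppPassword: env.BOT_PASSWORD,
    MicrosoftAppType: appType,
  };
  if (appType === "SingleTenant") {
    // Must be the directory id where BOT_ID is registered; a wrong or
    // missing value is what yields AADSTS700016 from the token endpoint.
    if (!GUID_RE.test(env.BOT_TENANT_ID || "")) {
      throw new Error("SingleTenant requires BOT_TENANT_ID (directory id GUID)");
    }
    config.MicrosoftAppTenantId = env.BOT_TENANT_ID;
  } else if (appType === "MultiTenant") {
    if (!allowMultiTenant) {
      throw new Error("MultiTenant is disallowed by policy; use SingleTenant");
    }
  } else {
    throw new Error(`unknown MicrosoftAppType '${appType}'`);
  }
  return config;
}

// Decode the token-endpoint error body quoted in the thread into a hint.
// Only the AADSTS code seen on this page is mapped; others get hint null.
const AADSTS_HINTS = {
  "700016": "app id not found in the named tenant: check MicrosoftAppTenantId " +
    "is the directory where BOT_ID is registered and that the Azure Bot " +
    "Service was (re)created for that same tenant",
};

function explainTokenError(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return null; }
  const m = /AADSTS(\d+)/.exec(parsed.error_description || "");
  if (!m) return null;
  return { error: parsed.error, code: m[1], hint: AADSTS_HINTS[m[1]] || null };
}
```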
After upgrading to "@microsoft/teamsfx": "^2.2.0" this did the trick for me :) Thanks a lot for the great support @swatDong! |
We are closing this issue for now. Please feel free to reopen if required. Thanks! |
I just completed the below tutorial on notification bots.
One question on this one when it comes to authorizations:
When I deploy my app to Azure - do I need to grant MS graph permissions to the bot so it can send chat messages?
If yes, is there a list of permissions which is needed for the below tutorial?
In my case it's a daemon application, so I'm thinking about an application permission like 'Chat.ReadWrite.WhereInstalled'.