I have tried many SSO setups but it never works for me. I am developing a Teams bot solution for my organization and here is my setup. I setup
I use the signin method to authenticate the user. First, the user was asked to view permission; second, the user was asked to log in. I logged in with my production tenant account and authentication failed (I got a signin failure event), and the bot token framework returned a 6-digit magic code. Can you shed some light? What am I missing here?

I think the application ID URI should be

Hi @n1340t, Can you make sure the You could also try running Could you also compare your setup to our guide here? As for the signin, did you sideload the bot in the same tenant as your user trying to signin? (also I reformatted your msg so it's easier for me to read)

@n1340t Your setup has the Teams app sideloaded in your dev tenant, but the AAD auth app lives in your production tenant. The SSO flow requires the Teams client to silently acquire a token for the resource URI. Since the Teams client is operating in the context of the dev tenant (where the app is sideloaded), it cannot silently get a token from a production-tenant AAD app unless:
If your auth AAD app is single-tenant, SSO will silently fail and fall back to the OAuth card sign-in button. If that also fails (which seems to be what you're experiencing with the magic code), it points to an issue with the OAuth connection configuration itself. Can you check/share the following?

No bother at all!
Admin consent: The process is for your dev tenant admin to visit this URL and grant consent:

https://login.microsoftonline.com/{dev-tenant-id}/adminconsent?client_id={your-app-client-id}

Replace {dev-tenant-id} with your dev tenant's ID and {your-app-client-id} with your multi-tenant Entra app's client ID. The admin signs in and approves the permissions. After that, SSO should work silently for users in the dev tenant.

Microsoft's general guidance on admin consent

Manual verifyState: Yes, your understanding is correct. You could intercept the magic code in your message handler by checking if the message text matches a 6-digit pattern, then calling api.users.token.get wit…
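
An added example, not code from this thread or from the Teams SDK: the 6-digit check from the reply above, gated so that a message is only treated as a magic code when that user has a sign-in attempt in progress. The `PendingSignIns` class, its method names and the five-minute lifetime are assumptions; the returned code would then be handed to the token call the reply mentions.

```javascript
// Added example: only treat a six-digit message as a magic code when the
// sender has a live sign-in attempt. All names are hypothetical, not SDK APIs.

const MAGIC_CODE = /^\d{6}$/;          // the whole message must be six ASCII digits
const PENDING_TTL_MS = 5 * 60 * 1000;  // assumed lifetime of one sign-in attempt

class PendingSignIns {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.pending = new Map();  // "conversationId:userId" -> expiry time (ms)
  }

  // Call when the bot sends the sign-in card to this user.
  start(conversationId, userId) {
    this.pending.set(`${conversationId}:${userId}`, this.now() + PENDING_TTL_MS);
  }

  // Decide what to do with an incoming message.
  // Returns { action: 'redeem', code } only for a six-digit message from a
  // user with an unexpired sign-in attempt; otherwise { action: 'pass' } so
  // the message goes to the normal handlers.
  classify(conversationId, userId, text) {
    const key = `${conversationId}:${userId}`;
    const expiry = this.pending.get(key);
    if (expiry === undefined) return { action: 'pass' };
    if (this.now() > expiry) {
      this.pending.delete(key);  // stale attempt: forget it
      return { action: 'pass' };
    }
    const candidate = String(text ?? '').trim();
    if (!MAGIC_CODE.test(candidate)) return { action: 'pass' };
    this.pending.delete(key);    // one redemption attempt per sign-in
    return { action: 'redeem', code: candidate };
  }
}

// Constructed sample traffic (not real conversation data).
const clock = { t: 0 };
const signIns = new PendingSignIns(() => clock.t);
signIns.start('conv1', 'alice');
console.log(signIns.classify('conv1', 'bob', '123456'));          // bob never started a sign-in
console.log(signIns.classify('conv1', 'alice', 'order 123456'));  // digits inside other text
console.log(signIns.classify('conv1', 'alice', ' 123456 '));      // alice's code, whitespace trimmed
```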