Auto Sign-In Requires Multiple User Messages to Succeed with Authorization Agent Token Exchange on Teams Channel

[Santhosh0505]

Hi Team,

We’ve set up the Authorization Agent to handle token exchange without using a SignIn card, by configuring the Token Exchange URL within the OAuthSettings.

However, we’re encountering an issue where the auto sign-in process doesn’t consistently succeed on the user's first message. In most cases, the auto sign-in only completes successfully after the user sends 3 or more random messages. Once it succeeds, the request reaches the OnMessageAsync method as expected.

App Registration Configuration
Below are the configuration steps we followed for the Azure App Registration:

1. Authentication

• Added a Web platform with the Redirect URL:
  https://token.botframework.com/.auth/web/redirect

• Enabled both checkboxes under Implicit grant and hybrid flows for:

  • Access tokens
  • ID tokens

2. API Permissions

• Added permissions for Microsoft Graph (Delegated):

  • User.Read
  • openid
  • profile
  • offline_access

• Added permissions for Power Platform API (Delegated):

  • CopilotStudio.Copilots.Invoke

• Granted admin consent for the tenant.

3. Certificates & Secrets

   Created a new client secret and securely stored the secret value.

4. Expose an API

• Set Application ID URI to api://botid-

  • Added a scope:
  • Scope name: access_as_user
  • Who can consent: Admins
  • Admin consent display name: Access Copilot Agents as user
  • Admin consent description: Allow the app to access Copilot Agents as you
  • State: Enabled

OAuthSettings Configuration

• Name: MyTestApp
• Service Provider: Azure Active Directory v2
• Client Id: {Azure Bot Client Id}
• Client Secret: {Azure Bot Client Secret}
• Token Exchange URL: api://botid-{Azure Bot Client Id}
• Tenant Id: {Tenant Id}
• Scopes: profile openid

Issue
We need the auto sign-in to reliably succeed when the user sends their first message, without requiring multiple retries. Could you please help us identify what might be causing this behavior or suggest configuration adjustments to ensure a seamless auto sign-in experience on the first attempt?

Thanks in advance for your help!

[sarahcritchley]

Thanks @Santhosh0505 for raising and for detailed repo steps. @MattB-msft we are monitoring a similar issue at the moment, is this the same?

[rido-min]

@Santhosh0505 from your repro steps, it's not clear if you are using the same AppRegistration for the Bot instance and the SSO connection.

We are seeing similar errors when the ABS OAuth connection is configured using a different AppRegistration from the bot for the token exchange. Can you try to use the same appregistration?

[Santhosh0505]

@rido-min I am using the same app registration, that's when we are seeing the above behavior.

Previously I have also tried with different app registration, in that case we were seeing a different behaviour which didn't worked for me either.

[MattB-msft]

@Santhosh0505 , Thanks for the information so far.
Could you clarify where you're seeing the breakdown please?

For example,
Using auto signin, when you get into the message hanlder you should see an access token returned from

UserAuthorization.GetTurnToken(handlerName)

Are you seeing that?
and is the token not good there? or are you not getting a token back from that?

[Santhosh0505]

@MattB-msft
We cannot see the request reaching the OnMessage handler while it is failing, after 3 trials it reach the On Message handler and we can also see the token using the

UserAuthorization.GetTurnToken(handlerName)

We have observed that the Appservice get a activity with type signin/exchangetoken after the 3 trials after which the bot starts working.

[MattB-msft]

Thanks for the additional information, Which channel are you using for this?

Not all channels fully support sso (which is what your trying to do here)

Thanks

[Santhosh0505]

@MattB-msft
We are trying only for Microsoft Teams as of now.

[MattB-msft]

Thanks, the behavior your seeing is definitely not intended. We will have a look

[tracyboehrer]

I am not seeing that behavior in Teams. I am using the latest AutoSignIn sample from the DotNet repo though.

Are you using devtunnel? Do you see the message arriving in the devtunnels "Inspect network activity" page?

Did you set UserAuthorization.OnUserSignInFailure to a handler? For example:

    private async Task OnUserSignInFailure(ITurnContext turnContext, ITurnState turnState, string handlerName, SignInResponse response, IActivity initiatingActivity, CancellationToken cancellationToken)
    {
        // Raise a notification to the user that the sign-in process failed.
        await turnContext.SendActivityAsync($"Sign In: Failed to login to '{handlerName}': {response.Cause}/{response.Error.Message}", cancellationToken: cancellationToken);
    }

In the case of a sign in failure, it will never make it to the message handler you setup, but it would call the OnUserSignInFailure.

[tracyboehrer]

Is this a Teams channel, or something like BizChat?