diff --git a/msteams-platform/assets/images/authentication/teams-sso-bots/azure-manifest-value.png b/msteams-platform/assets/images/authentication/teams-sso-bots/azure-manifest-value.png index 56516902567..12df1cebb2f 100644 Binary files a/msteams-platform/assets/images/authentication/teams-sso-bots/azure-manifest-value.png and b/msteams-platform/assets/images/authentication/teams-sso-bots/azure-manifest-value.png differ diff --git a/msteams-platform/assets/images/authentication/teams-sso-tabs/azure-manifest-value.png b/msteams-platform/assets/images/authentication/teams-sso-tabs/azure-manifest-value.png index de671b32296..8256bcf7ddc 100644 Binary files a/msteams-platform/assets/images/authentication/teams-sso-tabs/azure-manifest-value.png and b/msteams-platform/assets/images/authentication/teams-sso-tabs/azure-manifest-value.png differ diff --git a/msteams-platform/assets/images/messaging-extension/azure-manifest-value.png b/msteams-platform/assets/images/messaging-extension/azure-manifest-value.png new file mode 100644 index 00000000000..12df1cebb2f Binary files /dev/null and b/msteams-platform/assets/images/messaging-extension/azure-manifest-value.png differ diff --git a/msteams-platform/bots/how-to/authentication/bot-sso-register-aad.md b/msteams-platform/bots/how-to/authentication/bot-sso-register-aad.md index 075ce62cbef..4c7646f4967 100644 --- a/msteams-platform/bots/how-to/authentication/bot-sso-register-aad.md +++ b/msteams-platform/bots/how-to/authentication/bot-sso-register-aad.md 
@@ -70,8 +70,8 @@ To enable SSO for your app in Microsoft Entra ID: * **[Configure messaging endpoint](#configure-messaging-endpoint)** * **[Configure SSO for Microsoft Entra app](#configure-sso-for-azure-ad-app)**: - * [Configure scope for the access token](#configure-scope-for-the-access-token) * [Configure access token version](#configure-access-token-version) + * [Configure scope for the access token](#configure-scope-for-the-access-token) * [Create client secret](#create-client-secret) * [Configure redirect URL](#configure-redirect-url) * **[Configure OAuth connection](#configure-oauth-connection)** 
@@ -115,6 +115,30 @@ You've configured the messaging endpoint for your bot resource. Next, you must e You must configure permissions and scopes, authorize client applications, update app manifest (previously called Teams app manifest), and create client secret for your Microsoft Entra app. These configurations help to invoke SSO for your bot app. +### Configure access token version + +You must define the access token version for your app in the Microsoft Entra app manifest. + +#### To define the access token version + +1. Select **Manage** > **Manifest** from the left pane. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." ::: + + The Microsoft Entra app manifest appears. + +1. Set the `requestedAccessTokenVersion` property to **2**. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for access token version." lightbox="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png"::: + +1. Select **Save**. + + A message appears on the browser stating that the app manifest was updated successfully. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message."::: + +You've updated the access token version. Next, you'll configure the scope of the access token. + ### Configure scope for the access token Configure scope (permission) options for sending access token to Teams client and authorizing trusted client applications to enable SSO. 
@@ -280,34 +304,7 @@ The scope and permissions are now configured. Next, you must configure the autho > [!NOTE] > You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application. -You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, you configure the access token version. - -> [!div class="nextstepaction"] -> [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+To+configure+authorized+client+application&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad%3Ftabs%3Dbotid%23to-configure-authorized-client-application&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad.md&documentVersionIndependentId=ac68d7e8-2a35-5208-8724-68bd2fdd79b6&platformId=cdaccc16-060c-8eb1-2cee-c1f6a26e285c&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) - -### Configure access token version - -You must define the access token version for your app in the Microsoft Entra app manifest. - -#### To define the access token version - -1. Select **Manage** > **Manifest** from the left pane. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." ::: - - The Microsoft Entra app manifest appears. - -1. Enter **2** as the value for the `accessTokenAcceptedVersion` property. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for accepted access token version." 
::: - -1. Select **Save**. - - A message appears on the browser stating that the app manifest was updated successfully. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message."::: - -You've updated the access token version. Next, you'll create a client secret for your app. +You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, you'll create a client secret for your app. > [!div class="nextstepaction"] > [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+To+define+the+access+token+version&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad%3Ftabs%3Dbotid%23to-define-the-access-token-version&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad.md&documentVersionIndependentId=ac68d7e8-2a35-5208-8724-68bd2fdd79b6&platformId=cdaccc16-060c-8eb1-2cee-c1f6a26e285c&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) 
@@ -487,8 +484,8 @@ Congratulations! You've completed the following app configurations in Microsoft To create and configure your app for enabling SSO in Microsoft Entra ID: * [**Configure your Microsoft Entra app for SSO**](#configure-your-azure-ad-app-for-sso) - * [Configure scope for access token](#configure-scope-for-access-token) * [Configure the access token version](#configure-the-access-token-version) + * [Configure scope for access token](#configure-scope-for-access-token) * [Create client secret for your app](#create-client-secret-for-your-app) * [Configure redirect URL for your app](#configure-redirect-url-for-your-app) * [**Configure bot resource in Microsoft Entra ID**](#configure-bot-resource-in-azure-ad) 
@@ -504,6 +501,30 @@ You must configure permissions and scopes, authorize client applications, update > [!IMPORTANT] > Ensure that you've [registered your app](../../../tabs/how-to/authentication/tab-sso-register-aad.md#to-register-a-new-app-in-azure-ad) in Microsoft Entra ID. At registration, Microsoft Entra ID generates a new app ID that you must note. You'll need to update it later in the app manifest file. +### Configure the access token version + +You must define the access token version for your app in the Microsoft Entra app manifest. + +#### To define access token version + +1. Select **Manage** > **Manifest** from the left pane. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." ::: + + The Microsoft Entra app manifest appears. + +1. Set the `requestedAccessTokenVersion` property to **2**. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for access token version." lightbox="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png"::: + +1. Select **Save**. + + A message appears on the browser stating that the app manifest was updated successfully. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message."::: + +You've updated the access token version. Next, you'll configure the scope for access token. + ### Configure scope for access token You must configure scope (permission) options for your Microsoft Entra app. You need it for sending access token to Teams client and authorize trusted client applications. 
@@ -667,34 +688,7 @@ The scope and permissions are now configured. Next, you must configure the autho > [!NOTE] > You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application. -You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, you configure the access token version. - -> [!div class="nextstepaction"] -> [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+To+configure+an+authorized+client+application&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad%3Ftabs%3Dwindows%23to-configure-an-authorized-client-application&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad.md&documentVersionIndependentId=ac68d7e8-2a35-5208-8724-68bd2fdd79b6&platformId=cdaccc16-060c-8eb1-2cee-c1f6a26e285c&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) - -### Configure the access token version - -You must define the access token version for your app in the Microsoft Entra app manifest. - -#### To define access token version - -1. Select **Manage** > **Manifest** from the left pane. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." ::: - - The Microsoft Entra app manifest appears. - -1. Enter **2** as the value for the `accessTokenAcceptedVersion` property. 
- - :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for accepted access token version." ::: - -1. Select **Save**. - - A message appears on the browser stating that the app manifest was updated successfully. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message."::: - -You've updated the access token version. Next step is to create a client secret for your app next. +You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, step is to create a client secret for your app next. > [!div class="nextstepaction"] > [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+To+define+access+token+version&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad%3Ftabs%3Dwindows%23to-define-access-token-version&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Fbots%2Fhow-to%2Fauthentication%2Fbot-sso-register-aad.md&documentVersionIndependentId=ac68d7e8-2a35-5208-8724-68bd2fdd79b6&platformId=cdaccc16-060c-8eb1-2cee-c1f6a26e285c&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) diff --git a/msteams-platform/concepts/authentication/nested-authentication.md b/msteams-platform/concepts/authentication/nested-authentication.md index c3f590390fb..b42d3296c21 100644 --- a/msteams-platform/concepts/authentication/nested-authentication.md +++ b/msteams-platform/concepts/authentication/nested-authentication.md 
@@ -100,7 +100,7 @@ For more information on upgrading your Teams app to run in Outlook and Microsoft Initialize MSAL and get an instance of the public client app to get access tokens, when needed. -```javascript +```JavaScript import { AccountInfo, IPublicClientApplication, 
@@ -146,46 +146,46 @@ To acquire a token, follow these steps: 1. If no account is available, MSAL.js returns an `InteractionRequiredAuthError`. Call `publicClientApplication.acquireTokenPopup(accessTokenRequest)` to display an interactive dialog for the user. `acquireTokenSilent` can fail if the token expired or if the user didn't consent to all the requested scopes. -The following code snippet shows an example to access a token: - -```javascript - - // MSAL.js exposes several account APIs, logic to determine which account to use is the responsibility of the developer - const account = publicClientApplication.getActiveAccount(); - - const accessTokenRequest = { - scopes: ["user.read"], - account: account, - }; - - publicClientApplication - .acquireTokenSilent(accessTokenRequest) - .then(function (accessTokenResponse) { - // Acquire token silent success - let accessToken = accessTokenResponse.accessToken; - // Call your API with token - callApi(accessToken); - }) - .catch(function (error) { - //Acquire token silent failure, and send an interactive request - if (error instanceof InteractionRequiredAuthError) { - publicClientApplication - .acquireTokenPopup(accessTokenRequest) - .then(function (accessTokenResponse) { - // Acquire token interactive success - let accessToken = accessTokenResponse.accessToken; - // Call your API with token - callApi(accessToken); - }) - .catch(function (error) { - // Acquire token interactive failure - console.log(error); - }); - } - console.log(error); - }); - -``` + The following code snippet shows an example to access a token: + + ```JavaScript + + // MSAL.js exposes several account APIs, logic to determine which account to use is the responsibility of the developer + const account = publicClientApplication.getActiveAccount(); + + const accessTokenRequest = { + scopes: ["user.read"], + account: account, + }; + + publicClientApplication + .acquireTokenSilent(accessTokenRequest) + .then(function (accessTokenResponse) { + // Acquire 
token silent success + let accessToken = accessTokenResponse.accessToken; + // Call your API with token + callApi(accessToken); + }) + .catch(function (error) { + //Acquire token silent failure, and send an interactive request + if (error instanceof InteractionRequiredAuthError) { + publicClientApplication + .acquireTokenPopup(accessTokenRequest) + .then(function (accessTokenResponse) { + // Acquire token interactive success + let accessToken = accessTokenResponse.accessToken; + // Call your API with token + callApi(accessToken); + }) + .catch(function (error) { + // Acquire token interactive failure + console.log(error); + }); + } + console.log(error); + }); + + ``` ### Call an API diff --git a/msteams-platform/messaging-extensions/api-based-microsoft-entra.md b/msteams-platform/messaging-extensions/api-based-microsoft-entra.md index 7e1b75847a1..21bad77f12d 100644 --- a/msteams-platform/messaging-extensions/api-based-microsoft-entra.md +++ b/msteams-platform/messaging-extensions/api-based-microsoft-entra.md @@ -33,6 +33,7 @@ The following image shows how SSO works when a Teams app user attempts to access To enable SSO authentication for API-based message extension, follow these steps: * [Register a new app in Microsoft Entra ID](#register-a-new-app-in-microsoft-entra-id). +* [Configure access token version](#configure-access-token-version). * [Configure scope for access token](#configure-scope-for-access-token). * [Authenticate token](#authenticate-token). * [Update app manifest](#update-app-manifest). @@ -74,7 +75,6 @@ To enable SSO authentication for API-based message extension, follow these steps > [!NOTE] > You don't need to enter **Redirect URI** for enabling SSO for an API-based message extension app. - 1. Select **Register**. A message pops up on the browser stating that the app was created. 
@@ -88,12 +88,32 @@ To enable SSO authentication for API-based message extension, follow these steps Your app is registered in Microsoft Entra ID. You now have the app ID for your API-based message extension app. -> [!div class="nextstepaction"] -> [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+Register+a+new+app+in+Microsoft+Entra+ID&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fmessaging-extensions%2Fapi-based-microsoft-entra%3Ftabs%3Dtoken-v2%23register-a-new-app-in-microsoft-entra-id&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Fmessaging-extensions%2Fapi-based-microsoft-entra.md&documentVersionIndependentId=86a1363d-83c7-8353-c2e4-18cd8f648d71&platformId=331c69cd-9c5b-151f-ea09-8e9f1bc02146&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) +## Configure access token version + +You must ensure the access token version for your app. You can find this configuration in the Microsoft Entra application app manifest. + +### To configure the access token version + +1. Select **Manage** > **Manifest** from the left pane. + + The Microsoft Entra application app manifest appears. + +1. Set the `requestedAccessTokenVersion` property to **2**. + + :::image type="content" source="../assets/images/messaging-extension/azure-manifest-value.png" alt-text="Image shows how to configure access token version." lightbox="../assets/images/messaging-extension/azure-manifest-value.png"::: + + > [!NOTE] + > If you've selected **Personal Microsoft accounts only** or **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (for example, Skype and Xbox)** during app registration, update the value for the `requestedAccessTokenVersion` property as **2**. + +1. 
Select **Save**. + + A message pops up on the browser stating that the app manifest was updated successfully. + +After you've verified and configured the version of access token, you must configure its scope. ## Configure scope for access token -After you've created a new app registration, configure scope (permission) options for sending access token to Teams client, and authorizing trusted client applications to enable SSO. +After you configure the access token version, configure scope (permission) options for sending access token to Teams client, and authorizing trusted client applications to enable SSO. To configure scope and authorize trusted client applications, you must: @@ -180,6 +200,7 @@ To configure scope and authorize trusted client applications, you must: > [!div class="nextstepaction"] > [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+Configure+API+scope&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fmessaging-extensions%2Fapi-based-microsoft-entra%3Ftabs%3Dtoken-v2%23configure-api-scope&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Fmessaging-extensions%2Fapi-based-microsoft-entra.md&documentVersionIndependentId=86a1363d-83c7-8353-c2e4-18cd8f648d71&platformId=331c69cd-9c5b-151f-ea09-8e9f1bc02146&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) +> ### Configure authorized client application 1. Move through the **Expose an API** page to the **Authorized client application** section and select **+ Add a client application**. 
@@ -218,7 +239,7 @@ To configure scope and authorize trusted client applications, you must: > [!NOTE] > You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application. -You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the app ID URI. Next, you configure the access token version. +You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the app ID URI. Next, you update the app manifest. > [!div class="nextstepaction"] > [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+Configure+authorized+client+application&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fmessaging-extensions%2Fapi-based-microsoft-entra%3Ftabs%3Dtoken-v2%23configure-authorized-client-application&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Fmessaging-extensions%2Fapi-based-microsoft-entra.md&documentVersionIndependentId=86a1363d-83c7-8353-c2e4-18cd8f648d71&platformId=331c69cd-9c5b-151f-ea09-8e9f1bc02146&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) @@ -237,9 +258,7 @@ After the API-based message extension gets a request header with token, perform * **Authenticate**: Verify the token for the audience, scope, issuer, and signature claims to check if the token is for your app. For more claims, see [ID token claims](/entra/identity-platform/access-tokens#validate-tokens). - The following example shows the JSON Web Token (JWT) with a header and response: - - # [Token V2](#tab/token-v2) + The following example shows the JSON Web Token (JWT) V2 with a header and response: ```json { 
@@ -268,36 +287,7 @@ After the API-based message extension gets a request header with token, perform } ``` - # [Token V1](#tab/token-v1) - - ```json - { - "typ": "JWT", - "rh": "0.AhoAv4j5cvGGr0GRqy180BHbR6Rnn7s7iddIqxdA7UZsDxYaABY.", - "alg": "RS256", - "kid": "q-23falevZhhD3hm9CQbkP5MQyU" - }.{ - "aud": "api://00000002-0000-0000-c000-000000000000", - "iss": "https://sts.windows.net/{tenantid}/", - "iat": 1537231048, - "nbf": 1537231048, - "exp": 1537234948, - "acr": "1", - "aio": "AXQAi/8IAAAA", - "amr": ["pwd"], - "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", - "appidacr": "0", - "ipaddr": "192.168.1.1", - "name": "John Doe", - "oid": "00000000-0000-0000-0000-000000000000", - "scp": "access_as_user", - "sub": "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy782bbtaQ", - "tid": "12345678-aaaa-bbbb-cccc-9876543210ab", - "uti": "fqiBqXLPj0eQa82S-IYFAA", - } - ``` - -* **Use the token**: Extract the user information from the token, such as name, email, and object ID and use the token to call the message extension app's own API. For more information on claims reference with details on the claims included in access tokens, see [access token claims](/entra/identity-platform/access-token-claims-reference). +* **Use the token**: Extract the user information from the token, such as name, email, and object ID and use the token to call the message extension app's own API. For more information on claims reference with details on the claims included in access tokens, see [access token claims](/entra/identity-platform/access-token-claims-reference). Next, you configure the scope for access token. ## Update app manifest diff --git a/msteams-platform/tabs/how-to/authentication/tab-sso-register-aad.md b/msteams-platform/tabs/how-to/authentication/tab-sso-register-aad.md index 0f9d550bc2f..412feeb4836 100644 --- a/msteams-platform/tabs/how-to/authentication/tab-sso-register-aad.md +++ b/msteams-platform/tabs/how-to/authentication/tab-sso-register-aad.md 
@@ -42,8 +42,8 @@ It's helpful if you learn about the configuration for registering your app on Mi To create and configure your app in Microsoft Entra ID for enabling SSO: -- [Configure scope for access token.](#configure-scope-for-access-token) - [Configure access token version.](#configure-access-token-version) +- [Configure scope for access token.](#configure-scope-for-access-token) 
@@ -113,6 +113,33 @@ Register your app in Microsoft Entra ID and configure the tenancy and app's plat +### Configure access token version + +You must define the access token version for your app. You can find this configuration in the Microsoft Entra application app manifest. + +#### To configure the access token version + +1. Select **Manage** > **Manifest** from the left pane. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-portal-manifest.png" alt-text="Microsoft Entra admin center Manifest"::: + + The Microsoft Entra application app manifest appears. + +1. Set the `requestedAccessTokenVersion` property to **2**. + + > [!NOTE] + > If you've selected **Personal Microsoft accounts only** or **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (for example, Skype and Xbox)** during app registration, update the value for the `requestedAccessTokenVersion` property as **2**. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-manifest-value.png" alt-text="Value for access token version" lightbox="../../../assets/images/authentication/teams-sso-tabs/azure-manifest-value.png"::: + +1. Select **Save**. + + A message pops up on the browser stating that the app manifest was updated successfully. + + :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Manifest updated message"::: + +After you've verified and configured the version of access token, you must configure its scope. + ### Configure scope for access token After you've created a new app registration, configure scope (permission) options for sending access token to Teams Client, and authorizing trusted client applications to enable SSO. 
@@ -251,35 +278,7 @@ To configure scope and authorize trusted client applications, you need: > [!NOTE] > You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application. -You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, you configure the access token version. - -> [!div class="nextstepaction"] -> [I ran into an issue](https://github.com/MicrosoftDocs/msteams-docs/issues/new?template=Doc-Feedback.yaml&title=%5BI+ran+into+an+issue%5D+To+configure+authorized+client+application&&author=%40surbhigupta&pageUrl=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Ftabs%2Fhow-to%2Fauthentication%2Ftab-sso-register-aad%23to-configure-authorized-client-application&contentSourceUrl=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fmsteams-docs%2Fblob%2Fmain%2Fmsteams-platform%2Ftabs%2Fhow-to%2Fauthentication%2Ftab-sso-register-aad.md&documentVersionIndependentId=52cb5b2e-e1e9-1993-04a0-6925d1453f20&platformId=99c40f58-4ac9-d047-867f-7323665fe4e0&metadata=*%2BID%253A%2Be473e1f3-69f5-bcfa-bcab-54b098b59c80%2B%250A*%2BService%253A%2B%2A%2Amsteams%2A%2A) - -### Configure access token version - -You must define the access token version for your app. This configuration is made in the Microsoft Entra application app manifest. - -#### To define the access token version - -1. Select **Manage** > **Manifest** from the left pane. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-portal-manifest.png" alt-text="Microsoft Entra admin center Manifest"::: - - The Microsoft Entra application app manifest appears. - -1. Enter **2** as the value for the `accessTokenAcceptedVersion` property. 
- - > [!NOTE] - > If you've selected **Personal Microsoft accounts only** or **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (for example, Skype and Xbox)** during app registration, update the value for the `accessTokenAcceptedVersion` property as 2. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/azure-manifest-value.png" alt-text="Value for accepted access token version"::: - -1. Select **Save** - - A message pops up on the browser stating that the app manifest was updated successfully. - - :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Manifest updated message"::: +You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Congratulations! You've completed the app configuration in Microsoft Entra ID required to enable SSO for your tab app.
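Review bot: In the bot-sso-register-aad.md hunk `@@ -280,34 +304,7 @@`, the retained feedback link is now attached to the wrong section. The `> [I ran into an issue]` block that survives carries `title=...To+define+the+access+token+version` and `pageUrl=...%23to-define-the-access-token-version`, but after this change it sits directly under "You've successfully configured app scope, permissions, and client applications", while the link that actually matched that paragraph (`To+configure+authorized+client+application`, anchor `#to-configure-authorized-client-application`) is the one being deleted. Keep the authorized-client-application link here and move the access-token-version link up to the end of the relocated "Configure access token version" section so each feedback issue is filed against the right anchor.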
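Review bot: In the bot-sso-register-aad.md hunk `@@ -667,34 +688,7 @@`, the added sentence "Next, step is to create a client secret for your app next." is ungrammatical and repeats "next"; the wording used in the parallel tab of this same file, "Next, you'll create a client secret for your app.", should be used here too. The same feedback-link mismatch as in the first tab also applies: the surviving `> [I ran into an issue]` block is titled `To+define+access+token+version` with anchor `#to-define-access-token-version`, yet it now follows the authorized-client-application paragraph, while the link for `To+configure+an+authorized+client+application` is removed. Swap them so the link matches the section it closes.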
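Review bot: In the nested-authentication.md hunk `@@ -100,7 +100,7 @@`, changing the fence from ```` ```javascript ```` to ```` ```JavaScript ```` is a style regression rather than a fix: the lowercase identifier is the conventional Markdown info string and is what the rest of this doc set uses, and a mixed-case info string gains nothing for highlighting. Suggest keeping `javascript`, here and in the second code block of this file.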
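Review bot: In the nested-authentication.md hunk `@@ -146,46 +146,46 @@`, the block is re-indented so that it nests under the final list step ("If no account is available, MSAL.js returns an `InteractionRequiredAuthError`..."), but the snippet covers the whole procedure (silent acquisition first, interactive fallback second), so it reads better un-nested after the list, as it was before, with only the fence case left unchanged. While the snippet is being touched, note a logic wart visible in the hunk: in the outer `.catch`, `console.log(error);` runs unconditionally after the `if (error instanceof InteractionRequiredAuthError) { ... }` branch, so the expected, already-handled interaction-required error is logged as if it were a failure. Moving that `console.log(error)` into an `else` branch would make the sample's error handling match its comments.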
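Review bot: In the api-based-microsoft-entra.md hunk `@@ -88,12 +88,32 @@`, the opening sentence "You must ensure the access token version for your app." is incomplete; "ensure" needs an object. Suggest "You must configure the access token version for your app." (matching the heading). The added `> [!NOTE]` is also confusing: step 2 already says "Set the `requestedAccessTokenVersion` property to **2**" for every app, so a note saying to set it to 2 only if certain account types were selected implies the step is conditional when it is not. Either drop the note or reword it to explain why multitenant and personal-account registrations in particular require version 2. Finally, this hunk silently deletes the `> [I ran into an issue]` feedback link for "Register a new app in Microsoft Entra ID" rather than moving it; if that removal is not intentional, restore it at the end of the registration section.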
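Review bot: In the api-based-microsoft-entra.md hunk `@@ -180,6 +200,7 @@`, the added line is a bare `>` immediately after the `> [I ran into an issue](...)` line, which renders as an empty trailing blockquote line under the nextstepaction div. It should be a plain blank line (or removed) so the feedback button block ends cleanly before the "### Configure authorized client application" heading.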
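Review bot: In the api-based-microsoft-entra.md hunk `@@ -218,7 +239,7 @@`, the new closing sentence "Next, you update the app manifest." skips a step. The step list added in the `@@ -33,6 +33,7 @@` hunk of this same file orders the work as Register a new app, Configure access token version, Configure scope for access token, Authenticate token, Update app manifest, so the step that follows configuring the authorized client application is "Authenticate token", not "Update app manifest". Suggest "Next, you authenticate the token." here, with a link to `#authenticate-token`.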
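Review bot: In the api-based-microsoft-entra.md hunk `@@ -268,36 +287,7 @@`, the sentence appended to the "Use the token" bullet, "Next, you configure the scope for access token.", points backwards: scope configuration is completed earlier in this page, and the section that actually follows "Authenticate token" is "## Update app manifest", which is the very next heading in this hunk. Suggest "Next, you update the app manifest." Two follow-ups from removing the Token V1 tab: first, the feedback links in this file still carry `%3Ftabs%3Dtoken-v2` in their `pageUrl`, which refers to a tab that no longer exists and should be dropped from those URLs; second, the deleted V1 sample was the only place the page showed the v1 claim shapes (`"iss": "https://sts.windows.net/{tenantid}/"`, `"aud": "api://..."`). Now that every app is told to set `requestedAccessTokenVersion` to 2, the "Authenticate" bullet should state explicitly that issuer and audience validation must be written against the v2 values shown in the remaining sample, because validation code copied from the old v1 example would reject the tokens this page now produces.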
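Review bot: In the tab-sso-register-aad.md hunk `@@ -113,6 +113,33 @@`, the `> [!NOTE]` under step 2 has the same problem as the equivalent note in api-based-microsoft-entra.md: step 2 already instructs every reader to set `requestedAccessTokenVersion` to **2**, so a conditional note telling them to set it to 2 for personal-account or multitenant registrations reads as if the step applies only to those cases. Either remove the note or reword it to explain that those account types require version 2, which is why the step is unconditional.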
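Review bot: In the tab-sso-register-aad.md hunk `@@ -251,35 +278,7 @@`, the `> [I ran into an issue]` feedback link for "To configure authorized client application" (anchor `#to-configure-authorized-client-application`) is deleted along with the relocated access-token-version section, but unlike the bots file no feedback link remains after the "You've successfully configured app scope, permissions, and client applications" paragraph. Only the access-token-version section was meant to move; restore this link between that paragraph and the "Congratulations!" line so the authorized-client step keeps its feedback entry point.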