MicrosoftDocs · v-shalinir · Mar 20, 2025 · Mar 20, 2025 · Mar 20, 2025 · Mar 20, 2025
diff --git a/...s-platform/assets/images/authentication/teams-sso-bots/azure-manifest-value.png b/...s-platform/assets/images/authentication/teams-sso-bots/azure-manifest-value.png
diff --git a/...s-platform/assets/images/authentication/teams-sso-tabs/azure-manifest-value.png b/...s-platform/assets/images/authentication/teams-sso-tabs/azure-manifest-value.png
diff --git a/msteams-platform/assets/images/messaging-extension/api-me-access-token.png b/msteams-platform/assets/images/messaging-extension/api-me-access-token.png
diff --git a/msteams-platform/assets/images/tabs/3.png b/msteams-platform/assets/images/tabs/3.png
diff --git a/msteams-platform/bots/how-to/authentication/bot-sso-register-aad.md b/msteams-platform/bots/how-to/authentication/bot-sso-register-aad.md
@@ -69,8 +69,8 @@ To enable SSO for your app in Microsoft Entra ID:
 
 * **[Configure messaging endpoint](#configure-messaging-endpoint)**
 * **[Configure SSO for Microsoft Entra app](#configure-sso-for-azure-ad-app)**:
-  * [Configure scope for the access token](#configure-scope-for-the-access-token)
   * [Configure access token version](#configure-access-token-version)
+  * [Configure scope for the access token](#configure-scope-for-the-access-token)
   * [Create client secret](#create-client-secret)
   * [Configure redirect URL](#configure-redirect-url)
 * **[Configure OAuth connection](#configure-oauth-connection)**
@@ -111,6 +111,30 @@ You've configured the messaging endpoint for your bot resource. Next, you must e
 
 You must configure permissions and scopes, authorize client applications, update app manifest (previously called Teams app manifest), and create client secret for your Microsoft Entra app. These configurations help to invoke SSO for your bot app.
 
+### Configure access token version
+
+You must define the access token version for your app in the Microsoft Entra app manifest.
+
+#### To define the access token version
+
+1. Select **Manage** > **Manifest** from the left pane.
+
+    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." :::
+
+    The Microsoft Entra app manifest appears.
+
+1. Set the `requestedAccessTokenVersion` property to **2**.
+
+    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for access token version." lightbox="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png":::
+
+1. Select **Save**.
+
+    A message appears on the browser stating that the app manifest was updated successfully.
+
+    :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message.":::
+
+You've updated the access token version. Next, you'll configure the scope of the access token.
+
 ### Configure scope for the access token
 
 Configure scope (permission) options for sending access token to Teams client and authorizing trusted client applications to enable SSO.
@@ -270,31 +294,7 @@ The scope and permissions are now configured. Next, you must configure the autho
     > [!NOTE]
     > You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application.
 
-You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, you configure the access token version.
-
-### Configure access token version
-
-You must define the access token version for your app in the Microsoft Entra app manifest.
-
-#### To define the access token version
-
-1. Select **Manage** > **Manifest** from the left pane.
-
-    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." :::
-
-    The Microsoft Entra app manifest appears.
-
-1. Enter **2** as the value for the `accessTokenAcceptedVersion` property.
-
-    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for accepted access token version." :::
-
-1. Select **Save**.
-
-    A message appears on the browser stating that the app manifest was updated successfully.
-
-    :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message.":::
-
-You've updated the access token version. Next, you'll create a client secret for your app.
+You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, you'll create a client secret for your app.
 
 ### Create client secret
 
@@ -462,8 +462,8 @@ Congratulations! You've completed the following app configurations in Microsoft
 To create and configure your app for enabling SSO in Microsoft Entra ID:
 
 * [**Configure your Microsoft Entra app for SSO**](#configure-your-azure-ad-app-for-sso)
-  * [Configure scope for access token](#configure-scope-for-access-token)
   * [Configure the access token version](#configure-the-access-token-version)
+  * [Configure scope for access token](#configure-scope-for-access-token)
   * [Create client secret for your app](#create-client-secret-for-your-app)
   * [Configure redirect URL for your app](#configure-redirect-url-for-your-app)
 * [**Configure bot resource in Microsoft Entra ID**](#configure-bot-resource-in-azure-ad)
@@ -479,6 +479,30 @@ You must configure permissions and scopes, authorize client applications, update
 > [!IMPORTANT]
 > Ensure that you've [registered your app](../../../tabs/how-to/authentication/tab-sso-register-aad.md#to-register-a-new-app-in-azure-ad) in Microsoft Entra ID. At registration, Microsoft Entra ID generates a new app ID that you must note. You'll need to update it later in the app manifest file.
 
+### Configure the access token version
+
+You must define the access token version for your app in the Microsoft Entra app manifest.
+
+#### To define access token version
+
+1. Select **Manage** > **Manifest** from the left pane.
+
+    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." :::
+
+    The Microsoft Entra app manifest appears.
+
+1. Set the `requestedAccessTokenVersion` property to **2**.
+
+    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for access token version." lightbox="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png":::
+
+1. Select **Save**.
+
+    A message appears on the browser stating that the app manifest was updated successfully.
+
+    :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message.":::
+
+You've updated the access token version. Next, you'll configure the scope for access token.
+
 ### Configure scope for access token
 
 You must configure scope (permission) options for your Microsoft Entra app. You need it for sending access token to Teams client and authorize trusted client applications.
@@ -636,31 +660,7 @@ The scope and permissions are now configured. Next, you must configure the autho
     > [!NOTE]
     > You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application.
 
-You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, you configure the access token version.
-
-### Configure the access token version
-
-You must define the access token version for your app in the Microsoft Entra app manifest.
-
-#### To define access token version
-
-1. Select **Manage** > **Manifest** from the left pane.
-
-    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-portal-manifest.png" alt-text="Screenshot shows the Microsoft Entra admin center Manifest." :::
-
-    The Microsoft Entra app manifest appears.
-
-1. Enter **2** as the value for the `accessTokenAcceptedVersion` property.
-
-    :::image type="content" source="../../../assets/images/authentication/teams-sso-bots/azure-manifest-value.png" alt-text="Screenshot shows the Value for accepted access token version." :::
-
-1. Select **Save**.
-
-    A message appears on the browser stating that the app manifest was updated successfully.
-
-    :::image type="content" source="../../../assets/images/authentication/teams-sso-tabs/update-aad-manifest-msg.png" alt-text="Screenshot shows the Manifest updated message.":::
-
-You've updated the access token version. Next step is to create a client secret for your app next.
+You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the application ID URI. Next, step is to create a client secret for your app next.
 
 ### Create client secret for your app
 

diff --git a/msteams-platform/concepts/authentication/nested-authentication.md b/msteams-platform/concepts/authentication/nested-authentication.md
@@ -100,7 +100,7 @@ For more information on upgrading your Teams app to run in Outlook and Microsoft
 
 Initialize MSAL and get an instance of the public client app to get access tokens, when needed.
 
-```javascript
+```JavaScript
 import {
   AccountInfo,
   IPublicClientApplication,
@@ -146,46 +146,46 @@ To acquire a token, follow these steps:
 
 1. If no account is available, MSAL.js returns an `InteractionRequiredAuthError`. Call `publicClientApplication.acquireTokenPopup(accessTokenRequest)` to display an interactive dialog for the user. `acquireTokenSilent` can fail if the token expired or if the user didn't consent to all the requested scopes.
 
-The following code snippet shows an example to access a token:
-
-```javascript
-
-  // MSAL.js exposes several account APIs, logic to determine which account to use is the responsibility of the developer
-  const account = publicClientApplication.getActiveAccount();
-
-  const accessTokenRequest = {
-  scopes: ["user.read"],
-  account: account,
-  };
-
-  publicClientApplication
-    .acquireTokenSilent(accessTokenRequest)
-    .then(function (accessTokenResponse) {
-      // Acquire token silent success
-      let accessToken = accessTokenResponse.accessToken;
-      // Call your API with token
-      callApi(accessToken);
-    })
-    .catch(function (error) {
-      //Acquire token silent failure, and send an interactive request
-      if (error instanceof InteractionRequiredAuthError) {
-        publicClientApplication
-          .acquireTokenPopup(accessTokenRequest)
-          .then(function (accessTokenResponse) {
-            // Acquire token interactive success
-            let accessToken = accessTokenResponse.accessToken;
-            // Call your API with token
-            callApi(accessToken);
-          })
-          .catch(function (error) {
-            // Acquire token interactive failure
-            console.log(error);
-          });
-      }
-      console.log(error);
-    });
-
-```
+    The following code snippet shows an example to access a token:
+
+    ```JavaScript
+    
+      // MSAL.js exposes several account APIs, logic to determine which account to use is the responsibility of the developer
+      const account = publicClientApplication.getActiveAccount();
+    
+      const accessTokenRequest = {
+      scopes: ["user.read"],
+      account: account,
+      };
+    
+      publicClientApplication
+        .acquireTokenSilent(accessTokenRequest)
+        .then(function (accessTokenResponse) {
+          // Acquire token silent success
+          let accessToken = accessTokenResponse.accessToken;
+          // Call your API with token
+          callApi(accessToken);
+        })
+        .catch(function (error) {
+          //Acquire token silent failure, and send an interactive request
+          if (error instanceof InteractionRequiredAuthError) {
+            publicClientApplication
+              .acquireTokenPopup(accessTokenRequest)
+              .then(function (accessTokenResponse) {
+                // Acquire token interactive success
+                let accessToken = accessTokenResponse.accessToken;
+                // Call your API with token
+                callApi(accessToken);
+              })
+              .catch(function (error) {
+                // Acquire token interactive failure
+                console.log(error);
+              });
+          }
+          console.log(error);
+        });
+    
+    ```
 
 ### Call an API
 

diff --git a/msteams-platform/messaging-extensions/api-based-microsoft-entra.md b/msteams-platform/messaging-extensions/api-based-microsoft-entra.md
@@ -33,8 +33,9 @@ The following image shows how SSO works when a Teams app user attempts to access
 To enable SSO authentication for API-based message extension, follow these steps:
 
 * [Register a new app in Microsoft Entra ID](#register-a-new-app-in-microsoft-entra-id).
+* [Configure access token version](#configure-access-token-version).
 * [Configure scope for access token](#configure-scope-for-access-token).
-* [Authenticate token](#authenticate-token).
+* [Authenticat.e token](#authenticate-token).
 * [Update app manifest](#update-app-manifest).
 
 ## Register a new app in Microsoft Entra ID
@@ -87,9 +88,32 @@ To enable SSO authentication for API-based message extension, follow these steps
 
     Your app is registered in Microsoft Entra ID. You now have the app ID for your API-based message extension app.
 
+## Configure access token version
+
+You must ensure the access token version for your app. You can find this configuration in the Microsoft Entra application app manifest.
+
+### To configure the access token version
+
+1. Select **Manage** > **Manifest** from the left pane.
+
+    The Microsoft Entra application app manifest appears.
+
+1. Set the `requestedAccessTokenVersion` property to **2**.
+
+    :::image type="content" source="../assets/images/messaging-extension/api-me-access-token.png" alt-text="Image shows how to configure access token version." lightbox="../assets/images/messaging-extension/api-me-access-token.png":::
+
+    > [!NOTE]
+    > If you've selected **Personal Microsoft accounts only** or **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (for example, Skype and Xbox)** during app registration, update the value for the `requestedAccessTokenVersion` property as **2**.
+
+1. Select **Save**.
+
+    A message pops up on the browser stating that the app manifest was updated successfully.
+
+After you've verified and configured the version of access token, you must configure its scope.
+
 ## Configure scope for access token
 
-After you've created a new app registration, configure scope (permission) options for sending access token to Teams client, and authorizing trusted client applications to enable SSO.
+After you configure the access token version, configure scope (permission) options for sending access token to Teams client, and authorizing trusted client applications to enable SSO.
 
 To configure scope and authorize trusted client applications, you must:
 
@@ -209,11 +233,11 @@ To configure scope and authorize trusted client applications, you must:
 > [!NOTE]
 > You can authorize more than one client application. Repeat the steps of this procedure for configuring another authorized client application.
 
-You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the app ID URI. Next, you configure the access token version.
+You've successfully configured app scope, permissions, and client applications. Ensure that you note and save the app ID URI. Next, you update the app manifest.
 
 ## Authenticate token
 
-When the message extension calls the API during authentication, it receives a request with the user’s access token. The message extension then adds the token in the authorization header of the outgoing HTTP request. The header format is `Authorization: Bearer <token_value>`. For example, when a message extension makes an API call to a service that requires authentication. The extension constructs an HTTP request as follows:
+After you've created a new app registration, you must configure the scope of access token. When the message extension calls the API during authentication, it receives a request with the user’s access token. The message extension then adds the token in the authorization header of the outgoing HTTP request. The header format is `Authorization: Bearer <token_value>`. For example, when a message extension makes an API call to a service that requires authentication. The extension constructs an HTTP request as follows:
 
 ```http
 GET /api/resource HTTP/1.1
@@ -225,9 +249,7 @@ After the API-based message extension gets a request header with token, perform
 
 * **Authenticate**: Verify the token for the audience, scope, issuer, and signature claims to check if the token is for your app. For more claims, see [ID token claims](/entra/identity-platform/access-tokens#validate-tokens).
 
-  The following example shows the JSON Web Token (JWT) with a header and response:
-
-  # [Token V2](#tab/token-v2)
+  The following example shows the JSON Web Token (JWT) V2 with a header and response:
 
   ```json
   {
@@ -256,36 +278,7 @@ After the API-based message extension gets a request header with token, perform
     }
   ```
 
-  # [Token V1](#tab/token-v1)
-
-  ```json
-  {
-  "typ": "JWT",
-  "rh": "0.AhoAv4j5cvGGr0GRqy180BHbR6Rnn7s7iddIqxdA7UZsDxYaABY.",
-  "alg": "RS256",
-  "kid": "q-23falevZhhD3hm9CQbkP5MQyU"
-  }.{
-    "aud": "api://00000002-0000-0000-c000-000000000000",
-    "iss": "https://sts.windows.net/{tenantid}/",
-    "iat": 1537231048,
-    "nbf": 1537231048,
-    "exp": 1537234948,
-    "acr": "1",
-    "aio": "AXQAi/8IAAAA",
-    "amr": ["pwd"],
-    "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
-    "appidacr": "0",
-    "ipaddr": "192.168.1.1",
-    "name": "John Doe",
-    "oid": "00000000-0000-0000-0000-000000000000",
-    "scp": "access_as_user",
-    "sub": "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy782bbtaQ",
-    "tid": "12345678-aaaa-bbbb-cccc-9876543210ab",
-    "uti": "fqiBqXLPj0eQa82S-IYFAA",
-    }
-  ```
-
-* **Use the token**: Extract the user information from the token, such as name, email, and object ID and use the token to call the message extension app's own API. For more information on claims reference with details on the claims included in access tokens, see [access token claims](/entra/identity-platform/access-token-claims-reference).
+* **Use the token**: Extract the user information from the token, such as name, email, and object ID and use the token to call the message extension app's own API. For more information on claims reference with details on the claims included in access tokens, see [access token claims](/entra/identity-platform/access-token-claims-reference). Next, you configure the scope for access token.
 
 ## Update app manifest