Forum Discussion
SSO for a Python Teams Bot (M365 Agents SDK + FastAPI) — Single-Tenant, Multi-Tenant, and UAMI
We're building, a Teams bot (Python / FastAPI) that uses the M365 Agents SDK (microsoft-agents-hosting-fastapi + microsoft-agents-authentication-msal, v0.8.0) with a CloudAdapter and MsalConnectionManager. The bot is currently scoped to personal only and runs behind an Azure Bot resource.
We are trying to implement SSO to authenticate users, so far we are not successful. The main blocker is that we failed to authenticate users from tenant different than the Azure Bot resource of our app.
If anyone has successfully managed to authenticate users on Teams using a setup similar than ours please do share your experience. We would love to learn from your experience.
So far this was our main source of documentation:
https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/bot-sso-overview
Many thanks
1 Reply
Nivedipa-MSFTMicrosoft
Hello seydou -
Most likely cause: Your Azure AD app or Bot OAuth connection is set up for a single tenant instead of multi-tenant.
Key fixes:
- App registration: Change supported account types to Multitenant
- Bot OAuth connection: Set Tenant ID to common rather than a specific tenant ID
- Token Exchange URL: Use api://botid-{your-bot-id}
- MSAL authority in Python: https://login.microsoftonline.com/common
- Authorized client apps under "Expose an API": Include Teams client IDs (1fec8e78-bce4-4aaf-ab1b-5451cc387264 and 5e3ce6c0-2b1f-4285-8d4b-75ee78787346)
- External tenant admins may need to give consent using the admin consent URL
Quick test: If SSO works for users in the same tenant but not for external users, it's likely that the tenant ID is hardcoded instead of set to common.