-
Notifications
You must be signed in to change notification settings - Fork 199
ZZZ ‐ [Archived] ‐ Manage AAD application in Teams Toolkit
Important
Content in this document has been moved to Teams platform documentation. Please do not refer to or update this document.
This feature is currently under active development. Report any issues to us here.
The Microsoft Entra manifest contains a definition of all the attributes of an Microsoft Entra application object in the Microsoft identity platform.
Teams Toolkit now manages Microsoft Entra application with this manifest file as the source of truth during your Teams application development lifecycles.
In this document, you will learn:
- How to customize the Microsoft Entra application
- How to reference values using placeholders in the Microsoft Entra application manifest template
- How to preview the Microsoft Entra manifest placeholder values with code lens
- How to deploy Microsoft Entra application changes for local development
- How to deploy Microsoft Entra application changes for remote environment
- How to find the Microsoft Entra application in the Azure Portal
- How to use an existing Microsoft Entra application
- Understand Microsoft Entra application in Teams app development lifecycle
User can customize Microsoft Entra manifest template to update Microsoft Entra application.
-
Open
aad.template.json
in your project -
Update the template directly or reference values from another file. Below we have provided several customization scenarios:
-
Follow this instruction to deploy your Microsoft Entra application changes for local environment
-
Follow this instruction to deploy your Microsoft Entra application changes for remote environment.
If your Teams app required more permissions to call API with additional permissions, you need to update requiredResourceAccess
property in the Microsoft Entra manifest template. Here is an example for this property:
"requiredResourceAccess": [
{
"resourceAppId": "Microsoft Graph",
"resourceAccess": [
{
"id": "User.Read", // For Microsoft Graph API, you can also use uuid for permission id
"type": "Scope" // Scope is for delegated permission
},
{
"id": "User.Export.All",
"type": "Role" // Role is for application permission
}
]
},
{
"resourceAppId": "Office 365 SharePoint Online",
"resourceAccess": [
{
"id": "AllSites.Read",
"type": "Scope"
}
]
}
]
-
resourceAppId
property is for different APIs, forMicrosoft Graph
andOffice 365 SharePoint Online
, you can input the name directly instead of uuid, and for other APIs, you need to use uuid. -
resourceAccess.id
property is for different permissions, forMicrosoft Graph
andOffice 365 SharePoint Online
, you can input the permission name directly instead of uuid, and for other APIs, you need to use uuid. -
resourceAccess.type
property is used for delegated permission or application permission.Scope
means delegated permission andRole
means application permission.
You can use preAuthorizedApplications
property to authorize a client application indicates that this API trusts the application and users should not be asked to consent when the client calls this exposed API.
Here is an example for this property:
"preAuthorizedApplications": [
{
"appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
"permissionIds": [
"{{state.fx-resource-aad-app-for-teams.oauth2PermissionScopeId}}"
]
}
...
]
preAuthorizedApplications.appId
property is used for the application you want to authorize. If you doesn't know the application id but only knows the application name, you can go to Azure Portal following this steps to search the application to find the id:
- Go to Azure Portal and open [app registrations(https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)
- Click
All applications
and search the application name - If you find the application that you search for, you can click the application and get the application id from the overview page
Redirect URLs is used when returning authentication responses (tokens) after successfully authenticating. You can customize redirect URLs using property replyUrlsWithType
, for example, if you want to add https://www.examples.com/auth-end.html
as redirect URL, you can add it as below:
"replyUrlsWithType": [
...
{
"url": "https://www.examples.com/auth-end.html",
"type": "Spa"
}
]
Microsoft Entra manifest template file contains placeholder arguments with {{...}}
statements. These statements will be replaced at build time for different environments. With placeholder arguments, you can make references to config file, state file and environment variables.
State file is located in .fx\states\state.xxx.json
(xxx is represent different environment). A typical state file is as below:
{
"solution": {
"teamsAppTenantId": "uuid",
...
},
"fx-resource-aad-app-for-teams": {
"applicationIdUris": "api://xxx.com/uuid",
...
}
...
}
If you want to reference applicationIdUris
value in fx-resource-aad-app-for-teams
property, you can use this placeholder argument in the Microsoft Entra manifest: {{state.fx-resource-aad-app-for-teams.applicationIdUris}}
Config file is located in .fx\configs\config.xxx.json
(xxx is represent different environment). A typical config file is as below:
{
"$schema": "https://aka.ms/teamsfx-env-config-schema",
"description": "description.",
"manifest": {
"appName": {
"short": "app",
"full": "Full name for app"
}
}
}
If you want to reference short
value, you can use this placeholder argument in the Microsoft Entra manifest: {{config.manifest.appName.short}}
Sometimes you may not want to hardcode the values in Microsoft Entra manifest template. For example, when the value is a secret. Microsoft Entra manifest template file supports referencing the values from environment variables. You can use syntax {{env.YOUR_ENV_VARIABLE_NAME}}
in parameter values to tell the tooling that the value needs to be resolved from current environment variable.
Microsoft Entra manifest template file has code lens to help you better review and edit it.
At the beginning of the Microsoft Entra manifest template file, there is a preview codelens. Click this codelens, it will generate Microsoft Entra manifest based on the environment you selected.
Placeholder argument has code lens to help you take quick look of the values for local debug and develop environment. If your mouse hover on the placeholder argument, it will show tooltip box for the values of all the environment.
Different from official Microsoft Entra manifest schema that resourceAppId
and resourceAccess
id in requiredResourceAccess
property only support uuid, Microsoft Entra manifest template in Teams Toolkit also support user readable strings for Microsoft Graph
and Office 365 SharePoint Online
permissions. If you input uuid, codelens will show user readable strings, otherwise, codelens will show uuid.
For preAuthorizedApplications
property, code lens will show the application name for the per-authorized application id.
-
Click
Preview
code lens inaad.template.json
-
Select
local
environment. -
Click
Deploy Microsoft Entra Manifest
code lens inaad.local.json
-
And now the changes for Microsoft Entra app used in local environment will be deployed.
-
Open the command palette and select:
Teams: Deploy Microsoft Entra app manifest
-
Or you can right click on the
aad.template.json
and selectDeploy Microsoft Entra app manifest
from the context menu
-
Copy the Microsoft Entra app client id from
state.xxx.json
(xxx is the environment name that you have deployed the Microsoft Entra app) file in thefx-resource-aad-app-for-teams
property. -
Go to Azure portal and login your M365 account which must same with the account which created Teams app.
-
Open app registrations page, search the Microsoft Entra app using client id which copied from step 1.
-
Click Microsoft Entra app from search result to view the detailed information.
-
In Microsoft Entra app information page, click
Manifest
menu to view manifest of this app. The schema of the manifest is same as the one inaad.template.json
file, for more information about manifest, you can refer this doc. -
You can also click other menu to view or configure Microsoft Entra app through portal.
- Copy the Microsoft Entra app client id from "aad.manifest"
If you want to use existing Microsoft Entra app for your Teams project, you can refer to this doc for more information.
You would interact with Microsoft Entra application during various stages of your Teams app development lifecycle and here is how Teams Toolkit makes it easy.
You can create a project with Teams Toolkit that comes with SSO support by default. Such as SSO-enabled tab
. Refer here for how to create a new Teams app with Teams Toolkit. An Microsoft Entra manifest file will be automatically created for you: templates\appPackage\aad.template.json
. Teams Toolkit will create or update the Microsoft Entra application during local development or when you move your application to the cloud.
If you created a Teams application without SSO built-in, Teams Toolkit can incrementally help you add SSO to your project. As a result, An Microsoft Entra manifest file will be automatically created for you: templates\appPackage\aad.template.json
. Teams Toolkit will create or update the Microsoft Entra application during next local debug session or when you move your application to the cloud.
During local development (known as F5
), Teams Toolkit will:
-
Check if there is an existing Microsoft Entra application by reading the
state.local.json
file. If yes, Teams Toolkit will re-use the existing Microsoft Entra application otherwise we will create a new one using theaad.template.json
file. -
When creating a new Microsoft Entra application with the manifest file, some properties in the manifest file which require additional context (such as
replyUrls
property that requires a local debug endpoint) will be ignored first. -
After the local dev environment startup successfully, the Microsoft Entra application's
identifierUris
,replyUrls
, and other properties which are not available during creation stage will be updated accordingly. -
Changes you made to your Microsoft Entra application will be loaded during next local debug session. Optionally you can follow this instruction if you want to manually apply Microsoft Entra application changes.
When moving your application to the cloud, you would need to provision cloud resources and deploy your application. At these stages, like local development, Teams Toolkit will:
-
Check if there is an existing Microsoft Entra application by reading
state.{env}.json
file. If yes, Teams Toolkit will re-use the existing Microsoft Entra application otherwise we will create a new one using theaad.template.json
file. -
When creating a new Microsoft Entra application with the manifest file, some properties in the manifest file which require additional context (such as
replyUrls
property requires frontend or bot endpoint) will be ignored first. -
After other resources provision completes, the Microsoft Entra application's
identifierUris
andreplyUrls
will be updated accordingly to the correct endpoints.
-
Deploy to the cloud
command will deploy your application to the provisioned resources. This will not include deploying Microsoft Entra application changes you made. - You can follow this instruction to deploy Microsoft Entra application changes for remote environment
- Teams Toolkit will update the Microsoft Entra application according to the Microsoft Entra manifest template file.
Please note, when deploying Microsoft Entra application for remote environment, you need to trigger provision first.
-
Not all the properties listed in Microsoft Entra manifest schema are supported in Teams Toolkit extension, this tab show the properties that are not supported:
Not supported properties Reason passwordCredentials Not allowed in manifest createdDateTime Readonly and cannot change logoUrl Readonly and cannot change publisherDomain Readonly and cannot change oauth2RequirePostResponse Doesn't exist in Graph API oauth2AllowUrlPathMatching Doesn't exist in Graph API samlMetadataUrl Doesn't exist in Graph API orgRestrictions Doesn't exist in Graph API certification Doesn't exist in Graph API -
Currently
requiredResourceAccess
property can use user readable resource app name or permission name strings only forMicrosoft Graph
andOffice 365 SharePoint Online
APIs. For other APIs, you need to use uuid instead. You can follow these steps retrieve ids from Azure Portal:- Register a new Microsoft Entra application on Azure Portal.
- Click
API permissions
from the Microsoft Entra application page. - Click
Add a permission
to add the permission you want. - Click
Manifest
, from therequiredResourceAccess
property, you can find the ids of API and permissions.
Build Custom Engine Copilots
- Build a basic AI chatbot for Teams
- Build an AI agent chatbot for Teams
- Expand AI bot's knowledge with your content
Scenario-based Tutorials
- Send notifications to Teams
- Respond to chat commands in Teams
- Respond to card actions in Teams
- Embed a dashboard canvas in Teams
Extend your app across Microsoft 365
- Teams tabs in Microsoft 365 and Outlook
- Teams message extension for Outlook
- Add Outlook Add-in to a Teams app
App settings and Microsoft Entra Apps
- Manage Application settings with Teams Toolkit
- Manage Microsoft Entra Application Registration with Teams Toolkit
- Use an existing Microsoft Entra app
- Use a multi-tenant Microsoft Entra app
Configure multiple capabilities
- How to configure Tab capability within your Teams app
- How to configure Bot capability within your Teams app
- How to configure Message Extension capability within your Teams app
Add Authentication to your app
- How to add single sign on in Teams Toolkit for Visual Studio Code
- How to enable Single Sign-on in Teams Toolkit for Visual Studio
Connect to cloud resources
- How to integrate Azure Functions with your Teams app
- How to integrate Azure API Management
- Integrate with Azure SQL Database
- Integrate with Azure Key Vault
Deploy apps to production