Share via

Need Help Implementing SSO for Teams Bot Using User-Assigned Managed Identity + Federated Credentials (Python Agent SDK)

Anand Kumar (MAQ LLC) 20 Reputation points Microsoft External Staff
2025-12-03T15:11:13.7666667+00:00

Hi Community,

I need help completing SSO integration for a Microsoft Teams bot that uses User-Assigned Managed Identity (UAMI) instead of a traditional App Registration client secret/certificate.

What I have done so far

  • Created a Teams bot whose bot identity = User Assigned Managed Identity

Connected the bot to Teams using the manifest file

Deployed backend (Python, Agent SDK, Bot Framework) to Azure App Service

Since client secrets & certificates are not allowed in my tenant, I created an Azure App Registration only for SSO

Under Authentication → added Federated Credentials

Configured OAuth Connection in Azure Bot Channel Registration → Test Connection works, token is issued successfully

Everything works until this point.

Where I am stuck

1. How do I integrate OAuth SSO token into my Python backend (Agent SDK + Bot Framework)?

Since I am not using a traditional App Registration for the bot, I’m not sure how to integrate the federated-credential–based OAuth flow inside the bot logic.

Is there any Python sample/repo where federated credentials + Teams SSO + Agent SDK have been implemented?

How should the bot verify the token and request Graph API on behalf of the user?

2. Do I need to expose an API in the App Registration?

My tenant raises a security alert if any API is exposed,

Is it possible to complete SSO without exposing API permissions in the App Registration?

User's image

3. Do I need to modify the Teams Manifest?

I’m unsure if something must be added to enable SSO with federated credentials, such as:

webApplicationInfo.resource

webApplicationInfo.id

or any additional SSO-related entries for bots

Currently my manifest only contains basic bot configuration.

What I need clarity on

Correct backend implementation pattern for federated credentials SSO with Python Agent SDK

Whether API permissions are mandatory

Required manifest changes (if any)

Any official documentation, GitHub samples, or guidance would be extremely helpful. Thanks in advance!

Azure AI Bot Service
Azure AI Bot Service
An Azure service that provides an integrated environment for bot development.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Gowtham CP 7,005 Reputation points Volunteer Moderator
    2025-12-12T09:23:47.2933333+00:00

    Hi Anand Kumar (MAQ LLC),

    Thanks for the question.

    How to use the OAuth SSO token in your Python backend The bot should use the Bot Framework’s built-in OAuth flow. In your code, retrieve the user token through OAuthPrompt or get_user_token tied to your OAuth Connection. This gives you the delegated access token you can use with Microsoft Graph. Reference (Python SSO sample): https://xtls-v4.hkg1.meaqua.org/en-us/samples/officedev/microsoft-teams-samples/officedev-microsoft-teams-samples-bot-conversation-sso-quickstart-python/

    Do you need to expose an API in the App Registration? No. For Teams SSO, you only need delegated Graph permissions on the App Registration used by your OAuth Connection. Exposing an API isn’t required unless another application needs to call your bot.

    Do you need manifest changes? Yes. Add webApplicationInfo to your Teams manifest with the App Registration’s client ID and resource identifier. This is what enables SSO for the bot. Reference: https://xtls-v4.hkg1.meaqua.org/en-us/microsoftteams/platform/bots/how-to/authentication/bot-sso-manifest

    I hope this helps.

    If the answer is useful, please accept and upvote it to close the thread. Thanks.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.