Update app manifest for SSO and preview your app

Before you update app manifest (previously called Teams app manifest), ensure that you configure the code to enable single sign-on (SSO) in your app.

You've registered your app and bot resource in Microsoft Entra ID. You've also configured code to handle tokens. Now, you must update the app manifest to enable SSO for your app. The app manifest describes how an app integrates into Teams.

webApplicationInfo property

Configure the webApplicationInfo property in the app manifest file. This property enables SSO for your app to help app users access your bot app seamlessly.

webApplicationInfo has two elements, id and resource.

The application ID URI that you registered in Microsoft Entra ID is configured with the scope of the API you exposed. Configure your app's subdomain URI in resource to ensure that the authentication request using getAuthToken() is from the ___domain given in app manifest.

For more information, see webApplicationInfo.

To configure app manifest

1. Open the app project.

2. Open the app manifest folder.

   Note

   • The app manifest folder should be at the root of your project. For more information, see Create a Microsoft Teams app package.
   • For more information on learning how to create a manifest.json, see the app manifest schema for Microsoft Teams.

3. Open the manifest.json file.

4. Add one of the following code snippets to the app manifest file to add the new property:

   • If your app has a standalone bot, add the following code snippet:

     "webApplicationInfo": 
     {
     "id": "{Azure AD AppId}",
     "resource": "api://botid-{Azure AD AppId}"
     }
     

   • If your app contains a bot and a tab, add the following code snippet:

     "webApplicationInfo": 
     {
     "id": "{Azure AD AppId}",
     "resource": "api://subdomain.example.com/botid-{Azure AD AppId}"
     }
     

     where,

     • {Azure AD AppId} is the app ID you created when you registered your app in Microsoft Entra ID. It's the GUID.
     • subdomain.example.com is the application ID URI that you registered when creating scope in Microsoft Entra ID.

5. Update the app ID from Microsoft Entra ID in the id property.

6. Update the subdomain URL in the following properties:

   1. contentUrl
   2. configurationUrl
   3. validDomains

   Note

   To handle authentication and token exchange, add https://token.botframework.com to the validDomains property for bots using Bot Framework. For OAuth URLs and data residency list, see OAuth URL support in Azure AI Bot Service.

7. Save the app manifest file. For more information, see app manifest.

{
  "$schema": "https://developer.microsoft.com/json-schemas/teams/v1.7/MicrosoftTeams.schema.json",
  "manifestVersion": "1.7",
  "version": "1.0",
  "id": "00000000-0000-0000-0000-000000000000",
  "packageName": "com.microsoft.teams.samples.auth",
  "developer": {
    "name": "Your Name Here",
    "websiteUrl": "https://www.example.com",
    "privacyUrl": "https://www.example.com/PrivacyStatement",
    "termsOfUseUrl": "https://www.example.com/TermsOfUse"
  },
  "name": {
    "short": "Teams AuthBot"
  },
  "description": {
    "short": "Authentication sample for Microsoft Teams",
    "full": "Authentication sample for Microsoft Teams"
  },
  "icons": {
    "outline": "outline.png",
    "color": "color.png"
  },
  "accentColor": "#F3F4F6",
  "configurableTabs": [

  ],
  "staticTabs": [
    {
      "contentUrl": "https://<<BASE_URI_DOMAIN>>/tab/simple",
      "entityId": "simpleAuth",
      "name": "Simple Auth",
      "scopes": [
        "personal"
      ]
    },
    {
      "contentUrl": "https://<<BASE_URI_DOMAIN>>/tab/silent?loginHint={loginHint}&userObjectId={userObjectId}&tenantId={tid}",
      "entityId": "silentAuth",
      "name": "Silent Auth",
      "scopes": [
        "personal"
      ]
    },
    {
      "contentUrl": "https://<<BASE_URI_DOMAIN>>/tab/sso",
      "entityId": "ssoAuth",
      "name": "SSO Auth",
      "scopes": [
        "personal"
      ]
    }
  ],
  "bots": [
    {
      "botId": "<<REGISTERED_BOT_ID>>",
      "scopes": [
        "personal"
      ]
    }
  ],
  "permissions": [
    "messageTeamMembers",
    "identity"
  ],
  "validDomains": [
    "<<BASE_URI_DOMAIN>>",
    "token.botframework.com"
  ],
  "webApplicationInfo": {
      "id": "<<REGISTERED_BOT_ID>>",
      "resource": "api://<<BASE_URI_DOMAIN>>/<<REGISTERED_BOT_ID>>"
  }
}

Upload a custom app and Preview in Teams

You've configured the app to enable SSO. You can now upload your custom app in Teams and preview it in Teams environment.

To preview your app in Teams:

1. Create an app package.

   The app package is a zip file that contains the app manifest file and app icons.

2. Open Teams.

3. Select Apps > Manage your apps > Upload an app.

   The options to upload an app appear.

4. Select Upload a custom app to upload your custom app into Teams.

5. Select your app package zip file, and then select Add.

   The custom app is uploaded. The consent dialog appears to inform you of the permissions that might be required.

6. Select Continue.

   

Teams opens the app and you can use it.

Congratulations! You've enabled SSO for your bot or message extension app.

SSO support in Developer Portal

You can import your SSO-enabled app in Developer Portal for Teams. For more information, see import an existing app. To enable SSO support for your app in Developer Portal after you import it, follow these steps:

1. Go to Developer Portal.

2. Select Apps, and from the list that appears, select your app.

3. Go to Configure > Single sign-on.

4. Under Application ID URI, enter the messaging endpoint you configured as the endpoint address in Microsoft Entra ID.

   

5. Select Save.

Developer Portal now supports SSO for your app.