
Teams Integration works if I turn off Azure auth, which is how SSO works....

Eric_Evans Member IT Monkey ✭

Is there a way to make the Teams integration work when our public URL is an app proxy with Azure preauth turned on for SSO, or is there a better way of doing Azure SSO that will work with Teams integration? When I turn off Azure preauth, the Teams bot works but SSO breaks, and we'll need SSO to work.

Answers

  • Thomas_Vielhaber Customer IT Monkey ✭

    I am facing the same issue: the Teams Bot won't interact through Azure App Proxy with preauth. I would appreciate a solution for that. Thanks in advance.

  • Shane_White Cireson Support Super IT Monkey ✭✭✭✭✭

    Hi @Thomas_Vielhaber, could you raise a support ticket for this issue if you haven't already, please?

  • james_kleinschnitz Cireson Dev, Product Owner Advanced IT Monkey ✭✭✭

    From Microsoft:

    "Azure Proxy requires the incoming call to the bot to be authenticatable with an AAD application and using a user identity. For incoming calls to the bot, Azure Bot Service does not use a user-configurable AAD application (channel services such as Direct Line use an Azure Bot Service owned AAD application and a certificate to create the service to service authentication token). The end result is that a bot cannot be configured to run behind Azure Proxy directly as it will never be able to receive the calls that Azure Proxy could authenticate (because like I said services only use a single, fixed way of creating an auth header). What you'd need to do is create the bot outside of the Azure Proxy, and have the bot make calls to Azure Proxy to access on-premise resources (you could use a bot to bot communication where one bot outside of the proxy receives the messages from channels, and then this bot calls another bot behind the Azure Proxy...using the appropriate developer controlled auth mechanism).


    I don't have any timeline on Azure Bot Service supporting Azure Proxy directly, so using one of the workarounds would be the way to go."


    Configuring App Proxy with passthrough will work, but I understand that may not be a viable solution for some. Based on the fact that MS is telling us to use a workaround, I guess my question to y'all would be: what type of configuration are you looking for us to support, and what would you consider to be acceptable workarounds?
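
The mismatch described in the Microsoft quote above, as an added example that is not part of the thread and is not Cireson or Microsoft code: a simplified, hypothetical model of a pre-authenticating proxy that only passes tokens issued by the tenant for a user identity, run against a constructed bot-channel call and a constructed user call. The issuer strings, tenant ID, claim names and function names are assumptions chosen for illustration; the tokens are unsigned and decoded without verification, so this is a diagnostic sketch, not a validator.

```python
import base64
import json

# Constructed sample values (assumptions, not taken from the thread).
TENANT_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
BOT_SERVICE_ISSUER = "https://api.botframework.com"
USER_CLAIMS = ("upn", "preferred_username", "unique_name")


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


def read_claims(authorization: str) -> dict:
    """Decode a Bearer JWT payload without verifying it (diagnostic only)."""
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        raise ValueError("not a Bearer JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def preauth_verdict(authorization) -> str:
    """Hypothetical model of the proxy's decision for one incoming call."""
    if not authorization:
        return "blocked: no token"
    try:
        claims = read_claims(authorization)
    except ValueError:
        return "blocked: unreadable token"
    if claims.get("iss") != TENANT_ISSUER:
        return "blocked: token not issued by the tenant"
    if not any(name in claims for name in USER_CLAIMS):
        return "blocked: no user identity in token"
    return "passed: tenant user token"


# Constructed requests: the channel's call to the bot, and a signed-in user.
BOT_CALL = "Bearer " + make_sample_token({"iss": BOT_SERVICE_ISSUER, "aud": "bot-app-id"})
USER_CALL = "Bearer " + make_sample_token({"iss": TENANT_ISSUER, "upn": "user@example.com"})

for label, call in (("bot", BOT_CALL), ("user", USER_CALL), ("anonymous", None)):
    print(f"{label:10} {preauth_verdict(call)}")
```

Running the same check against the claims of a real inbound request captured at the bot endpoint shows which of the two token shapes the channel is sending.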
