update-bot-me-app-to-use-certificate-or-msi-for-authentication.md

File metadata and controls

223 lines (140 loc) · 7.86 KB
---
title: Update bot or message extension app to use certificate or MSI for authentication
author: surbhigupta
description: Learn how to update bot or message extension app to use certificate or MSI for authentication.
ms.topic: conceptual
ms.author: surbhigupta
ms.localizationpriority: high
---

# Update bot or message extension app to use certificate or MSI for authentication

You can authenticate your bot app with a certificate or with a managed identity (MSI) instead of a bot ID and client secret. A client secret is a long-lived, copyable credential that has to be stored, rotated, and kept out of source control; replacing it with a certificate whose private key never leaves your host, or with a managed identity that has no credential to store at all, resolves the compliance concerns related to keeping a Microsoft Entra ID client secret for the bot.

## Prerequisites

Ensure that you have a Teams bot app deployed to Azure with the following resources:

  • An Azure Bot resource.
  • A Microsoft Entra app registration with a client secret that the bot currently uses for authentication.
  • A resource that hosts your bot app, such as Azure App Service or Azure Functions.

To update your bot app to use certificate-based authentication:

  1. Create and upload a certificate in Microsoft Entra ID
  2. Update the bot app code
  3. Delete the bot secret

## Create and upload certificate in Microsoft Entra ID

To use a certificate for bot authentication:

  1. Prepare a certificate and its private key, for example one issued by your CA or, for testing, a self-signed one. Keep the private key in a secure store such as Azure Key Vault or the hosting resource's configuration; only the public certificate is uploaded in the following steps.

  2. Go to Azure portal.

  3. Select App registrations.

    :::image type="content" source="../assets/images/include-files/azure-app-registration.png" alt-text="Screenshot shows the Azure services to select App registrations.":::

  4. Select your registered app.

  5. In the left pane, under Manage, select Certificates & secrets.

  6. Under Certificates, select Upload certificate.

    :::image type="content" source="../assets/images/teams-toolkit-v2/certificates-secrets.png" alt-text="Screenshot shows the certificates and secrets option.":::

    The Upload a certificate window appears.

    > [!NOTE]
    > Upload only the certificate's public part, as a .cer, .pem, or .crt file; the private key never goes into the portal. After the upload, the Certificates list shows the certificate's thumbprint, which is the value your bot code refers to.

  7. Upload the certificate you prepared.

  8. Enter Description.

  9. Select Add.

    :::image type="content" source="../assets/images/teams-toolkit-v2/upload-certificate.png" alt-text="Screenshot shows the upload certificate option.":::

## Update the bot app code

Follow the steps to update the bot app code:

  1. Open your bot app project in Visual Studio or Visual Studio Code.

  2. Update your code.

     JavaScript:

     ```javascript
     const {
       CloudAdapter,
       ConfigurationBotFrameworkAuthentication,
       ConfigurationServiceClientCredentialFactory,
     } = require('botbuilder');

     // Certificate credentials: the public certificate is uploaded to the app
     // registration; the private key stays with the bot. Load the key from a
     // secure store (Key Vault or an environment variable) rather than
     // hard-coding it in source.
     const credentialsFactory = new ConfigurationServiceClientCredentialFactory({
       MicrosoftAppId: config.botId,                    // app (client) ID of the registration
       CertificatePrivateKey: '{your private key}',     // PEM-encoded private key
       CertificateThumbprint: '{your cert thumbprint}', // thumbprint shown in the portal
       MicrosoftAppType: "MultiTenant",
     });

     const botFrameworkAuthentication = new ConfigurationBotFrameworkAuthentication(
       {},
       credentialsFactory
     );

     const adapter = new CloudAdapter(botFrameworkAuthentication);
     ```

     C#:

     ```csharp
     using System.Security.Cryptography.X509Certificates;
     using Microsoft.Bot.Connector.Authentication;

     // The first argument is the X509Certificate2 that includes the private key
     // (for example, loaded from a PFX or from Key Vault); the second is the
     // app (client) ID of the Microsoft Entra app registration.
     builder.Services.AddSingleton<ServiceClientCredentialsFactory>((e) =>
         new CertificateServiceClientCredentialsFactory("{your certificate}", "{your app (client) ID}"));
     ```

  3. Test your bot and confirm that it authenticates with the certificate (for example, that it can still reply in Teams) before you remove the secret.

## Delete bot secret

Ensure that your bot app uses the certificate for authentication before you delete the bot secret.

To delete the bot secret:

  1. Go to Azure portal.

  2. Select App registrations.

    :::image type="content" source="../assets/images/include-files/azure-app-registration.png" alt-text="Screenshot shows the Azure services to select App registrations.":::

  3. Select your registered app.

  4. In the left pane, under Manage, select Certificates & secrets.

  5. Under Client secrets, delete the secret that the bot used. Once it's gone, any copy of that secret that leaked earlier is no longer usable.

    :::image type="content" source="../assets/images/teams-toolkit-v2/delete-client-secret-value.png" alt-text="Screenshot shows the delete client secret value.":::

Your bot app now uses the certificate for authentication.

To update your bot app to use MSI-based authentication:

  1. Create an Azure Bot resource with the MSI type
  2. Update your bot app code for MSI
  3. Delete the previous bot details

> [!NOTE]
> The Azure Bot service ID and type can't be modified after creation.

## Create bot service with MSI type

Because the type of an existing Azure Bot can't be changed, you create a new Azure Bot resource with the MSI type. To create it, follow these steps:

  1. Go to Azure portal.

  2. Go to Home.

  3. Select + Create a resource.

  4. In the search box, enter Azure Bot.

  5. Press Enter.

  6. Select Azure Bot.

  7. Select Create.

    :::image type="content" source="../assets/images/include-files/azure-bot.png" alt-text="Screenshot shows the creation of Azure bot.":::

  8. Enter the bot name in Bot handle.

  9. Select your Subscription from the dropdown list.

  10. Select your Resource group from the dropdown list.

    :::image type="content" source="../assets/images/include-files/create-azure-bot.png" alt-text="Screenshot shows the option resource group and subscription in the Azure portal.":::

    If you don't have an existing resource group, you can create one. To create a new resource group, follow these steps:

    1. Select Create new.
    2. Enter the resource name and select OK.
    3. Select a location from New resource group location dropdown list.

    :::image type="content" source="../assets/images/include-files/new-resource-location.png" alt-text="Screenshot shows the new resource group option in Azure portal.":::

  11. Under Microsoft App ID, select Type of App as User-Assigned Managed Identity.

  12. In the Creation type, select Create new Microsoft App ID.

    :::image type="content" source="../assets/images/teams-toolkit-v2/microsoft-app-id.png" alt-text="Screenshot shows the microsoft app ID option.":::

    OR

    Alternatively, create a user-assigned managed identity first, then create the Azure Bot with Creation type set to Use existing app registration and select that identity.

  13. Update the new Azure Bot messaging endpoint and channels to match those of the old service.

  14. Go to your app's hosting resource, such as the App Service or Function app.

  15. Select Settings > Identity > User assigned.

  16. Add the managed identity that you've created.

## Update your bot app code for MSI

To update the bot app code for MSI, follow these steps:

  1. Open your bot app project in Visual Studio or Visual Studio Code.

  2. Update your code.

     JavaScript:

     ```javascript
     const {
       CloudAdapter,
       ConfigurationBotFrameworkAuthentication,
       ConfigurationServiceClientCredentialFactory,
     } = require('botbuilder');

     // User-assigned managed identity: no secret or private key is stored with
     // the bot. The hosting resource obtains tokens for the identity assigned to
     // it, so MicrosoftAppPassword isn't set at all.
     const credentialsFactory = new ConfigurationServiceClientCredentialFactory({
       MicrosoftAppType: 'UserAssignedMsi',
       MicrosoftAppId: '{your MSI’s client ID}',       // client ID of the managed identity
       MicrosoftAppTenantId: '{your MSI’s tenant ID}', // tenant that holds the identity
     });

     const botFrameworkAuthentication = new ConfigurationBotFrameworkAuthentication(
       {},
       credentialsFactory
     );

     const adapter = new CloudAdapter(botFrameworkAuthentication);
     ```

     C#:

     ```csharp
     // User-assigned managed identity: the tenant ID goes in MicrosoftAppTenantId,
     // and MicrosoftAppPassword is left unset.
     builder.Configuration["MicrosoftAppType"] = "UserAssignedMsi";
     builder.Configuration["MicrosoftAppId"] = "{your MSI’s client ID}";
     builder.Configuration["MicrosoftAppTenantId"] = "{your MSI’s tenant ID}";
     builder.Services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();
     ```

  3. Update BOT_ID in your .env file to the client ID of the managed identity, and remove any bot secret variable that's still defined there.

  4. Test your bot and confirm that it authenticates with the managed identity before you delete the old bot and app registration.
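Both code updates on this page (the certificate-based one and the MSI-based one) hand a plain options object to `ConfigurationServiceClientCredentialFactory`, and both migrations end with a step that removes the old secret. The following is an added example, not code from the original page or from the Bot Framework SDK: a loader that builds that options object from environment variables for either mode and fails at startup on the misconfigurations that typically survive a migration, such as a secret that's still set beside a certificate or managed identity, a passphrase-protected private key, or a managed identity configured without its tenant ID. The variable names `BOT_AUTH_MODE`, `BOT_ID`, `BOT_APP_TYPE`, `BOT_TENANT_ID`, `BOT_CERT_THUMBPRINT`, `BOT_CERT_PRIVATE_KEY` and `BOT_SECRET`, and the function names, are this example's own conventions; the option keys it emits are the ones the page's own snippets use.

```javascript
// Added example (not from the original page): build the options object that
// botbuilder's ConfigurationServiceClientCredentialFactory takes, from
// environment variables, and refuse to start on the misconfigurations that
// commonly survive a secret-to-certificate or secret-to-MSI migration. The
// environment variable names and function names are this example's own
// conventions, not part of the SDK.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const THUMBPRINT = /^[0-9A-F]{40}$/;
// Header of an unencrypted PEM private key; an ENCRYPTED PRIVATE KEY header
// doesn't match, so a passphrase-protected key is rejected up front.
const PEM_PRIVATE_KEY = /^-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/;

function buildCredentialOptions(env) {
  const mode = String(env.BOT_AUTH_MODE || '').toLowerCase();
  const appId = env.BOT_ID;
  if (!GUID.test(appId || '')) {
    throw new Error('BOT_ID must be the app (client) ID GUID of the registration or managed identity');
  }
  // A leftover secret beside a certificate or MSI is the state the
  // "Delete bot secret" step exists to prevent: fail rather than silently
  // keep two credentials alive.
  if (mode !== 'secret' && env.BOT_SECRET) {
    throw new Error(`BOT_SECRET is set while BOT_AUTH_MODE=${mode}; remove the secret`);
  }

  switch (mode) {
    case 'secret': // legacy mode, kept so the same loader works before migration
      if (!env.BOT_SECRET) throw new Error('BOT_SECRET is required for BOT_AUTH_MODE=secret');
      return {
        MicrosoftAppId: appId,
        MicrosoftAppPassword: env.BOT_SECRET,
        MicrosoftAppType: env.BOT_APP_TYPE || 'MultiTenant',
        ...(env.BOT_TENANT_ID ? { MicrosoftAppTenantId: env.BOT_TENANT_ID } : {}),
      };
    case 'certificate': {
      const thumbprint = String(env.BOT_CERT_THUMBPRINT || '').replace(/[:\s]/g, '').toUpperCase();
      if (!THUMBPRINT.test(thumbprint)) {
        throw new Error('BOT_CERT_THUMBPRINT must be the 40-hex-character thumbprint shown in the portal');
      }
      const privateKey = String(env.BOT_CERT_PRIVATE_KEY || '').trim();
      if (!PEM_PRIVATE_KEY.test(privateKey)) {
        throw new Error('BOT_CERT_PRIVATE_KEY must be an unencrypted PEM private key');
      }
      const appType = env.BOT_APP_TYPE || 'MultiTenant';
      if (appType === 'SingleTenant' && !GUID.test(env.BOT_TENANT_ID || '')) {
        throw new Error('BOT_TENANT_ID is required when BOT_APP_TYPE=SingleTenant');
      }
      return {
        MicrosoftAppId: appId,
        MicrosoftAppType: appType,
        ...(env.BOT_TENANT_ID ? { MicrosoftAppTenantId: env.BOT_TENANT_ID } : {}),
        CertificateThumbprint: thumbprint,
        CertificatePrivateKey: privateKey,
      };
    }
    case 'msi':
      // For a user-assigned managed identity the tenant ID is mandatory and
      // MicrosoftAppPassword must not be set at all.
      if (!GUID.test(env.BOT_TENANT_ID || '')) {
        throw new Error('BOT_TENANT_ID (the tenant of the managed identity) is required for UserAssignedMsi');
      }
      return {
        MicrosoftAppType: 'UserAssignedMsi',
        MicrosoftAppId: appId, // the managed identity's client ID
        MicrosoftAppTenantId: env.BOT_TENANT_ID,
      };
    default:
      throw new Error("BOT_AUTH_MODE must be 'secret', 'certificate' or 'msi'");
  }
}

// Copy of the options that is safe to log: the private key and any secret are
// replaced so they never end up in application logs.
function redactForLog(options) {
  const redacted = { ...options };
  for (const key of ['CertificatePrivateKey', 'MicrosoftAppPassword']) {
    if (key in redacted) redacted[key] = '[redacted]';
  }
  return redacted;
}

// Wiring into the adapter (needs the botbuilder package at runtime):
//   const { ConfigurationServiceClientCredentialFactory } = require('botbuilder');
//   const credentialsFactory = new ConfigurationServiceClientCredentialFactory(
//     buildCredentialOptions(process.env));
```

The loader deliberately throws instead of falling back: a bot that silently keeps using a leftover `MicrosoftAppPassword` would pass functional testing and defeat the point of the migration, whereas a startup failure is noticed immediately.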

## Delete the previous bot details

  1. Go to Azure portal.
  2. Delete the old Azure Bot resource and the old Microsoft Entra app registration, including its client secret.

Your bot app now uses MSI for authentication.


## See also