You can use certificate- or MSI-based authentication to validate your bot app instead of a bot ID and client secret. Both options remove the long-lived client secret from your bot app, which resolves the compliance concerns related to storing and rotating a Microsoft Entra ID bot secret.
Prerequisites
Ensure that you have a Teams bot app deployed to Azure with the following resources:
- An Azure bot.
- A Microsoft Entra app registration with a client secret used for bot authentication.
- A resource that hosts your bot app, such as Azure App Service, Azure Functions.
To update your bot app to use certificate-based authentication:
- Create and upload certificate in Azure AD
- Update the bot app code
- Delete bot secret
Create and upload certificate in Azure AD
To use a certificate for bot authentication:
Prepare a certificate and private key. The private key stays with the bot app (or in a secrets store such as Azure Key Vault); only the public certificate is uploaded to Entra.
Go to Azure portal.
Select App registrations.
Select your registered app.
In the left pane, under Manage, select Certificates & secrets.
Under Certificates, select Upload certificate.
The Upload a certificate window appears.
Note
Upload a certificate (public key) with one of the following file types: .cer, .pem, .crt.
Upload the certificate you prepared.
Enter Description.
Select Add.
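The following script is an added example, not part of the original page, showing the certificate preparation step end to end: it creates a self-signed certificate and private key with OpenSSL, prints the SHA-1 thumbprint in the format the Azure portal displays (uppercase hex, no colons, which is also the value the SDK's CertificateThumbprint setting expects), and checks that the private key kept on the bot host actually matches the certificate that was uploaded. It assumes openssl is installed; the output directory, file names and subject are illustrative.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): prepare a certificate and private key
# for Teams bot authentication. Assumes openssl is on PATH. Paths and the subject
# name are illustrative.

# Create a 2048-bit RSA key and a self-signed certificate valid for one year.
# bot.key stays with the bot host or a secrets store; bot.pem (public part) is
# what you upload under Certificates & secrets in the app registration.
make_bot_cert() {
  outdir="$1"
  subject="$2"   # e.g. "/CN=my-teams-bot"
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$outdir/bot.key" -out "$outdir/bot.pem" -subj "$subject" >/dev/null 2>&1
  chmod 600 "$outdir/bot.key"
}

# Entra shows the SHA-1 thumbprint as 40 uppercase hex characters without colons.
# Strip the "Fingerprint=" label and the colon separators from the openssl output.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Verify that the private key ($2) belongs to the certificate ($1) by comparing
# digests of the DER-encoded public keys derived from each. A mismatch here is
# the usual cause of token requests failing after the secret has been deleted.
key_matches_cert() {
  k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make-bot-cert.sh run
if [ "${1:-}" = "run" ]; then
  make_bot_cert ./bot-cert "/CN=my-teams-bot"
  cert_thumbprint ./bot-cert/bot.pem
  key_matches_cert ./bot-cert/bot.pem ./bot-cert/bot.key && echo "key matches certificate"
fi
```

The thumbprint printed by cert_thumbprint is the value to put in CertificateThumbprint when you update the bot app code; compare it with the thumbprint the portal shows after the upload before you delete the secret.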
Update the bot app code
Follow the steps to update the bot app code:
Open your bot app project in Visual Studio or Visual Studio Code.
Update your code.
JavaScript (botbuilder):
const { CloudAdapter, ConfigurationBotFrameworkAuthentication, ConfigurationServiceClientCredentialFactory } = require('botbuilder');

// Load the private key from a secure ___location (environment variable or Key Vault) at
// startup rather than committing it with the code. The thumbprint must match the
// certificate uploaded to the app registration; the secret setting is no longer used.
const credentialsFactory = new ConfigurationServiceClientCredentialFactory({
    MicrosoftAppId: config.botId,
    CertificatePrivateKey: '{your private key}',
    CertificateThumbprint: '{your cert thumbprint}',
    MicrosoftAppType: "MultiTenant",
});
const botFrameworkAuthentication = new ConfigurationBotFrameworkAuthentication(
    {},
    credentialsFactory
);
const adapter = new CloudAdapter(botFrameworkAuthentication);

C# (Microsoft.Bot.Builder):
using System.Security.Cryptography.X509Certificates;
using Microsoft.Bot.Connector.Authentication;

// CertificateServiceClientCredentialsFactory takes the X509Certificate2 that holds
// the private key (for example a PFX, or a certificate loaded from a store or Key Vault)
// and the app (client) ID of the registration the certificate was uploaded to.
var certificate = new X509Certificate2("{your certificate}");
builder.Services.AddSingleton<ServiceClientCredentialsFactory>(
    (e) => new CertificateServiceClientCredentialsFactory(certificate, "{your app (client) ID}"));
Test your bot before continuing to confirm that it authenticates with the certificate; the next step removes the secret, after which a misconfigured certificate would leave the bot unable to obtain tokens.
Delete bot secret
Ensure that your bot app uses the certificate for authentication before you delete the bot secret.
To delete the bot secret:
Go to Azure portal.
Select App registrations.
Select your registered app.
In the left pane, under Manage, select Certificates & secrets.
Under Client secrets, delete the secret that the bot used.
Your bot app now uses the certificate for authentication.
To update your bot app to use MSI-based authentication:
- Create bot service with MSI type in Azure AD
- Update your bot app code for MSI
- Delete bot secret
Note
The Azure Bot service ID and type can't be modified after creation.
Create bot service with MSI type in Azure AD
To create a new Azure Bot service with MSI type, follow these steps:
Go to Azure portal.
Go to Home.
Select + Create a resource.
In the search box, enter Azure Bot.
Select the Enter key.
Select Azure Bot.
Select Create.
Enter the bot name in Bot handle.
Select your Subscription from the dropdown list.
Select your Resource group from the dropdown list.
If you don't have an existing resource group, create one:
- Select Create new.
- Enter the resource name and select OK.
- Select a ___location from New resource group ___location dropdown list.
Under Microsoft App ID, select Type of App as User-Assigned Managed Identity.
From the Creation type, select Create new Microsoft App ID.
OR
You can manually create a managed identity first, then create the Azure Bot using the Use existing app registration.
Update the new Azure Bot messaging endpoint and channels to match those of the old service.
Go to your app's hosting resource (for example, the App Service or Functions app).
Select Settings > Identity > User assigned.
Add the managed identity that you've created. Without this assignment the bot host can't request tokens as the identity, and the code change in the next step fails at startup.
Update your bot app code for MSI
To update the bot app code for MSI, follow these steps:
Open your bot app project in Visual Studio or Visual Studio Code.
Update your code.
JavaScript (botbuilder):
const { CloudAdapter, ConfigurationBotFrameworkAuthentication, ConfigurationServiceClientCredentialFactory } = require('botbuilder');

// No secret or private key is configured: the bot host obtains tokens through the
// user-assigned managed identity assigned to it in the previous step.
const credentialsFactory = new ConfigurationServiceClientCredentialFactory({
    MicrosoftAppType: 'UserAssignedMsi',
    MicrosoftAppId: '{your MSI\'s client ID}',
    MicrosoftAppTenantId: '{your MSI\'s tenant ID}',
});
const botFrameworkAuthentication = new ConfigurationBotFrameworkAuthentication(
    {},
    credentialsFactory
);
const adapter = new CloudAdapter(botFrameworkAuthentication);

C# (Microsoft.Bot.Builder):
using Microsoft.Bot.Builder;
using Microsoft.Bot.Connector.Authentication;

// These settings can also live in appsettings.json; they're set here to show the
// three values that replace MicrosoftAppPassword. Remove MicrosoftAppPassword from
// configuration so no secret remains in the deployment.
builder.Configuration["MicrosoftAppType"] = "UserAssignedMsi";
builder.Configuration["MicrosoftAppId"] = "{your MSI's client ID}";
builder.Configuration["MicrosoftAppTenantId"] = "{your MSI's tenant ID}";
builder.Services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();
Update the BOT_ID in your .env file to the managed identity's client ID.
Test your bot before continuing to confirm that it authenticates with the managed identity; the next step removes the secret.
Delete bot secret
Ensure that your bot app uses the managed identity for authentication before you delete the bot secret.
To delete the bot secret:
Go to Azure portal.
Select App registrations.
Select your registered app.
In the left pane, under Manage, select Certificates & secrets.
Under Client secrets, delete the secret that the bot used.
Your bot app now uses MSI for authentication.