In the previous post Azure AD & Microsoft Graph permission scopes, with Azure CLI, we registered an Azure AD Application using specific scopes to the service principal Microsoft Graph
. We also prepared it with a reply-URL that works for Bot Framework auth.
In this post, we will create an OAuth connection
from the Bot Channels Registration to the Azure AD Registration, giving the Bot the possibility to get a token to call Microsoft Graph.
When we use the command az bot authsetting create there are some common things we need to enter such as:
--resource-group
--name
--setting-name
--provider-scope-string
--client-id
--client-secret
. Depending on which --service
(service provider) you decide to use there are a few service-specific things we need to add in --parameters
.
As you can see in the picture with Azure Active Directory V2 we need to add a Tenant ID
.
At first, I tried to create the OAuth connection with the common properties and only tenantId=<tenantId>
in the property string.
The connection seemed to work just fine, although, from the UI in the portal, the Client id, and Client secret were blank.
This made no sense since I had provided the --client-id
and --client-secret
in the creation.
Turns out the Azure Active Directory V2 service takes more --parameters
key-value pairs:
clientId
clientSecret
tenantId
If you provide all of them everything will be fine!
We use the command az bot authsetting list-providers
to get all service providers.
We also add a query --query "value[].[properties.displayName, properties.serviceProviderNamme]"
to get the display name and the service provider name, and output it as a table.
az bot authsetting list-providers --query "value[].[properties.displayName, properties.serviceProviderName]" -o table
You could of course just copy the service provider name from the table we printed.
If you are running Azure CLI from PowerShell, like I am, this is an example to grab the Azure Active Directory service provider name to a variable.
$providerName = az bot authsetting list-providers --query "value[?properties.displayName=='Azure Active Directory v2'].properties.serviceProviderName | [0]"
In this example, we create a connection setting to an Azure AD V2 application. The registered Azure Active Directory Application has permissions to the Microsoft Graph.
Create variables
$clientId = "<IdFromAADapp>"$clientSecret = "<secretFromAADapp>"$tenantId = "<tenantId>"$rGroup = "RGSimonBot"$botName = "BotSimonBot"$connName = "GraphConnection"$scopeString = "openid profile User.Read Group.Read.All"
Get Azure Active Directory V2 service provider name
$providerName = az bot authsetting list-providers --query "value[?properties.displayName=='Azure Active Directory v2'].properties.serviceProviderName | [0]"
Create Connection
az bot authsetting create -g $rGroup -n $botName -c $connName --client-id $clientId --client-secret $clientSecret --provider-scope-string $scopeString --service $providerName --parameters "clientId=$clientId" "clientSecret=$clientSecret" "tenantId=$tenantId"
Great! Now you have created the connection, and we could find it from the settings of the Bot Channels registration.