M365 Agents SDK SSO broken - how to fix it?
There are a lot of ways SSO can break for your bot or agent on Teams/M365 Copilot/any other M365 app. I don't even know how to explain the extensibility in M365 now, so this word salad is what you get.
Anyway in this article, I'll explain how to fix one of the possible ways your setup might be broken.
Background
I've been working on and off with M365 Agents SDK (and Teams Toolkit before) for a while now, and have some strong opinions about it. Maybe some of the strongest opinions are about SSO configuration.
You'd expect things like calling the Graph API with delegated permissions to "just work" (because in a Blazor tab it basically does). Unfortunately, that's not always the case with M365 Agents SDK.
Plenty of reasons why that is, I'm sure. But that doesn't really help when you're stuck trying to figure out why your SSO flow is broken. In the next section, I'll walk you through a specific issue I encountered and how I fixed it.
Problem
I was setting up another POC, and just wanted something quick to start with - namely, a Teams extension (bot, agent, message extension - anything that calls the Graph API with delegated permissions straight out of the box).
I haven't had great experiences using the wizard in the M365 Agents SDK agent for GitHub Copilot Coding Agent to provision an agent for me with the M365 Agents SDK, so I decided to start with a sample instead - those are surefire ways to get started with a working foundation.
After a little bit of deliberation, I ended up using the bot-sso sample from:
Bot-SSO sample on M365 Agents SDK GitHub repo
As shown in the readme, it's a simple bot (without an LLM behind it, mind you) that should be available for personal chats on Teams, and should call the Graph API with delegated permissions to read the current user's name, job title and profile picture.
And I took the shortcut to awesome by essentially just hitting F5, and lo and behold, after provisioning for about 10 seconds, building for another 5 seconds, and then waiting for Teams to start in Chrome for about 10 minutes, I had a bot.
A bot that wouldn't work. The one thing it is supposed to do - bring up a card with an OAuth dialog pop-up - just didn't happen.
("show" command is supposed to show the user's profile information - this is not an LLM, remember :D)
But instead, I had some nice errors in the output:
The backend is clearly running and the provisioning was 100% successful without so much as a warning, but the bot fumbles on
What gives?
Reason
I've got my friend and fellow Microsoft MVP Michaël Maillot to thank for this one. He's got plenty more miles on the SDK than I do, and has shared some of his findings on his blog - see one great resource right here:
And his affinity for writing long-form content makes me almost blush with my 5-minute musings - but I digress.
He pointed out something I of course knew, but failed to act on: the long history of the SDK at wrapping a bunch of different technologies together.
And while Microsoft has traditionally put a lot of effort into all kinds of backwards compatibility scenarios and support, they occasionally still drop the ball. And the M365 Agents SDK seems to be one example of that.
In this particular case, bringing together a swath of pre-existing frameworks and services like Teams Toolkit, Entra ID, Bot Framework (which itself is a hodgepodge of existing technologies), Azure AI Foundry, and others is no small feat. And some of the samples were built to be stable on Teams Toolkit, but apparently aren't that stable when upgraded to M365 Agents SDK.
Solution
For background - we already know, of course, that in order to set up a bot with SSO, you'll need to do something in at least all of the following portals and admin views:
- entra.microsoft.com (for SSO - in a perfect world, should be automatic)
- dev.teams.microsoft.com (for bot registration and configuration)
- teams.admin.microsoft.com (for setting app policies)
- admin.microsoft.com (if you're distributing an Agent)
- dev.botframework.com (realistically, to confirm dev tunnel and bot/app id configuration because you don't trust the tooling when it has failed you before)
But none of that actually helped me here - everything seemed ok to me.
Until Michaël pointed out that the out-of-the-box sample manifest from Microsoft was missing something from the validDomains configuration:
Can you spot it?
This is the missing entry:
*.botframework.com
Yep. Without that the bot won't be able to authenticate users via SSO.
Add that to the validDomains array in the manifest.json file, then re-provision (F5): the manifest gets updated (check your local manifest.local.json file to confirm) and published to the Teams Developer Portal too.
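Since the fix is a one-line manifest change that is easy to forget, here is a small pre-flight check you can run before hitting F5. This is an added example, not code from the bot-sso sample or the M365 Agents SDK: it parses a manifest.json, reports whether validDomains covers `*.botframework.com`, and returns a patched copy with the entry added. The manifest embedded in it is a constructed stand-in for the sample's manifest (placeholder app id, Teams Toolkit-style `${{BOT_DOMAIN}}` placeholder), and the wildcard-matching rule is a simplification I'm assuming for the check, not the platform's exact matcher.

```python
"""Pre-flight check: does a Teams app manifest's validDomains cover the
domain the bot needs for SSO? Added example, not from the sample or the SDK."""
import copy
import json

# The entry the article identifies as missing from the sample's manifest.
REQUIRED_SSO_DOMAINS = ["*.botframework.com"]

# Constructed manifest fragment shaped like the sample's manifest.json.
# The id and the ${{BOT_DOMAIN}} token are placeholders, not real values.
SAMPLE_MANIFEST = """{
  "id": "00000000-0000-0000-0000-000000000000",
  "name": { "short": "bot-sso-placeholder" },
  "validDomains": [
    "${{BOT_DOMAIN}}"
  ]
}"""


def domain_covered(domain: str, valid_domains) -> bool:
    """True if `domain` is covered by some entry in validDomains.

    Assumed rule (a simplification): a leading wildcard entry "*.example.com"
    covers any host with at least one label in front of ".example.com";
    any other entry must match exactly. A required wildcard such as
    "*.botframework.com" is therefore only covered by an equal or broader
    wildcard, never by a single host like "token.botframework.com".
    """
    domain = domain.lower().rstrip(".")
    for entry in valid_domains:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            suffix = entry[1:]  # ".example.com"
            if domain.endswith(suffix) and len(domain) > len(suffix):
                return True
        elif entry == domain:
            return True
    return False


def missing_sso_domains(manifest: dict) -> list:
    """Return the required SSO domains that validDomains does not cover."""
    valid = manifest.get("validDomains", [])
    return [d for d in REQUIRED_SSO_DOMAINS if not domain_covered(d, valid)]


def patch_manifest(manifest: dict) -> dict:
    """Return a deep copy of the manifest with the missing entries appended.

    The original dict is left untouched so you can diff the two."""
    fixed = copy.deepcopy(manifest)
    fixed.setdefault("validDomains", [])
    for d in missing_sso_domains(fixed):
        fixed["validDomains"].append(d)
    return fixed


def check_manifest_text(text: str):
    """Parse manifest JSON; return (missing domains, patched manifest)."""
    manifest = json.loads(text)
    return missing_sso_domains(manifest), patch_manifest(manifest)


def check_manifest_file(path: str):
    """Same check against a manifest.json on disk."""
    with open(path, encoding="utf-8") as f:
        return check_manifest_text(f.read())


if __name__ == "__main__":
    missing, fixed = check_manifest_text(SAMPLE_MANIFEST)
    print("missing from validDomains:", missing)
    print(json.dumps(fixed, indent=2))
```

Point `check_manifest_file` at your project's manifest.json (or at manifest.local.json after provisioning) and it tells you whether the entry is there; the patched copy is what you would paste back into validDomains.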
And with that, you should have a well-functioning little bot:
Afterword
Is it surprising that setting up something as fundamental and theoretically as simple as SSO for a bot, without multitenancy, without any sort of external user scenarios, without even extending it to M365 Copilot, would be so complicated?
Maybe it isn't. There's a lot of moving parts.
But it IS disappointing that Microsoft's supposedly recent and supported samples wouldn't work out of the box!
And I am not very impressed by the M365 Agents GitHub Copilot agent's (what a mouthful that is!) capability to help - when I've asked it to add SSO to an existing bot or agent, or fix the SSO configuration for this sample, it has a tendency to answer "RTFM, mate" (without providing said manual) and not make any changes to the code. Or it'll just propose that I update my Teams extension manifest to version 1.12 (I was using 1.8; 1.9 is the latest unstable prerelease version available).
Anyway.
M365 Agents SDK - whether you're using it for agents or just to create a simple bot, tab or message extension - unlocks some quick wins and nice productivity gains, but you can definitely see some of it is built on pretty shoddy foundations.
By the way... I'll be talking about the topic - quick wins and shoddy foundations of M365 Agents SDK and Copilot extensibility in general - at these upcoming events in September:
- I was somehow able to convince the all-around M365 wizard Gautam Sheth to join me on stage for this one!
- We'll talk about how to take stable baby steps (despite the shoddiness of the foundations) to get maximum value out of M365 Copilot extensibility
- 17.9.2025 TeamsDagen 2025 in Stockholm - Supercharge Your Teams Collaboration with Microsoft 365 Agents SDK
- A session with the one and only Michaël Maillot
- Learn about the latest advancements in the M365 Agents SDK and how to leverage them for your Teams applications.