App Authentication

Your application needs to authenticate to send messages to Teams as your bot. Authentication lets your app service prove that it is allowed to send messages as your Azure Bot.

Azure Setup Required

Before configuring your application, you must first set up authentication in Azure. See the App Authentication Setup guide for instructions on creating the necessary Azure resources.

Authentication Methods

There are 3 main ways of authenticating:

  1. Client Secret - Simple password-based authentication using a client secret
  2. User Managed Identity - Passwordless authentication using Azure managed identities
  3. Federated Identity Credentials - Advanced identity federation using managed identities

Configuration Reference

The Teams SDK automatically detects which authentication method to use based on the environment variables you set:

| CLIENT_ID | CLIENT_SECRET | MANAGED_IDENTITY_CLIENT_ID | Authentication Method |
|-----------|---------------|----------------------------|-----------------------|
| not_set | | | No-Auth (local development only) |
| set | set | | Client Secret |
| set | not_set | | User Managed Identity |
| set | not_set | set (same as CLIENT_ID) | User Managed Identity |
| set | not_set | set (different from CLIENT_ID) | Federated Identity Credentials (UMI) |
| set | not_set | "system" | Federated Identity Credentials (System Identity) |
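
The detection rules in the table above, written out as a startup preflight check. This is an added example, not the Teams SDK's own code: `detect_auth_method` and `preflight` are hypothetical names, and it assumes that an empty value counts as not_set and that "system" is matched exactly.

```python
import os

def _get(env, name):
    # Assumption: an empty or whitespace-only value counts as "not_set".
    value = (env.get(name) or "").strip()
    return value or None

def detect_auth_method(env):
    """Return the method the table assigns to this set of variables."""
    client_id = _get(env, "CLIENT_ID")
    secret = _get(env, "CLIENT_SECRET")
    mi_id = _get(env, "MANAGED_IDENTITY_CLIENT_ID")
    if client_id is None:
        return "No-Auth"
    if secret is not None:
        # Per the page: Client Secret is used when both CLIENT_ID and
        # CLIENT_SECRET are provided.
        return "Client Secret"
    if mi_id is None or mi_id == client_id:
        return "User Managed Identity"
    if mi_id == "system":
        return "Federated Identity Credentials (System Identity)"
    return "Federated Identity Credentials (UMI)"

def preflight(env, expected, local_dev=False):
    """Return findings; an empty list means the config matches the intent."""
    findings = []
    method = detect_auth_method(env)
    if method != expected:
        findings.append(f"expected {expected!r} but variables select {method!r}")
    if method == "No-Auth" and not local_dev:
        findings.append("CLIENT_ID not set: No-Auth is for local development only")
    if method == "Client Secret" and _get(env, "MANAGED_IDENTITY_CLIENT_ID"):
        findings.append("CLIENT_SECRET set together with MANAGED_IDENTITY_CLIENT_ID")
    if method != "No-Auth" and _get(env, "TENANT_ID") is None:
        findings.append("TENANT_ID not set")
    return findings  # variable names only; never include the secret's value

if __name__ == "__main__":
    # Constructed sample: a leftover secret selects Client Secret auth
    # even though a managed identity was intended.
    sample = {"CLIENT_ID": "app-id", "CLIENT_SECRET": "leftover",
              "MANAGED_IDENTITY_CLIENT_ID": "system", "TENANT_ID": "tenant-id"}
    for finding in preflight(sample, "Federated Identity Credentials (System Identity)"):
        print("FINDING:", finding)
    # Classify the real process environment the same way before starting the bot.
    print(detect_auth_method(os.environ))
```

Running the check in the deployment pipeline catches a deployment that has fallen back to No-Auth, or one where a stale CLIENT_SECRET keeps password-based authentication active after a move to managed identity.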

Client Secret

The simplest authentication method using a password-like secret.

Setup

First, complete the Client Secret Setup in Azure Portal or Azure CLI.

Configuration

Set the following environment variables in your application:

  • CLIENT_ID: Your Application (client) ID
  • CLIENT_SECRET: The client secret value you created
  • TENANT_ID: The tenant ID where your bot is registered

    CLIENT_ID=your-client-id-here
    CLIENT_SECRET=your-client-secret-here
    TENANT_ID=your-tenant-id

The SDK will automatically use Client Secret authentication when both CLIENT_ID and CLIENT_SECRET are provided.

User Managed Identity

Passwordless authentication using Azure managed identities - no secrets to rotate or manage.

Setup

First, complete the User Managed Identity Setup in Azure Portal or Azure CLI.

Configuration

Your application should automatically use User Managed Identity authentication when you provide the CLIENT_ID environment variable without a CLIENT_SECRET.

Set the following environment variables in your application:

  • CLIENT_ID: Your Application (client) ID
  • Do not set CLIENT_SECRET
  • TENANT_ID: The tenant ID where your bot is registered

    CLIENT_ID=your-client-id-here
    # Do not set CLIENT_SECRET
    TENANT_ID=your-tenant-id

Federated Identity Credentials

Advanced identity federation allowing you to assign managed identities directly to your App Registration.

Setup

First, complete the Federated Identity Credentials Setup in Azure Portal or Azure CLI.

Configuration

Depending on the type of managed identity you select, set the environment variables accordingly.

For User Managed Identity:

Set the following environment variables:

  • CLIENT_ID: Your Application (client) ID
  • MANAGED_IDENTITY_CLIENT_ID: The Client ID for the User Managed Identity resource
  • Do not set CLIENT_SECRET
  • TENANT_ID: The tenant ID where your bot is registered

    CLIENT_ID=your-app-client-id-here
    MANAGED_IDENTITY_CLIENT_ID=your-managed-identity-client-id-here
    # Do not set CLIENT_SECRET
    TENANT_ID=your-tenant-id

For System Assigned Identity:

Set the following environment variables:

  • CLIENT_ID: Your Application (client) ID
  • MANAGED_IDENTITY_CLIENT_ID: system
  • Do not set CLIENT_SECRET
  • TENANT_ID: The tenant ID where your bot is registered

    CLIENT_ID=your-app-client-id-here
    MANAGED_IDENTITY_CLIENT_ID=system
    # Do not set CLIENT_SECRET
    TENANT_ID=your-tenant-id

Troubleshooting

If you encounter authentication errors, see the Authentication Troubleshooting guide for common issues and solutions.