Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Microsoft 365 Community / Microsoft Teams App Camp / 18 Nov 2021
Microsoft 365 Community / Microsoft Teams App Camp / 18 Nov 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Single sign-on (SSO) in Microsoft Teams tabs with Azure Active Directory

Description

#Microsoft365 #MicrosoftTeams #SSO

In this Microsoft 365 Code | Decode video, Bob German and Rabia Williams demystify SSO or Single Sign On in a Microsoft Teams tab app.

Check out this video in blog form here: https://devblogs.microsoft.com/microsoft365dev/lets-decode-single-sign-on-sso-in-microsoft-teams-tabs/

🤔 Why do you need SSO?
Applications that are interconnected yet independent often require users to login separately to access and use them. This hampers with the overall usability and satisfaction of users while using these applications. We can fix this by enabling SSO in Teams which will allow the teams tab application to use services connected to Azure AD, with security and compliance without the need to sign in again and again. No pop up, no prompts.

🤔 What is SSO for any application?
Single sign-on allow users to log in once with their credentials and access services without having to re-enter them over and over.

🤔What is Teams SSO?
Teams SSO is when users can sign in to Microsoft Teams using their credentials and use a custom applications in Teams, that may be using a service connected to Azure AD without having to re-enter credentials in any devices and are signed in automatically.

🤔How can you enable SSO in Teams Tab application?
There are three steps to do to enable SSO in your Teams tab application.
1. Azure AD App registration: https://docs.microsoft.com/en-gb/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso?WT.mc_id=m365-43962-cxa#develop-an-sso-microsoft-teams-tab
2. Manifest updates: https://docs.microsoft.com/en-gb/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso?WT.mc_id=m365-43962-cxa#2-update-your-teams-application-manifest
3. Access token exchange code using On-Behalf-Of flow: https://docs.microsoft.com/en-gb/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow?WT.mc_id=m365-43962-cxa

💻 The base code sample used is here: https://github.com/OfficeDev/TeamsAuth

Microsoft 365 code | decode is a series that focuses on breaking down topics for developers. Subscribe to the Microsoft 365 Developer channel on YouTube for more videos like this: https://www.youtube.com/Microsoft365Developer?sub_confirmation=1

🔗 LINKS 🔗
⭐️ Teams Tab SSO documentation https://aka.ms/teams-tab-sso
⭐️ Securely connect to Microsoft Graph from Teams tabs using SSO
⭐️ Sample code used in the video
⭐️ MS Graph Get user https://aka.ms/graph-me
⭐️ On-Behalf-Of Flow https://aka.ms/obo-flow
⭐️ Teams’ manifest schema https://aka.ms/teams-manifest-schema
⭐️ Join the M365 developer program https://aka.ms/m365cd-join-pgm

0:00 Why do you need SSO?
3:16 What is SSO?
5:19 SSO in Teams tab
7:31 What you’ll need to Enable SSO in you Teams tab
8:17 App registration in Azure Active Directory
12:44 Manifest file changes for SSO
13:51 Sample demo
17:15 Token claim
21:42 Demo in Postman
25:01 Prompt for consent in Team tab SSO
33:05 Wrap up

A

Hey robby, I'm wondering if you could help me out with something there's this problem that I keep seeing in in different teams apps, particularly in tabs. Do you mind taking a look.

B

Yeah, of course, let's do it.

A

Yeah, so this this seems to come up a lot that uh people will have an app, and you know you have to log into the app to get some data. So this is just a really simple one. Yes,.

C

There's.

A

A pop-up- this is a really simple one that just shows some email using the microsoft graph. So I know I know everybody out. There probably already knows that you have to log in.

C

From your.

A

App and not just from teams to get to call the graph here's the problem right if I go, if I leave here and go away and then I come back, um I have to log in again every time.

A

Oh, it's kind of annoying and I have to click this button.

B

Okay,.

A

And I kind of get that you know it's gonna pop up, so I need to click the button to do a pop-up because browser rules and all- but it's just so obnoxious right like every time, I'm doing something, I'm kind of having.

B

To come,.

A

Back and log in again.

B

So and it's not like you're gonna stay in that forever. Of course you gotta do um other stuff in teams or you gotta go to another website, so it keeps on popping up, although I noticed that you're not actually putting your user id and password in, but still that pop-up is super annoying.

A

Right yeah it I had to put it in the first time, and it even asked me for consent.

B

Right consent.

A

To the permission, the first time and.

B

Now it's.

A

Remembering like the login prompt is, is remembering that I'm logged in and it's remembering that I've.

B

Consented.

A

But right.

B

Still.

A

See the darn pop-up this pop-up is so annoying.

B

That is, and that's probably why we're here, we're gonna, discuss something called sso for teens and that's what we're going to decode today.

A

Welcome everybody to another episode of microsoft, 365 code decode, this single sign-on thing seems to have a lot of different meanings to different people. I mean. Sometimes it just means that I log in always with the same username password, and I did.

C

That.

A

Sometimes.

C

It means.

A

I can log in with this without having to re-enter my username and password technically. The app I just showed did that too, but it's still annoying. I think what I want is a level of single sign-on, that's completely transparent. In fact, I think you used a term silent authentication.

B

So, how can we how.

A

Can we make that happen inside of teams.

B

Yeah, it's a good point, because uh yeah you're really confused most of the time on what single sign-on means to you and what we're going to decode here today is the single sign-on for teamstab, but before we jump into that, I think we need to have a generic idea of what's what single sign-on is.

B

So, let's go to this um small diagram that can show you what.

A

Sign-On.

B

Is all right so what basically happens here is bob logged in or whoever logged in and asked the application uh whether they could use the application using these credentials and the application? What it does is it's tied to an identity provider where the application will go ahead and ask the identity provider whether to let him or her in right.

A

And the.

B

Identity provider, what it does first is check whether this application is registered with them and then check the credentials, and once it's all done, then it says: okay, log him or log her in and that's how the user will be logging into the application. That's done so your credentials sent everything is done all good now, another application, so the the user is again trying to log into this application where this application is also registered with the same identity provider.

B

In this case, the application again goes and checks with the identity provider and identity provider again asks. Who are you like application? Who are you you know and then sees that it is registered, and it also sees that? Oh okay, so this person has logged in before we did some trick way. We remember this person logged in and it says that okay, let her in and that application without prompting for credentials would log that person in. So this is generally what it means to have a single sign-on in your application.

A

Right and just to clarify right, the first one, the purple one appropriately is teams yeah.

C

Right.

A

And then the red one is my app. Is that right, correct.

B

That's right.

A

Because they're different apps, I mean the user, thinks it's just one thing probably, but.

B

Exactly.

A

But for us geeks here in the room, we all know that it that my app is not from microsoft. It's from me and it's not teams it's something else, so it doesn't. If, even if the user has logged into teams, they haven't necessarily logged into my app.

B

Yep now we're gonna discuss what sso is for teams tabs great.

A

So.

B

We have a teams, application, client code and there is a teams, application server side code, so client code would basically get a token from the teams sdk, and that token is now given to the server side code and the server side code. What it does is it goes ahead and asks the identity provider to get an access token, with the permissions that this app needs to show the data from a service. In our case, let's say, the service provider is microsoft.

B

Graph, in that case, the identity provider does all the checking whether the registration is done same thing that we discussed earlier. It would check well the identity of the person and the permissions and the scopes that this person needs or this application needs, and it will give the access token back to the server side code.

B

Now this is called the token exchange, and once this token is exchanged, this access token can be used to get the data from the service provider again, in our case microsoft, graph to get the data back and this data is now sent back to the teams. App client.

A

Got it so? Basically, the idea is that I'm I'm getting a token from the teams sdk and it's sort.

C

Of.

A

A generic token like I can't use it to call the um the graph, but then I need to implement a server side of my app to do that. To do the.

C

Proper got it: okay, yeah.

A

Yeah so that looks that sounds really useful. How does that um do you have like an example of that you can show me.

B

Absolutely so uh we have a very basic sample that will show you this token exchange and bob. Let's also show the tokens that we discussed the token that we uh get from teams which you said you know have very, very uh basic information of the user, and then we also would show um the access token how we get this exchange, etc. So, let's go to the demo now.

B

So what you'll need to do to enable sso in your teams? Tab is basically three things, so um we you have the azure 80 app registration. Remember how we discussed about the application talks to the idp, which is the azure id and checks. You know where they're registered and stuff like that. So that's where this comes in so azure id app registration, which I will walk you through, um and then there is the manifest updates based on whatever we registered.

B

We need to make sure that the teams tab, which teams application, which is a package that has manifest and two icons, so this manifest file needs to have some sort of an information that points to whatever registration. We did um also the access token exchange, which we will be showing you a detailed demo. So this is the app registration that I already done. um I created the application with the name um I went after I've created the name. What I did was.

B

I chose the multi-tenant support type, so maybe I'll just show you quickly on how I did that and then we'll come to the application. So in azure act you go to the portal.azure.com, which is your azure portal, go to azure active directory and you go to app registration and you click on new app registration.

B

And you go ahead and fill in the information here, so you have got the name, you choose multi-tenant and then you go ahead and register and that's what I've done in the first step.

A

So.

B

Once that is registered, um let me just go ahead and search for my app here.

B

Okay, so this is the app that I already registered to save time. I went straight ahead into expose and api part and I added a scope which then gave me the application id uri, which basically is api, slash um the app id first. What I did extra was I added the sub domain, wherever my app, my tab is hosted.

B

So this is what this is, how I created this application id uri and then once that was created, I added the scope, which basically is um like a form that opens up, and I call my scope name remember how, um in when you open up the token you can actually see the scope name. So this is the scope name that we give okay.

A

And.

B

Then we choose who can consent, which basically is admins and users, um and then you basically give a display name and description. Make.

A

Sure it's enabled so this is the scope that teams uses when it gives you that first token,.

B

Yes exactly, but you still have to do a few more things. You need to um authorize your team's mobile application and uh what was this one again. I forgot.

A

The one is the desktop app and the other one is the yeah.

B

The mobile ones, yes, so exactly so, you need to make sure that these client applications are able to use it, because once you set the sso um in your application and you've logged in using your desktop, then you should not have that window where you put credential in for your mobile. So that's what we're trying to do here um once the this part is over.

B

You go ahead and add the permissions you need and bob I think, you're going to go into detail about the permissions and the scopes, because we are currently going to do a simpler version just to show the token exchange we're going to pre-consent these scopes right.

A

You can see it says granted uh in the.

C

Status.

A

Field and that's because you must have clicked that check, grant admin. I.

C

Didn't button.

A

Up at the top of the.

B

Idea in the middle.

A

Of the screen there that green check box.

B

Yeah um and I've added a bunch of scopes. uh User.Read was already there by default, they're all delegated permission uh for the user um and they're all graph. um So that's what we're seeing here, which is our service provider so I'll go to once. The permission part is done I'll, go to overview because we need to copy a bunch of things. We need the client id and the secret client id basically is the application um id here. So you can copy that and um what your certificate? uh Sorry, your secret, is.

B

You need to come to certificates in secret and set your secret, and one thing I would say is um once you have the secret here in this window: copy that save it somewhere somewhere secure, um because once you come back, you won't be able to see the secret anymore. So.

A

Cool, so I think you said some of this information now goes into the app manifest the team's app manifest.

B

Yes, so that's the next step, so we've done all this, but teams is still clueless about what's happening because it doesn't know all this information. So how do we pass that information to teams and teams only read stuff using its manifest? It's like very picky.

B

So let's go back to visual studio code and see the manifest uh file here in my project, so um we've got all the details that we need and if you want to learn more about manifest, go to our older video, where we're explaining all the teams application um stuff where we've talked about the manifest magic. um So this is um pretty useful. So the one thing you need to add for your application to have a teamstab sso is to put this information in the web application info.

B

So this, basically, is your app id that the app that you just registered in your azure portal, the id and then the application uri remember uh there was a uri api, slash um the domain, slash the id. So this is what you need to put in um for your team's uh client to know that your app is single sign on ready.

A

Let's see so that's what's going to allow that first call that the local call in teams- yes.

B

To give.

A

You that that, in that first token,.

B

That's right: okay, cool cool, so I've got this project here, which basically um has a html file here, as you can see, this is our client side code that we discussed before, which has the sdk teams sdk and also it goes ahead and gets a token from teams. So this is what we discussed earlier. So we get a token in the client application code and then we exchange it in the server side code. Now for the server side code, we have uh this index.js file.

B

uh Your token that we get from the teams is exchanged for the access token, and this is where it all happens. So this request.query.token is actually the token that you get from the sdk.

A

So it's making a rest service call directly to azure id there at login.microsoftonline.com right.

B

That's right, and you can see here- client, id and client secret, and what this is basically is um uh earlier. We showed you, the azure, ada, app registration that we did and we have the app id and the secret from there and that's what we're going to pass in here and the token is the token that we got and then this is the app scope, the scopes that you want, um for um you know what kind of data you are getting from graph or whichever service provider and bob um we have.

B

This requested token use that says on behalf of, and also this grand tab, I'm not really sure uh of what that stands for.

A

Yeah so well, the grant type is just saying: that's an oauth request, you're asking for a jwt bearer token and uh using the oauth protocol and then requested token uses on behalf of so.

C

You're passing in the old.

A

Token that you got from teams and then proving that you are the app because you have the client id and secret and then you're.

C

Acting.

A

On on behalf of the user, you, based on the token that teams had for that user.

B

Yeah, that makes sense, so that's what they call oboe flow right.

A

On behalf of phone yeah, yep.

B

Awesome so and then all we do is once we get that um token back from azure 80, then we just pass it back into our um application. That's what we're doing here. So this is basically just to show the exchange of the token. Now, let's see how that token looks like.

A

Okay, so there's the access token.

B

Yeah, so here is the access token in the team step because I'm displaying it, but you can see here in this terminal that I'm displaying uh the tokens now. First, we have the ecpc token that we get from teens.

B

I call.

A

The pcpc token it is so easy it. I wish. The whole thing was that easy, but.

B

And then complicated right, that is it is you have no idea how much I screamed when I saw the um access token coming back.

C

um

A

For happiness right, I know, I know.

B

And I also printed the access token- and I called my heavens because that's exactly how I felt when I um got it back and you can see here these. Both these tokens are different and I have no idea what's in it, though,.

A

Mm-Hmm well, let's take a look right.

B

You can go.

A

To jwt.ms and uh okay.

B

It will.

A

Parse, that out for us.

B

Well, bob always has a plan. What is it called jwt.

A

Dot, ms there's.

B

Another jwt.

A

Dot io, which does pretty much the same thing, and you know okay, this is going to show something which is that these tokens are not encrypted right. So the.

C

Fact is that.

A

You just pasted this into a random website and I guess I wouldn't advise doing it to just a completely random one. That's why I like jwt.ms. I know I work for microsoft. It comes from microsoft. I know it's safe but anyway, the point being that these are bear tokens, it's kind of like a 20 bill. If you find one.

C

On the street, you.

A

Can spend it you don't there's.

C

Nothing.

A

They're not going to check on who you are whether it's your token you just get to use it so so.

B

Anyway,.

A

That we that's why you have to have https when you use this stuff, because anybody who might.

C

Intercept.

A

The message, if it's not encrypted the only thing, that's.

B

Encrypting.

A

It really is https so anyway,.

B

But yeah you can see it's broken.

A

Broken the whole thing down for us.

B

Yeah and it has got all these information, but it's really russian to me at the moment, uh except for maybe the name. um So it's like very basic information of a user.

A

Yeah well so the thing some of the things to look at right are right up at the top, the audience aud.

C

And I see that it's it's.

A

Looking the audience is your app right.

C

Cda.Nbroc.Io.

A

Is where your app is running so.

B

That's what you want to call.

A

Graph, which is why, right out of the gate, this token is not going to work for graph. It's only going to work when you call your app.

B

Yeah, that's right.

A

Right.

B

That makes all sense, because earlier we showed in the regis app registration that we put this as the application uri.

A

Yeah and then I see your family name is admin, so you are so into being an admin that you change, your name legally to admin and.

A

um

A

And then there's a bunch of other stuff here that including a.

C

Signature.

A

Saying that this is all okay, uh there should be a scope somewhere scp access.

C

As.

A

User, so that's the permission.

B

There.

C

We go.

A

All you have permission to do is access as user, so so that's the situation is you've got a token for your own app and I guess that kind of makes sense because teams is authorized to when we did the app registration. You gave it permission to issue tokens for your app, but not for the graph or.

B

Some other app that's right, which is why we have the access token. So, let's go and decode that one as well, I'm going to open up my visual studio code, okay and open up the access token that we got, which clearly looks different. uh I just checked the ending, and I know that it's different all right. So, let's see the um access token now, hey.

A

Yeah.

B

Cool.

A

Okay, so oh look at that, so the audience now you might think that's all zeros, but it's actually got some digits in there like the three and stuff. That's the magic for um for the graph. Isn't it.

B

Yeah, that's it you're right.

A

Oh there you go okay, so we got that correct and then they've got the um the uh scope is now different. So you've got your uh you're getting email, open id profile and user.read yeah for the graph. So user.greed is the one that would allow you to read your user profile.

B

Yeah.

A

And um and the rest of it is, it looks all pretty good, so I think this looks like it should work for the microsoft graph.

B

That's awesome, so we got the tokens yay, and this is what basically team status. Teamstab sso is under the hood like the basic stuff right. So this is how we get the token without the user going in and doing a bunch of things.

A

Yeah yeah.

B

Awesome, I wonder if we could go ahead and call um the graph call right away using postman or some other tool. So let's just go ahead and try that out now all.

C

Right so.

B

I already set this up um where I have a request, but I have not done anything else yet. So I know that I need to call http.

C

Is it.

B

Me just me not messages yet spring.

A

Okay, yep.

B

And in the authorization I'm just going to use my access token, so I choose para token and paste that token that we got I'll adjust that a bit. So you can see uh what I did there and then hit send. That should just get me. The data that I need, which is oh look at that look at that. Look at that. My.

A

Business phone there's your very binary, looking phone number and your your admin name, your new alter ego.

B

I knew that my job title is null. Oh.

A

No, does that mean you can get employment insurance.

C

That's right.

B

Cool but at least yeah it's working, so um I guess you get the idea. You can go ahead and call graph right away using this toolkit with the permissions that it's it's granted you so we're gonna go ahead and go to our client code, and this is where we're printing it out right. So we saw earlier that we're printing the access token in the tab. So maybe we can go ahead and you know, since we already have the access token, we could just go ahead and call graph right sure, oh wait.

B

Waldek has something to tell.

C

You wanna do what no no, no! No! No! No, no don't expose the token on the client. If you get a token on the server, keep it there, you don't want to expose a token from server to the client. That's just not the way it goes right, so it's basically the same way as if you wouldn't share a password, the benefit you get.

C

If you get token on a server and keep it there is that when that token expires, you will be able to renew it there without having to do a round trip right, because otherwise you call server to get a token put it on a client, then use it to call an api that token expires. They need to get back to the server get another one. Don't if you get a token on a server, keep it there.

B

So let's just go ahead and do the right thing right: let's go back to our server side code and where we are sending our token uh information back, we're just gonna delete that and paste our graph call.

A

I see right so you've already got a web service. You might as well just do all the work down there and pass the result. Instead of passing this very sensitive data back.

B

Exactly so, the token is now safely in your server side code that is hosted somewhere in the cloud, but it's not there in the browser for anyone to sniff it out. Okay,.

A

So.

B

um I'm sending that data back and let's just see it working one last time in the tab, which shows all the graph information that we saw earlier in postman.

A

Yes, we got it look at that. That's great.

B

All right so we saw the earlier sample, it was pre-consented the scopes uh et cetera, and we said that we promised our viewers that bob would go ahead and show a real sample that you could leverage and use in enterprise level applications that would require this kind of consent.

A

Yeah, so it's very some it's very simple as well, so here's the app and you can see I'm running it for the first time, so I'm it says, consent required. I click the button and that's partly you know the the click.

A

The button part is to handle pop-up blockers and here is the consent form, and um you can see here that it says I could consent just for myself or if I check this off for the whole organization b, and I only see that because I'm an admin, so I'm just going to consent for myself and then there we go and it's just returning same as yours. It's just returning the the profile. The nice thing is, though, if I leave and come back, it's not going to it's not going to bother me with anything.

A

It just comes right up.

B

No.

C

Interaction.

A

No buttons, no pop-ups, nothing right so.

B

Sorry can I just say I just love your job title.

A

I'm I'm going to work really hard to get to be a real chief.

B

My.

A

Gold, my goal in life is to be the chief bottle, washer, so anyways uh yeah. So this is, uh let me show you a couple things I had to do. One was in the um app registration, I had to add something I had to add the ability to handle a pop-up, so we're going to use um we're going to use the old authentication if we can't get the token, because it's authentication required or sorry consent required we're going to use the old authentication just once and that will force the consent.

A

So that's why I have these redirected urls, which is really just because of a few different versions of the app that I'm using with.

C

The same.

B

Registration.

A

And then I just want to point this out: implicit grant is not enabled and so you'll see in the documentation. It says that you don't need implicit grant, but some of the tutorials still say implicit grant should be checked, and that goes back to an earlier version of azure ad before they supported something called auth code pkce flow, which is kind of an alphabet soup.

A

So don't worry about it, but just just letting you know if you use this sample here, you do not need the implicit flow because we're going to take care of that in the code. So the code is here and I've, I've kind of structured it out quite a bit now the ac that server side is here.

A

This is the on behalf of flow right, and it's very much like what you showed um except the difference is that um when I get my response back, I'm going to check the status and if it's not 200, and if the er is either invalid grant or interaction required.

A

That's really telling me that azure ad is basically saying I need to talk to this person. You know it's funny, but you ever go into it like a place and that you have to go talk to the manager. Oh no.

B

Oh, my god,.

A

It's like it's kind of like that right and then so then, I'm gonna return that error back.

A

In that case, I'll you'll have to trust that my exception handling logic is going to return interaction required status back as opposed to returning the actual token and then inside of my server side, um I'm not going to actually um I'm not actually going to return the token. The way waldek didn't want us to right. So if I ask for the user profile, I'm going to go and and get that server side token, if I can and if it needs interaction, it will throw an exception which.

C

You just saw me do.

A

A throw in the other function and I'm going to come back here and I'm going to log that the interaction was required and then what will happen is that the client side is going to pick up on that.

A

So here's the client-side code, the happy path is, I got my client-side token. I passed it to the to the web service got my user profile and I displayed it. That's the happy.

C

Yeah, if.

A

I've got an error here, it's gonna, say: okay. If that err happens to be interaction required, then I'm going to uh show that button on the screen right and what that button is going to do.

A

Is it's going to call this other sdk teams sdk, which is the weirdest one? It's it. This is the sdk call that launches a pop-up from teams. It's called authentication.authenticate, but it doesn't actually do authentication at all. What.

C

It really does, is it displays a pi.

B

Open up a pop-up and.

A

So that pop-up code is here under consent, pop-up sure, and uh so I by breaking this out, I got more code so uh sorry about that. But but then what is happening inside of that pop-up is- uh and I did this without- I just decided not to use msl or anything. Hopefully it makes it clear for people.

A

This is just doing it directly in the code we're going to do we're going to create a request for azure id with a tenant id and notice that we're using off code flow and not implicit flow, so you'll, those those other demos that require you to check the implicit flow box. They would have implicit here, but.

C

I have.

A

Code, which is the off code flow I've got my scopes and, um and then I'm going to redirect so the way azure id and oauth works is that some things are handled with a web service call like like you're on behalf of flow other things are handled with a redirect.

B

Right, I'm.

A

Going to redirect over to teams inside I'm running inside the little pop-up now and.

C

That gives.

A

Teams a chance, uh sorry and that gives azure id a chance to interact with the user, so it.

C

Can.

A

It could do do whatever it needs in this case, it's going to be the consent yeah and it's going to send them back to popup, end.html and popup. End is going to be here. All it does is notify success which goes back to my tab, passing it the um it doesn't even have anything to pass it honestly. It's just we're done. The consent is done because then, what's going to happen is the tab is going to run again, it's going to run through all the same code that you saw before.

B

It's going.

A

To succeed because I really consent right. In fact, if I didn't.

B

Give a consent.

A

Yeah, it will come back with the samer and I will be asked again and again until I consent or.

B

Nice give up.

A

Right and so that's that's the whole thing.

B

That's that's.

A

Amazing.

B

And one thing I would say is: um I saw a tenant id um in that url that you sent. uh Basically that's what sends back um the like. You said: it's all redirection right. So if you want, if you're using a multi-tenanted app, you probably can you don't have to send the tenant id right, you can replace it with comments and that would but go ahead and open the pop-up in that way.

A

Yeah, so I registered my app as a single tenant and that's why I had to.

B

Right but.

A

You did.

B

The.

A

Multi-Tenant, so that's again, we've got a whole video on um how multi-tenant works so that people can watch that and figure out which one they, which one is appropriate for them. Yes,.

B

Go on go and have a look yeah.

A

There you go.

B

Awesome.

A

So all right, so that's the that's the other demo and uh we'll point people to the uh to the source code for both kind of the the the simple one which is probably best if you, if you know that the admin will have already consented.

A

I like how I like that yours is simpler right, um but then, if you need to uh to allow the user to consent- or even if you just want to prompt the admin inside the app instead of asking him or her to go to the uh m to the azure id.

B

Admin.

A

Page then you can, then you can do it using this other app that I that I've updated.

B

Honestly, I feel so light now like I was thinking. Oh my god, it's so complicated! All these things I mean with us breaking up the sample into showing the token related stuff, and then you showing the redirection part. I think now it breaks down a bit and it's more easier to follow so.

A

Hopefully,.

B

Yeah.

A

Leave us a co uh comment in the in the comments and let us know if this helped, because I get that this is I mean you, you said you were screaming at one point I know I've. I definitely had more hair at you know when I pulled a little bit of it out trying to get this stuff to work the first time. So uh you know I get it. I get that it's tricky and I'm uh you know we're really doing this for the developers to try to make it easier for them.

B

Yes totally, um I appreciate um everyone watching this, um like bob mentioned, put a comment, and let us know what worked, what didn't work um and also um what is your take on sso? Let us know.

A

That'd be great and don't forget to like the video, if you liked it and um and to subscribe to the channel. If you want to see more videos on microsoft, 365 and we'll see you on the next episode of microsoft, 365 code, decode.

B

See ya.