How to handle SSO in Teams with the new Agents SDK Release?

Question

How to handle SSO in Teams with the new Agents SDK Release?

Kumble, Rahul 35

I am building a conversational chatbot for microsoft teams using the new Agents SDK in python, I built a different bot using the 0.3.2 release of the framework in the past where I would handle user consent and SSO in my messaging endpoint like so:


@AGENT_APP.activity("message")
async def on_message(context: TurnContext, _: TurnState) -> None:
    user_id: str = context.activity.from_property.aad_object_id
    token = None

    typing_indicator = TypingIndicator(interval=800)
    await typing_indicator.start(context)

    if token_cache.does_valid_token_exist(user_id):
        token: Optional[str] = token_cache.get_token(user_id)

    if not token:
        token_response: Optional[TokenResponse] = await AGENT_APP.auth.get_token(
            context, "GRAPH"
        )
        if token_response and token_response.token:
            token: str = token_response.token
            token_cache.add_user_token(user_id, token)
        else:
            async with AGENT_APP.auth.open_flow(context, "GRAPH") as flow:
                flow_response: FlowResponse = await flow.begin_or_continue_flow(
                    context.activity
                )

                if flow_response.sign_in_resource:
                    await context.send_activity(
                        create_oauth_signin_activity(flow_response)
                    )
                    return

    if user_id not in message_cache.cache:
        hist: List[Dict[str, str]] = await get_n_message_history(context, token, 10)
        message_cache.add_history(user_id, hist)

    message_cache.add_new_message(user_id, context.activity.text)

    async with httpx.AsyncClient() as client:
        agent_response: Response = await client.post(
            f"{API_BASE_URL}/v1/agent/messages",
            json={
                "user": context.activity.from_property.name,
                "history": message_cache.get_user_history(user_id),
            },
            timeout=30.0,
        )
        response: Dict = agent_response.json()

    bot_message: Optional[str] = response.get("message")

    if bot_message not in tools:
        message_cache.add_new_message(user_id, bot_message, True)
        await context.send_activity(f"{bot_message}")
        typing_indicator.stop()
    else:
        await context.send_activity(tools.get(bot_message)())
        typing_indicator.stop()

however since then, the open_flow() and access to FlowResponse or really any way to control the oauth flow has been removed according to this Pull Request . Since the framework is almost completely undocumented I would like to know what the new way of doing this is.

PS: even though there are no changes in my code, running the same code on a different bot instance gives me the following error banner when clicking on the oauth card:

This action can't be performed since the app does not exist or has been uninstalled.

I have cross referenced the previous bots config and there are almost no differences I would like to know how to fix this error as well because I noticed that clicking on the signin button on the card makes no network requests to the bot so I need to fix this issue as well.

1 answer

Your answer

Answer 1

Kha-N 5,295 Microsoft External Staff Moderator

Hi @Kumblerahul,

Welcome to Microsoft Q&A, and thank you for reaching out.

Please note that as a Microsoft Q&A moderator, I don’t have access to your specific configuration, and my testing environment is limited. I can only assist using available documentation and resources, but I’ll do my best to help.

Regarding the OAuth flow: From my research based on Microsoft’s official guidance on Team bot Authentication, currently, there isn’t an alternative approach to control OAuth flow.

As far as I know, in Teams native built-in, OAuth/SSO is handled through Invoke activities (not Event activities). Your bot should forward the invoke to the appropriate dialog or handler. The Teams client attempts token exchange first and only fall back to a sign-in card if necessary. This is the model the Agents SDK follows, the SDK manages card emission and token exchange rather than requiring you to control the flow manually.

About the error when running the same Python script on a different bot, could you clarify the purpose of the second bot compared to the first? Depending on the use case, the script might behave differently due to functional differences.

Additionally, as I checked, based on this StackOverflow thread, ensure the following domains are listed in the validDomains section of your app manifest:

token.botframework.com
login.microsoftonline.com

This often resolves the “app does not exist or has been uninstalled” error when clicking the sign-in button.

This link will take you to StackOverflow, which is outside Microsoft’s domain. Please note that Microsoft is not responsible for the accuracy, security, or advertising on external sites.

At this point, I don’t have further insights beyond what’s documented. I’ve researched, but due to environment limitations and lack of official documentation, I couldn’t uncover new findings. Therefore, I recommend checking GitHub discussions or Microsoft Tech Community forums, where experienced developers share practical solutions and troubleshooting tips. These platforms often provide valuable perspectives that can help resolve such issues.

Thank you for your understanding.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Kumble, Rahul 35 Reputation points

2025-11-26T11:16:55.5233333+00:00
thank you for the prompt response. regarding the differences between the first and second bot there is no technical difference other than a few changes in unrelated subsystems. However, the reason I chose to manually handle auth flow is because adding the auth handler to the endpoint decorator was highly unreliable at the time, the code I have posted worked perfectly fine, I would get a FlowResponse and send an oauth card with the details, this worked fine, my invoke handler was not set up to handle anything other than adaptive card responses. however, since the 0.5.0 update all of this has changed and there is no documentation either.

My main goals here are:

On user message, check if there is a valid token in my cache, if not send an oauth sso card and cache the new token

fix the "This action can't be performed since the app does not exist or has been uninstalled." error banner on the oauth card because it appears that clicking on it does absolutely nothing because it just shows me the banner without making any network requests.

I would like to know the idiomatic way to handle these issues, because all the stuff I was relying on has either been made private or removed entirely. I tried using the get_token() and exchange_token() functions in the Authorization class however it appears they will always fail because get_token() just calls exchange_token() which only attempts to get a new token if there is already a token that has been cached internally by the framework, since I do not have this token at startup these functions are functionally useless.
Nivedipa-MSFT 3,946 Reputation points Microsoft External Staff Moderator

2025-11-26T12:49:07.2666667+00:00

@Kumble, Rahul - We will check and update you soon.
Kumble, Rahul 35 Reputation points

2025-11-27T06:14:12.1766667+00:00

Thank you, please let me know if you figure it out.
Kha-N 5,295 Reputation points Microsoft External Staff Moderator

2025-11-27T13:02:26.9233333+00:00
Hi @Kumblerahul,

Thank you very much for your response and patience.

For your first request, I looked into this further and found the Auto Sign-In sample on GitHub. Based on the instructions, the sample tries silent SSO first using the configured auth handler and only shows the sign-in card if consent is needed. This approach seems to align with your requirement, so I recommend giving the sample a try to confirm it works for your scenario.

For your second request, beyond my initial suggestion, here are some common troubleshooting steps you can try:

Re-sideload and restart the Teams client: Uninstall the app, close Teams completely, reopen, and sideload again to clear any stale cache.

Ensure the Teams app manifest matches your Bot ID: Any mismatch between the manifest and Azure Bot resource can cause the “app doesn’t exist” banner.

I hope this helps.

Warm thanks.
Kha-N 5,295 Reputation points Microsoft External Staff Moderator

2025-11-28T14:15:27.6366667+00:00

Hi @Kumblerahul,

I hope you are well.

I just want to follow up on your request. Were my suggestions able to help you?

Warm thanks.
Kha-N 5,295 Reputation points Microsoft External Staff Moderator

2025-12-01T07:47:44.8066667+00:00

Hi @Kumblerahul,

I hope you are well.

It’s been a while, so I just wanted to check in on your issue. Were my suggestions helpful in resolving it?

Warm thanks.
Kumble, Rahul 35 Reputation points

2025-12-01T08:16:33.1866667+00:00

Hi sorry for the late reply, but no unfortunately I was unable to fix the issue, I'd previously looked through the repo you sent and tried that to no avail. I'm really curious when documentation for the agents sdk will become available because the lack of it is making it really frustrating to work with, any further help would be much appreciated because this is an issue that I really need to sort out.
Kha-N 5,295 Reputation points Microsoft External Staff Moderator

2025-12-02T00:04:16.4166667+00:00

Hi @Kumblerahul,

Thank you very much for your response.

At this point, I regret to inform you that I don’t have any additional insights to share on this matter. I’ve conducted further research, but due to limitations in replicating the environment and the lack of official documentation, I haven’t been able to uncover new findings that match your need.

That said, I recommend exploring or starting discussions on platforms such as GitHub or Microsoft Tech Community, as mentioned previously. You’ll find alternative viewpoints and practical experiences shared by seasoned technical experts and tech enthusiasts that may help address your concerns.

Warm thanks.
Kha-N 5,295 Reputation points Microsoft External Staff Moderator

2025-12-03T00:31:19.4866667+00:00

Hi @Kumblerahul,

I hope you are well.

I just wanted to check in on your issue.

Have you had a chance to review or raise your questions on GitHub or the Microsoft Tech Community?

Warm thanks.
Kumble, Rahul 35 Reputation points

2025-12-03T10:06:24.6833333+00:00

@Kha-N I have raised an issue on github, waiting for a reply now. Thank you for all the help.
Kha-N 5,295 Reputation points Microsoft External Staff Moderator

2025-12-04T04:09:19.2933333+00:00

Hi @Kumblerahul,

Thank you so much for your update.

If you have any updates or new findings after this, please feel free to share them here. I’m eager to learn more about this.

Best regards.
Kumble, Rahul 35 Reputation points

2025-12-04T04:12:18.2266667+00:00

@Kha-N will definitely update here once I find the answer.

Share via

How to handle SSO in Teams with the new Agents SDK Release?

1 answer

Your answer