Hi Team,
We are implementing Single Sign-On (SSO) for our Microsoft Teams bot and are following the official Microsoft documentation:
Bot Authentication Setup: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication
❗ Problem
The standard bot SSO flow requires creating an App Registration and using either:
Certificate authentication, or
Client secrets
Both options are restricted in our organization due to security policies.
Therefore, our only possible approach is to use Federated Credentials.
❓ Blocker – Missing clarity on subject identifier
The documentation states that Federated Credential configuration requires:
Issuer
https://login.microsoftonline.com/{customer-tenant-ID}/v2.0
Subject Identifier
/eid1/c/pub/t/{base64 encoded customer tenant ID}/a/{base64 encoded first-party app client ID}/{unique-identifier-for-projected-identity}
We can determine all parts except the last parameter: {unique-identifier-for-projected-identity}
The documentation does not explain what this value is, how it is generated, or where it comes from. This missing detail is blocking our progress.
❓ Additional Context – Using a Managed Identity
Our bot uses a User Assigned Managed Identity (UAMI) instead of a traditional App Registration.
Azure now exposes “Federated Credentials” directly in the Managed Identity blade, which raises two questions:
Can Federated Credentials be used directly with a Managed Identity (bypassing the need for App Registration)?
Does this approach support the Bot Framework SSO token exchange flow, or is an App Registration still required behind the scenes?
📌 Request
We would appreciate guidance on:
How to correctly construct the subject identifier
Whether UAMI + federated credentials is a supported pattern for Teams Bot SSO
Any internal limitations or unsupported scenarios we should be aware of
This clarification is essential for us to finalize our authentication design and proceed with implementation.
Thanks, AnandHi Team,
We are implementing Single Sign-On (SSO) for our Microsoft Teams bot and are following the official Microsoft documentation:
Bot SSO Overview: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-sso
Bot Authentication Setup: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication
Federated Credentials for Bots: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-federated-credentials
❗ Problem
The standard bot SSO flow requires creating an App Registration and using either:
Certificate authentication, or
Client secrets
Both options are restricted in our organization due to security policies.
Therefore, our only possible approach is to use Federated Credentials.
❓ Blocker – Missing clarity on subject identifier
The documentation states that Federated Credential configuration requires:
Issuer
https://login.microsoftonline.com/{customer-tenant-ID}/v2.0
Subject Identifier
/eid1/c/pub/t/{
We can determine all parts except the last parameter:
{unique-identifier-for-projected-identity}
The documentation does not explain what this value is, how it is generated, or where it comes from. This missing detail is blocking our progress.
❓ Additional Context – Using a Managed Identity
Our bot uses a User Assigned Managed Identity (UAMI) instead of a traditional App Registration.
Azure now exposes “Federated Credentials” directly in the Managed Identity blade, which raises two questions:
Can Federated Credentials be used directly with a Managed Identity (bypassing the need for App Registration)?
Does this approach support the Bot Framework SSO token exchange flow, or is an App Registration still required behind the scenes?
📌 Request
We would appreciate guidance on:
How to correctly construct the subject identifier
Whether UAMI + federated credentials is a supported pattern for Teams Bot SSO
Any internal limitations or unsupported scenarios we should be aware of
This clarification is essential for us to finalize our authentication design and proceed with implementation.
Thanks,
Anand
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 68%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
