Can I do a ‘privileged on-behalf-of’ request with Azure AD access token from MS Teams?

When building apps for Teams, your web-app is delivered inside an iFrame, which means that you need to use the Teams SDK to perform sign-in.

The Teams SDK provides a couple of different ways to do this, but in an ideal world, you would want to use this methodology, which performs a non-interactive SSO (essentially swapping the access token that you used to authenticate into Teams, for an access token for your application) and provides you with an Azure AD access token for your application. More details on this can be found in this article – Single sign-on support for tabs - Teams | Microsoft Docs

All this is great, but I am wanting to ascertain if it is possible, within Auth0, to submit this access token to a protected endpoint and for it to return an Auth0 access token for a specific user (which our APIs accept). When speaking to Microsoft they have referred to this type of OAuth flow as a ‘privileged on-behalf-of’ request, where you communicate with an endpoint, submit a secret/API key, and that endpoint returns an access token.

Inside the Azure AD SSO token that Teams issues, we should have enough information to identify the user, and if they already exist in Auth0, we just want to be granted an access token for that user, and then to return it back to the client to call our APIs.

I’ve scoured the documentation, but I can’t find any way to do this in Auth0 – is this possible? If so, how? If not, why?

The other option that we have is to use an older way of handling sign-ins with the Teams SDK (using this - Authentication for tabs using Azure Active Directory - Teams | Microsoft Docs), but this requires user input and is not a great user experience. In an ideal world, we just want to be able to work with the Azure AD access tokens, as these will always be available for users who are accessing our app via Teams.

TLDR: We have an MS Teams application with an embedded web app. Our users are already logged into MS Teams - so if they are SSO users who have signed up via Azure AD, can we use that to auto-login via Auth0?

1 Like
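An added example, not part of the original post and not Auth0 or Microsoft code: whatever backend ends up swapping the Teams SSO token for an application token has to validate it first, since the token arrives from the client. The sketch below shows those checks in Node.js; the audience and tenant values are constructed, a locally generated RSA key stands in for Azure AD's signing keys (a real service resolves them from the tenant's published key set), and the v2.0 issuer format is assumed.

```javascript
const crypto = require('node:crypto');

// Constructed values; a real service takes these from its own app registration.
const EXPECTED = {
  aud: 'api://app.example.test/00000000-0000-0000-0000-000000000001',
  tid: '11111111-1111-1111-1111-111111111111',
  iss: 'https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0',
};
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed signer standing in for Azure AD so the example runs offline.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function makeToken(claims, key = privateKey) {
  const input = `${b64u({ alg: 'RS256', typ: 'JWT' })}.${b64u(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}
// Constructed sample claims; pass overrides to build a failing token.
function sampleClaims(overrides = {}) {
  const exp = Math.floor(Date.now() / 1000) + 300;
  return { ...EXPECTED, oid: '22222222-2222-2222-2222-222222222222', exp, ...overrides };
}

// Returns the identifiers to look the user up by, or throws on any failed check.
function verifyTeamsSsoToken(token, signingKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, signingKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const c = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (c.aud !== EXPECTED.aud) throw new Error('wrong audience'); // minted for another app
  if (c.tid !== EXPECTED.tid) throw new Error('wrong tenant');
  if (c.iss !== EXPECTED.iss) throw new Error('wrong issuer');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  if (!c.oid) throw new Error('missing oid');
  // oid + tid identify the Azure AD user; mapping to an Auth0 user is out of scope here.
  return { tenantId: c.tid, objectId: c.oid };
}

console.log(verifyTeamsSsoToken(makeToken(sampleClaims()), publicKey));
```

Only after these checks pass should the `oid`/`tid` pair be used to look up an existing user; how Auth0 would then issue its own token is the open question of the thread and is not shown.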

We have the same requirement - is there a way to implement this with Auth0?
Do you have any documentation?

We are also trying to use Auth0 as a singular source of login, and are also trying to use on-behalf-of in order to make API calls into 3rd party services that are already tied to Windows Azure Active Directory.