編輯

共用方式為


Use certificate or MSI for app authentication

You can use certificate- or MSI-based authentication to validate your bot app instead of bot ID and secret. This authentication resolves the compliance concerns related to the use of Microsoft Entra ID and bot secret.

Prerequisites

Ensure that you have a Teams bot app deployed to Azure with the following resources:

  • An Azure bot.
  • An Entra ID with a secret used for bot authentication.
  • A resource that hosts your bot app, such as Azure App Service, Azure Functions.

To update your bot app to use certificate-based authentication:

  1. Create and upload certificate in Azure AD
  2. Update the bot app code
  3. Delete bot secret

Create and upload certificate in Azure AD

To use a certificate for bot authentication:

  1. Prepare a certificate and private key.

  2. Go to Azure portal.

  3. Select App registrations.

    Screenshot shows the Azure services to select App registrations.

  4. Select your registered app.

  5. In the left pane, under Manage, select Certificates & secrets.

  6. Under Certificates, select Upload certificate.

    Screenshot shows the certificates and secrets option.

    The Upload a certificate window appears.

    Note

    Upload a certificate (public key) with one of the following file types: .cer, .pem, .crt.

  7. Upload the certificate you prepared.

  8. Enter Description.

  9. Select Add.

    Screenshot shows the upload certificate option.

Update the bot app code

Follow the steps to update the bot app code:

  1. Open your bot app project in Visual Studio or Visual Studio Code.

  2. Update your code.

        const credentialsFactory = new ConfigurationServiceClientCredentialFactory({
        MicrosoftAppId: config.botId,
        CertificatePrivateKey: '{your private key}',
        CertificateThumbprint: '{your cert thumbprint}',
        MicrosoftAppType: "MultiTenant",
        });
    
        const botFrameworkAuthentication = new ConfigurationBotFrameworkAuthentication(
        {},
        credentialsFactory
        );
    
        const adapter = new CloudAdapter(botFrameworkAuthentication);
    
  3. Ensure you test your bot to confirm the operation aligns with the updated authentication.

Delete bot secret

Ensure that your bot app uses the certificate for authentication before you delete the bot secret.

To delete the bot secret:

  1. Go to Azure portal.

  2. Select App registrations.

    Screenshot shows the Azure services to select App registrations.

  3. Select your registered app.

  4. In the left pane, under Manage, select Certificates & secrets.

  5. Delete the secrets from Entra.

    Screenshot shows the delete client secret value.

Your bot app now uses the certificate for authentication.

See Also