Bot Channels Registration: where is the Secret/Password for the Application ID?

Thread starter: IIS
TL;DR: When provisioning a Bot Channel Registration with “Auto create App ID”, the associated secret cannot be retrieved. This is “by design” and there are 2 workarounds:

  • Simply add a new secret for the App ID, and use that in the bot app configuration, or
  • Pre-define an Azure AD App Registration before creating the bot

Intro

In a bot solution, there are 2 core applications that talk to each other, each authenticating to the other with tokens issued by Azure AD: the bot connector and the bot app/endpoint. You might want to review my article at Bot components: roles, diagrams, overview - Microsoft Tech Community - 393113 for illustrations and details.

Those authentication tokens originate from an Application Registration entry, that is present in the Azure Active Directory tenant; the tenant associated with the Subscription under which the bot is created. The App Registration is, basically, an App ID with one or more secrets, or passwords.

When creating a Bot Channel Registration, the provisioning wizard in the Azure Portal offers to automatically create the App Registration entry mentioned above. It’s handy, but it often leads to confusion later:

Now where is the Secret/Password of the Application ID for my bot? Because I needed it in the configuration of my bot application...

This is where we hit a security feature of Azure AD App Registrations: an associated secret can only be retrieved at creation time; once the App ID password is persisted in the App Registration entry, it can no longer be read back. That leads directly to the question above: the Bot Channel Registration wizard persists an App ID password for the bot connector side, but it never shows it, nor does it explain how to get a (new) secret for the messaging endpoint side.

How does it happen?

Let’s say you start creating a bot using the Bot Channel Registration provisioning template:

Click “next”...

Yes, please do create an App ID and password, meaning an App Registration entry in the current Azure AD tenant...

Now I’ll need the created password or secret of the Application ID, right? Because I need it in my bot app configuration...

Boom: cannot get the secret of the App Registration, due to a security enforcement.

Oh, by the way, on a side note... don’t delete the existing secret, because that is used by the bot connector side. Remember the diagram at Bot components: roles, diagrams, overview - Microsoft Tech Community - 393113. If you delete that secret, you’re breaking the connector’s ability to authenticate to your bot app.

How to work around it?

Right, you still need the Application ID AND a secret for the configuration of your bot app, because your bot has to authenticate too when it sends messages via the connector.

Solution number 1

Simply add a new secret that can be used on the bot app side, but watch it...

Grab the newly created secret immediately after adding it in the App Registration entry. You won’t get another chance!

Use the new secret in the configuration of your bot app, the messaging endpoint:

Solution number 2

Pre-define an App Registration.

Create the app registration prior to provisioning the Bot Channel Registration, because once the bot connector entry is created, the App Registration used by that Bot Channel Registration cannot be changed. See details in my article at How to create an app registration in Azure AD for a bot solution - Microsoft Tech Community - 810761.

Then use the App Registration ID and secret in the Bot Channel Registration creation wizard.

Of course, this actually means provisioning a new bot from scratch. Depending on how much effort you put into configuring the initial bot, you might want to apply the first solution instead.
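Both workarounds can also be scripted instead of clicked through in the portal. The following is an added example, not code from the original post or from Microsoft, using Azure CLI commands for Solution 1 (add a secret to the wizard-created App Registration and push it into the bot app’s settings) and for Solution 2 (create the App Registration first and print its App ID and one-time secret for the wizard). It assumes an existing `az login` session with rights on the App Registration and on the App Service hosting the bot, and that the bot reads `MicrosoftAppId` / `MicrosoftAppPassword` from its app settings (the Bot Framework SDK’s conventional setting names, assumed here). The function names are my own, and `mask_secret` exists only so the secret never lands in console output or logs in clear text.

```shell
#!/bin/sh
# Added example, not from the original post: the two workarounds scripted with
# the Azure CLI. Assumes an `az login` session with rights on the App
# Registration and on the App Service hosting the bot, and that the bot reads
# MicrosoftAppId / MicrosoftAppPassword from its app settings (the conventional
# Bot Framework SDK setting names, assumed here).
set -eu

# Solution 1: add a secret to the existing App Registration.
# --append keeps the secret the wizard created for the bot connector side;
# without it, `credential reset` replaces every credential on the registration
# and the connector can no longer authenticate to the bot.
add_bot_secret() {
  app_id=$1
  az ad app credential reset --id "$app_id" --append --years 1 \
    --query password -o tsv
}

# Solution 2: create the App Registration first, then feed its App ID and
# secret into the Bot Channel Registration wizard. Prints "<appId> <secret>"
# exactly once; the secret cannot be read back later.
create_bot_app_registration() {
  display_name=$1
  app_id=$(az ad app create --display-name "$display_name" --query appId -o tsv)
  secret=$(add_bot_secret "$app_id")
  printf '%s %s\n' "$app_id" "$secret"
}

# Store App ID and secret directly in the bot app's settings, so the secret is
# never pasted into a file, a chat or a ticket on the way.
set_bot_app_settings() {
  webapp=$1; rg=$2; app_id=$3; secret=$4
  az webapp config appsettings set --name "$webapp" --resource-group "$rg" \
    --settings "MicrosoftAppId=$app_id" "MicrosoftAppPassword=$secret" \
    --query '[].name' -o tsv
}

# Redact a secret for logs and console output: first two and last two
# characters only, or a fixed mask when the value is too short to show any.
mask_secret() {
  s=$1
  if [ "${#s}" -lt 8 ]; then
    printf '****\n'
    return 0
  fi
  first=${s%"${s#??}"}   # first two characters
  last=${s#"${s%??}"}    # last two characters
  printf '%s****%s\n' "$first" "$last"
}

case "${1:-}" in
  add-secret)   # usage: bot-secret.sh add-secret <appId> <webapp> <resource-group>
    secret=$(add_bot_secret "$2")
    set_bot_app_settings "$3" "$4" "$2" "$secret" >/dev/null
    echo "Stored secret $(mask_secret "$secret") for app $2 in $3"
    ;;
  new-registration)   # usage: bot-secret.sh new-registration <display-name>
    create_bot_app_registration "$2"
    ;;
esac
```

The `--append` flag is the scripted form of the warning above: without it, `az ad app credential reset` replaces every credential on the registration, including the one the connector uses, and the connector can no longer authenticate to your bot app.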

I hope it helps. Remember that song, “Don’t Worry, Be Happy”?