Federated Credentials

[tracyboehrer]

Fixes #6828

At the moment, this ONLY works on the Microsoft tenant.

1. Deploy multi or single tenant bot (eg, ARM templates or manually)
2. Create ManagedIdentity, record the Client ID and the Object ID
3. Add ManagedIdentity to the App Service "Identity" tab
4. In App Registration, under "Certificates & secrets", add a new Federated Credential
   1. Scenario is "Other issuer"
   2. Issuer: "https://login.microsoftonline.com/{tenantId}/v2.0"
   3. Subject: {msi-object-id}
5. In appsettings, update:
   • MicrosoftAppType: {SingleTenant | MultiTenant}
   • MicrosoftAppId: {app-id}
   • MicrosoftAppClientId: {msi-client-id}
   • MicrosoftAppTenantId: {tenantid-for-singletenant-only}

In Startup.cs, add:

services.AddSingleton<ServiceClientCredentialsFactory>(
    new FederatedServiceClientCredentialsFactory(_configuration["MicrosoftAppId"], _configuration["MicrosoftAppClientId"], _configuration["MicrosoftAppTenantId"]));

There will need to be a follow-on PR/commit to integrate this with ConfigurationServiceClientCredentialFactory to make it config based.

[tracyboehrer]

@sw-joelmut I've tested this with Single and Multi Tenant. I have not tested for Skills. Can you add this testing to your queue?

[tracyboehrer]

Confirmed to be only available on the Microsoft tenant. Future support for non-MS tenants unknown.

[BruceHaley]

✔️ No Binary Compatibility issues for Microsoft.Bot.Connector.dll

[stepro]

@tracyboehrer it turns out that the Teams.AI library is hardcoded to use the ConfigurationServiceClientCredentialFactory:

https://github.com/microsoft/teams-ai/blob/main/dotnet/packages/Microsoft.TeamsAI/Microsoft.TeamsAI/Application/TeamsAdapter.cs#L58

I'll post an issue in their repo to make this customizable, but any ETA on the follow up PR to pull in config? Either one of these would unblock me. Thanks!