Blocker in Implementing SSO for Teams Bot – Clarification Needed on Federated Credentials Setup

[anand-maq]

Hi Team,

We are implementing Single Sign-On (SSO) for our Microsoft Teams bot and are following the official Microsoft documentation:

Bot SSO Overview: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-sso

Bot Authentication Setup: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication

Federated Credentials for Bots: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-federated-credential?view=azure-bot-service-4.0&tabs=csharp

❗ Problem

The standard bot SSO flow requires creating an App Registration and using either:

Certificate authentication, or

Client secrets

Both options are restricted in our organization due to security policies.

Therefore, our only possible approach is to use Federated Credentials.

❓ Blocker – Missing clarity on subject identifier

The documentation states that Federated Credential configuration requires:

Issuer

https://login.microsoftonline.com/{customer-tenant-ID}/v2.0

Subject Identifier

/eid1/c/pub/t/{base64 encoded customer tenant ID}/a/{base64 encoded first-party app client ID}/{unique-identifier-for-projected-identity}

We can determine all parts except the last parameter:
{unique-identifier-for-projected-identity}

The documentation does not explain what this value is, how it is generated, or where it comes from. This missing detail is blocking our progress.

❓ Additional Context – Using a Managed Identity

Our bot uses a User Assigned Managed Identity (UAMI) instead of a traditional App Registration.

Azure now exposes “Federated Credentials” directly in the Managed Identity blade, which raises two questions:

Can Federated Credentials be used directly with a Managed Identity (bypassing the need for App Registration)?

Does this approach support the Bot Framework SSO token exchange flow, or is an App Registration still required behind the scenes?

📌 Request

We would appreciate guidance on:

How to correctly construct the subject identifier

Whether UAMI + federated credentials is a supported pattern for Teams Bot SSO

Any internal limitations or unsupported scenarios we should be aware of

This clarification is essential for us to finalize our authentication design and proceed with implementation.

Thanks,
Anand

[hitxsh]

Hi, I have been facing the same issue. Was it resolved?

[anand-maq]

yes we need to use same value in both place .
example:
in OAuth Settings : unique-identifier = 12345567
then in Federated Credential
unique-identifier-for-projected-identity will be 1234567