
PVA series – authentication in Power Virtual Agent


Today Microsoft released some of the features that were planned for the 2nd of December 2019 in its “new” product, Power Virtual Agents. One of them is authentication. In this post I will show you how to set up Azure Active Directory as an OAuth 2.0 authentication endpoint.

How does authentication in PVA work?

Once you put an Authenticate action in the conversation flow and the conversation reaches that point:

Authenticate action in conversation flow

the bot displays a card with a button to the user. Clicking the button generates an OTP (a one-time validation code) that the user simply copies and pastes into the chat window:

Authentication flow in Power Virtual Agent

Once the user has logged in successfully, two variables become available to the rest of the flow:

  1. IsLoggedIn – boolean variable, true if the user is logged in (what a surprise :P)
  2. AuthToken – simply the bearer token issued for the user; treat it as a credential that acts on the user’s behalf, so never echo it back into the conversation or write it to logs

Configuration

To access authentication settings of your bot you have to navigate to the following URL: https://powerva.microsoft.com/#/manage/authentication.

Important! You can define only a single authentication endpoint per bot.

The page shows an empty form that is not very easy to fill in if you are not an expert in Azure AD 🙂

Power Virtual Agent authentication configuration

Luckily, the documentation is written quite well and helps us set the values for these fields if we want to use AAD as the provider: https://docs.microsoft.com/en-us/power-virtual-agents/configuration-end-user-authentication

Field name – Value
Connection name – any name you want to give the connection
Service Provider – Generic OAuth2 (Power Virtual Agents only supports generic OAuth2 providers)
Client ID – Client ID of the Azure app (read further)
Client Secret – Client Secret of the Azure app (read further)
Scope List delimiter – , (a comma)
Authorization URL Template – https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Authorization URL Query String Template – ?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}
Token URL Template – https://login.microsoftonline.com/common/oauth2/v2.0/token
Token URL Query String Template – ? (just the question mark)
Token Body Template – code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret}
Refresh URL Template – https://login.microsoftonline.com/common/oauth2/v2.0/token
Refresh URL Query String Template – ? (just the question mark)
Refresh Body Template – refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}
Scopes – openid (for the purpose of authentication this is all that is needed)

Make sure the URL values contain no whitespace when you paste them; a stray space inside a URL template breaks the login silently.
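As an added example that is not part of the original post, the following Python renders the template fields from the table above into the concrete authorization request and token request body, and flags the mistakes that come up on this page (whitespace pasted into a URL template, a redirect URI that differs from the Bot Framework one, a missing openid scope). It assumes PVA form-encodes the substituted values; the client ID, secret, code and state values are constructed placeholders.

```python
from urllib.parse import parse_qs, quote, urlparse
# Redirect URI registered on the Azure app in the steps below; anything else fails at the token endpoint.
BOT_FRAMEWORK_REDIRECT = "https://token.botframework.com/.auth/web/redirect"
# Template field values from the table in this post (common endpoint, "," delimiter).
PVA_CONFIG = {
    "auth_url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "auth_query": "?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}"
                  "&scope={Scopes}&state={State}",
    "token_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "token_body": "code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}"
                  "&client_id={ClientId}&client_secret={ClientSecret}",
    "scope_delimiter": ",",
    "scopes": "openid",
}

def render(template: str, values: dict) -> str:
    """Substitute the {Placeholder} tokens of a PVA template, form-encoding each value (assumed)."""
    for key, val in values.items():
        template = template.replace("{" + key + "}", quote(val, safe=""))
    return template

def validate(config: dict, redirect_url: str) -> list:
    """Flag the misconfigurations discussed on this page; an empty list means OK."""
    problems = []
    for field in ("auth_url", "token_url"):
        if any(ch.isspace() for ch in config[field]):
            problems.append(f"{field}: contains whitespace (copy/paste artefact)")
    if redirect_url != BOT_FRAMEWORK_REDIRECT:
        problems.append("redirect_uri differs from the URI registered in Azure AD")
    if "openid" not in config["scopes"].split(config["scope_delimiter"]):
        problems.append("scopes: 'openid' missing, so no ID token will be issued")
    if "state={State}" not in config["auth_query"]:
        problems.append("auth_query: no state parameter (login CSRF protection lost)")
    return problems

def build_authorize_url(config: dict, client_id: str, redirect_url: str, state: str) -> str:
    """The concrete authorization request the user's browser is sent to."""
    values = {"ClientId": client_id, "RedirectUrl": redirect_url, "Scopes": config["scopes"], "State": state}
    return config["auth_url"] + render(config["auth_query"], values)

def build_token_body(config: dict, code: str, client_id: str, secret: str, redirect_url: str) -> str:
    """Form body of the code-for-token POST sent to config['token_url']."""
    values = {"Code": code, "RedirectUrl": redirect_url, "ClientId": client_id, "ClientSecret": secret}
    return render(config["token_body"], values)

def query_params(url_or_body: str) -> dict:
    # Decode a URL's query string or a form body into a flat dict (used for checks).
    query = urlparse(url_or_body).query if "://" in url_or_body else url_or_body
    return {k: v[0] for k, v in parse_qs(query).items()}
```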

Azure app

Since the configuration requires the app’s client ID, client secret and scope name, you have to register and configure that app in AAD.

To do that open https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps (the App registrations blade under Azure AD) and create a “New registration”:

Next define its name and choose the “Multitenant” option for the supported account types:

Once the app is registered, you must configure the redirect URL. To do that:

  1. Go to the “Authentication” blade
  2. Click the “Add a platform” button
  3. Type “https://token.botframework.com/.auth/web/redirect” as the redirect URI
  4. Select the “Access tokens” option
  5. Hit “Configure”.

Next you also have to grant permissions to the app. To do that:

  1. Go to the “API permissions” blade
  2. Click the “Add a permission” button
  3. Choose “Microsoft Graph”
  4. Hit “Delegated permissions”
  5. Select the “openid” option
  6. Hit the “Add permissions” button

Finally go to “Certificates & secrets” and generate a new secret key:

Then copy its value and paste it into the Power Virtual Agents configuration window. The secret value is shown only once, right after it is generated, and it has an expiry date, so note it down at that moment and plan for rotating it. Next go to the “Overview” blade to copy the “Client ID” value:

That’s it! The Azure app is registered and configured. Copy its secret and client ID and paste them into the Power Virtual Agents configuration screen.

I hope this post will help you save hours of searching and figuring out how to configure authentication with AAD for PVA. Leave me a comment if you need any support!


Tomasz Poszytek

Hi, I am Tomasz. I am an expert in the field of process automation and building business solutions using Power Platform. I am a Microsoft MVP and Nintex vTE.

30 Comments
  • Shaun Leise

    This saved me hours, thank you!

    One thing I noticed:

    If you copy and paste the values from your table above for Authorization URL Template, Token URL Template and Refresh URL Template there is an erroneous space ” ” before the word oauth2 which needs to be removed for the URLs to work correctly.

    November 30, 2019 at 5:20 am Reply
    • Tomasz Poszytek

      That is correct. I added there a new line to improve the layout. But sure, those white spaces should be removed.

      November 30, 2019 at 8:42 am Reply
  • joe Pirelli

    For MS AD (and possibly others) you will need to use the app custom endpoints instead of the ambiguously named ones.

    Something like this:
    https://login.microsoftonline.com/{appid guid}/oauth2/v2.0/authorize
    https://login.microsoftonline.com/{appid guid}/oauth2/v2.0/token

    December 4, 2019 at 6:38 am Reply
    • Tomasz Poszytek

      Actually the described configuration works just fine. Appid (clientid) is passed as a parameter.

      December 4, 2019 at 8:41 am Reply
  • Chamika

    This token cannot be used as an access token for a custom API. To use it, response_type should be changed to id_token+token, but once I change it, it gives me a bad request while a valid token is there in the redirect URL.

    December 9, 2019 at 8:31 pm Reply
    • Tomasz Poszytek

      I haven’t checked with custom API tbh. Did you try to reach out to Microsoft explaining your case?

      December 11, 2019 at 2:45 pm Reply
  • Bhaskar

    Added the authentication feature and added the bot to Teams (working fine on a web page and while testing it on the PVA site).
    But the login button doesn’t do anything in the Teams chat.
    Am I missing something?

    January 9, 2020 at 11:33 am Reply
    • Tomasz Poszytek

      Once clicked it should automatically authenticate you. Not like when embedded on the page, when you need to copy and paste the confirmation code.

      January 9, 2020 at 11:44 am Reply
      • Bhaskar

        Yes, ideally it should log the user in automatically but nothing happens when I click on Login button
        https://imgur.com/0ffM7k4

        January 9, 2020 at 12:13 pm Reply
        • Tomasz Poszytek

          Does it work when you embed the agent on a regular page? Not in Teams?

          January 9, 2020 at 1:10 pm Reply
          • Bhaskar

            It is working on the Microsoft sample website
            https://imgur.com/1hCPnTa

            January 9, 2020 at 2:38 pm
          • Tomasz Poszytek

            I have no idea then. Use option inside Power Platform admin center to raise a support ticket. That should definitely work.

            January 9, 2020 at 2:45 pm
          • Rooshan

            Hi Tomasz,
            Were you able to figure out Bhaskar’s issue? I have the same issue. The login button is not doing anything when I am using it inside MS Teams for the web, desktop and Android versions. It is only working in iOS. I have no clue about the possible problem.

            February 17, 2020 at 2:59 pm
          • Tomasz Poszytek

            Nope. No new information. I recommend contacting Microsoft Support for this one.

            February 18, 2020 at 9:04 am
  • Tomasz Poszytek

    I believe you saw this post of mine: https://poszytek.eu/en/microsoft-en/office-365-en/pva-en/pva-series-add-power-virtual-agent-to-teams/ – I tried it and this is working fine.

    January 9, 2020 at 2:47 pm Reply
  • Dhiraj Agarwal

    Very nice and clean article. We were able to follow it and get our authentication established.

    January 24, 2020 at 11:59 pm Reply
  • Andrew

    Hi Tomasz,

    would you please show an example of how to use the generated AuthToken for retrieving the user name / email?

    Many thanks,
    Andrew

    January 29, 2020 at 11:06 am Reply
  • Kevin

    Is there a way to pass the user variables to another topic once the user has been authenticated?

    April 27, 2020 at 1:32 am Reply
  • Tricia Sinclair

    Thank You Tomasz!! This really helped me a lot!

    April 28, 2020 at 9:20 pm Reply
    • Tomasz Poszytek

      Hi Tricia 🙂 I am more than happy to help you! Keep safe.

      April 29, 2020 at 10:27 am Reply
  • Leo Perez

    Is there a way to trigger a topic if the authentication failed? I was able to configure my bot to use Single Sign-on, but my problem is when a user is anonymous. I want to display a generic message to the user if he/she was not authenticated instead of displaying the log in card. Can you help me with this one?

    I already tried the same code as the bot uses to initiate conversation / greetings, but I have had no luck with it. I don’t know which Web Chat or Direct Line event I should use.

    August 12, 2021 at 3:56 am Reply
    • Tomasz Poszytek

      I haven’t been configuring SSO myself, but maybe there’s a way to access authenticated user’s variables and if empty – navigate to another topic?

      August 30, 2021 at 10:32 am Reply
  • Vikash Pathak

    The login button doesn’t work on iPhone.
    Can you please let me know if there is any workaround?

    September 20, 2021 at 2:04 pm Reply
