
Posted by on Mar 20, 2022 in Development, Microsoft Teams

Your Microsoft Teams tab applications can now sign-in users using Google, Facebook, LinkedIn (or any OAuth provider)

Microsoft Teams tab applications have used OAuth 2.0 to enable users to authenticate themselves to Microsoft Azure Active Directory (Azure AD) for some time, and developers have been able to use this authentication information to validate users for third-party API calls as well.

There have been some feature enhancements that have removed friction points usually associated with authentication as well, such as silent authentication and Single Sign-On (SSO) authentication.

Now you can use third-party authentication services which support OAuth to sign users in. This means that you don’t have to use Azure AD: you can use any service that supports OAuth, such as Google, GitHub, LinkedIn or Facebook.

This is thanks to new capabilities in the Teams JavaScript SDK (the beta version) and an updated authenticate function, which now takes an isExternal parameter and a url parameter to specify the URL of the third-party OAuth server.

The actual process of authentication is basically the same as for Azure AD and luckily most of the complexities are handled for you by the SDK, but the documentation lists the basic authentication flow:

The documentation also has good instructions on exactly how to implement third-party OAuth authentication in your Teams app.
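As an added example (not code from the original post or from Microsoft's documentation), this is one way a tab could call authenticate with the url and isExternal parameters while binding the provider's response to the sign-in attempt with an OAuth state value. The /auth-start path, the provider query parameter and the JSON {state, code} result format are assumptions; authentication is the namespace exported by @microsoft/teams-js.

```javascript
// Added example; the paths and result format marked "assumed" are not from the post.
// Web Crypto in the browser; the fallback lets the same file run under older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Random single-use value that ties the OAuth response to this sign-in attempt.
function newState() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Assumed: the tab serves its own /auth-start page, which redirects to the
// provider's authorization endpoint and forwards `state` unchanged.
function buildAuthStartUrl(appOrigin, provider, state) {
  const url = new URL("/auth-start", appOrigin);
  if (url.protocol !== "https:") throw new Error("auth-start must be served over HTTPS");
  url.searchParams.set("provider", provider);
  url.searchParams.set("state", state);
  return url.toString();
}

// Assumed contract: the tab's end page reports a JSON string {state, code}.
function parseAuthResult(result, expectedState) {
  let parsed;
  try { parsed = JSON.parse(result); } catch { throw new Error("malformed auth result"); }
  if (!parsed || parsed.state !== expectedState) throw new Error("state mismatch");
  if (typeof parsed.code !== "string" || parsed.code === "") throw new Error("missing code");
  return parsed.code; // exchange for tokens on the server, not in the tab
}

// `authentication` is passed in so the flow can be exercised with a stub.
async function signInExternal(authentication, appOrigin, provider) {
  const state = newState();
  const result = await authentication.authenticate({
    url: buildAuthStartUrl(appOrigin, provider, state),
    isExternal: true, // the provider is not Azure AD
  });
  return parseAuthResult(result, state);
}
```

A result whose state does not match the value generated for this attempt is rejected before the code is used, which stops a response from a different or forged sign-in being accepted.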

(Why) Should you use this?

It’s interesting to consider why this is needed. Teams is somewhat unusual in that developers can be 100% sure that every Teams user is also an Azure AD user and has an Azure AD identity. That means that making a user authenticate using a different service only makes sense if the tabbed application you are developing has a very strong affinity to that third-party OAuth provider, such that it makes sense to sign that user into the service anyway. For instance: a GitHub application that showed details from your GitHub account.

Or… (and I’ve only just thought about this as I’m typing it)… it could be that we are witnessing the first work being done to support Teams applications in places where users may not have an Azure AD identity, such as Teams Personal. We haven’t really seen much about apps in Teams Personal but it would make sense to support identities other than Azure AD because many consumers that don’t have enterprise accounts won’t have an Azure AD identity, but would have a third-party OAuth identity such as a Facebook or LinkedIn account. We shall see.

Written by Tom Morgan

Tom is a Microsoft Teams Platform developer and Microsoft MVP who has been blogging for over a decade. Find out more.
