Azure Bot Services: Advanced Deployment with SSO (Microsoft Teams): SSO and Graph API Nodes


Creating a Sample SSO Flow

Each Flow is different, therefore there are many ways on how to build a Logic with verifying the SSO status, requesting permissions, doing a Token Exchange and revoking the permissions. This Flow can be taken as an example or an inspiration.

Install the Microsoft Graph Extension


Open your Cognigy AI UI and go to the Extensions. Depending on your configuration, you can either pick the Microsoft Graph Extension from the Marketplace or upload the extension.

The extension can be downloaded from our public repository:

Instructions on how to add extensions can be found here:

Building a SSO Flow


We start building a Flow by adding a Lookup Node that will look for text. I called one case request and one revoke. Here we can add nodes for requesting and revoking permissions, everything else will be handled in the Default path.


Click the Plus icon below the request case and open the extensions. There should be a Microsoft Extension with these three nodes. If this extension is missing, make sure the FEATURE_USE_MICROSOFT_SSO flag is properly set in your environment. Add a Get Token node and do the same below the Revoke node with an Invalidate Token node.

When requesting tokens, the Flow will be executed again as soon as the permissions are granted. When the Invalidate Token node gets triggered, this doesn’t happen so we add a Say node for confirmation.


Now we add a Token Status node to the Default path, add a Say node to the Not Granted branch and add a Get User Details node from the Microsoft Graph Extension to the Granted branch.



In the Get User Details node, we add the Microsoft: SSO Token Snippet to the Microsoft Access Token field.

We add another Say node with this text below:

Hi {{}}, your job title is {{}}


Your Flow should now look like this:


How does it work?

  1. The user sends a message such as “Hi” to the bot. It goes through the Lookup node, into the Default path, through the Token Status node into the Not Granted path and the user receives a message “No valid Token”.
  2. The user sends a message “request” to the bot. Now the token request is started and the user gets a consent notification:blobid7.png
  3. The user confirms the consent, and the flow is triggered again with a valid token. Now the message takes the Granted path, the Get User Details node uses the token to call the Graph API, retrieves some user properties and stores them in the input. The Say node takes the properties and returns a personalized message such as “Hi Christian, your job title is Developer”.

  4. For the next 59 minutes all messages will have a valid token that can be used to call the Graph API, afterwards it needs to be renewed. If you ask the same user again, he won’t need to grant the permissions again and gets a new valid token immediately.

  5. If the user sends a message “revoke” he will receive a message “Token invalidated” and upcoming messages go the Not Granted path until a new token is requested.

Even though the user invalidates the token, he still doesn’t need to grant permissions again. The user can do so only by doing it manually at



Article is closed for comments.

Was this article helpful?
0 out of 0 found this helpful