Azure Bot Services: Advanced Deployment with SSO (Microsoft Teams): SSO and Graph API Nodes


Creating an SSO Flow

There are different ways to create a logic that involves checking if Single Sign-On (SSO) is active, getting permissions, exchanging tokens, and revoking permissions.

In this tutorial, we provide an example of the SSO Flow. Use the empty Flow that you have created in the Prerequisites section.

Install the Microsoft Graph Extension

  1. Go to the Cognigy.AI interface.
  2. Select Manage > Extensions.
  3. Select the Microsoft Graph Extension from the Marketplace.
  4. On the Microsoft Graph window, click Install.

Alternatively, the Extension can be downloaded from the Cognigy public repository.

Building an SSO Flow

To build a Flow:

  1. Add a Lookup Node that will look for text.  Name one case request and another revoke.flow.png
  2. Add Nodes for requesting and revoking permissions, everything else will be handled in the Default path. Click the Plus icon below the request case and open the extensions.
  3. On the Extensions tab, find the Microsoft Extension with these three nodes. If this Extension is missing, make sure the FEATURE_USE_MICROSOFT_SSO flag is properly set in your environment.
  4. Add a Get Token Node under the request case and an Invalidate Token Node under the revoke case.
  5. When tokens are requested, the Flow will be executed again as soon as the permissions are granted. Add a Say Node to confirm that the Invalidate Token Node was triggered.say-node.png
  6. Add a Token Status Node to the Default path.
  7. Add a Say Node to the Not Granted branch.
  8. Add a Get User Details Node from the Microsoft Graph Extension to the Granted branch.nodes.png
  9. In the Get User Details Node, add the Microsoft: SSO Token Snippet to the Microsoft Access Token field.
  10. Add another Say Node with this text below:
    Hi {{}}, your job title is {{}}

Your Flow should look like this:


Check the Flow

  1. The user sends a message such as “Hi” to the bot. It goes through the Lookup node, into the Default path, through the Token Status node into the Not Granted path, and the user receives a message “No valid Token”.
  2. The user sends a message request to the bot.  The token request is started, and the user gets a consent notification.
  3. The user confirms the consent, and the flow is triggered again with a valid token. The message takes the Granted path, and the Get User Details Node uses the token to call the Graph API, retrieves some user properties and stores them in the input. The Say Node takes the properties and returns a personalized message such as “Hi Christian, your job title is Developer”.
  4. For the next 59 minutes, you can use the current token to call the Graph API. Once this period expires, the token must be renewed. If you make another request using the same user, they won't have to grant permission again and will receive a new token that's immediately valid.
  5. If the user sends a message revoke he will receive a message “Token invalidated” and upcoming messages go to the Not Granted path until a new token is requested.

Despite invalidating the token, the user is not required to grant permissions again. If they choose to do so, they can only do it manually via



Article is closed for comments.

Was this article helpful?
0 out of 0 found this helpful