{"id":22808,"date":"2024-09-04T09:25:11","date_gmt":"2024-09-04T16:25:11","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/?p=22808"},"modified":"2024-09-05T00:02:07","modified_gmt":"2024-09-05T07:02:07","slug":"introducing-nested-app-authentication-an-improved-authentication-protocol-for-your-teams-app","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/introducing-nested-app-authentication-an-improved-authentication-protocol-for-your-teams-app\/","title":{"rendered":"Introducing Nested App Authentication: An improved authentication protocol for your Teams app"},"content":{"rendered":"<div>\n<p>Nested App Authentication (NAA) is a new authentication protocol for\u00a0<u><a id=\"OWA8223a840-4c76-322b-cb5e-91f2c44e46a9\" class=\"x_OWAAutoLink\" title=\"Original URL: https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/tabs\/what-are-tabs?tabs=desktop%2Cdesktop1%2Cpersonal. Click or tap if you trust this link.\" href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/tabs\/what-are-tabs?tabs=personal\" data-auth=\"Verified\" data-linkindex=\"1\" data-ogsc=\"rgb(5, 99, 193)\">Personal Tab Teams apps<\/a><\/u> that run in Teams, Outlook, and Microsoft 365. NAA simplifies the authentication process to facilitate single sign-on (SSO) across these host environments and provides several advantages over the existing on-behalf-of (OBO) authentication model, enabling the development of dynamic, user-focused applications.<\/p>\n<p>Today, to\u00a0<u><a id=\"OWA05faa070-1a42-94fc-163b-c3423689f948\" class=\"x_OWAAutoLink\" title=\"Original URL: https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/concepts\/authentication\/authentication. 
Click or tap if you trust this link.\" href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/concepts\/authentication\/authentication\" data-auth=\"Verified\" data-linkindex=\"2\" data-ogsc=\"rgb(5, 99, 193)\">add authentication<\/a><\/u> to your Personal Tab app, you must use the authentication APIs from Teams JS to fetch tokens through the on-behalf-of (OBO) flow. This approach involves multiple network calls and requires\u00a0registering a backend for your app. We\u2019ve heard developer feedback about the costs and complexities of this protocol, and today we are excited to offer an improved experience. Nested App Authentication addresses these challenges and improves the auth experience for developers by:<\/p>\n<\/div>\n<ul>\n<li data-ogsc=\"rgb(0, 0, 0)\">Leveraging the common\u00a0<u><a id=\"OWA9e9cb980-4f30-1e6a-0b12-a37971ed64c6\" class=\"x_OWAAutoLink\" title=\"Original URL: https:\/\/github.com\/AzureAD\/microsoft-authentication-library-for-js\/tree\/dev. Click or tap if you trust this link.\" href=\"https:\/\/github.com\/AzureAD\/microsoft-authentication-library-for-js\/tree\/dev\" data-auth=\"Verified\" data-linkindex=\"3\" data-ogsc=\"rgb(5, 99, 193)\">Microsoft Authentication Library (MSAL.js)<\/a><\/u>\u00a0to align on a single authentication protocol for all contexts your app runs in &#8211; whether that\u2019s as a standalone web page or embedded in a native or web host application. NAA is also supported for\u00a0<u><a id=\"OWA45131d0a-8c51-a49d-0228-89ee701060ed\" class=\"x_OWAAutoLink\" title=\"Original URL: https:\/\/devblogs.microsoft.com\/microsoft365dev\/new-nested-app-authentication-for-office-add-ins-legacy-exchange-tokens-off-by-default-in-october-2024\/. 
Click or tap if you trust this link.\" href=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/new-nested-app-authentication-for-office-add-ins-legacy-exchange-tokens-off-by-default-in-october-2024\/\" data-auth=\"Verified\" data-linkindex=\"4\" data-ogsc=\"rgb(5, 99, 193)\">Office Add-Ins<\/a><\/u>\u00a0to provide further consistency across M365.<\/li>\n<li data-ogsc=\"rgb(0, 0, 0)\">Reducing developer overhead: you can call services with an access token from your own client code, which eliminates the need to set up a middle-tier service and removes the need to\u00a0<u><a id=\"OWA9f4ec3bb-a432-3bbe-b2f4-3e3779a781d9\" class=\"x_OWAAutoLink\" title=\"Original URL: https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/m365-apps\/extend-m365-teams-personal-tab?tabs=manifest-teams-toolkit#update-azure-ad-app-registration-for-sso. Click or tap if you trust this link.\" href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/m365-apps\/extend-m365-teams-personal-tab?tabs=manifest-teams-toolkit#update-azure-ad-app-registration-for-sso\" data-auth=\"Verified\" data-linkindex=\"5\" data-ogsc=\"rgb(5, 99, 193)\">preauthorize your hosts<\/a><\/u>.<\/li>\n<li data-ogsc=\"rgb(0, 0, 0)\">Enabling incremental and dynamic consent for scope permissions, so you can request tokens for any AAD-protected resource the user has consented to without having to specify the resource in the app manifest or use the OBO flow.<\/li>\n<li data-ogsc=\"rgb(0, 0, 0)\">\n<div>Removing the reliance on third-party cookies for authenticating users in supported web hosts, so when cookies are blocked the user can still authenticate without any UX interruptions to their workflow.<\/div>\n<\/li>\n<\/ul>\n<div>Nested App Authentication is available in public preview and we encourage you to try it now. 
For details on how to access the feature while it is in preview, see <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/resources\/dev-preview\/developer-preview-intro?tabs=new-teams-client#desktop-or-web-client\">here<\/a>.<\/div>\n<h2>Adoption<\/h2>\n<div><\/div>\n<div>To adopt NAA in your app, follow these steps:<\/div>\n<ol start=\"1\" data-editing-info=\"{&quot;orderedStyleType&quot;:1}\">\n<li data-ogsc=\"rgb(0, 0, 0)\"><u><a id=\"OWA8d841791-b8bd-880f-8f77-b4d65e0510c2\" class=\"x_OWAAutoLink\" title=\"Original URL: https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/scenario-spa-app-registration. Click or tap if you trust this link.\" href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/scenario-spa-app-registration\" data-auth=\"Verified\" data-linkindex=\"7\" data-ogsc=\"rgb(5, 99, 193)\">Register your app with Entra ID<\/a><\/u>\u00a0(if you haven\u2019t already).<\/li>\n<li data-ogsc=\"rgb(0, 0, 0)\">Update your redirect URIs to support trusted brokers.<\/li>\n<li data-ogsc=\"rgb(0, 0, 0)\">Add a fallback authentication method.<\/li>\n<li data-ogsc=\"rgb(0, 0, 0)\">Test your app across environments*.<\/li>\n<\/ol>\n<div>\n<p>Read the detailed documentation <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/platform\/concepts\/authentication\/nested-authentication?tabs=js1%2Cjs2%2Cjs3\">here<\/a> or get started with a <a href=\"https:\/\/github.com\/OfficeDev\/Microsoft-Teams-Samples\/tree\/main\/samples\/tab-nested-auth\/nodejs\">sample app<\/a>.<\/p>\n<\/div>\n<div data-ogsc=\"rgb(0, 0, 0)\">\n<p>*While NAA is still in public preview, we recommend checking the support status using the Teams JS SDK and providing a fallback experience for any Microsoft host applications your app runs in that aren\u2019t yet enabled.<\/p>\n<p>We are excited to announce Nested App Authentication as a new way to secure your extended Teams apps and provide a better user experience. 
We look forward to you trying it out and giving us your feedback.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Learn how Nested App Authentication simplifies the authentication process and enables single sign-on across supported Microsoft first-party applications.<\/p>\n","protected":false},"author":151303,"featured_media":22828,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,128],"tags":[310],"class_list":["post-22808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-365-developer","category-microsoft-teams","tag-nested-app-authentication"],"acf":[],"blog_post_summary":"<p>Learn how Nested App Authentication simplifies the authentication process and enables single sign-on across supported Microsoft first-party applications.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/22808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/151303"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=22808"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/22808\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/22828"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=22808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microso
ft365dev\/wp-json\/wp\/v2\/categories?post=22808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=22808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}