botframework on teams channel 1:1 Authentication AAD integrated

Question

I'm looking to connect my bot on teams channel but i didn't know the way to secure this for use only in our domains (organization).

I have test to look (authentication AAD) for the Azure Web App but it's doesn't work on teams or on webchat because the endpoint adresse it's not redirected.

I have test to implement AUTH card but it doesn't work on teams.

Note : I'm using botframework C# api BotBuilder 3.15.2.2

I have look other "ask" like : AAD authentication in Microsoft teams for Bot Framework

Is it possible to access custom tabs in 1:1 chats in MS Teams?

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/auth-flow-bot

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/auth-bot-AAD

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication

https://tsmatz.wordpress.com/2016/09/06/microsoft-bot-framework-bot-with-authentication-and-signin-login/

Sincerely, Pascal.

Edit : I have implemented the solution sugested by Adrian, below was a piece of C# code that implement this on the MessasController.cs (Post Function): Note ==> Adding access for localhost use

 //https://stackoverflow.com/questions/51090597/botframework-on-teams-channel-11-authentication-aad-integrated
 string tenantIdAAD = "";
 try
 {
     tenantIdAAD = activity.GetChannelData<TeamsChannelData>().Tenant.Id;
 }
 catch (Exception exception)
 {
     tenantIdAAD = "";
 }

 ConnectorClient connector = new ConnectorClient(new Uri(activity.ServiceUrl));

 if ([AAD_TenantID].TenantIdAAD.Equals(tenantIdAAD) || activity.ServiceUrl.StartsWith("http://localhost") )
 {
     await Conversation.SendAsync(activity, () => new Dialogs.RootDialog().LogIfException());
 }
 else
 {
     await connector.Conversations.ReplyToActivityAsync(activity.CreateReply("Access Denied"));
 }

Answer 1

The incoming message contains information that you can use to identify the user. A message looks like this:

{ ... "from": { "id": "29:1XJKJMvc5GBtc2JwZq0oj8tHZmzrQgFmB39ATiQWA85gQtHieVkKilBZ9XHoq9j7Zaqt7CZ-NJWi7me2kHTL3Bw", "name": "Richard Moe", "aadObjectId": "ae361bee-9946-4082-99dc-6994b00ceebb" }, "channelData": { "tenant": { "id": "72f988bf-86f1-41af-91ab-2d7cd011db47" } } }

The channelData.tenant.id identifies the organization (O365 tenant) that the user is part of, so you can look at that and reject messages that aren't from ones that you expect.

The message also has the AAD object ID of the sender in from.aadObjectId. The auth flow in the links above is useful if you need tokens to provide to other services so you can act on behalf of the user, but if all you need is the user's tenant and identity, the message has all you need.

(Remember to authenticate the incoming request first, before trusting any information in the message.)