BotBuilder-MicrosoftTeams

Microsoft.Bot.Builder.Teams.TeamsInfo.GetMeetingInfoAsync throws AADSTS53003 conditional access

Open brijshah2709 opened this issue 9 months ago • 2 comments

We have a bot which implements OnTeamsMeetingEndAsync to post back an adaptive card with meeting insights when the meeting ends.

As a prerequisite to gather data, we call GetMeetingInfoAsync to get meeting data, and it's throwing the exception below.

Ask: Since this code runs after the meeting has ended, in an async manner, how can we handle incremental consent? Is there a way to handle this behavior out of the box with the bot SDK?

"ResponseBody":"\"{\\\"error\\\":\\\"invalid_grant\\\",\\\"error_description\\\":\\\"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 16e97462-d90d-4923-bc74-18a689b50700 Correlation ID: f5d6644e-c73a-4bc7-8cee-8335e95c98d5 Timestamp: 2025-03-01 05:34:27Z\\\",\\\"error_codes\\\":[53003],\\\"timestamp\\\":\\\"2025-03-01 05:34:27Z\\\",\\\"trace_id\\\":\\\"16e97462-d90d-4923-bc74-18a689b50700\\\",\\\"correlation_id\\\":\\\"f5d6644e-c73a-4bc7-8cee-8335e95c98d5\\\",\\\"error_uri\\\":\\\"https://login.microsoftonline.com/error?code=53003\\\",\\\"suberror\\\":\\\"message_only\\\",\\\"claims\\\":\\\"{\\\\\\\"access_token\\\\\\\":{\\\\\\\"capolids\\\\\\\":{\\\\\\\"essential\\\\\\\":true,\\\\\\\"values\\\\\\\":[\\\\\\\"3d79d567-88b8-4901-ae54-01418818a0e8\\\\\\\"]}}\\\"}\"","Headers":"[{\"Key\":\"Cache-Control\",\"Value\":[\"no-store, no-cache\"]},{\"Key\":\"Pragma\",\"Value\":[\"no-cache\"]},{\"Key\":\"Strict-Transport-Security\",\"Value\":[\"max-age=31536000; includeSubDomains\"]},{\"Key\":\"X-Content-Type-Options\",\"Value\":[\"nosniff\"]},{\"Key\":\"P3P\",\"Value\":[\"CP=\\\"DSP CUR OTPi IND OTRi ONL FIN\\\"\"]},{\"Key\":\"client-request-id\",\"Value\":[\"f5d6644e-c73a-4bc7-8cee-8335e95c98d5\"]},{\"Key\":\"x-ms-request-id\",\"Value\":[\"16e97462-d90d-4923-bc74-18a689b50700\"]},{\"Key\":\"x-ms-ests-server\",\"Value\":[\"2.1.20203.5 - WUS3 ProdSlices\"]},{\"Key\":\"x-ms-clitelem\",\"Value\":[\"1,53003,0,,\"]},{\"Key\":\"x-ms-srs\",\"Value\":[\"1.P\"]},{\"Key\":\"Content-Security-Policy-Report-Only\",\"Value\":[\"object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-ugLFFZgKx3nUslY5sZSsYQ' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net 
https://*.outloo[Truncated]-fb0b2f53943647e28af8736540529605","IsRetryable":"false","ErrorCode":"\"invalid_grant\"","CorrelationId":"\"f5d6644e-c73a-4bc7-8cee-8335e95c98d5\"","AdditionalExceptionData":{},"Message":"\"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 16e97462-d90d-4923-bc74-18a689b50700 Correlation ID: f5d6644e-c73a-4bc7-8cee-8335e95c98d5 Timestamp: 2025-03-01 05:34:27Z The returned error contains a claims challenge. For additional info on how to handle claims related to multifactor authentication, Conditional Access, and incremental consent, see https://aka.ms/msal-conditional-access-claims. If you are using the On-Behalf-Of flow, see https://aka.ms/msal-conditional-access-claims-obo for details.\"","Data":{},"InnerException":"null","HelpLink":"null","Source":"\"Microsoft.Identity.Client\"","HResult":"-2146233088","StackTrace":"\"

brijshah2709, Mar 02 '25 23:03

@brijshah2709, thank you for your inquiry about your Teams app development issue!

We are checking the issue. We will get back to you shortly.

sayali-MSFT, Mar 03 '25 07:03

@brijshah2709, the error you are encountering is related to Conditional Access policies blocking token issuance for your bot. This can be due to various factors such as multifactor authentication (MFA) requirements, location-based access controls, or other conditional access rules set by your organization. To handle this situation, you need to manage Conditional Access policies and handle incremental consent, especially in scenarios where the bot needs to access resources after a meeting ends.

Reference documents:

1. https://learn.microsoft.com/en-us/entra/identity-platform/v2-conditional-access-dev-guide#handle-conditional-access-claims
2. https://learn.microsoft.com/en-us/entra/identity-platform/msal-overview
3. https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

sayali-MSFT, Mar 04 '25 08:03
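
An added example, not code from the issue or from the Bot Framework SDK: one way to catch the claims challenge in the meeting-end handler and log the Conditional Access policy IDs carried in `capolids`, so the tenant administrator can see which policy blocked token issuance. The class name `MeetingInsightsBot` and the helper `PolicyIds` are hypothetical, and it assumes the MSAL exception reaches the handler unwrapped, as the logged `Source` of `Microsoft.Identity.Client` suggests.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Teams;
using Microsoft.Bot.Schema;
using Microsoft.Bot.Schema.Teams;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Client;

// Hypothetical bot class for this added example; not the issue author's code.
public class MeetingInsightsBot : TeamsActivityHandler
{
    private readonly ILogger<MeetingInsightsBot> _log;
    public MeetingInsightsBot(ILogger<MeetingInsightsBot> log) => _log = log;

    protected override async Task OnTeamsMeetingEndAsync(MeetingEndEventDetails meeting,
        ITurnContext<IEventActivity> turnContext, CancellationToken ct)
    {
        try
        {
            MeetingInfo info = await TeamsInfo.GetMeetingInfoAsync(turnContext, cancellationToken: ct);
            // Build and post the meeting-insights adaptive card from `info` here.
        }
        catch (MsalServiceException ex) when (!string.IsNullOrEmpty(ex.Claims))
        {
            // No user is in the loop after the meeting ends, so record the challenge and stop.
            string[] ids = PolicyIds(ex.Claims);
            _log.LogError("Token blocked: {Code}, correlation {Cid}, policies {Policies}",
                ex.ErrorCode, ex.CorrelationId, ids.Length > 0 ? string.Join(",", ids) : ex.Claims);
        }
    }

    // Reads access_token.capolids.values from a claims challenge; empty if absent or malformed.
    internal static string[] PolicyIds(string claimsJson)
    {
        try
        {
            using JsonDocument doc = JsonDocument.Parse(claimsJson);
            return doc.RootElement.GetProperty("access_token").GetProperty("capolids")
                .GetProperty("values").EnumerateArray()
                .Select(v => v.GetString() ?? string.Empty).ToArray();
        }
        catch (Exception e) when (e is JsonException or KeyNotFoundException or InvalidOperationException) { return Array.Empty<string>(); }
    }
}
```

When the challenge cannot be parsed, the raw `Claims` string is logged instead, so a truncated or malformed value is still visible during triage.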