Integrate third party Apps in Teams ( Everbridge or Cornerstone) with SSO.

[xeroOrex]

I want to integrate the third-party apps from teams app store like Everbridge or CSOD Learn ( Cornerstone). PFB the queries I have.

1. Can we setup SSO on teams for these kinds of apps? If yes, what are the steps to allow SSO for these apps?
2. What kind of permissions needs to be consented by Admins from Azure?
3. Only buying the subscription or licensees of these apps are enough for me to allow the app to be used inside teams?

Also, in azure Enterprise application Gallery, I can see Everbridge app (Not CSOD Learn). I can see that we can set up SSO. Will this impact on teams app as well?

Do we have any documentation on this overall process?

[microsoft-github-policy-service]

Hi @xeroOrex! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies.

Best regards, Teams Platform

[sayali-MSFT]

Hello @xeroOrex ,

Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

[sayali-MSFT]

Hello @xeroOrex ,
Yes, you can set up SSO for third-party apps in Teams. The process involves configuring the app in Azure AD and ensuring the necessary permissions are granted.
Please refer below documentation for detailed processing:
1.Integrate third-party apps in Teams
2.Configure SSO for an enterprise application
3.Single sign-on to applications

[xeroOrex]

Thanks for the quick response @sayali-MSFT .

I understand I can integrate third party apps with SSO enabled. What I am more concerned about, is that it didn't ask for any consent.

For CSOD Learn (same for Everbridge), it directly added the app on my teams, where I can see it uses many permissions. Then it should at least ask for consent when user installs the app for the first time right or am I missing anything?

All I know this app is not blocked in my tenant and as an admin I should know if it uses any information that it should not have access.
Also, For CSOD Learn, I do not see any instance of this app getting created in "Enterprise Applications" section in my Azure Entra ID

[sayali-MSFT]

Hello @xeroOrex , According to the Microsoft documentation,
There are some scenarios where the SSO option isn't present for an enterprise application. If the application was registered using App registrations in the portal, then the single sign-on capability is configured to use OpenID Connect. In this case, the single sign-on option doesn't appear in the navigation under enterprise applications. OpenID Connect is an authentication protocol built on top of OAuth 2.0, which is an authorization protocol. OpenID Connect uses OAuth 2.0 to handle the authorization part of the process. When a user tries to log in, OpenID Connect verifies their identity based on the authentication performed by an authorization server. Once the user is authenticated, OAuth 2.0 is used to grant the application access to the user's resources without exposing their credentials.

Single sign-on isn't available when an application is hosted in another tenant. Single sign-on is also not available if your account doesn't have the required permissions (Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open single sign-on but might not be able to save.