MS Teams single tenant support (demisto#40611)

* Initial single tenant support

* add UTs

* Bump version

* Add debug logs and multi-tenant note in docs

* Add graph_only mode to reset_auth for token expiry errors

* fix reset_auth_command description

* More doc fixes to reset_auth

* Update Packs/MicrosoftTeams/Integrations/MicrosoftTeams/README.md

Co-authored-by: Richard Bluestone <[email protected]>

* Add debug log for tenant ID being saved

---------

Co-authored-by: Richard Bluestone <[email protected]>

Author: 2 people

Packs/MicrosoftTeams/Integrations/MicrosoftTeams/MicrosoftTeams.py

@@ -34,7 +34,6 @@ class FormType(Enum):  # Used for 'send-message', and by the MicrosoftTeamsAsk s
 PARAMS: dict = demisto.params()
 BOT_ID: str = PARAMS.get("credentials", {}).get("identifier", "") or PARAMS.get("bot_id", "")
 BOT_PASSWORD: str = PARAMS.get("credentials", {}).get("password", "") or PARAMS.get("bot_password", "")
-TENANT_ID: str = PARAMS.get("tenant_id", "")
 APP: Flask = Flask("demisto-teams")
 PLAYGROUND_INVESTIGATION_TYPE: int = 9
 GRAPH_BASE_URL: str = "https://graph.microsoft.com"
@@ -354,7 +353,7 @@ def error_parser(resp_err: requests.Response, api: str = "graph") -> str:
         if api == "graph":
             error_codes = response.get("error_codes", [""])
             if set(error_codes).issubset(TOKEN_EXPIRED_ERROR_CODES):
-                reset_graph_auth(error_codes, response.get("error_description", ""))
+                reset_auth(error_codes, response.get("error_description", ""), graph_only=True)
 
             error = response.get("error", {})
             err_str = (
@@ -374,10 +373,13 @@ def error_parser(resp_err: requests.Response, api: str = "graph") -> str:
         return resp_err.text
 
 
-def reset_graph_auth(error_codes: list = [], error_desc: str = ""):
+def reset_auth(error_codes: list = [], error_desc: str = "", graph_only: bool = False):
     """
-    Reset the Graph API authorization in the integration context.
-    This function clears the current graph authorization data: current_refresh_token, graph_access_token, graph_valid_until
+    Reset the cached API authorization data in the integration context.
+    This function clears the current authorization data: current graph/bot tokens, token validity, refresh tokens and bot type
+    :param error_codes: Error codes to log when resetting after token expiration
+    :param error_desc: Error description to output when resetting after token expiration
+    :param graph_only: Boolean to determine if only graph tokens should be reset
     """
 
     integration_context: dict = get_integration_context()
@@ -386,6 +388,10 @@ def reset_graph_auth(error_codes: list = [], error_desc: str = ""):
     integration_context.pop("graph_valid_until", "")
     integration_context[AUTHCODE_TOKEN_PARAMS] = "{}"
     integration_context[CREDENTIALS_TOKEN_PARAMS] = "{}"
+    if not graph_only:
+        integration_context.pop("bot_access_token", "")
+        integration_context.pop("bot_valid_until", "")
+        integration_context.pop("bot_type", "")
     set_integration_context(integration_context)
 
     if error_codes or error_desc:
@@ -397,14 +403,14 @@ def reset_graph_auth(error_codes: list = [], error_desc: str = ""):
             "parameter and then run !microsoft-teams-auth-test to re-authenticate"
         )
 
-    demisto.debug("Successfully reset the current_refresh_token, graph_access_token and graph_valid_until.")
+    demisto.debug("Successfully reset the cached API authorization data.")
 
 
-def reset_graph_auth_command():
+def reset_auth_command():
     """
-    A wrapper function for the reset_graph_auth() which resets the Graph API authorization in the integration context.
+    A wrapper function for the reset_auth() which resets the cached API authorization in the integration context.
     """
-    reset_graph_auth()
+    reset_auth()
     return_results(CommandResults(readable_output="Authorization was reset successfully."))
 
 
@@ -850,20 +856,44 @@ def get_bot_access_token() -> str:
     """
     integration_context: dict = get_integration_context()
     access_token: str = integration_context.get("bot_access_token", "")
-    valid_until: int = integration_context.get("bot_valid_until", int)
+    valid_until: int = integration_context.get("bot_valid_until", 0)
+    bot_type: str = integration_context.get("bot_type", "multi-tenant")
     if access_token and valid_until and epoch_seconds() < valid_until:
         return access_token
-    url: str = "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token"
+
     data: dict = {
         "grant_type": "client_credentials",
         "client_id": BOT_ID,
         "client_secret": BOT_PASSWORD,
         "scope": "https://api.botframework.com/.default",
     }
-    response: requests.Response = requests.post(url, data=data, verify=USE_SSL, proxies=PROXIES)
+
+    if bot_type == "multi-tenant":
+        demisto.debug("Attempting authentication to the multi-tenant bot framework url")
+        url: str = "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token"
+        response: requests.Response = requests.post(url, data=data, verify=USE_SSL, proxies=PROXIES)
+        if response.json().get("error", "") == "unauthorized_client":
+            # Could not find bot-id in the common directory for multi-tenant bots, assume it is a single-tenant bot
+            demisto.debug("Failed to authenticate, falling back to single-tenant bot type")
+            bot_type = "single-tenant"
+
+    if bot_type == "single-tenant":
+        tenant_id = integration_context.get("tenant_id")
+        if not tenant_id:
+            raise ValueError(MISS_CONFIGURATION_ERROR_MESSAGE)
+        demisto.debug(f"Attempting authentication to the {tenant_id} tenant specific bot framework url")
+        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
+        response = requests.post(url, data=data, verify=USE_SSL, proxies=PROXIES)
+
     if not response.ok:
+        if "bot_type" in integration_context:  # Clear cached bot type on authentication error to avoid issues
+            demisto.debug("Authentication failed, resetting cached bot type")
+            integration_context.pop("bot_type")
+            set_integration_context(integration_context)
+
         error = error_parser(response, "bot")
         raise ValueError(f"Failed to get bot access token [{response.status_code}] - {error}")
+
     try:
         response_json: dict = response.json()
         access_token = response_json.get("access_token", "")
@@ -874,6 +904,7 @@ def get_bot_access_token() -> str:
             expires_in -= time_buffer
         integration_context["bot_access_token"] = access_token
         integration_context["bot_valid_until"] = time_now + expires_in
+        integration_context["bot_type"] = bot_type
         set_integration_context(integration_context)
         return access_token
     except ValueError:
@@ -2670,16 +2701,20 @@ def member_added_handler(integration_context: dict, request_body: dict, channel_
     if not service_url:
         raise ValueError("Did not find service URL. Try messaging the bot on Microsoft Teams")
 
+    integration_context["bot_name"] = recipient_name
+
+    if tenant_id != integration_context.get("tenant_id"):
+        # Update the tenant id in context immediately to avoid errors
+        demisto.debug(f"Saving tenant ID to context: {tenant_id=}")
+        integration_context["tenant_id"] = tenant_id
+        set_integration_context(integration_context)
+
     for member in members_added:
         member_id = member.get("id", "")
         if bot_id in member_id:
-            # The bot was added to a team, caching team ID and team members
             demisto.info(f"The bot was added to team {team_name}")
         else:
-            demisto.info(f"Someone was added to team {team_name}")
-        integration_context["tenant_id"] = tenant_id
-        integration_context["bot_name"] = recipient_name
-        break
+            demisto.info(f"A user was added to team {team_name}")
 
     team_members: list = get_team_members(service_url, team_id)
 
@@ -3358,14 +3393,11 @@ def test_module():
     """
     if not BOT_ID or not BOT_PASSWORD:
         raise DemistoException("Bot ID and Bot Password must be provided.")
-    if "Client" not in AUTH_TYPE:
-        raise DemistoException(
-            "Test module is available for Client Credentials only."
-            " For other authentication types use the !microsoft-teams-auth-test command"
-        )
 
-    get_bot_access_token()  # Tests token retrieval for Bot Framework API
-    return_results("ok")
+    raise DemistoException(
+        "Test module is unavailable for the Microsoft Teams Integration."
+        " Please use the !microsoft-teams-integration-health command to test connectivity."
+    )
 
 
 def generate_login_url_command():
@@ -3425,7 +3457,7 @@ def auth_type_switch_handling():
             f"The user switched the instance authentication type from {current_auth_type} to {AUTH_TYPE}.\n"
             f"Resetting the integration context."
         )
-        reset_graph_auth()
+        reset_auth()
         integration_context = get_integration_context()
         demisto.debug(f"Setting the current_auth_type in the integration context to {AUTH_TYPE}.")
         integration_context["current_auth_type"] = AUTH_TYPE
@@ -3560,7 +3592,7 @@ def main():  # pragma: no cover
         "microsoft-teams-channel-user-list": channel_user_list_command,
         "microsoft-teams-user-remove-from-channel": user_remove_from_channel_command,
         "microsoft-teams-generate-login-url": generate_login_url_command,
-        "microsoft-teams-auth-reset": reset_graph_auth_command,
+        "microsoft-teams-auth-reset": reset_auth_command,
         "microsoft-teams-token-permissions-list": token_permissions_list_command,
         "microsoft-teams-create-messaging-endpoint": create_messaging_endpoint_command,
         "microsoft-teams-message-update": message_update_command,

Packs/MicrosoftTeams/Integrations/MicrosoftTeams/MicrosoftTeams_test.py

@@ -307,7 +307,8 @@ def test_mirror_investigation(mocker, requests_mock):
     set_integration_context[0].pop(CREDENTIALS_TOKEN_PARAMS)
     set_integration_context[0].pop("bot_access_token")
     set_integration_context[0].pop("bot_valid_until")
-    assert set_integration_context[0] == expected_integration_context
+    for key, value in expected_integration_context.items():
+        assert set_integration_context[0].get(key) == value
     results = demisto.results.call_args[0]
     assert len(results) == 1
     assert results[0] == "Investigation mirrored successfully in channel incident-2."
@@ -3580,3 +3581,100 @@ def test_send_notification_with_raw_adaptive_card_from_TeamAsk(mocker, requests_
 
     send_message()
     assert send_message_request.last_request.json() == {"type": "message", "attachments": [expected_request_attachment]}
+
+
+def test_get_bot_access_token_multi_tenant_success(mocker, requests_mock):
+    """
+    Given:
+        - A multi-tenant bot configuration.
+    When:
+        - Calling get_bot_access_token.
+    Then:
+        - Ensure a token is successfully retrieved using the multi-tenant endpoint.
+    """
+    from MicrosoftTeams import get_bot_access_token
+
+    mocker.patch.object(demisto, "getIntegrationContext", return_value={})
+    mocker.patch.object(demisto, "setIntegrationContext")
+
+    requests_mock.post(
+        "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token",
+        json={"access_token": "multi_tenant_token", "expires_in": 3600},
+    )
+
+    token = get_bot_access_token()
+    assert token == "multi_tenant_token"
+
+
+def test_get_bot_access_token_single_tenant_success(mocker, requests_mock):
+    """
+    Given:
+        - A single-tenant bot configuration with a tenant_id.
+    When:
+        - Calling get_bot_access_token.
+    Then:
+        - Ensure a token is successfully retrieved using the single-tenant endpoint.
+    """
+    from MicrosoftTeams import get_bot_access_token
+
+    mocker.patch.object(demisto, "getIntegrationContext", return_value={"bot_type": "single-tenant", "tenant_id": tenant_id})
+    mocker.patch.object(demisto, "setIntegrationContext")
+
+    requests_mock.post(
+        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
+        json={"access_token": "single_tenant_token", "expires_in": 3600},
+    )
+
+    token = get_bot_access_token()
+    assert token == "single_tenant_token"
+
+
+def test_get_bot_access_token_fallback_to_single_tenant(mocker, requests_mock):
+    """
+    Given:
+        - A multi-tenant bot configuration.
+        - The multi-tenant endpoint returns an 'unauthorized_client' error.
+        - A tenant_id is available in the context.
+    When:
+        - Calling get_bot_access_token.
+    Then:
+        - Ensure the code falls back to the single-tenant endpoint and retrieves a token.
+    """
+    from MicrosoftTeams import get_bot_access_token
+
+    mocker.patch.object(demisto, "getIntegrationContext", return_value={"tenant_id": tenant_id})
+    set_context_mocker = mocker.patch.object(demisto, "setIntegrationContext")
+
+    requests_mock.post(
+        "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token",
+        json={"error": "unauthorized_client"},
+        status_code=400,
+    )
+    requests_mock.post(
+        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
+        json={"access_token": "fallback_token", "expires_in": 3600},
+    )
+
+    token = get_bot_access_token()
+    assert token == "fallback_token"
+    # Verify that the bot_type was updated in the context for future use
+    updated_context = set_context_mocker.call_args[0][0]
+    assert updated_context.get("bot_type") == "single-tenant"
+
+
+def test_get_bot_access_token_single_tenant_no_tenant_id(mocker):
+    """
+    Given:
+        - A single-tenant bot configuration but no tenant_id.
+    When:
+        - Calling get_bot_access_token.
+    Then:
+        - Ensure a ValueError is raised.
+    """
+    from MicrosoftTeams import get_bot_access_token, MISS_CONFIGURATION_ERROR_MESSAGE
+
+    mocker.patch.object(demisto, "getIntegrationContext", return_value={"bot_type": "single-tenant"})
+    mocker.patch.object(demisto, "setIntegrationContext")
+
+    with pytest.raises(ValueError, match=MISS_CONFIGURATION_ERROR_MESSAGE):
+        get_bot_access_token()

Packs/MicrosoftTeams/Integrations/MicrosoftTeams/README.md

@@ -45,7 +45,10 @@ Creating the Demisto Bot using Microsoft Azure Portal:
 1. Navigate to the [Create an Azure Bot page](https://portal.azure.com/#create/Microsoft.AzureBot).
 2. In the Bot Handle field, type **Demisto Bot**.
 3. Fill in the required Subscription and Resource Group, relevant links: [Subscription](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription), [Resource Groups](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal).
-4. For Type of App, select **Multi Tenant**.
+4. For Type of App, select **Single Tenant**.
+    - **Note ⚠️:** The **Multi Tenant** App type was deprecated by Microsoft.
+    Existing apps remain functional and do no require any changes.
+    You can change existing apps to a Single Tenant in the Azure portal's bot configuration, but it is not required.
 5. For Creation type, select **Create new Microsoft App ID** for Creation Type if you don't already have an app registration, otherwise, select **Use existing app registration**, and fill in you App ID.
     - **Note ⚠️:** if you choose **Use existing app registration**, make sure to delete the previous created bot with the same app id, remove it from the team it was added to as well.
 6. Click **Review + Create**, and wait for the validation to pass.

Packs/MicrosoftTeams/ReleaseNotes/1_5_39.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Microsoft Teams
+
+Added support for single-tenant Azure bot applications.

Packs/MicrosoftTeams/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Teams",
     "description": "Send messages and notifications to your team members.",
     "support": "xsoar",
-    "currentVersion": "1.5.38",
+    "currentVersion": "1.5.39",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",