Share via

Teams app fail to acquire SSO token

Erin Cruz 125 Reputation points
2026-04-03T02:44:12.0233333+00:00

I’m building a Teams app that uses SSO via the Teams JavaScript SDK (getAuthToken), but the call intermittently fails with errors like “Failed to fetch token” or returns an empty response. The app is properly registered in Azure AD and works in some environments but not others.

Microsoft Teams | Development
Microsoft Teams | Development

Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs

0 comments
Answer accepted by question author
  1. Dora-T 11,940 Reputation points Microsoft External Staff Moderator
    2026-04-03T04:59:29.7333333+00:00

    Hi Erin Cruz

    Based on your scenario, you may review the following points:

    • Ensure the webApplicationInfo section in your Teams app manifest matches your Microsoft Entra app registration exactly. In particular, the id must be the Application (client) ID, and the resource must match the Application ID URI defined under Expose an API. Any mismatch can lead to token acquisition failures or inconsistent behavior across environments.
    • As an additional check, if the issue occurs intermittently, you may capture and decode the token using jwt.ms when it is successfully returned to confirm it is issued for the expected app and tenant. This can help identify whether there are differences between environments or tenants.

    Disclaimer: This link may reference Microsoft-related content but is not hosted on an official Microsoft domain (such as *.microsoft.com). Please note that Microsoft is not responsible for the accuracy, security, or advertising on this site.

    • SSO tokens are short-lived and managed by the Teams SDK. In normal scenarios, getAuthToken() handles token refresh automatically. If you encounter intermittent failures, try invoking getAuthToken() again at the point of need rather than relying on a previously obtained token.

    I hope this helps.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sayali-MSFT 5,281 Reputation points Microsoft External Staff Moderator
    2026-04-03T05:02:32.2366667+00:00

    Hello Erin Cruz,
    The most common cause is client-side timing issues, where getAuthToken() is called before microsoftTeams.app.initialize() completes or during component lifecycle events. Since Teams manages token caching and refresh internally, tokens should only be requested when needed — not pre-fetched, cached manually, or polled.

    Another frequent cause is Teams manifest and Entra app mismatch, where webApplicationInfo.id and resource must exactly match the Azure App Client ID and Application ID URI. Even small differences like subdomains, casing, or api:// vs https:// can break SSO in certain tenants. Similarly, domain or iframe origin mismatches—such as hosting the app on a different domain than the configured resource—commonly cause Dev-vs-Prod failures.

    Tenant-specific consent differences can also block token issuance, especially in environments with MFA, Conditional Access, guest users, or missing admin consent. In these cases, silent SSO fails and interactive authentication fallback must handle errors like interaction_required or AADSTS50058.

    Additional causes include incorrect Application ID URI configuration, missing verified domains, or service principal not provisioned in the target tenant, which leads to errors like AADSTS7000229.

    When tokens are successfully retrieved, decoding them (e.g., via jwt.ms) helps validate claims such as aud, tid, scp, and preferred_username, which can quickly confirm whether the app is connected to the correct Entra configuration.

    Reference Document-

    1. https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/tab-sso-code
    2. https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/tab-sso-troubleshooting
    3. https://learn.microsoft.com/en-us/microsoftteams/platform/teams-sdk/teams/app-authentication/troubleshooting?tabs=typescript
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.