Add graph template and oauth config to python CLI (#336)

1. In `.vscode` remove configuration for starting app in test tools.
2. Add `aad.manifest.json` to add:
```
      "resourceAppId": "Microsoft Graph",
      "resourceAccess": [
        {
          "id": "User.Read",
          "type": "Scope"
        }
      ]
```
3. Make bot SINGLE TENANT in `azurebot.bicep`.
```
    msaAppId: botAadAppClientId
    msaAppType: 'SingleTenant'
    msaAppTenantId: tenantId
```
4. Add `botServicesMicrosoftGraphConnection` resource in
`azurebot.bicep` with correct scopes:
    `scopes: 'User.Read'`
5. With the graph template, user can do sign in with graph and view
profile and mail info.

<img width="911" height="457" alt="Screenshot 2025-09-08 162127"
src="https://github.com/user-attachments/assets/073bc1b3-4298-4593-ae11-88509201f7da"
/>
<img width="816" height="518" alt="Screenshot 2025-09-08 162145"
src="https://github.com/user-attachments/assets/d5503c35-e7fa-4264-bbeb-3dbf2974491e"
/>

CAVEAT: currently need to create Service Principal manually when app is
registered.
Should be automated soon.
<img width="453" height="95" alt="Screenshot 2025-09-08 162906"
src="https://github.com/user-attachments/assets/2a55fe5d-92f6-4382-ac7f-df049c4b953e"
/>

---------

Co-authored-by: Mehak Bindra <[email protected]>

Author: MehakBindra

packages/cli/configs/atk/oauth/python/.vscode/launch.json

@@ -0,0 +1,78 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Launch Remote (Edge)",
+      "type": "msedge",
+      "request": "launch",
+      "url": "https://teams.microsoft.com/l/app/${{TEAMS_APP_ID}}?installAppPackage=true&webjoin=true&${account-hint}",
+      "presentation": {
+        "group": "remote",
+        "order": 1
+      },
+      "internalConsoleOptions": "neverOpen"
+    },
+    {
+      "name": "Launch Remote (Chrome)",
+      "type": "chrome",
+      "request": "launch",
+      "url": "https://teams.microsoft.com/l/app/${{TEAMS_APP_ID}}?installAppPackage=true&webjoin=true&${account-hint}",
+      "presentation": {
+        "group": "remote",
+        "order": 2
+      },
+      "internalConsoleOptions": "neverOpen"
+    },
+    {
+      "name": "Launch App (Edge)",
+      "type": "msedge",
+      "request": "launch",
+      "url": "https://teams.microsoft.com/l/app/${{local:TEAMS_APP_ID}}?installAppPackage=true&webjoin=true&${account-hint}",
+      "presentation": {
+        "group": "all",
+        "hidden": true
+      },
+      "internalConsoleOptions": "neverOpen"
+    },
+    {
+      "name": "Launch App (Chrome)",
+      "type": "chrome",
+      "request": "launch",
+      "url": "https://teams.microsoft.com/l/app/${{local:TEAMS_APP_ID}}?installAppPackage=true&webjoin=true&${account-hint}",
+      "presentation": {
+        "group": "all",
+        "hidden": true
+      },
+      "internalConsoleOptions": "neverOpen"
+    },
+    {
+        "name": "Start",
+        "type": "debugpy",
+        "request": "launch",
+        "program": "${workspaceFolder}/src/main.py",
+        "console": "integratedTerminal"
+    }
+  ],
+  "compounds": [
+    {
+      "name": "Debug (Edge)",
+      "configurations": ["Launch App (Edge)", "Start"],
+      "preLaunchTask": "Start Teams App Locally",
+      "presentation": {
+        "group": "all",
+        "order": 1
+      },
+      "stopAll": true
+    },
+    {
+      "name": "Debug (Chrome)",
+      "configurations": ["Launch App (Chrome)" , "Start"],
+      "preLaunchTask": "Start Teams App Locally",
+      "presentation": {
+        "group": "all",
+        "order": 2
+      },
+      "stopAll": true
+    }
+  ]
+}

packages/cli/configs/atk/oauth/python/.vscode/tasks.json

@@ -0,0 +1,82 @@
+// This file is automatically generated by M365 Agents Toolkit.
+// The teamsfx tasks defined in this file require M365 Agents Toolkit version >= 5.0.0.
+// See https://aka.ms/teamsfx-tasks for details on how to customize each task.
+{
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "Start Teams App Locally",
+      "dependsOn": [
+        "Validate prerequisites",
+        "Start local tunnel",
+        "Provision",
+        "Deploy",
+        "setup-env"
+      ],
+      "dependsOrder": "sequence"
+    },
+    {
+      "label": "Validate prerequisites",
+      "type": "teamsfx",
+      "command": "debug-check-prerequisites",
+      "args": {
+        "prerequisites": [
+          "python",
+          "m365Account",
+          "portOccupancy"
+        ],
+        "portOccupancy": [
+          3978
+        ]
+      }
+    },
+    {
+      "label": "Start local tunnel",
+      "type": "teamsfx",
+      "command": "debug-start-local-tunnel",
+      "args": {
+        "type": "dev-tunnel",
+        "ports": [
+          {
+            "portNumber": 3978,
+            "protocol": "http",
+            "access": "public",
+            "writeToEnvironmentFile": {
+              "endpoint": "BOT_ENDPOINT",
+              "domain": "BOT_DOMAIN"
+            }
+          }
+        ],
+        "env": "local"
+      },
+      "isBackground": true,
+      "problemMatcher": "$teamsfx-local-tunnel-watch"
+    },
+    {
+      "label": "Provision",
+      "type": "teamsfx",
+      "command": "provision",
+      "args": {
+        "env": "local"
+      }
+    },
+    {
+      "label": "Deploy",
+      "type": "teamsfx",
+      "command": "deploy",
+      "args": {
+        "env": "local"
+      }
+    },
+    {
+      "label": "setup-env",
+      "type": "shell",
+      "command": "uv sync",
+      "problemMatcher": [],
+      "group": {
+          "kind": "build",
+          "isDefault": true
+      }
+    }
+  ]
+}

packages/cli/configs/atk/oauth/python/README.md

@@ -0,0 +1,42 @@
+# M365 Agents Toolkit Configuration: Oauth
+
+Use this if you want to enable user authentication in your Teams application.
+
+## How to update scopes
+
+1. In the `aad.manifest.json` file, update the `requiredResourceAccess` list to add the required scopes.
+
+2. In the `infra/botRegistration/azurebot.bicep` file, under the `botServicesMicrosoftGraphConnection` resource, update the `properties.scopes` string to be a comma-delimeted list of the required scopes.
+
+### Example
+
+If you want to add the `People.Read.All` and `User.ReadBasic.All` scopes.
+
+1. Your `requiredResourceAccess` property should look like:
+
+```json
+"requiredResourceAccess": [
+    {
+        "resourceAppId": "Microsoft Graph",
+        "resourceAccess": [
+            {
+                "id": "People.Read.All",
+                "type": "Scope"
+            }
+        ]
+    },
+    {
+        "resourceAppId": "Microsoft Graph",
+        "resourceAccess": [
+            {
+                "id": "User.ReadBasic.All",
+                "type": "Scope"
+            }
+        ]
+    },
+]
+```
+
+2. Update the `properties.scopes` to be `People.Read.All,User.ReadBasic.All`.
+
+Refer [here](https://learn.microsoft.com/en-us/graph/permissions-reference) for in-depth Microsoft Graph permissions reference.

packages/cli/configs/atk/oauth/python/aad.manifest.json.hbs

@@ -0,0 +1,65 @@
+{
+  "id": "$\{{AAD_APP_OBJECT_ID}}",
+  "appId": "$\{{BOT_ID}}",
+  "name": "{{ toPascalCase name }}$\{{APP_NAME_SUFFIX}}",
+  "accessTokenAcceptedVersion": 2,
+  "signInAudience": "AzureADMultipleOrgs",
+  "optionalClaims": {
+    "idToken": [],
+    "accessToken": [
+      {
+        "name": "idtyp",
+        "source": null,
+        "essential": false,
+        "additionalProperties": []
+      }
+    ],
+    "saml2Token": []
+  },
+  "requiredResourceAccess": [
+    {
+      "resourceAppId": "Microsoft Graph",
+      "resourceAccess": [
+        {
+          "id": "User.Read",
+          "type": "Scope"
+        }
+      ]
+    }
+  ],
+  "oauth2Permissions": [
+    {
+      "adminConsentDescription": "Allows Teams to call the app's web APIs as the current user.",
+      "adminConsentDisplayName": "Teams can access app's web APIs",
+      "id": "$\{{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}",
+      "isEnabled": true,
+      "type": "User",
+      "userConsentDescription": "Enable Teams to call this app's web APIs with the same rights that you have",
+      "userConsentDisplayName": "Teams can access app's web APIs and make requests on your behalf",
+      "value": "access_as_user"
+    }
+  ],
+  "preAuthorizedApplications": [
+    {
+      "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
+      "permissionIds": [
+        "$\{{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"
+      ]
+    },
+    {
+      "appId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",
+      "permissionIds": [
+        "$\{{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"
+      ]
+    }
+  ],
+  "identifierUris": [
+    "api://botid-$\{{BOT_ID}}"
+  ],
+  "replyUrlsWithType": [
+    {
+      "url": "https://token.botframework.com/.auth/web/redirect",
+      "type": "Web"
+    }
+  ]
+}

packages/cli/configs/atk/oauth/python/infra/azure.local.bicep

@@ -0,0 +1,31 @@
+@maxLength(20)
+@minLength(4)
+@description('Used to generate names for all resources in this file')
+param resourceBaseName string
+
+@description('Required when create Azure Bot service')
+param botAadAppClientId string
+
+@secure()
+@description('Required by Bot Framework package in your bot project')
+param botAadAppClientSecret string
+
+@maxLength(42)
+param botDisplayName string
+
+param botAppDomain string
+param oauthConnectionName string
+param tenantId string
+
+module azureBotRegistration './botRegistration/azurebot.bicep' = {
+  name: 'Azure-Bot-registration'
+  params: {
+    resourceBaseName: resourceBaseName
+    botAadAppClientId: botAadAppClientId
+    botAppDomain: botAppDomain
+    botDisplayName: botDisplayName
+    botAddAppClientSecret: botAadAppClientSecret
+    oauthConnectionName: oauthConnectionName
+    tenantId: tenantId
+  }
+}

packages/cli/configs/atk/oauth/python/infra/azure.parameters.local.json.hbs

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "resourceBaseName": {
+      "value": "bot-$\{{RESOURCE_SUFFIX}}-$\{{TEAMSFX_ENV}}"
+    },
+    "botAadAppClientId": {
+      "value": "$\{{BOT_ID}}"
+    },
+    "botAadAppClientSecret": {
+      "value": "$\{{SECRET_BOT_PASSWORD}}"
+    },
+    "botDisplayName": {
+      "value": "{{ toPascalCase name }}-$\{{TEAMSFX_ENV}}"
+    },
+    "botAppDomain": {
+      "value": "$\{{BOT_DOMAIN}}"
+    },
+    "oauthConnectionName": {
+      "value": "$\{{OAUTH_CONNECTION_NAME}}"
+    },
+    "tenantId": {
+      "value": "$\{{AAD_APP_TENANT_ID}}"
+    }
+  }
+}

packages/cli/configs/atk/oauth/python/infra/botRegistration/azurebot.bicep

@@ -0,0 +1,67 @@
+@maxLength(20)
+@minLength(4)
+@description('Used to generate names for all resources in this file')
+param resourceBaseName string
+
+@maxLength(42)
+param botDisplayName string
+
+param botServiceName string = resourceBaseName
+param botServiceSku string = 'F0'
+param botAadAppClientId string
+param botAppDomain string
+param oauthConnectionName string
+param tenantId string
+
+@secure()
+param botAddAppClientSecret string
+
+// Register your web service as a bot with the Bot Framework
+resource botService 'Microsoft.BotService/botServices@2021-03-01' = {
+  kind: 'azurebot'
+  location: 'global'
+  name: botServiceName
+  properties: {
+    displayName: botDisplayName
+    endpoint: 'https://${botAppDomain}/api/messages'
+    msaAppId: botAadAppClientId
+    msaAppType: 'SingleTenant'
+    msaAppTenantId: tenantId
+  }
+  sku: {
+    name: botServiceSku
+  }
+}
+
+// Connect the bot service to Microsoft Teams
+resource botServiceMsTeamsChannel 'Microsoft.BotService/botServices/channels@2021-03-01' = {
+  parent: botService
+  location: 'global'
+  name: 'MsTeamsChannel'
+  properties: {
+    channelName: 'MsTeamsChannel'
+  }
+}
+
+resource botServicesMicrosoftGraphConnection 'Microsoft.BotService/botServices/connections@2022-09-15' = {
+  parent: botService
+  name: oauthConnectionName
+  location: 'global'
+  properties: {
+    serviceProviderDisplayName: 'Azure Active Directory v2'
+    serviceProviderId: '30dd229c-58e3-4a48-bdfd-91ec48eb906c'
+    clientId: botAadAppClientId
+    clientSecret: botAddAppClientSecret
+    scopes: 'User.Read'
+    parameters: [
+      {
+        key: 'tenantID'
+        value: 'common'
+      }
+      {
+        key: 'tokenExchangeUrl'
+        value: 'api://botid-${botAadAppClientId}'
+      }
+    ]
+  }
+}