
How to configure SSO in PVA?



I am trying to connect SSO in PVA on the SharePoint website. I see the below error on the Chrome console.


I see a syntax error from the below line of code. I am following the SSO configuration by the doc provided below: ""


The below code is from the doc.


    // Prefixed account identifier when signed in, otherwise a random id; both capped at 64 characters
    var userID = clientApplication.account?.accountIdentifier != null
        ? ("Your-customized-prefix-max-20-characters" + clientApplication.account.accountIdentifier).substr(0, 64)
        : (Math.random().toString() + Date.now().toString()).substr(0, 64);


I had posted my query before as well, but no luck.


Can anyone please help me out here?





Hey HermanthN, per our conversation here's what we did with the relevant changes.  Apologies for the delay.


@using Microsoft.AspNetCore.Http
@using Microsoft.Extensions.Configuration
@inject IHttpContextAccessor HttpContextAssessor
@inject IConfiguration Configuration

@{
    // Signed-in user's name from the server-side claims (preferred_username carries the UPN/email);
    // ?.Value avoids a null reference when the claim is absent
    string userId = HttpContextAssessor.HttpContext.User.Claims.FirstOrDefault(user => user.Type == "preferred_username")?.Value;
    string redirectUri = Configuration.GetValue<string>("ConnectionStrings:redirectUri");
    string clientId = Configuration.GetValue<string>("AzureAd:ClientId");
    string botId = Configuration.GetValue<string>("ConnectionStrings:BotId");
    // Authority is the instance URL followed by the tenant id
    string authority = $"{Configuration.GetValue<string>("AzureAd:Instance")}{Configuration.GetValue<string>("AzureAd:TenantId")}";
}


This gets you the user name through httpcontextassessor that I mentioned earlier.  From here you can pass this as a login hint:


    function exchangeTokenAsync(resourceUri) {
        let requestObj = {
            scopes: [resourceUri, 'openid', 'profile'],
            loginHint: '@userId' // server-side user name rendered into the page by Razor
        };
        return clientApplication.acquireTokenSilent(requestObj)
            .then(function (tokenResponse) {
                return tokenResponse.accessToken;
            })
            .catch(function (error) {
                console.log(error);
            });
    }


Note the redirect URI, that's also relevant and passed in here:


var clientApplication;
    (function () {
        var msalConfig = {
            auth: {
                // Client/tenant ID from CosineADOSupport app registration
                clientId: '@clientId',
                authority: '@authority',
                redirectUri: '@redirectUri'
            },
            cache: {
                cacheLocation: 'localStorage',
                storeAuthStateInCookie: false
            }
        };
        if (!clientApplication) {
            clientApplication = new Msal.UserAgentApplication(msalConfig);
        }
    }());


That's pretty much the difference between our code.  Let me know if you have any other questions.


Hi @PaulCullivan 

Thank you for responding back. I have done the above code changes, I am passing the user.userName as a loginHint. Please find the below code.

function exchangeTokenAsync(resourceUri) {
        let user = clientApplication.getAccount();

        console.log("user.userName is: " + user.userName); // User Email ID
        // textContent rather than innerHTML so the claim value is never parsed as HTML
        document.getElementById("userName").textContent = "Welcome " + user.name; // User Name

        let requestObj = {
          scopes: [resourceUri, "openid", "profile"],
          loginHint: user.userName
        };

        return clientApplication.acquireTokenSilent(requestObj).then(function (tokenResponse) {
            return tokenResponse.accessToken;
          }).catch(function (error) {
              console.log("Error from exchangeTokenAsync function" + error);
          });
}


Below is the MSAL code.


var clientApplication;

      (function () {
        // MSAL.js 1.x expects the auth and cache settings in their own sections
        var msalConfig = {
          auth: {
            clientId: '<Canvas(SSO) App Client ID>',
            // authority is the full URL (instance + tenant id), as in the reply above
            authority: '<Directory ID>',
            redirectUri: '<My SharePoint website url where the bot is deployed>'
          },
          cache: {
            cacheLocation: "localStorage",
            storeAuthStateInCookie: false
          }
        };
        if (!clientApplication) {
          clientApplication = new Msal.UserAgentApplication(msalConfig);
        }
      }());


Every time, my code enters the if (id === "retry") block of code.


Errors from the logs:

id: retry - bot was not able to handle the invoke, so display the oauthCard

Error from exchangeTokenAsync functionClientAuthError: Token calls are blocked in hidden iframes

Failed to load resource: the server responded with a status of 502 ()


But I see my userName being fetched by the MSAL.



Below is the exchangeTokenAsync function



I am not sure why this always fails and displays the login card.
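A token-exchange helper that handles the "Token calls are blocked in hidden iframes" failure quoted above, as an added example that is not code from this thread or from the PVA docs. It assumes an MSAL.js 1.x-style client exposing acquireTokenSilent() and acquireTokenPopup() (a constructed fake stands in for it here) and that MSAL reports the blocked call with errorCode 'block_token_requests'; buildUserId mirrors the doc's userId rule from the first post.

```javascript
// Added example (not from the thread or the PVA docs). Assumes an MSAL.js 1.x-style
// client exposing acquireTokenSilent() and acquireTokenPopup(); makeFakeClient() below
// is a constructed stand-in so the flow runs offline.

// MSAL.js 1.x error code for a silent call made from a hidden iframe (assumed from the
// MSAL 1.x ClientAuthError catalogue); the message is the one quoted in the thread.
const BLOCKED_IN_IFRAME_CODE = 'block_token_requests';

function isBlockedInIframe(error) {
  return error.errorCode === BLOCKED_IN_IFRAME_CODE ||
    String(error.message || '').includes('hidden iframes');
}

// Same rule as the doc's userId line: prefixed account identifier when signed in,
// otherwise a random id; either way truncated to 64 characters.
function buildUserId(prefix, account) {
  const id = account && account.accountIdentifier != null
    ? prefix + account.accountIdentifier
    : Math.random().toString() + Date.now().toString();
  return id.substring(0, 64);
}

async function exchangeTokenAsync(clientApplication, resourceUri, loginHint) {
  const requestObj = { scopes: [resourceUri, 'openid', 'profile'], loginHint };
  try {
    const tokenResponse = await clientApplication.acquireTokenSilent(requestObj);
    return { accessToken: tokenResponse.accessToken, interactive: false };
  } catch (error) {
    // Only the iframe-blocked case gets an interactive retry; anything else (consent,
    // wrong authority, network) is surfaced so the caller shows the OAuth card once
    // instead of looping on "retry".
    if (!isBlockedInIframe(error)) throw error;
    const tokenResponse = await clientApplication.acquireTokenPopup(requestObj);
    return { accessToken: tokenResponse.accessToken, interactive: true };
  }
}

// Constructed stand-in for Msal.UserAgentApplication: silentError is null for a working
// silent call, or the Error the silent call should reject with.
function makeFakeClient(silentError) {
  return {
    acquireTokenSilent: async () => {
      if (silentError) throw silentError;
      return { accessToken: 'silent-token' };
    },
    acquireTokenPopup: async () => ({ accessToken: 'popup-token' })
  };
}
```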




This thread has helped me progress through various errors so thanks everyone for that.

I believe I'm real close but am getting a 403 error when the direct line API is called.

 I have followed the PVA SSO guide and gone through all the steps - Configure single sign-on - Power Virtual Agents | Microsoft Docs.

Also, I'm somewhat confused by contradicting instructions.

Please note that the two steps (in italics from the SSO article) below seem to contradict each other as to which app the Expose an API scope needs to be added to. Step 1 says add it to the initial app reg. However, in the following section, step 4 refers to the canvas app.


Which one should the scope be configured in? - Initial app reg or the canvas app?


Define a custom scope for your bot

  1. Open the app registration that you created when you configured authentication.

Step 4 refers to the Canvas app reg - Enter the full scope URI from the Expose an API blade for the canvas app registration in the Token exchange URL field. The URI will be in the format of api://1234-4567/




Can someone please help? @BoLi @PaulCullivan @Anonymous 

Thanks in advance.


Thanks, the document is indeed very confusing and not clear. I will ask someone to update the doc. Thank you for pointing it out.

Thank you @BoLi...appreciate it.


There are also several errors within the scripts provided within that article. I used this thread and one other to solve several of those.


I was wondering if you can help with the 403 error that I reported above somehow.

I think it just needs someone who has done this before to possibly advise as I'm confident that I have followed the article closely.


I'd be more than happy to provide my findings and contribute to improving the article by providing the correct working script etc.

Is there any chance we can connect virtually over a call? 




Wrong post, apologies.



I was wondering if you have figured out how to fix the 403 issue.  I am having the same problem.


