Setting up Signed-in Bots for Microsoft Teams

How to sign in your bot into a Microsoft teams account

This guide is for you if:

  • You need to join meetings that only allow signed-in Microsoft teams users

Limitations:

  • Signed-in bot names cannot be overridden - Signed-in Microsoft Teams bots get their name from the Microsoft Teams account used to sign-in the bot. This overrides the bot_name parameter in Create Bot endpoint
  • Signed-in Microsoft Teams bots must be in their own Organization - Signed-in Microsoft Teams bots must be in their own organization due to global organization-level permission changes

Signed-in Microsoft Teams Bot in 5 Steps

Step 1: Set up a new Microsoft 365 Business account

❗️

Do not create the bot account in your existing Microsoft business organization

Since the authenticated bot requires global organization-level permission changes, authenticated Teams bots should always use a new Microsoft account

Head to the Microsoft 365 Business page to buy the Microsoft 365 Business Basic license

https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products-b

After clicking "Buy Now", proceed to login with your admin account. Microsoft will then ask you to set up your account and pay for the license

Once done, you will need to sign into the M365 admin dashboard. Note that it may request you to set up MFA for this admin account

Step 2: Create the bot's account

Step 2.1: Create a new user for the bot

Next, give the bot an email, display name, and password. You do not need to apply roles/permissions or fill out any additional details

🚧

The bot display name and profile image cannot be overridden

Regardless of what you specify in your Create Bot request, the display name and profile photo will always be taken from the Microsoft account details defined in this section

As you go through the steps, Microsoft will ask if you'd like to assign a license to the user. You won't need to buy an additional license for the bot

Once you finish adding the new user for the bot, you will be given the bot's sign-in details. You will need to save the bot's email and password for later

Step 2.2: Reassign the Teams license to the bot user

First head to Billing > Licenses > Microsoft 365 Business Basic and select your admin account. Then you will see the option to unassign licenses

After this, reload the page you can reassign the license to the bot user. If you are prompted to buy another license after unassigning, wait a few minutes before refreshing the page. Microsoft may need some time to free up the license before you can reassign it

Step 3: Add the bot's sign-in credentials in the Recall dashboard

Head to the dashboard's Meeting Bot Setup > Microsoft Teams page and add the bot's email & password

🚧

We recommend keeping Login Mandatory option turned off.

The login mandatory option (if turned on) forces the bot to always login before joining the call. We recommend to keep this option off, as a result bot will attempt to login only for calls where signed in participants are mandatory

Leaving this enabled will mean that the bot's profile (name and picture) will be used every time the bot joins the call. This will override the bot_name setting you have set

Step 4: Update the Microsoft tenant's security settings

Step 4.1: Create a pay-as-you-go azure account

Sign into the admin portal using the admin account

https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account

Step 4.2: Disabling Security Defaults

Search for the Microsoft Entra ID product

Once in the Microsoft Entra Id product, disable the security defaults found in Overview > Properties > Manage Security Defaults and set Security Defaults to Disabled (not recommended). All tabs and fields can be seen in the image below

Step 4.3: Disable "Show keep user signed in"

Search for the Users product.

Once in the Users product, click on User Settings in the sidebar and disable the "Show keep users signed in" toggle. The path and toggle can be seen in the image below

Step 4.4: Set the bot's profile picture

After you create the new user, wait a few seconds and reload the page to see the new user. Then you can click on the profile to navigate to the bot's account to update the bot's profile picture

Step 5: Test the bot

Now that your new bot account is set up, you can try sending your bot to a new Microsoft Teams meeting

You can quickly test this by sending a bot using the interactive Create Bot api docs. Make sure you use a new Teams Meeting URL and the API key from the Recall account with your Microsoft Teams Business Account login credentials

When testing, select the "Login Mandatory" option in the Recall dashboard's Meeting Bot Setup > Teams > Signed-in Microsoft Teams credentials. Then you can send a bot to a Teams meeting to see it sign-in. Don't forget to disable this again after your test

Note that you the bot will only sign in for meetings that require signed-in participants

FAQs

Why does the bot sometimes have (Guest) and others (External) after the display name?

A bot has (Guest) next to the display name when the bot is not signed in.

A bot has (External) next to the display name when the bot is signed in.

If you want the bot to always show (External) instead of (Guest), you can enable the "Login Mandatory" checkbox in the Teams Web Credentials. Note that logging in the bots take a significantly longer time to join calls

Why does the bot have (Unverified) after the display name?

Microsoft released an update February 2024 that affects how Teams participants are displayed depending on their account's relationship with the organization.

This only affects the new version of teams (teams.microsoft.com), and is not applicable for the old version (teams.live.com).

Below is a summary of these changes:

No label: All participants who are part of the organizer’s organization.

External: All participants who are external to the organizer’s organization but have a trusted relationship with the organizer or their organization. This means the domain of the signed-in user is on the host's list of trusted domains

Unverified: All other participants will be seen with this label. This will include Microsoft Entra ID users who belong to organizations that do not have an explicit external access setup with the organizer’s organization, Microsoft Account (personal) users, users who are not using any Microsoft ID while joining meetings, and others.

This means that, by default, bot that join a Teams meetings hosted at teams.microsoft.com will have the Unverified suffix.

Would Microsoft Teams Essentials plan also work for setting this up or does this requires a Microsoft 365 Business Basic?

We haven't tested the Microsoft Teams Essentials plan ourselves so we can't say for certain but we recommend our devs use the Microsoft 365 Business Basic plan as this is what we used for setup and it contains all the required security settings and configurations needed for the bot to join calls

Is there a way to detect beforehand when a Signed-in Teams bot will be required for a user meeting

There is not a way for you to detect what kind of bot will be required for a meeting beforehand because the bot will need to attempt to sign in and encounter the "you need to sign in" page for us to know

That being said, we also have an option in the dashboard to make the bot sign in for every meeting (called "Login Mandatory"). If you leave this bot unchecked, it will only sign in for meetings that require participant sign-in

We generally recommend developers leave this box unchecked (do not sign in for every meeting, only when required) to keep the bot's join time as low as possible

Can we use our own Teams organization or do we need a new Teams organization for every customer?

We recommend creating a new organization for the bot, then all of your customers can invite this bot to their org (so you only need one new org for all your customers). We recommend creating a new organization for your bot because you need to update the org's security settings which you typically don't want to apply to your whole org

We also recommend having your customers tenants add the bots domain as a "trusted organization" in their security settings

Will Signed-in Teams bots work for Calendar V1, V2, scheduled bots, or ad-hoc bots?

This will work for all meetings (calendar v1/v2 meetings, scheduled meetings, or adhoc meetings). Once you configure it in the Recall dashboard, this gets applied to all your Teams bots moving forward