Error when deploying Single Tenant Bot to Teams

Question

Error when deploying Single Tenant Bot to Teams

Jumeaux, Coline 5

Since Microsoft deprecated Multi Tenant Bots this summers, we are facing difficulties when deploying our Azure AI Bot to Teams.

We are using the bot framework SDK for the backend of our chatbot, which handles authentication via OAuth prompt.

Previously, we had a multi tenant Azure Bot, and everything worked smoothly. If we create a new Single Tenant Bot and simply "plug it" into our setup, we get an error, both in Bot Framework Emulator and when deploying to Teams.

In BFE:

File "../.venv/lib/python3.12/site-packages/botframework/connector/token_api/aio/operations_async/_user_token_operations_async.py", line 100, in get_token
    raise models.ErrorResponseException(self._deserialize, response)
botframework.connector.token_api.models._models_py3.ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
{"message": "127.0.0.1 [16/Sep/2025:10:32:27 +0100] \"POST /api/messages HTTP/1.1\" 200 131 \"-\" \"node-fetch/1.0 (+https://github.com/bitinn/node-fetch)\"", "timestamp": "2025-09-16T11:32:30.920615+02:00", "remote_address": "127.0.0.1", "request_start_time": "[16/Sep/2025:10:32:27 +0100]", "first_request_line": "POST /api/messages HTTP/1.1", "response_status": 200, "response_size": 131, "request_header": {"Referer": "-", "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"}}

In the Teams deployment:

File "/src/.venv/lib/python3.12/site-packages/botframework/connector/aio/operations_async/_conversations_operations_async.py", line 529, in reply_to_activity
 raise models.ErrorResponseException(self._deserialize, response)
botbuilder.schema._models_py3.ErrorResponseException: Operation returned an invalid status code 'Unauthorized'

What we have done to troubleshoot:

Modified the code in botbuilder to bypass OAuth:
1. When setting the SPN (and corresponding app type) to "Single Tenant" we get an error message in BFE (400) "The Bot's Microsoft App ID or Microsoft App Password is incorrect"
2. When setting the SPN (and corresponding app type) to "Multi Tenant": Testing in BFE works as it should, but deploying to Teams DOESN'T WORK (same error as above, "Unauthorized")
Followed exactly the setup for Single Tenant from this guide that was suggested in another issue: https://support.cognigy.com/hc/en-us/articles/6422293904540-Azure-Bot-Services-Advanced-Deployment-with-SSO-Microsoft-Teams-Azure-Active-Directory-Portal
1. BFE doesn't work
2. Teams deployment doesn't work
3. Testing the OAuth connection in Azure Portal doesn't work

We would like to request support from Microsoft/other users from the community:

Updated documentation and step-by-step guide for deploying an Azure Bot to Teams, in the new single tenant configuration, which includes:
- How to set up the app registration, including the API permissions, and authentication
- How to set up the Azure Bot, including testing of OAuth connection in the single tenant configuration.
- If needed, how to modify the backend code in the botbuilder python framework
- Updated guide to test using Bot framework emulator.

Pavankumar Purilla 11,575 Reputation points Microsoft External Staff Moderator

2025-09-16T16:21:47.2966667+00:00

Hi Jumeaux, Coline,
Microsoft has deprecated the creation of multi-tenant bots as of July 31, 2025. Organizations migrating their existing multi-tenant Azure Bots to single-tenant configurations need to follow updated best practices and architecture patterns. Single-tenant bots restrict authentication to users within their own Azure Active Directory (Azure AD) tenant, which means the bot only directly serves users in that tenant. To allow users from other tenants to use the bot, these external users must be invited as guest users into the home tenant, or the bot must be published through the Microsoft Teams App Store (AppSource), where Microsoft facilitates consent and provisioning across tenants. This shift replaces the previous multi-tenant model where bots could be accessed directly by multiple tenants without additional consent workflows.

The migration process involves several critical steps beginning with the Azure AD app registration changes. In the Azure portal, the bot app’s “Supported account types” setting must be changed from multi-tenant (“Accounts in any organizational directory”) to single-tenant (“Accounts in this organizational directory only”). A new client secret should be generated under the “Certificates & secrets” section to replace the one used in multi-tenant setup. The OAuth redirect URI for Bot Framework authentication must be confirmed or set to https://token.botframework.com/.auth/web/redirect. These updates ensure that the app registration aligns with single-tenant restrictions and authentication flows.

On the bot backend side, code changes are essential to handle authentication and token acquisition correctly in single-tenant mode. The OAuth token request endpoint must specify the tenant ID, for example, using URLs such as https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token replacing the generic multi-tenant endpoints. The Microsoft App ID and password (client secret) used by the bot must match the single-tenant app registration. Any OAuth prompt flows or token handling in the Bot Framework SDK code should be updated accordingly. Importantly, testing with Bot Framework Emulator requires configuring it to use the single-tenant bot credentials and the appropriate tenant URLs to avoid unauthorized errors. Simply bypassing OAuth or mixing multi-tenant credentials will cause token validation failures and unauthorized errors both locally and during Teams deployment.

For deployment to Microsoft Teams, single-tenant bots can only serve users within their tenant boundary unless published externally. The recommended approach for broader user access is to package the bot as a Teams app and publish it through the Microsoft Teams App Store (AppSource). This publication enables external tenants to find, consent, and install the bot app, effectively enabling cross-tenant usage. This is the supported and future-proof model replacing the old multi-tenant bot usage pattern. Teams app manifest files and Azure Bot channel settings must be updated to reference the single-tenant app registration and permissions to avoid deployment errors related to unauthorized identities.

For reference: Connect a bot to Microsoft Teams
https://learn.microsoft.com/en-us/answers/questions/5492711/migrating-from-multi-tenant-to-single-tenant-azure
https://learn.microsoft.com/en-us/answers/questions/5495938/bot-depreciated-july-31st
Pavankumar Purilla 11,575 Reputation points Microsoft External Staff Moderator

2025-09-17T02:43:50.4233333+00:00

Hi Jumeaux, Coline,
Did you get any chance to check the response. Thank you!
Jumeaux, Coline 5 Reputation points

2025-09-17T07:12:07.8466667+00:00

Hi @Pavankumar Purilla , thanks for your response.

I am following it to troubleshoot.
The first thing I did was changing the Azure AD app registration “Supported account types” setting to single-tenant (“Accounts in this organizational directory only”). I then created a new secret, and used it in my bot config in the backend. The MicrosoftAppType is also set to "SingleTenant" in my config and I have provided the tenant ID. I then created a new Bot configuration in the BFE, using the newly created secret, however I still get the following error upon connecting: "The Bot's Microsoft App ID or Microsoft App Password is incorrect" (see attached screenshot).

Is there any other configuration that I am missing? You wrote: "Importantly, testing with Bot Framework Emulator requires configuring it to use the single-tenant bot credentials and the appropriate tenant URLs to avoid unauthorized errors." Where should the tenant URLs be specified in the settings of the BFE?

We will be using the Bot only in our tenant btw so we will not need to approve external tenants access. At the moment we are side loading the app for testing.
Jumeaux, Coline 5 Reputation points

2025-09-17T07:23:28.4633333+00:00

However the deployment to Teams works now!
Jumeaux, Coline 5 Reputation points

2025-09-22T08:04:46.5366667+00:00

@Pavankumar Purilla hi, do you have any update on the Bot Framework Emulator configuration for the single tenant scenario?
Pavankumar Purilla 11,575 Reputation points Microsoft External Staff Moderator

2025-09-22T16:18:36.9066667+00:00

Hi Jumeaux, Coline,
The configuration of the Bot Framework Emulator for single-tenant Azure Bots is slightly different from the previous multi-tenant setup. For single-tenant bots, all authentication must point explicitly to your Azure AD tenant rather than the generic multi-tenant endpoint. When testing locally, ensure that your Microsoft App ID and Microsoft App Password match those from your single-tenant Azure AD app registration, and that your bot configuration (for example, in the .env file) includes MicrosoftAppType=SingleTenant and MicrosoftAppTenantId=<your-tenant-id>. During sign-in through the Emulator, only accounts from the same tenant as the bot’s registration will authenticate; external accounts will be rejected. If your bot uses an OAuth connection, ensure that the connection in the Azure Bot resource is configured with the correct client ID, client secret, and tenant ID, and that the connection name in your code matches exactly. Additionally, confirm that the redirect URI https://token.botframework.com/.auth/web/redirect is included in your app registration. With these settings, the Emulator can successfully acquire tokens against your tenant using the single-tenant flow. If you continue to experience Unauthorized errors, please verify that the OAuth connection has been recreated for the single-tenant app registration and that the Emulator account is part of your tenant.
For reference: Add authentication to a bot
Jumeaux, Coline 5 Reputation points

2025-09-23T08:11:16.7733333+00:00

Hi @Pavankumar Purilla , thanks for your response, I have double checked all the requirements you specified above, and my setup is correct. I also logged in with my Azure account in the BFE, which belongs to the tenant where my bot is registered. However, there is still no change, I still get "The Bot's Microsoft App ID or Microsoft App Password is incorrect" when I connect to my Bot.

I have seen here that single tenant app type is not supported in the Bot Framework Emulator Screenshot 2025-09-23 at 10.09.40.png

Can you please confirm if this is the case, or if support has been provided now that multi-tenant app has been deprecated for Azure Bot services?
Pavankumar Purilla 11,575 Reputation points Microsoft External Staff Moderator

2025-09-24T08:55:29.8633333+00:00

Hi Jumeaux, Coline,
Thank you for confirming your setup details. At this time, the Bot Framework Emulator does not fully support the Single Tenant app type for authentication flows. This means that while multi-tenant apps were previously supported for local testing, the Emulator cannot yet handle token acquisition against a single tenant. As a result, you may continue to see errors such as “The Bot's Microsoft App ID or Microsoft App Password is incorrect” even if your configuration is correct.

For testing purposes, we recommend using the “Test in Web Chat” feature in the Azure portal, or deploying the bot to Teams to validate end-to-end authentication in the single-tenant context. Microsoft is aware of the dependency on multi-tenant apps for Emulator scenarios, and the current guidance is that single-tenant bots are supported in production channels but not in the Emulator.
For reference: Add authentication to a bot

1 answer

Your answer

Pavankumar Purilla 11,575 Reputation points Microsoft External Staff Moderator

2025-09-17T02:43:50.4233333+00:00

Hi Jumeaux, Coline,
Did you get any chance to check the response. Thank you!
Jumeaux, Coline 5 Reputation points

2025-09-17T07:12:07.8466667+00:00

Hi @Pavankumar Purilla , thanks for your response.

I am following it to troubleshoot.
The first thing I did was changing the Azure AD app registration “Supported account types” setting to single-tenant (“Accounts in this organizational directory only”). I then created a new secret, and used it in my bot config in the backend. The MicrosoftAppType is also set to "SingleTenant" in my config and I have provided the tenant ID. I then created a new Bot configuration in the BFE, using the newly created secret, however I still get the following error upon connecting: "The Bot's Microsoft App ID or Microsoft App Password is incorrect" (see attached screenshot).

Is there any other configuration that I am missing? You wrote: "Importantly, testing with Bot Framework Emulator requires configuring it to use the single-tenant bot credentials and the appropriate tenant URLs to avoid unauthorized errors." Where should the tenant URLs be specified in the settings of the BFE?

We will be using the Bot only in our tenant btw so we will not need to approve external tenants access. At the moment we are side loading the app for testing.
Jumeaux, Coline 5 Reputation points

2025-09-17T07:23:28.4633333+00:00

However the deployment to Teams works now!
Jumeaux, Coline 5 Reputation points

2025-09-22T08:04:46.5366667+00:00

@Pavankumar Purilla hi, do you have any update on the Bot Framework Emulator configuration for the single tenant scenario?
Pavankumar Purilla 11,575 Reputation points Microsoft External Staff Moderator

2025-09-22T16:18:36.9066667+00:00

Hi Jumeaux, Coline,
The configuration of the Bot Framework Emulator for single-tenant Azure Bots is slightly different from the previous multi-tenant setup. For single-tenant bots, all authentication must point explicitly to your Azure AD tenant rather than the generic multi-tenant endpoint. When testing locally, ensure that your Microsoft App ID and Microsoft App Password match those from your single-tenant Azure AD app registration, and that your bot configuration (for example, in the .env file) includes MicrosoftAppType=SingleTenant and MicrosoftAppTenantId=<your-tenant-id>. During sign-in through the Emulator, only accounts from the same tenant as the bot’s registration will authenticate; external accounts will be rejected. If your bot uses an OAuth connection, ensure that the connection in the Azure Bot resource is configured with the correct client ID, client secret, and tenant ID, and that the connection name in your code matches exactly. Additionally, confirm that the redirect URI https://token.botframework.com/.auth/web/redirect is included in your app registration. With these settings, the Emulator can successfully acquire tokens against your tenant using the single-tenant flow. If you continue to experience Unauthorized errors, please verify that the OAuth connection has been recreated for the single-tenant app registration and that the Emulator account is part of your tenant.
For reference: Add authentication to a bot
Jumeaux, Coline 5 Reputation points

2025-09-23T08:11:16.7733333+00:00

Hi @Pavankumar Purilla , thanks for your response, I have double checked all the requirements you specified above, and my setup is correct. I also logged in with my Azure account in the BFE, which belongs to the tenant where my bot is registered. However, there is still no change, I still get "The Bot's Microsoft App ID or Microsoft App Password is incorrect" when I connect to my Bot.

I have seen here that single tenant app type is not supported in the Bot Framework Emulator Screenshot 2025-09-23 at 10.09.40.png

Can you please confirm if this is the case, or if support has been provided now that multi-tenant app has been deprecated for Azure Bot services?
Pavankumar Purilla 11,575 Reputation points Microsoft External Staff Moderator

2025-09-24T08:55:29.8633333+00:00

Hi Jumeaux, Coline,
Thank you for confirming your setup details. At this time, the Bot Framework Emulator does not fully support the Single Tenant app type for authentication flows. This means that while multi-tenant apps were previously supported for local testing, the Emulator cannot yet handle token acquisition against a single tenant. As a result, you may continue to see errors such as “The Bot's Microsoft App ID or Microsoft App Password is incorrect” even if your configuration is correct.

For testing purposes, we recommend using the “Test in Web Chat” feature in the Azure portal, or deploying the bot to Teams to validate end-to-end authentication in the single-tenant context. Microsoft is aware of the dependency on multi-tenant apps for Emulator scenarios, and the current guidance is that single-tenant bots are supported in production channels but not in the Emulator.
For reference: Add authentication to a bot

Answer 1

Hi Jumeaux, Coline, Microsoft has deprecated the creation of multi-tenant bots as of July 31, 2025. Organizations migrating their existing multi-tenant Azure Bots to single-tenant configurations need to follow updated best practices and architecture patterns. Single-tenant bots restrict authentication to users within their own Azure Active Directory (Azure AD) tenant, which means the bot only directly serves users in that tenant. To allow users from other tenants to use the bot, these external users must be invited as guest users into the home tenant, or the bot must be published through the Microsoft Teams App Store (AppSource), where Microsoft facilitates consent and provisioning across tenants. This shift replaces the previous multi-tenant model where bots could be accessed directly by multiple tenants without additional consent workflows. The migration process involves several critical steps beginning with the Azure AD app registration changes. In the Azure portal, the bot app’s “Supported account types” setting must be changed from multi-tenant (“Accounts in any organizational directory”) to single-tenant (“Accounts in this organizational directory only”). A new client secret should be generated under the “Certificates & secrets” section to replace the one used in multi-tenant setup. The OAuth redirect URI for Bot Framework authentication must be confirmed or set to https://token.botframework.com/.auth/web/redirect. These updates ensure that the app registration aligns with single-tenant restrictions and authentication flows. On the bot backend side, code changes are essential to handle authentication and token acquisition correctly in single-tenant mode. The OAuth token request endpoint must specify the tenant ID, for example, using URLs such as https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token replacing the generic multi-tenant endpoints. The Microsoft App ID and password (client secret) used by the bot must match the single-tenant app registration. Any OAuth prompt flows or token handling in the Bot Framework SDK code should be updated accordingly. Importantly, testing with Bot Framework Emulator requires configuring it to use the single-tenant bot credentials and the appropriate tenant URLs to avoid unauthorized errors. Simply bypassing OAuth or mixing multi-tenant credentials will cause token validation failures and unauthorized errors both locally and during Teams deployment. For deployment to Microsoft Teams, single-tenant bots can only serve users within their tenant boundary unless published externally. The recommended approach for broader user access is to package the bot as a Teams app and publish it through the Microsoft Teams App Store (AppSource). This publication enables external tenants to find, consent, and install the bot app, effectively enabling cross-tenant usage. This is the supported and future-proof model replacing the old multi-tenant bot usage pattern. Teams app manifest files and Azure Bot channel settings must be updated to reference the single-tenant app registration and permissions to avoid deployment errors related to unauthorized identities. For reference: Connect a bot to Microsoft Teams https://learn.microsoft.com/en-us/answers/questions/5492711/migrating-from-multi-tenant-to-single-tenant-azure https://learn.microsoft.com/en-us/answers/questions/5495938/bot-depreciated-july-31st

Share via

Error when deploying Single Tenant Bot to Teams

1 answer

Your answer