Bot Framework - App registration - Single tenant vs Multi tenant

AlexisParratte-1984 26 Reputation points
2021-03-10T21:25:39.64+00:00

Hi,

We are trying to deploy a bot built with the bot framework in our organization but we failed to understand why it is necessary to register the App as a Multi-Tenant App. The bot will only be used in our organization and the user would sign-in only from our organization, so we would prefer to deploy it as a single-tenant application.
Is that possible ?

My reference for that is this documentation
https://learn.microsoft.com/en-us/azure/bot-service/bot-service-quickstart-registration?view=azure-bot-service-4.0#manual-app-registration

76482-image.png

Thanks

Azure AI Bot Service
Azure AI Bot Service
An Azure service that provides an integrated environment for bot development.
751 questions
Accepted answer
  1. YutongTie-MSFT 46,991 Reputation points
    2021-03-11T05:10:22.673+00:00

    Hi there,

    I just check with the pm, the multi-tenant organization is what enables the Azure Bot Service servers (in the botframework.com tenant) to authenticate requests coming from the bot (registered in the customer's tenant) through our servers. It's part of our service to service authentication protocol. it is not used for other purposes, and not to have any claims added to it for other access.

    To authenticate users, you should utilize the user auth features in the bot service, you can sign in to AAD or Auth based authentication servers if you prefer.

    Thanks,
    Yutong

5 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Wandee, Teeraphan 1 Reputation point
    2021-12-13T09:08:04.467+00:00

    @YutongTie-MSFT

    When we deploy Web App Bot, is it possible to configure the app registration as Single Tenant instead? Does it have to always be Multi tenant?

    However, when I tried to deploy Azure Bot, it asked me to choose the app type -- user-assign managed identity, single tenant and multi-tenant. Does it mean that if I choose the single tenant app type, I can set the app registration as the Single Tenant?

    Could you please help clarify it?

    Thank you.

    0 comments
  2. Kiran Kulkarni 1 Reputation point
    2022-02-03T19:50:18.743+00:00

    Until late last year only multi-tenant apps as bot identity were supported. Recently, support for both single-tenant and user-assigned MSI as bot identity has also been added. This support is currently limited to bots written using .NET or JS SDKs. For more details and to get started see links below:

    Create an Azure Bot resource in the Azure portal
    https://learn.microsoft.com/en-us/azure/bot-service/abs-quickstart?view=azure-bot-service-4.0&tabs=userassigned

    Tutorial - Deploy a basic bot using Azure Bot Service - Bot Service
    https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-tutorial-deploy-basic-bot?view=azure-bot-service-4.0&tabs=csharp%2Cuserassigned

    Deploy your bot - Azure Bot Service - Bot Service
    https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-deploy-az-cli?view=azure-bot-service-4.0&tabs=csharp%2Cuserassigned

  3. J.C. Bartle 6 Reputation points
    2022-03-02T18:33:21.89+00:00

    Hello, all. Wanted to consolidate some information into one comment / answer in case someone comes across this later.

    Previously, when selecting Single Tenant, my bot would fail to work at all or certain actions would fail. That has largely been taken care of my following Microsoft's guidance of redeploying your bot using the Bot Framework version 4.15 or later per this documentation:

    https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-deploy-az-cli

    However, I still ran into an issue post-deployment which I didn't discover until later. A portion of my bot requires getting an authentication token, and that started throwing the same error I had been encountering before:

    "Failed to acquire token for client credentials. (AADSTS700016: Application with identifier '<app_id>' was not found in the directory 'Bot Framework'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."

    The relevant code is: 

    MicrosoftAppCredentials credentials = new MicrosoftAppCredentials(_appId, _appSecret);  
var tokenString = await credentials.GetTokenAsync().ConfigureAwait(false);  
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenString);  
var responseMessage = await httpClient.GetAsync(uri);

    Changing the first line of code to this corrects the issue: 

    MicrosoftAppCredentials credentials = new MicrosoftAppCredentials(_appId, _appSecret, _tenantId, httpClient);

    My only theory on this is that credentials for bots are validated against the 'Bot Framework' tenant by default. When you switch to single tenant, your bot isn't registered in the 'Bot Framework' tenant. So you have to explicitly specify that you want to authenticate against your own tenant in order for the token to be retrieved successfully.

  4. Ken Hu 0 Reputation points
    2023-04-17T02:02:10.3033333+00:00

    I have the exact same problem, If I choose "Single Tenant" as supported account type when registering my app, then I will get the following error: [onTurnError] unhandled error: Error: Get Token request returned http error: 400 and server respons
    e: {“error”:“unauthorized_client”,“error_description”:“AADSTS700016: Application with identifier ‘d5
    7e1c79-7716-441c-972c-47090b9dfc1e’ was not found in the directory ‘Bot Framework’. Bot Framework is 4.18.0

    0 comments