Forum Discussion

chetanoptimus
Copper Contributor
Sep 01, 2025
Solved

Enabling Cross-Tenant Authentication for Teams Apps with Single-Tenant Bot

Hello Team,

I am working on implementing authentication for a Teams application using the Microsoft 365 Agents SDK. Following Microsoft’s current guidance, I have:

  • Registered a single-tenant Azure AD bot.
  • Integrated Azure AD authentication.
  • Prepared for AppSource distribution as the long-term supported method for cross-tenant availability.

However, I am still facing challenges in reliably enabling sign-in for external users from other tenants. Specifically:

  • The cross-tenant sign-in flow remains unclear.
  • Validating authentication across multiple tenants is difficult without official end-to-end guidance.
  • Existing samples and documentation primarily address single-tenant or internal-only scenarios.

As of now, authentication for external users is still difficult to get working and validate consistently across tenants.

Could you provide detailed guides, samples, or best practices for:

  1. Enabling authentication for external users in this single tenant + AppSource distribution model.
  2. Recommended patterns for testing cross-tenant authentication before AppSource submission.
  3. Any roadmap considerations for simplifying this scenario.

This would help ensure Teams apps can meet compliance requirements while still delivering a smooth sign-in experience for users across organizations.

Thank You,

Chetan

  • Hello chetanoptimus

    Please note that you can (you should, actually) use two Azure AD / Entra ID App Registrations.

    The first one is associated with the Azure Bot Service. It secures the communication from Azure Bot Service to your backend (channel-to-bot access). You can be single-tenant here, as external users are not involved. If your backend is running on Azure (such as Azure App Service), you can even use Managed Identities, which is ideal as you won't have to rotate secrets or certificates. See Provision an agent in Azure Bot Service using User-Assigned Managed Identity | Microsoft Learn.

    The second App Registration can be used for multi-tenant user authentication (needed to publish your app in the store / AppSource) and has to be multi-tenant to serve its purpose.
    This App Registration can be configured in Azure Bot Service (OAuth Connection Settings) and consumed in the Agents SDK through the Auto SignIn feature (see Configure your .NET Agent to use OAuth | Microsoft Learn). Or it can be configured directly through the Agents SDK with one of the auth types supported in the authentication provider (see Configure authentication in a .NET agent | Microsoft Learn).

    Most documentation articles or samples use the same App Registration for both needs (and indeed focus on the single-tenant scenario), but having two App Registrations should be prioritized as far as I'm concerned.

    I hope this helps.
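
An added illustration (not code from the reply or from the Agents SDK) of why the two registrations are validated differently: the channel-to-bot token is pinned to the bot's own tenant and app ID, while a user sign-in token from the multi-tenant registration is accepted from any tenant as long as its issuer agrees with its `tid` claim. All IDs, the signing key and the HS256 signing are constructed for the demo, and the issuer URL form is an assumption; in practice the Agents SDK's token validation performs these checks for you.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder IDs; not real tenants or registrations.
BOT_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # the bot's home tenant
BOT_APP_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"      # single-tenant registration (channel-to-bot)
USER_APP_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"     # multi-tenant registration (user sign-in)
DEMO_KEY = b"constructed-demo-key"  # stands in for the issuer's signing key (real tokens are RS256)
ISSUER = "https://login.microsoftonline.com/{}/v2.0"      # assumed v2.0 issuer form for the demo

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT for the demo; Entra ID issues RS256 tokens."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def decode_verified(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check signature and expiry, then return the claims; raises ValueError on failure."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def validate_channel_token(token: str) -> dict:
    """Bot Service -> backend: audience and issuer are pinned to the bot's own tenant."""
    c = decode_verified(token)
    if c.get("aud") != BOT_APP_ID:
        raise ValueError("aud is not the bot's app ID")
    if c.get("iss") != ISSUER.format(BOT_TENANT_ID):
        raise ValueError("channel token must come from the bot's home tenant")
    return c

def validate_user_token(token: str, denied_tenants: frozenset = frozenset()) -> dict:
    """User sign-in via the multi-tenant registration: any tenant, but iss must match tid."""
    c = decode_verified(token)
    if c.get("aud") != USER_APP_ID:
        raise ValueError("aud is not the user-auth app ID")
    tid = c.get("tid")
    if not tid or c.get("iss") != ISSUER.format(tid):
        raise ValueError("issuer does not match the tid claim")
    if tid in denied_tenants:
        raise ValueError("tenant not allowed")
    return c
```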

4 Replies

  • @chetanoptimus - Thanks for bringing this issue to our attention.
    A single-tenant Azure AD app cannot support cross-tenant sign-in, even if distributed via AppSource.

    We appreciate your input. To ensure your idea is considered for future updates, we recommend submitting it through the Teams Feedback Portal. Feature requests are reviewed by the engineering team and may be prioritized based on various factors, including the number of requests received.

    If you have any additional thoughts or feedback, please feel free to share them with us. Your contributions are valuable and help improve the product! 

    Thank you again for your valuable suggestion! 

    Thanks, 

    Nivedipa

    --------------------------------------------------------------------------------------------------------------------- 

    If the response is helpful, please click "**Mark as Best Solution**" and like it. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate. 
