Forum Discussion
Enabling Cross-Tenant Authentication for Teams Apps with Single-Tenant Bot
- Sep 08, 2025
Hello chetanoptimus
Please note that you can (you should actually) use two Azure AD / Entra ID App Registrations.
The first one is associated with the Azure Bot Service. It secures the communication from Azure Bot Service to your backend (channel-to-bot access). You can be single-tenant here as external users are not involved. If your backend is running on Azure (such as Azure App Service), you can even use Managed Identities which is ideal as you won't have to rotate secrets or certificates. See Provision an agent in Azure Bot Service using User-Assigned Managed Identity | Microsoft Learn
The second App Registration can be used for multi-tenant user authentication (needed to publish your app in the store / App Source) and has to be multi-tenant to serve its purpose.
This App Registration can be configured in Azure Bot Service (OAuth Connection Settings) and consumed in Agents SDK through the Auto SignIn feature (see Configure your .NET Agent to use OAuth | Microsoft Learn). Or it can be configured directly through the Agents SDK with one of the auth types supported in the authentication provider (see Configure authentication in a .NET agent | Microsoft Learn).
Most documentation articles or samples are using the same App Registration for both needs (and are focusing on single-tenant scenario indeed) but having two App Registrations should be prioritized as far as I'm concerned.
I hope this helps.
Thanks, Benjiiim, this approach works as expected.