Hello, community!
Could you please help me to solve the puzzle? I'm developing a multi-tenant SaaS teams bot which I'm going to publish to the Teams Store. This bot will support SSO, we need to get access to some of the Graph resources on behalf of the users (calendar specifically).
So the default behavior of Teams Toolkit Extension for VS Code is to use two accounts for:
- Computing. Where all execution logic, BotService, etc will be deployed
- M365 account. Where the AAD App Registration is created and the teams bot is sideloaded to the specified teams account.
And for the M365 account during development, the recommended way is to use Microsoft 365 Developer Program. And as far as I understand for single-tenant applications the right way is to use the account of the administrator of that tenant.
We don't find any documentation on the right way to configure the TeamsFx toolkit for the multi-tenant production bot, as far as:
- developer account will expire in 90 days and it's non-sense to rely on the idea it will be auto-prolonged
- we don't need to install automatically our bot to this single-tenant as far as its purpose is to be used within any organization, not within ours.
And we have multiple ideas on how to solve it:
- Create an M365 account for our organization and deploy the App Registration via Teams Toolkit. What's the reason we need additional account for only AAD App Registration, isn't it just another resource within Azure Cloud?
- Deploy everything to the single Azure Account, the same where computing occurs. Does it require us to avoid TeamsFx deployment strategy and build our own? Or there're some options to make it work out of the box?
What's the recommended way and tools for multi-tenant SaaS bot with SSO production deployment ? Is there any documentation that I missed?
