Kamil Gierach-Pacanek

Reputation: 115

Can Azure Bot App Reg for Microsoft Teams use Single Tenant?

Right now, I have MS Teams Bot running under App Registration configured to use "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

To begin with, I did some research on that topic and I am writing this question with the following resources in mind:

All these answers, from my understanding, come to this:

Whereas other bots authorize imperatively (explicitly), using e.g. MicrosoftAppCredentials, MS Teams bots have their authorization details configured declaratively in XML files like appsettings.json in the bot service.

How can I use Single tenant App Registration with Azure Bot used in MS Teams? Or is it not possible currently?

EDIT:
For future readers: using the answer, I prepared two places where you can access the TenantId of the incoming activity to perform whitelisting validation (in a Multi-tenant setup, because Single-tenant is still not working on Teams):

  1. In BotController:
        [HttpPost]
        public async Task PostAsync()
        {
            // The tenant of the incoming request is available here as a header:
            // this.Request.Headers["X-Ms-Tenant-Id"].ToString()
            // Validate it, then hand the request to the adapter as usual.
        }
  2. In a TeamsActivityHandler instance method override:
    internal class /***/ : TeamsActivityHandler
    {
        // Any method that has access to the TurnContext or Activity
        public override Task /***/(ITurnContext<IInvokeActivity> turnContext, ...)
        {
            // The tenant of the conversation is available here as:
            // turnContext.Activity.Conversation.TenantId
        }
    }

Having the TenantId, you can compare it to the allowed tenant and reject or allow accordingly.

Upvotes: 0

Views: 1491

Answers (1)

Hilton Giesenow

Reputation: 10804

I ran into this with another user on this site recently, where Proactive Messaging would not work because they had selected Single Tenant. It's a recent option, and it seems broken from my research - I would go with the MultiTenant option. If you really need to block the bot from being accessible from other tenants (which could well be recommended, as it's possible for a bot to be accessed by any user in any Teams tenant), it might be best to white-list your Tenant Id(s). There's an old sample on how to do this here - haven't tested if it's still working: https://github.com/OfficeDev/microsoft-teams-sample-complete-csharp/blob/master/template-bot-master-csharp/middleware/Middleware.cs

Upvotes: 1
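The tenant allow-list the answer recommends can be implemented as Bot Framework v4 middleware that ends the turn before any bot logic runs when the activity's Conversation.TenantId is not on the list. This is an added example, not the linked sample's code or the asker's; the class names, the "AllowedTenantIds" configuration key and the adapter subclass are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Integration.AspNet.Core;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

// Hypothetical middleware name. Runs on every turn, before the TeamsActivityHandler.
public class TenantAllowListMiddleware : IMiddleware
{
    private readonly HashSet<string> _allowedTenantIds;

    public TenantAllowListMiddleware(IEnumerable<string> allowedTenantIds)
    {
        // Tenant IDs are GUIDs; compare case-insensitively so formatting differences do not matter.
        _allowedTenantIds = new HashSet<string>(allowedTenantIds, StringComparer.OrdinalIgnoreCase);
    }

    public async Task OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken = default)
    {
        // Teams sets the originating tenant on the conversation; a missing value is treated as not allowed.
        var tenantId = turnContext.Activity?.Conversation?.TenantId;

        if (string.IsNullOrEmpty(tenantId) || !_allowedTenantIds.Contains(tenantId))
        {
            // Fail closed: do not call next(), so the bot's handlers never see this activity,
            // and send nothing back that would reveal which tenants are allowed.
            return;
        }

        await next(cancellationToken).ConfigureAwait(false);
    }
}

// Hypothetical adapter subclass that registers the middleware; register this type as the
// BotFrameworkHttpAdapter in Startup.cs. Allowed tenants are read from the
// "AllowedTenantIds" array in appsettings.json (assumed key).
public class TenantRestrictedAdapter : BotFrameworkHttpAdapter
{
    public TenantRestrictedAdapter(IConfiguration configuration, ILogger<BotFrameworkHttpAdapter> logger)
        : base(configuration, logger)
    {
        var allowed = configuration.GetSection("AllowedTenantIds").Get<string[]>() ?? Array.Empty<string>();
        Use(new TenantAllowListMiddleware(allowed));
    }
}
```

With an empty or missing "AllowedTenantIds" list every activity is rejected, which is the safe default for a multi-tenant registration that is meant to serve a single tenant.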
