Right now, I have MS Teams Bot running under App Registration configured to use "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
To begin with, I did some research on that topic and I am writing this question with the following resources in mind:
- Comment on issue #9498 @ azure-sdk-for-net
- Azure Bot App Registration requiring multi-tenancy when single-tenant is preferred
- Bot Framework - App registration - Single tenant vs Multi tenant
All these answers, from my understanding, come down to this:
- prior to late 2021, only Multi-tenant apps were supported as the bot identity
- now I should be able to use Single-tenant for the app registration, but that requires additional configuration
- the moment when the mentioned changes take effect is the moment when the Bot tries to authenticate
- whereas other bots imperatively (explicitly) authorize using e.g. MicrosoftAppCredentials, MS Teams Bots have their authorization details configured declaratively in XML files like appsettings.json in the bot service.
How can I use Single tenant App Registration with Azure Bot used in MS Teams? Or is it not possible currently?
EDIT:
For future readers: using the answer, I prepared two places where you can access the TenantId of an incoming activity to perform whitelisting validation (in a Multi-tenant setup, because Single-tenant is still not working on Teams):
- In BotController:

```csharp
[HttpPost]
public async Task PostAsync()
{
    // The Teams channel sends the tenant id of the caller as a request header.
    // Here using
    //this.Request.Headers["X-Ms-Tenant-Id"].ToString()
}
```

- In a TeamsActivityHandler instance method override:

```csharp
internal class /***/ : TeamsActivityHandler
{
    // any method that has access to TurnContext or Activity
    public override Task /***/(ITurnContext<IInvokeActivity> turnContext, ...)
    {
        // The tenant is also carried on the conversation account of the activity.
        // Here using
        //turnContext.Activity.Conversation.TenantId
    }
}
```
Having the TenantId you can compare it to the allowed tenant and reject or allow accordingly.
CodePudding user response:
I ran into this with another user on this site recently, where Proactive Messaging would not work because they had selected Single Tenant. It's a recent option, and it seems broken from my research - I would go with the MultiTenant option. If you really need to block the bot from being accessible from other tenants (which could well be recommended as it's possible for a bot to be access by any user in any Teams tenant, it might be best to white-list your Tenant Id(s). There's an old sample on how to do this here - haven't tested if it's still working: https://github.com/OfficeDev/microsoft-teams-sample-complete-csharp/blob/master/template-bot-master-csharp/middleware/Middleware.cs
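An allow-list middleware that performs the tenant comparison from the question's EDIT and the answer's white-listing suggestion in one place, as an added example rather than code from the question, the answer, or the linked sample; it assumes the Bot Framework v4 SDK for .NET and a hypothetical configuration key named AllowedTenantIds:

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;

// Added example (not the poster's code). Rejects every turn whose tenant is not
// on the allow list, before any activity handler runs.
public class TenantAllowListMiddleware : IMiddleware
{
    private readonly HashSet<string> _allowedTenantIds;

    public TenantAllowListMiddleware(IEnumerable<string> allowedTenantIds)
    {
        // Tenant ids are GUIDs; compare case-insensitively to avoid false rejects.
        _allowedTenantIds = new HashSet<string>(allowedTenantIds, StringComparer.OrdinalIgnoreCase);
    }

    public async Task OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken)
    {
        // Middleware runs after the adapter has authenticated the inbound request,
        // so this value comes from the Bot Framework channel, not an arbitrary caller.
        var tenantId = turnContext.Activity?.Conversation?.TenantId;

        if (string.IsNullOrEmpty(tenantId) || !_allowedTenantIds.Contains(tenantId))
        {
            // Deny by default: a missing tenant id is treated like an unknown one.
            // Not calling next() means no handler sees this turn.
            await turnContext.SendActivityAsync(
                "This bot is not available in your organization.",
                cancellationToken: cancellationToken);
            return;
        }

        await next(cancellationToken).ConfigureAwait(false);
    }
}

// Registration in Startup.ConfigureServices, after the adapter is built
// (AllowedTenantIds is an assumed config key holding comma-separated GUIDs):
// var allowed = Configuration["AllowedTenantIds"].Split(',', StringSplitOptions.RemoveEmptyEntries);
// adapter.Use(new TenantAllowListMiddleware(allowed));
```

Because the check sits in middleware, it also covers invoke and conversationUpdate activities, not only the message handlers you remember to guard.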