Description
We are an ISV focused on enterprise. Our chatbot is somewhat custom to each customer and not a candidate for the App Store. Each customer gets their own instance of the app with their own branding. For support reasons, we register the Azure AD app and bot in our own ISV Azure AD tenant, and then our customers' O365 admins consent to the app permissions and upload the Teams manifest provided by us to their org app store. Customers themselves may have multiple Teams tenants (company mergers, splits, acquisitions, dev/prod tenants), and they repeat the process for each tenant they own.
The chatbot is a Teams App (C#/.NET Bot Framework). The associated Azure AD App registration is multi-tenant (users from any org). The Bot Services registration had been multi-tenant. Our bot has SSO enabled, and we were able to (silently) get an access token for users in multiple tenants where our app was deployed (with admin consent). Our bot then used the user access token retrieved from the Bot Framework to access Graph on behalf of the user (to, say, create meetings in their own tenant).
We follow the instructions provided for enabling SSO in the Teams App to the letter, updating the Teams App manifests with the proper connection strings etc. All this worked fine until the end of 2025, when bots could be multi-tenant.
Now that this is deprecated and bots must be single-tenant, is there a mechanism for our bots in the above configuration to get an access token [FOR A USER IN A DIFFERENT TENANT than the bot] to use with Graph in the user's tenant?
- Silently as before
- Perhaps using an OAuth Card mechanism
Messaging with the bot from multiple tenants is working fine; it is just the process of getting an access token for a user in a foreign tenant that is failing (our apps are consented to by the admins in the foreign tenant, and the Teams App manifests are likewise loaded and permitted).
Legacy bots that were already multi-tenant are working fine. It's just the new bot registrations, which can only be single-tenant, that are unable to get the access token on behalf of a user.
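A diagnostic that helps narrow down a failure like the one described above is to look at which tenant and audience the token you do get back was minted for: an SSO token whose `tid` is the ISV tenant rather than the customer's tenant will not work against Graph in the customer's tenant. The following is an added example, not code from the issue author or from the Bot Framework. It decodes the claims of a compact JWS without verifying the signature, so it is for inspection only, never for authorization decisions. The tenant IDs, object ID, scopes and the sample token are constructed; the Microsoft Graph application ID `00000003-0000-0000-c000-000000000000` (the `aud` of v2.0 Graph tokens) and the `https://graph.microsoft.com` audience of v1.0 tokens are real values.

```python
"""Inspect the tenant and audience claims of an Entra ID access token.

Added diagnostic example (not the issue author's or Bot Framework code).
The payload is decoded WITHOUT signature verification, so use this only to
see which tenant/audience a token was issued for, never to authorize.
"""
import base64
import json

# Constructed sample values: these tenant/object IDs are made up.
CUSTOMER_TENANT = "11111111-1111-1111-1111-111111111111"
ISV_TENANT = "22222222-2222-2222-2222-222222222222"
GRAPH_AUDIENCE_V1 = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Graph's app ID, the aud of v2.0 tokens


def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWS segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned token shaped like a v1.0 Graph access token issued
# in the customer's tenant. The signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256", "kid": "constructed"}),
    _b64url({
        "aud": GRAPH_AUDIENCE_V1,
        "iss": f"https://sts.windows.net/{CUSTOMER_TENANT}/",
        "tid": CUSTOMER_TENANT,
        "oid": "33333333-3333-3333-3333-333333333333",
        "scp": "OnlineMeetings.ReadWrite User.Read",
    }),
    "c2lnbmF0dXJl",  # placeholder signature, not validated here
])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_tenant(token: str, expected_tid: str) -> tuple[bool, str]:
    """Check that a token was minted in the expected tenant and for Graph.

    Returns (ok, reason). A token whose tid is the bot's home tenant rather
    than the user's tenant is the kind of mismatch to look for when a
    cross-tenant Graph call fails.
    """
    claims = decode_claims(token)
    tid = claims.get("tid")
    aud = claims.get("aud")
    iss = claims.get("iss", "")
    if aud not in (GRAPH_AUDIENCE_V1, GRAPH_APP_ID):
        return False, f"audience {aud!r} is not Microsoft Graph"
    if tid != expected_tid:
        return False, f"token tenant {tid} != expected tenant {expected_tid}"
    if expected_tid not in iss:
        return False, f"issuer {iss!r} does not belong to tenant {expected_tid}"
    return True, "token is for the expected tenant and audience"


if __name__ == "__main__":
    print(token_matches_tenant(SAMPLE_TOKEN, CUSTOMER_TENANT))
    print(token_matches_tenant(SAMPLE_TOKEN, ISV_TENANT))
```

Run it against a real token captured from the bot's token response and compare `tid` with the tenant ID from the incoming activity's channel data; if they differ, the token was issued in the wrong tenant regardless of what consent exists on the customer side.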