Share via

Teams custom app fails authentication after switching from multi-tenant to single-tenant

Saad Alladmahi 60 Reputation points
2025-10-06T11:28:10.1366667+00:00

We recently changed our Teams custom app from a multi-tenant to a single-tenant Azure AD registration. After updating the appId and manifest in Teams, users are now receiving authentication errors when signing in.

The Azure AD app is configured as single-tenant, with delegated Microsoft Graph permissions granted and admin consented. However, existing users seem to still reference the previous multi-tenant configuration, and token acquisition fails in the Teams desktop client.

We’ve already reuploaded the manifest, cleared Teams cache, and reinstalled the app, but the issue persists. It appears that Teams is still caching the previous app registration or token context.

How can I fix that, and what we need to know about this situation ?

Thank you

Microsoft Teams | Development
0 comments
Answer accepted by question author
  1. Nivedipa-MSFT 3,846 Reputation points Microsoft External Staff Moderator
    2025-10-07T06:03:48.35+00:00

    @Saad Alladmahi -
    This issue is common when switching an Azure AD app registration from multi-tenant to single-tenant for a Teams custom app. Here’s what you need to know and how to resolve it:

    Why it happens:

    Teams and Azure AD may cache authentication context, tokens, and app registration metadata.

    Existing users may have cached tokens or references to the old multi-tenant app, causing token acquisition to fail after the switch.

    How to fix:

    1.Remove the old app registration completely:

    Delete or disable the previous multi-tenant Azure AD app registration if it’s no longer needed.

    2.Update the Teams app manifest:

    Ensure the manifest references the new single-tenant appId.

    Increment the manifest version to force Teams to recognize the update.

    3.Clear Teams and browser cache:

    For all affected users, clear Teams desktop cache:

    Quit Teams.

    Delete %appdata%\Microsoft\Teams (Windows) or ~/Library/Application Support/Microsoft/Teams (Mac).

    Restart Teams.

    Clear browser cache if using Teams web client.

    4.Reinstall the Teams app:

    Uninstall the app from Teams.

    Reinstall the updated app with the new manifest.

    5.Consent and permissions:

    Ensure admin consent is granted for all required Microsoft Graph permissions in the new single-tenant app.

    Users must belong to the tenant where the app is registered.

    6.Token acquisition:

    Verify your authentication code uses the correct appId and tenantId.

    For single-tenant apps, tokens will only be issued for users in the home tenant.

    Important considerations:

    • Users from other tenants will not be able to sign in to a single-tenant app.
    • If you need cross-tenant access, you must use a multi-tenant app registration.
    • Teams may take time to propagate manifest and app registration changes; allow up to 24 hours for full sync.

    References:

Answer accepted by question author
  1. Kudos-Ng 7,850 Reputation points Microsoft External Staff Moderator
    2025-10-06T12:23:33.8766667+00:00

    Hi Saad Alladmahi,

    Thank you for posting your question in the Microsoft Q&A forum. 

    Based on your description, it sounds like you’re experiencing authentication issues for users signing in to the app after switching your Teams custom app from multi-tenant to single-tenant.

    However, to better understand and help troubleshoot, could you clarify a few points:

    • Did you edit the existing app registration or create a brand-new single-tenant app registration?
    • What authentication flow are you using? Is it Teams SSO (on-behalf-of flow) or a different OAuth 2.0 flow?
    • When you attempt to retrieve the token, do you see any specific error codes or messages?
    • You mentioned the issue occurs in the Teams desktop client. Have you tried the same scenario in Teams web?

    Additionally, I’ve come across some recent reports from other users facing authorization issues after switching from multi-tenant to single-tenant for Teams bots or custom apps. You might find these discussions relevant:

    A common pattern in these cases (and possibly yours) is that the app worked fine as multi-tenant, but after switching to single-tenant, authentication started failing. It also seems there is currently no definitive workaround that guarantees a fix. In this case, you may need to wait for an update to the Teams client from Microsoft or open a support ticket via the Azure portal to get accurate guidance and allow Microsoft to check backend logs for this issue.

    That said, I’ll wait for your updates and will continue to assist based on any official or publicly recommended information I can find.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.