Hello Anuj Arora,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand you are having issues configuring your Azure Bot for cross-tenant proactive messaging in Microsoft Teams.
Try to understand:
- Multi-Tenant App Registration is required for cross-tenant access.
- Single-Tenant App Registration restricts access to only one tenant, which is causing the authorization issues.
- So, do not rely on Single-Tenant App Registration for cross-tenant messaging.
However, the most reliable approach is to register your bot's Azure AD app as Multi-Tenant, which allows it to authenticate and interact with users across different customer tenants. You can do this by navigating to Azure Portal > App Registrations > Authentication, and selecting “Accounts in any organizational directory (Any Azure AD directory - Multitenant)”.
While your Azure Bot resource itself can remain Single-Tenant, what truly governs tenant access is the App Registration. The bot service uses this app to authenticate and authorize requests, so its multi-tenant configuration is what enables communication with external tenants.
But for production deployment, it's recommended to publish your bot to the Teams App Store (AppSource). This ensures discoverability and simplifies consent management for external organizations. Microsoft handles provisioning and tenant onboarding through AppSource, as @Aryan Parashar has stated.
To allow external tenants to grant permissions to your bot, you should provide an admin consent URL like: https://login.microsoftonline.com/common/adminconsent?client_id=<your-app-id>
This link enables tenant administrators to approve your bot’s access to their directory.
In your Teams App Manifest, ensure you include the webApplicationInfo section with your app ID and resource URI:
```json
"webApplicationInfo": {
  "id": "<your-app-id>",
  "resource": "https://yourdomain.com"
}
```
This configuration is required for Teams to correctly route authentication and authorization requests to your bot. Refer to the Teams manifest schema documentation for full details.
Finally, your bot code must be capable of validating tokens from multiple tenants. Use the Microsoft Bot Framework SDK to handle token validation securely and ensure that your bot can process proactive messages without authorization failures.
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
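
The following is an added example, not part of the answer above and not Bot Framework SDK code. With a multi-tenant app registration, a token can come from any tenant that has consented, so after the SDK or a JWT library has verified the signature, the bot can still check that the issuer matches the `tid` claim and that the tenant is one it has onboarded. The function name, the allow-list and the accepted audience values are assumptions for illustration.

```python
import re

# Issuer formats used by Microsoft Entra ID for v2.0 and v1.0 tokens.
ISSUER_TEMPLATES = (
    "https://login.microsoftonline.com/{tid}/v2.0",
    "https://sts.windows.net/{tid}/",
)
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$")


def check_tenant_claims(claims, audiences, onboarded_tenants):
    """Return (ok, reason) for the claims of a token whose signature
    has ALREADY been verified (this function does no cryptography).

    claims            -- decoded JWT payload as a dict
    audiences         -- audience values this bot accepts (assumed: app ID / app ID URI)
    onboarded_tenants -- hypothetical allow-list of tenant IDs that granted admin consent
    """
    tid = str(claims.get("tid", "")).lower()
    if not GUID.match(tid):
        return False, "missing or malformed tid"
    if claims.get("aud") not in audiences:
        return False, "audience is not this app"
    # A multi-tenant app cannot pin one issuer; it must match the token's own tid.
    if claims.get("iss") not in [t.format(tid=tid) for t in ISSUER_TEMPLATES]:
        return False, "issuer does not match tid"
    if tid not in {t.lower() for t in onboarded_tenants}:
        return False, "tenant has not been onboarded"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not real tenant or app IDs.
    app = "00000000-0000-0000-0000-0000000000aa"
    tenant = "11111111-1111-1111-1111-111111111111"
    sample = {
        "tid": tenant,
        "aud": app,
        "iss": f"https://login.microsoftonline.com/{tenant}/v2.0",
    }
    print(check_tenant_claims(sample, {app}, {tenant}))
    print(check_tenant_claims(sample, {app}, set()))
```
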