azure, botframework, microsoft-teams

Can Azure Bot App Reg for Microsoft Teams use Single Tenant?


Right now, I have an MS Teams bot running under an App Registration configured to use "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

To begin with, I did some research on that topic and I am writing this question with the following resources in mind:

All these answers, from my understanding, come down to this:

  • prior to late 2021 only Multi-tenant apps were supported as the bot identity
  • now I should be able to use Single-tenant for the app registration, but that requires additional configuration
  • the moment when the mentioned changes take effect is the moment when the bot tries to authenticate

While other bots authorize imperatively (explicitly) using e.g. MicrosoftAppCredentials, MS Teams bots have their authorization details configured declaratively in XML files like appsettings.json in the bot service.

How can I use Single tenant App Registration with Azure Bot used in MS Teams? Or is it not possible currently?

EDIT:
For future readers: using the answer, I prepared two places where you can access the TenantId of the incoming activity to perform whitelisting validation (in a Multi-tenant setup, because Single-tenant is still not working on Teams):

  1. In BotController:
        [HttpPost]
        public async Task PostAsync()
        {
            // Tenant of the caller, as set on the request by the Bot Framework service
            var tenantId = this.Request.Headers["X-Ms-Tenant-Id"].ToString();
        }
  2. In a TeamsActivityHandler instance method override:
        internal class /***/ : TeamsActivityHandler
        {
            // any method that has access to the TurnContext or Activity
            public override Task /***/(ITurnContext<IInvokeActivity> turnContext, ...)
            {
                // Tenant of the conversation the incoming activity belongs to
                var tenantId = turnContext.Activity.Conversation.TenantId;
            }
        }

Having the TenantId, you can compare it to the allowed tenant(s) and reject or allow the request accordingly.


Solution

  • I ran into this with another user on this site recently, where Proactive Messaging would not work because they had selected Single Tenant. It's a recent option, and it seems broken from my research - I would go with the Multi-Tenant option. If you really need to block the bot from being accessible from other tenants (which could well be recommended, as it's possible for a bot to be accessed by any user in any Teams tenant), it might be best to white-list your Tenant Id(s). There's an old sample on how to do this here - I haven't tested if it's still working: https://github.com/OfficeDev/microsoft-teams-sample-complete-csharp/blob/master/template-bot-master-csharp/middleware/Middleware.cs
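A middleware form of the tenant allow-list the answer points to, added here as an example (it is neither the question's code nor the linked sample's). It assumes Bot Framework SDK 4.x for .NET; the configuration key AllowedTenantIds and the class names are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Integration.AspNet.Core;
using Microsoft.Bot.Schema;
using Microsoft.Bot.Schema.Teams;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

// Added example (not the question's or the linked sample's code); assumes Bot Framework SDK 4.x.
public class TenantAllowListMiddleware : IMiddleware
{
    private readonly HashSet<string> _allowed;
    private readonly ILogger _logger;
    public TenantAllowListMiddleware(IEnumerable<string> allowedTenantIds, ILogger logger)
    {
        _allowed = new HashSet<string>(allowedTenantIds, StringComparer.OrdinalIgnoreCase);
        _logger = logger;
    }

    // The adapter has already validated the Bot Framework token on the request,
    // so these fields were set by the Teams service, not typed by the end user.
    public static string GetTenantId(IActivity activity)
    {
        var tenantId = activity.Conversation?.TenantId;
        if (string.IsNullOrEmpty(tenantId))
            tenantId = activity.GetChannelData<TeamsChannelData>()?.Tenant?.Id;
        return tenantId;
    }

    public async Task OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken = default)
    {
        var tenantId = GetTenantId(turnContext.Activity);
        // Fail closed: no tenant (non-Teams channel, e.g. the Emulator) or an unknown tenant is rejected.
        if (string.IsNullOrEmpty(tenantId) || !_allowed.Contains(tenantId))
        {
            _logger.LogWarning("Rejected activity from tenant {TenantId} on channel {ChannelId}", tenantId ?? "<none>", turnContext.Activity.ChannelId);
            await turnContext.SendActivityAsync("This bot is not available in your organization.", cancellationToken: cancellationToken);
            return; // next() is never called, so the bot's handlers never see this turn
        }
        await next(cancellationToken);
    }
}

// Registration: read "AllowedTenantIds" (an array in appsettings.json; this example's own key) and add the middleware.
public class AdapterWithTenantAllowList : BotFrameworkHttpAdapter
{
    public AdapterWithTenantAllowList(IConfiguration configuration, ILogger<BotFrameworkHttpAdapter> logger) : base(configuration, logger)
    {
        Use(new TenantAllowListMiddleware(configuration.GetSection("AllowedTenantIds").Get<string[]>() ?? Array.Empty<string>(), logger));
    }
}
```

Put the allowed tenant GUIDs in appsettings.json under "AllowedTenantIds" and register AdapterWithTenantAllowList as the IBotFrameworkHttpAdapter in Startup; rejected turns then show up in the logs as warnings with the offending tenant id.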