SingleTenant bot gets empty 401 from api.botframework.com/api/usertoken/GetToken despite valid bearer token

[Karthik0295]

Steps to Reproduce

Environment

• SDK version: botbuilder 4.23.3
• Node.js: 22.22.0
• Platform: Microsoft Teams
• Bot Type: SingleTenant
• Channel: msteams
• OS: macOS / Windows Server 2019 (Azure)

---

Describe the Bug

A SingleTenant Azure Bot registered in Azure returns an empty 401 Unauthorized
from:

• https://api.botframework.com/api/usertoken/GetToken
• https://api.botframework.com/api/usertoken/GetTokenStatus

Despite presenting a valid bearer token with correct claims.

The bot successfully acquires its own token from the tenant-specific endpoint,
but api.botframework.com rejects it with an empty 401 and no error message.

---

Steps to Reproduce

1. Create an Azure Bot resource with msaAppType: SingleTenant
2. Register app in Azure AD as AzureADMyOrg
3. Configure an OAuth connection in the Azure Bot resource
4. Implement OAuthPrompt in a Teams bot using botbuilder SDK v4.23.3
5. Set ConfigurationBotFrameworkAuthentication with explicit SingleTenant config

---

Expected Behavior

/api/usertoken/GetToken should:

• Return the user token, or
• Return 404 if no token is cached

A 401 should not occur when the token is valid.

---

Actual Behavior

[sayali-MSFT]

Hello @Karthik0295 ,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

[sayali-MSFT]

Hello @Karthik0295 ,
Historically, most bots have used the Multi-Tenant Entra/AAD app type to acquire tokens in the Bot Framework tenant. However, recent security reviews have identified significant risks with this approach: Cross-Tenant communication Risks (SFI-TI 3.2.2: AAD Entra apps with cross-tenant violations), Broader Attack Surface, and reduced Security Controls.
To mitigate these risks and enhance customer security, Azure Bot Service is deprecating the Multi-Tenant bot type. All new bot registrations must use either the Single Tenant bot or User-Assigned Managed Identity type.

 
How to Register a New Bot as Single Tenant?
 
1.When creating an Entra app, make sure that it’s still multi-tenant (this is the AAD app). This is what that looks like

Notice that this app is still multi-tenant (option 3) - this will make sure your bot still works beyond Bot Authentication, especially for SSO flows if you’re using the same App.
 

2.Register Your Azure Bot Resource as Single Tenant:

• In the Azure portal, select Single Tenant as the bot type.
• Enter the App Tenant ID for the tenant where your AAD app is registered.
• Save your changes.

 3.Update Your Bot Configuration:

• In your bot’s code (Bot Framework SDK v4 or Teams AI SDK), set MicrosoftAppType to "SingleTenant" and fill in MicrosoftAppTenantId with your tenant’s ID.

            { 
  

  "MicrosoftAppType": "SingleTenant",
"MicrosoftAppTenantId": ""
}

Reference: Microsoft-Teams-Samples/samples/bot-conversation/csharp/appsettings.json at main · OfficeDev/Micros…

• For JS apps, set the value of tenantId in your .env file.
  Reference: Microsoft-Teams-Samples/samples/bot-conversation/nodejs/.env at main · OfficeDev/Microsoft-Teams-Sa…

Test Before Migrating Production Bots: We recommend testing your configuration with a test app before applying changes to production bots. Once you switch your app type to Single Tenant, there is no rollback option provided by Entra.
 
 
Additional Resources

• Create an Azure Bot resource in the Azure portal – Bot Service
• Register a Bot Framework bot with Azure – Bot Service
• Microsoft-Teams-Samples/samples/bot-conversation/csharp/appsettings.json at main · OfficeDev/Micros…
• https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/bot-conversation-sso-quickstart/csharp_dotnetcore/BotConversationSsoQuickstart

[Karthik0295]

But My bot was created as Single Tenant itself.
I am getting this issue in Single tenant Configuration

My Bot Token is completely valid.
But but api.botframework.com still returns 401 with an empty body.

Just wanted to understand why is that?

[sayali-MSFT]

Hello @Karthik0295 ,sure. We will check this with internal team and let you know the update.

[sayali-MSFT]

Hello @Karthik0295 ,
Could you please go through the document below?
https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/add-authentication?tabs=node-js%2Cdotnet-sample#create-the-resource-group

hope it is helpful!!!