Share via

Authorization denied error for multi-tenant bot – clarification on deprecation and cross-tenant support

Akshay Babar 25 Reputation points
2026-03-02T20:02:57.16+00:00

Hello Team,

We have created a new multi-tenant Microsoft Teams bot application in last week. and deployed it successfully on Microsoft Azure.

Current issue:

When we send a message from our backend server to the bot, and the bot tries to send the message to a Teams channel, we receive the following error:

"Authorization has been denied for this request."

We are able to successfully obtain the access token, but the message sending fails with this authorization error.

Question 1:

From online articles and discussions, we understand that multi-tenant bot creation has been deprecated after July 31, 2025.

However:

  • We created some multi-tenant bot in September 2025.

At that time, it was working correctly.

It has now started failing with the authorization error.

Could you please confirm:

  1. Is this failure related to the deprecation of multi-tenant bots?
  2. If this is because of deprecation, then how was it working when we created the existing bot in September 2025?

Question 2:

If the issue is due to multi-tenant deprecation and we need to switch to a single-tenant model:

How can we support users from other tenants?

Is it possible to distribute a custom Teams app package directly to specific tenants (without publishing to the Teams App Store)?

In a single-tenant bot setup, what is the recommended approach to support cross-tenant customers while maintaining proper service-to-service authentication?

We would appreciate clarification on the recommended architecture going forward.

Thank you.

Azure AI Bot Service
Azure AI Bot Service

An Azure service that provides an integrated environment for bot development.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Karnam Venkata Rajeswari 1,475 Reputation points Microsoft External Staff Moderator
    2026-03-17T10:32:09.85+00:00

    Hello Akshay Babar,

    Thank you for your patience.

    As asked , is the authorization failure caused by multi‑tenant bot deprecation - No, not directly. The issue is caused by new authorization enforcement, not an immediate shutdown.

    The July 31, 2025 change deprecated creation of new multi‑tenant Teams bot registrations, but did not immediately disable existing bots. Those created earlier continued to function because existing identities and tokens were still accepted. Since then, Teams has gradually enforced stricter authorization and tenant validation, including:

    ·       Tenant‑bound serviceUrl validation

    ·       Resource‑Specific Consent (RSC) enforcement

    ·       Bot identity alignment with the target tenant and channel

    Because of this enforcement, legacy multi‑tenant assumptions can now result in runtime failures such as Authorization has been denied for this request. Token acquisition may still succeed, while message posting fails due to tenant‑level authorization checks.

    If it is still possible to create a new multi‑tenant Teams bot - No. creation of new multi‑tenant Teams bot registrations is no longer supported. The supported and recommended model is now single‑tenant bot registration. New multi‑tenant bot creation is no longer supported

    Will switching to single‑tenant break backend ↔ Teams messaging - No. Single‑tenant bots are the supported and stable path.

    A single‑tenant bot fully supports:

    ·       Messages from Teams to the backend service

    ·       Messages sent from the backend service to Teams channels

    This model provides more predictable authentication because:

    ·       Tokens are issued for a single tenant

    ·       Authorization aligns cleanly with Teams enforcement

    ·       Service‑to‑service authentication is explicit and stable

    If users from other tenants still be supported - Yes. Single‑tenant bots are the supported and stable path.

    Cross‑tenant usage is supported through direct app distribution, not through a multi‑tenant bot identity.

    Recommended approach:

    ·       Register the bot as single‑tenant

    ·       Distribute the Teams app package directly to approved customer tenants

    ·       Grant Resource‑Specific Consent (RSC) during installation.

    If publishing to the Teams App Store required - No. Cross‑tenant users are supported via direct app distribution and RSC. Custom distribution is fully supported.

    Supported distribution options are

    ·       Tenant app catalog upload

    ·       Admin‑approved custom app upload

    ·       Direct sharing of the app package (ZIP) with specific tenants

    If required troubleshooting steps after app installation - Backend‑to‑Teams messaging remains fully supported.

    After installation in a tenant or channel, the following step is required:

    ·       Add the bot to the target channel or conversation

    ·       Trigger at least one inbound event (for example, a mention or message)

    This allows Teams to:

    ·       Generate a tenant‑specific serviceUrl

    ·       Grant channel‑level permissions

    ·       Enable successful outbound messaging

    This behavior is expected and required under current authorization enforcement.

     

    References:

    Resource-specific Consent for Apps - Teams | Microsoft Learn

    Upload your custom app - Teams | Microsoft Learn

    Thank you!

    0 comments
  2. Yutaka_K_JP 1,650 Reputation points
    2026-03-06T12:59:03.5833333+00:00

    I think that… single‑tenant won’t break ur backend↔Teams flow at all, and cross‑tenant still works if u drop the bot once into the target channel so Teams rebuilds the serviceUrl then just allow the RSC.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.