Switching production Azure Bots from MultiTenant to SingleTenant in Teams

Neelu George 60 Reputation points
2026-06-09T12:32:39.2933333+00:00

We are using old MultiTenant Azure Bots in our production Teams messaging system, with MultiTenant Azure Apps.

Right now we are planning to switch these Bot type to SingleTenant, leaving the app as MultiTenant itself.

Our backend code is equipped to handle SingleTenant Bots with MultiTenant Apps as we are currently using this in dev environment.Sideloading of app is done in external tenants(not a store published one)

From our testing done, we could successfully migrate the type without breaking existing integrations.

Queries:

  1. Is just switching the type in Azure portal enough?
  2. Will the already integrated customers be affected with this change?If yes, do they need to re-authenticate?
  3. Is this the standard way to migrate the bot type?
  4. How long will it take for these changes to get effective in APIs once we switch?
Azure AI Bot Service
Azure AI Bot Service

An Azure service that provides an integrated environment for bot development.

0 comments No comments

2 answers

Sort by: Most helpful
  1. SRILAKSHMI C 19,550 Reputation points Microsoft External Staff Moderator
    2026-06-11T08:28:00.4066667+00:00

    Hello @Neelu George

    Thank you for reaching out to Microsoft Q&A.

    Switching an existing production Teams bot from Multi-tenant to Single-tenant is not just a cosmetic change in Azure it impacts authentication flow, token issuance, and tenant consent behavior in Microsoft Entra ID.

    Below is a consolidated response based on the supported bot configuration model.

    1. Is switching the type in Azure Portal enough?

    No, this is not sufficient by itself.

    For Azure Bot / Teams bot authentication, the effective behavior depends on multiple configuration parameters, not just the portal toggle.

    Key configuration values involved:

    • MicrosoftAppType (MultiTenant vs SingleTenant)
    • MicrosoftAppId
    • MicrosoftAppPassword
    • MicrosoftAppTenantId (required only for SingleTenant)

    For Single-tenant mode, you must also ensure:

    • A Single-tenant Entra ID app registration exists
    • MicrosoftAppTenantId is explicitly set
    • Bot registration and backend configuration are aligned with SingleTenant mode

    Switching only the portal setting without aligning app registration + bot configuration is not a complete or supported migration by itself.

    2. Will existing customers be affected?

    Yes, there can be impact depending on authentication flow and token lifecycle.

    Expected behavior:

    Existing tenants already using the bot:

    • May continue working temporarily due to cached sessions/tokens
    • But behavior is not guaranteed long-term

    After switching to Single-tenant:

    • Tokens issued for other tenants may fail validation
    • Possible issues:
      • 401 Unauthorized
      • consent failures
      • sign-in interruption in Teams

    In many cases, users may need to:

    • Re-consent to the application
    • Re-login in Teams
    • Re-establish bot conversation sessions

    Impact depends heavily on how your OAuth and bot authentication flow is implemented.

    3. Is this the standard migration approach?

    No, in-place conversion is not the recommended migration strategy.

    The commonly recommended approach is:

    Standard migration pattern:

    1. Create a new Single-tenant app registration in Microsoft Entra ID
    2. Configure bot with SingleTenant settings
    3. Update MicrosoftAppTenantId and related configuration
    4. Deploy and validate in parallel
    5. Gradually migrate tenants/users
    6. Decommission MultiTenant app after validation

    This avoids breaking existing multi-tenant trust relationships and minimizes production risk.

    4. How long do changes take to take effect?

    There is no fixed propagation SLA documented.

    Practical behavior:

    Azure portal change: immediate

    Token issuance changes: typically within minutes

    Teams client impact Can range from minutes to several hours due to:

    • cached tokens
    • active sessions
    • refresh token lifecycle

    Existing sessions may continue until token refresh or re-authentication occurs.

    Please refer this

    Provision and publish a bot (application service settings / MicrosoftAppType values): https://learn.microsoft.com/en-us/azure/bot-service/provision-and-publish-a-bot?view=azure-bot-service-4.0&wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider&tabs=userassigned%2Ccsharp#update-project-configuration-settings

    Convert an existing skill from multitenant to single-tenant (standard migration steps + required values): https://learn.microsoft.com/en-us/azure/bot-service/skill-pva-convert-skill-single-tenant?view=azure-bot-service-4.0&wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider

    Manage a bot (application service settings / MicrosoftAppType values and deprecation note for new multi-tenant bot creation): https://learn.microsoft.com/en-us/azure/bot-service/bot-service-manage-overview?view=azure-bot-service-4.0&wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider&tabs=userassigned#application-service-settings

    Use the Azure portal to Create an Azure Bot resource (Multi-tenant creation deprecation note + where to find App ID/Tenant ID):https://learn.microsoft.com/en-us/azure/bot-service/abs-quickstart?view=azure-bot-service-4.0&wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider&tabs=userassigned

    I Hope this helps. Do let me know if you have any further queries.


    If this answers your query, please do click Accept Answer and Yes for was this answer helpful.

    Thank you!

    Was this answer helpful?


  2. F Anand Nathaniel 0 Reputation points
    2026-06-09T14:09:53.1166667+00:00

    This is a great question about migrating Azure Bot Service from multitenant to single tenant in a production Microsoft Teams environment. Let me address each of your queries:

    1. Is just switching the type in Azure portal enough?

    Not quite. You'll need to:

    a) Update the bot registration in Azure Portal (change the tenant type) b) Update the Microsoft App ID configuration to single tenant c) Potentially update your bot's manifest file if it references tenant-specific settings d) Verify your bot's endpoint configuration remains correct

    1. Will already integrated customers be affected? Do they need to re-authenticate?

    Good news based on your testing: Since you've successfully tested this migration without breaking existing integrations, the impact should be minimal. However, consider:

    a) Authentication tokens: Existing tokens should remain valid initially, but users may need to re-authenticate when their current tokens expire b) Bot functionality: The bot should continue working in existing conversations c) New installations: For sideloaded apps in external tenants with a single-tenant bot, you need to ensure the bot's app registration has the necessary permissions for those external tenants d) Best practice: Notify customers about the change and be prepared for potential re-authentication requests, even if your testing didn't show issues

    1. Is this the standard way to migrate bot type?

    Your approach is reasonable, but the standard migration path typically involves:

    a) Test in non-production first ✓ (you're doing this) b) Change the tenant type in Azure AD app registration c) Update bot registration to reflect the new tenant configuration d) Maintain the same App ID and Password/Secret (critical for continuity) e) Monitor for authentication issues post-migration f) Plan a maintenance window for the switchover

    Note: Keeping the App as multitenant while the bot is single tenant is unusual but can work. The standard approach is typically full single tenant (both app and bot) or full multitenant.

    1. How long for changes to take effect?

    a) Azure AD changes: Usually propagate within 5-15 minutes, but can take up to 24 hours for full global propagation b) Teams cache: May take 1-2 hours for Teams clients to refresh c) API availability: Should be immediate to 15 minutes for most endpoints d) Recommendation: Wait at least 30 minutes after making changes before declaring success, and monitor for 24 hours

    Additional Recommendations:

    Before migration:

    a) Document your current App ID, tenant ID, and bot configuration b) Have a rollback plan ready c) Test with a pilot customer group if possible d) Ensure your backend can handle both authentication patterns during transition

    During migration:

    a) Make changes during low-usage hours b) Monitor application insights/logs closely c) Have support team on standby

    After migration:

    a) Watch for authentication errors in logs b) Monitor Teams bot conversations for failures c) Be ready to guide users through re-authentication if needed

    Since you mentioned your backend already handles single tenant bots with multitenant apps in development, you're in a good position. Just ensure all configuration values (tenant IDs, app IDs) are correctly updated in your production environment to match the new single-tenant bot setup.

    Was this answer helpful?


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.