Teams connector: incompatibility with Single Tenant Azure Bot (Multi-tenant bot creation deprecated by Microsoft)

[IonaGuyomarch]

Summary

Since mid-2025, Microsoft has deprecated the creation of Multi-Tenant Azure Bots.
All new Azure Bots must now be created as Single Tenant or User-Assigned Managed Identity.
This makes the Tock Teams connector non-functional for any new bot setup.

Problem

The TokenHandler in the Teams connector requests an OAuth2 token using botframework.com
as the tenant:

POST https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token

This works only for Multi-Tenant bots. For Single Tenant bots, the request must use
the specific Tenant ID instead:

POST https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

As a result, all token requests fail with HTTP 401.

Steps to reproduce

1. Create a new Azure Bot (only Single Tenant is available)
2. Create an App Registration with the corresponding App ID and secret
3. Configure the Teams connector in Tock Studio with the appId and password
4. Send a message → no response, 401 error in logs:

WARN ai.tock.bot.connector.teams.TeamsClient - Microsoft Login Api Error : 401

Expected behavior

The Teams connector should support Single Tenant Azure Bots by allowing
the configuration of a tenantId parameter, used in the OAuth2 token request.

Environment

• Tock version: 25.10.5
• Connector: Teams
• Azure Bot type: Single Tenant (Multi-tenant no longer available for new bots)
• App Registration signInAudience: AzureADandPersonalMicrosoftAccount

[zigzago]

@IonaGuyomarch please ask me if you need help to test the fix in the PR #2020

[IonaGuyomarch]

Hi @zigzago,
Thank you very much for your quick answer. Yes I would love to test the fix! But I'm not using Tock from source, I'm using the docker image — could you provide a test Docker image? Otherwise I'll give it a try to compile it from source
My setup is Docker on Windows with docker-compose-bot.yml.

[zigzago]

just pull the tock-docker repo and be sure to have

26.3.1-SNAPSHOT in your .env file. (TAG=26.3.1-SNAPSHOT)

You should get then the tenantId in the configuration box:

[IonaGuyomarch]

I succedded pulling the good version (I was using the 26.3.1 without the SNAPSHOT tag), and the error for the Single tenant configuration is OK.
The problem is that I'm still getting an error but this time concerning the Microsoft Login API Error : 401.
I tried several solutions but I'm still getting that error each time, any thoughts about this?

[zigzago]

You can take a look at the authentication code and may be see what is problematic:

tock/bot/connector-teams/src/main/kotlin/auth/AuthenticateBotConnectorService.kt

Line 142 in c069923

private fun checkTokenValidityFromConnectorService(

You can also try to turn on tock_default_log_level=DEBUG for the bot pod in the docker compose file, and see if there is any log that explains the issue.

HTH