Question about the timing of service principal creation for a Teams bot

石川敦己 235

When creating a bot resource from the Teams Developer Portal, a corresponding Microsoft Entra ID application with the same application ID as the bot is also created.

For a typical multi-tenant Microsoft Entra application, a service principal is created in an external tenant when a user from that tenant first accesses the application.

Reference: Understand user and admin consent and make appropriate code changes

Question: For a Teams bot published to the store, when is the service principal for the bot resource (Microsoft Entra application) created? Is it at the timing when a user installs the Teams app in Teams?

Prasad-MSFT 8,416 Reputation points Microsoft Vendor

2025-01-27T13:35:54.6566667+00:00
For a Teams bot published to the Teams Store, the service principal for the bot resource (Microsoft Entra application) is created at the time when a user from an external tenant first interacts with the bot. This typically happens when:

User Installs the Teams App:

When a user from an external tenant installs the Teams app that includes the bot, the service principal for the bot is created in the user's tenant.

This allows the bot to operate within the user's tenant and handle interactions from users in that tenant.

User Interacts with the Bot:

If the bot is already installed as part of a Teams app, the service principal is created when a user from an external tenant first interacts with the bot (e.g., sends a message to the bot).
石川敦己 235 Reputation points

2025-01-28T04:03:03.03+00:00

Dear @Prasad-MSFT ,

Thank you for your detailed response. I am relieved to hear that the service principal is created at the time of installation. However, could you kindly share any documentation that explains the process described under "When a user installs the Teams app"?

As a concern, we are considering creating a one-way bot and do not plan to host the bot as a web server for interactive communication. All notifications are expected to be sent as proactive messages. In this case, I would like to confirm whether the service principal will still be created at the time of installation without any issues.
Prasad-MSFT 8,416 Reputation points Microsoft Vendor

2025-01-28T14:00:08.8+00:00
石川敦己
1.PFB the documentation where it is mentioned that, when a user from a different tenant signs in to the application for the first time, Microsoft Entra ID asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant, and sign-in can continue.

https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent-and-make-appropriate-code-changes

2.Considering you plan to create a one-way bot that sends proactive messages and does not host a web server for interactive communication:

Proactive Messaging Feasibility: The service principal will still be created at the time of installation without any issues. Proactive messaging is supported as long as the bot has the necessary permissions to send messages to users or channels.

No Web Server Requirement: Hosting a web server for interactive communication is not mandatory for sending proactive messages.

Accepted answer

Prasad-MSFT 8,416 Reputation points Microsoft Vendor

2025-01-28T13:58:31.7233333+00:00
石川敦己,
1.PFB the documentation where it is mentioned that, when a user from a different tenant signs in to the application for the first time, Microsoft Entra ID asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant, and sign-in can continue.

https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent-and-make-appropriate-code-changes

2.Considering you plan to create a one-way bot that sends proactive messages and does not host a web server for interactive communication:

Proactive Messaging Feasibility: The service principal will still be created at the time of installation without any issues. Proactive messaging is supported as long as the bot has the necessary permissions to send messages to users or channels.

No Web Server Requirement: Hosting a web server for interactive communication is not mandatory for sending proactive messages.

Thanks,

Prasad Das

*************************************************************************

If the response is helpful, please click "Accept Answer" and upvote it. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Question about the timing of service principal creation for a Teams bot

0 additional answers

Your answer