web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Copilot Studio / Limit end-user authent...
Copilot Studio
Answered

Limit end-user authentication (signInAudience) to organizational directory only

(0) ShareShare
ReportReport
Posted on by BenAffleck 25

Good day,

 

As per the documentation here, we need to configure the app registration for end-user authentication to allow "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". 

 

For better security, I tried changing this value to "Accounts in this organizational directory only (Customer - Single tenant),"
using the manifest editor. 

 

However, this seems to be not supported as the error message indicates on login:

 

{
 "error": {
 "code": "ServiceError",
 "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant
 }
}

 

Is there any way to limit the app registration to single-tenant only? 

 

This was one finding of a security audit, so I would also be interessted in the reason for this design decision. 

 

Many thanks.

Categories:
General topics
I have the same question (0)
  • Verified answer
    CU22081450-0 Profile Picture
    CU22081450-0 Most Valuable Professional on at

    Hi @BenAffleck ,

     

    Have no problem to allow multitenant because when you configure the API permissions inside the Azure panel, you need grant consent using the Administrator of your organization. But when a user connect to the Loggin button, you are getting the data to the user and not the user gets the data from the organization.

    That's no way to allow only your single-tenant but I hope that it's not bad for you because we can get another organization data in the future.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the March Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Copilot Studio

#1
Valantis Profile Picture

Valantis 599

#2
chiaraalina Profile Picture

chiaraalina 170 Super User 2026 Season 1

#3
deepakmehta13a Profile Picture

deepakmehta13a 118

Last 30 days Overall leaderboard

Featured topics

Announcing the "Microsoft Copilot Studio ❤️ MCP" lab
Block PII/PCI in Copilot Studio agent user prompt
Welcome to the Copilot Studio forum!

Product updates

Microsoft Power Platform Community release plans