
fix(msteams): use dynamic tenant ID for sts.windows.net JWT issuer#64276

Closed
mschaepers wants to merge 1 commit into openclaw:main from mschaepers:fix/singletenant-jwt-issuer

Conversation

@mschaepers

Summary

  • The sts.windows.net issuer entry in BOT_FRAMEWORK_ISSUERS was hardcoded to a single tenant ID (d6d49420-f39b-4df7-a1dc-d59a935871db), causing JWT validation to reject tokens from all other SingleTenant bot deployments
  • Changed the static string to a dynamic function ``(tenantId) => `https://sts.windows.net/${tenantId}/` `` matching the pattern used by the login.microsoftonline.com entry
  • Updated the corresponding test to use the test credential's tenantId instead of the hardcoded value

Context

SingleTenant Azure Bot registrations (required since Microsoft deprecated MultiTenant after 2025-07-31) issue tokens with issuer https://sts.windows.net/{tenantId}/ (Azure AD v1 endpoint). The current code only accepts this issuer for one specific tenant, so every other SingleTenant deployment gets 401 Unauthorized on all incoming Bot Framework webhooks.

Fixes #64270

Test plan

  • Existing test "validates a token with STS Windows issuer" now uses dynamic creds.tenantId instead of hardcoded UUID
  • Verify vitest run --config vitest.extension-msteams.config.ts passes
  • Deploy a SingleTenant bot and confirm incoming Teams messages no longer return 401

🤖 Generated with Claude Code

The STS Windows issuer entry in BOT_FRAMEWORK_ISSUERS was hardcoded to
a single tenant ID (d6d49420-...), causing JWT validation to fail for
all other SingleTenant bot deployments. SingleTenant tokens from Azure
Bot Service use issuer `https://sts.windows.net/{tenantId}/` (v1), so
this must be a dynamic function like the other issuer entries.

Fixes openclaw#64270

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
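The allow-list pattern the PR describes, as an added TypeScript example that is not openclaw's sdk.ts: the function names follow the PR text, but their bodies and the tenant IDs are assumptions, and the pinned "before" entry is shown beside the tenant-derived "after" entry so the tenant-scoping behaviour can be compared.

```typescript
// Added example modelling the issuer allow-list the PR describes; not openclaw's code.
// An entry is either a static issuer string or a function of the bot's own tenant ID.
type IssuerEntry = string | ((tenantId: string) => string);

// Constructed placeholder for the tenant that was hardcoded in the original list.
const PINNED_TENANT = "11111111-1111-1111-1111-111111111111";

// "Before": the sts.windows.net (Azure AD v1) entry pinned to a single tenant.
const BOT_FRAMEWORK_ISSUERS_BEFORE: IssuerEntry[] = [
  "https://api.botframework.com",
  (tenantId) => `https://login.microsoftonline.com/${tenantId}/v2.0`,
  `https://sts.windows.net/${PINNED_TENANT}/`,
];

// "After": the v1 entry is derived from the configured tenant, like the v2.0 entry.
const BOT_FRAMEWORK_ISSUERS_AFTER: IssuerEntry[] = [
  "https://api.botframework.com",
  (tenantId) => `https://login.microsoftonline.com/${tenantId}/v2.0`,
  (tenantId) => `https://sts.windows.net/${tenantId}/`,
];

// Static entries pass through; function entries are evaluated for this bot's tenant.
function resolveIssuerEntry(entry: IssuerEntry, tenantId: string): string {
  return typeof entry === "function" ? entry(tenantId) : entry;
}

function allowedIssuers(entries: IssuerEntry[], tenantId: string): string[] {
  return entries.map((entry) => resolveIssuerEntry(entry, tenantId));
}

// Exact-match check of a token's `iss` claim (trailing slash included) against the
// resolved list. Signature and `aud` checks happen elsewhere and are out of scope here.
function isIssuerAllowed(entries: IssuerEntry[], tenantId: string, iss: string): boolean {
  return allowedIssuers(entries, tenantId).includes(iss);
}

// Constructed claim from a SingleTenant bot in a tenant other than the pinned one.
const MY_TENANT = "22222222-2222-2222-2222-222222222222";
const MY_V1_ISSUER = `https://sts.windows.net/${MY_TENANT}/`;

// Before the fix the token is rejected (the 401 in the bug report); after it, accepted.
const rejectedBefore = !isIssuerAllowed(BOT_FRAMEWORK_ISSUERS_BEFORE, MY_TENANT, MY_V1_ISSUER);
const acceptedAfter = isIssuerAllowed(BOT_FRAMEWORK_ISSUERS_AFTER, MY_TENANT, MY_V1_ISSUER);
// The fix stays tenant-scoped: a v1 issuer for any other tenant is still refused.
const otherTenantRejected = !isIssuerAllowed(
  BOT_FRAMEWORK_ISSUERS_AFTER, MY_TENANT, `https://sts.windows.net/${PINNED_TENANT}/`);
```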
@openclaw-barnacle openclaw-barnacle Bot added channel: msteams Channel integration: msteams size: XS labels Apr 10, 2026
@greptile-apps
Contributor

greptile-apps Bot commented Apr 10, 2026

Greptile Summary

This PR fixes a long-standing bug where the sts.windows.net issuer entry in BOT_FRAMEWORK_ISSUERS was hardcoded to a single tenant UUID, causing all SingleTenant bot deployments (other than the one matching that specific UUID) to receive 401 Unauthorized on every incoming Bot Framework webhook. The fix converts the static string to a dynamic function ``(tenantId) => `https://sts.windows.net/${tenantId}/` `` — consistent with the existing pattern for the login.microsoftonline.com entry — and updates the corresponding test to use creds.tenantId.

Confidence Score: 5/5

This PR is safe to merge — the fix is minimal, targeted, and consistent with the established pattern already used for the Entra v2.0 issuer entry.

No P0 or P1 findings. The change is a one-line fix in sdk.ts plus a matching test update. The dynamic issuer function correctly scopes validation to the configured tenant (correct SingleTenant security behavior), the JWKS endpoint is shared and valid for both Azure AD v1 and v2.0, and all related code paths (allowedIssuers computation and resolveIssuerEntry) already handle function-based issuers correctly.

No files require special attention.

Reviews (1): Last reviewed commit: "fix(msteams): use dynamic tenant ID for ..."

@steipete
Contributor

Closing this as implemented after Codex review.

Current main already includes the tenant-scoped sts.windows.net/{tenantId}/ issuer handling for Microsoft Teams JWT validation, plus regression tests for both the valid tenant-scoped issuer and rejection of the old hardcoded tenant. The same implementation is present in release v2026.4.23, so this PR is superseded by code already shipped on main/release.

What I checked:

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 11804a484ded; fix evidence: release v2026.4.23, commit a9797214338b.

@steipete steipete closed this Apr 25, 2026


Development

Successfully merging this pull request may close these issues.

[Bug] MS Teams SingleTenant bot: JWT validation fails (issuer + audience mismatch)