Fix bicep files now that multi-tenant is no longer permitted (#292)

Fixes `Multitenant bot creation is deprecated. Please use SingleTenant
or UserAssignedMSI`.
MSFT deprecated Multi-Tenant app registrations (see
https://docs.azure.cn/en-us/bot-service/provision-and-publish-a-bot?view=azure-bot-service-4.0&tabs=userassigned%2Ccsharp).
<img width="800" height="691" alt="image"
src="https://github.com/user-attachments/assets/9b989c9e-5e58-4efb-aecb-9b40f0cbcab2"
/>

This requires certain updates to our bicep files to ensure that users
can still use ATK to provision new bots. I tested this change by
Creating a fresh new echo bot and using ATK to deploy it without any
manual effort.

Future versions of the CLI (@preview9 onward) will have this fixed, but
for now, you need to manually make the changes demonstrated in this PR.

OR If you prefer using Github Copilot, just use this prompt:

```
 Please update the Azure Bicep templates to migrate from app registration authentication to managed identity authentication for the Azure Bot Framework. You'll be working with two files that currently
   use the old app registration pattern.

  **File: infra/azure.bicep**

  The current file uses `botAadAppClientId` and `botAadAppClientSecret` parameters. Please make these changes:

  1. **Remove these parameters:**
     ```bicep
     @description('Required when create Azure Bot service')
     param botAadAppClientId string

     @secure()
     @description('Required by Bot Framework package in your bot project')
     param botAadAppClientSecret string

  2. Add new parameter after the existing parameters:
  param identityName string = resourceBaseName
  3. Add managed identity resource before the serverfarm resource:
  resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
    location: location
    name: identityName
  }
  4. Update the webApp resource:
    - Change comment from "Web App that hosts your bot" to "Web App that hosts your agent"
    - Update Node.js version from '~16' to '~18'
    - Replace the BOT_ID and BOT_PASSWORD app settings with:
    {
    name: 'BOT_ID'
    value: identity.properties.clientId
  }
  {
    name: 'BOT_TENANT_ID'
    value: identity.properties.tenantId
  }
  { 
    name: 'BOT_TYPE'
    value: 'UserAssignedMsi'
  }
    - Add identity configuration after the properties section:
    identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  5. Update the azureBotRegistration module parameters:
  Replace botAadAppClientId: botAadAppClientId with:
  identityClientId: identity.properties.clientId
  identityResourceId: identity.id
  identityTenantId: identity.properties.tenantId
  6. Add new outputs:
  output BOT_ID string = identity.properties.clientId
  output BOT_TENANT_ID string = identity.properties.tenantId

  File: infra/botRegistration/azurebot.bicep

  1. Replace the botAadAppClientId parameter with these three:
  param identityResourceId string
  param identityClientId string
  param identityTenantId string
  2. Update the botService resource properties:
  Replace msaAppId: botAadAppClientId with:
  msaAppId: identityClientId
  msaAppMSIResourceId: identityResourceId
  msaAppTenantId:identityTenantId
  msaAppType:'UserAssignedMSI'

  These changes eliminate the need for managing bot secrets and use Azure's managed identity for more secure authentication.
```

Author: heyitsaamir

.github/workflows/template-sync.yml

@@ -57,7 +57,8 @@ jobs:
 
           # Check template directories without matching test changes
           for dir in "${!template_dirs[@]}"; do
-            if [[ -z "${test_dirs[$dir]}" ]]; then
+            # Only check if the corresponding test directory exists
+            if [[ -d "tests/$dir" && -z "${test_dirs[$dir]}" ]]; then
               echo "::error::Changes detected in template directory but no corresponding test changes found (use skip-test-verification in PR description to skip this check)"
               echo "Template directory: packages/cli/templates/typescript/$dir"
               echo "Changed files:"
@@ -69,7 +70,8 @@ jobs:
 
           # Check test directories without matching template changes
           for dir in "${!test_dirs[@]}"; do
-            if [[ -z "${template_dirs[$dir]}" ]]; then
+            # Only check if the corresponding template directory exists
+            if [[ -d "packages/cli/templates/typescript/$dir" && -z "${template_dirs[$dir]}" ]]; then
               echo "::error::Changes detected in test directory but no corresponding template changes found (use skip-test-verification in PR description to skip this check)"
               echo "Test directory: tests/$dir"
               echo "Changed files:"

packages/cli/configs/atk/basic/csharp/TeamsApp/infra/azure.bicep

@@ -3,22 +3,21 @@
 @description('Used to generate names for all resources in this file')
 param resourceBaseName string
 
-@description('Required when create Azure Bot service')
-param botAadAppClientId string
-
-@secure()
-@description('Required by Bot Framework package in your bot project')
-param botAadAppClientSecret string
-
 param webAppSKU string
 
 @maxLength(42)
 param botDisplayName string
 
 param serverfarmsName string = resourceBaseName
 param webAppName string = resourceBaseName
+param identityName string = resourceBaseName
 param location string = resourceGroup().location
 
+resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  location: location
+  name: identityName
+}
+
 // Compute resources for your Web App
 resource serverfarm 'Microsoft.Web/serverfarms@2021-02-01' = {
   kind: 'app'
@@ -29,7 +28,7 @@ resource serverfarm 'Microsoft.Web/serverfarms@2021-02-01' = {
   }
 }
 
-// Web App that hosts your bot
+// Web App that hosts your agent
 resource webApp 'Microsoft.Web/sites@2021-02-01' = {
   kind: 'app'
   location: location
@@ -46,32 +45,44 @@ resource webApp 'Microsoft.Web/sites@2021-02-01' = {
         }
         {
           name: 'WEBSITE_NODE_DEFAULT_VERSION'
-          value: '~16' // Set NodeJS version to 16.x for your site
+          value: '~20' // Set NodeJS version to 20.x for your site
         }
         {
           name: 'RUNNING_ON_AZURE'
           value: '1'
         }
         {
           name: 'BOT_ID'
-          value: botAadAppClientId
+          value: identity.properties.clientId
         }
         {
-          name: 'BOT_PASSWORD'
-          value: botAadAppClientSecret
+          name: 'BOT_TENANT_ID'
+          value: identity.properties.tenantId
+        }
+        { 
+          name: 'BOT_TYPE' 
+          value: 'UserAssignedMsi'
         }
       ]
       ftpsState: 'FtpsOnly'
     }
   }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identity.id}': {}
+    }
+  }
 }
 
 // Register your web service as a bot with the Bot Framework
 module azureBotRegistration './botRegistration/azurebot.bicep' = {
   name: 'Azure-Bot-registration'
   params: {
     resourceBaseName: resourceBaseName
-    botAadAppClientId: botAadAppClientId
+    identityClientId: identity.properties.clientId
+    identityResourceId: identity.id
+    identityTenantId: identity.properties.tenantId
     botAppDomain: webApp.properties.defaultHostName
     botDisplayName: botDisplayName
   }
@@ -80,3 +91,5 @@ module azureBotRegistration './botRegistration/azurebot.bicep' = {
 // The output will be persisted in .env.{envName}. Visit https://aka.ms/teamsfx-actions/arm-deploy for more details.
 output BOT_AZURE_APP_SERVICE_RESOURCE_ID string = webApp.id
 output BOT_DOMAIN string = webApp.properties.defaultHostName
+output BOT_ID string = identity.properties.clientId
+output BOT_TENANT_ID string = identity.properties.tenantId

packages/cli/configs/atk/basic/csharp/TeamsApp/infra/botRegistration/azurebot.bicep

@@ -8,7 +8,9 @@ param botDisplayName string
 
 param botServiceName string = resourceBaseName
 param botServiceSku string = 'F0'
-param botAadAppClientId string
+param identityResourceId string
+param identityClientId string
+param identityTenantId string
 param botAppDomain string
 
 // Register your web service as a bot with the Bot Framework
@@ -19,7 +21,10 @@ resource botService 'Microsoft.BotService/botServices@2021-03-01' = {
   properties: {
     displayName: botDisplayName
     endpoint: 'https://${botAppDomain}/api/messages'
-    msaAppId: botAadAppClientId
+    msaAppId: identityClientId
+    msaAppMSIResourceId: identityResourceId
+    msaAppTenantId: identityTenantId
+    msaAppType: 'UserAssignedMSI'
   }
   sku: {
     name: botServiceSku

packages/cli/configs/atk/basic/typescript/infra/azure.bicep

@@ -3,22 +3,21 @@
 @description('Used to generate names for all resources in this file')
 param resourceBaseName string
 
-@description('Required when create Azure Bot service')
-param botAadAppClientId string
-
-@secure()
-@description('Required by Bot Framework package in your bot project')
-param botAadAppClientSecret string
-
 param webAppSKU string
 
 @maxLength(42)
 param botDisplayName string
 
 param serverfarmsName string = resourceBaseName
 param webAppName string = resourceBaseName
+param identityName string = resourceBaseName
 param location string = resourceGroup().location
 
+resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  location: location
+  name: identityName
+}
+
 // Compute resources for your Web App
 resource serverfarm 'Microsoft.Web/serverfarms@2021-02-01' = {
   kind: 'app'
@@ -29,7 +28,7 @@ resource serverfarm 'Microsoft.Web/serverfarms@2021-02-01' = {
   }
 }
 
-// Web App that hosts your bot
+// Web App that hosts your agent
 resource webApp 'Microsoft.Web/sites@2021-02-01' = {
   kind: 'app'
   location: location
@@ -42,36 +41,48 @@ resource webApp 'Microsoft.Web/sites@2021-02-01' = {
       appSettings: [
         {
           name: 'WEBSITE_RUN_FROM_PACKAGE'
-          value: '1' // Run Azure APP Service from a package file
+          value: '1' // Run Azure App Service from a package file
         }
         {
           name: 'WEBSITE_NODE_DEFAULT_VERSION'
-          value: '~16' // Set NodeJS version to 16.x for your site
+          value: '~20' // Set NodeJS version to 20.x for your site
         }
         {
           name: 'RUNNING_ON_AZURE'
           value: '1'
         }
         {
           name: 'BOT_ID'
-          value: botAadAppClientId
+          value: identity.properties.clientId
         }
         {
-          name: 'BOT_PASSWORD'
-          value: botAadAppClientSecret
+          name: 'BOT_TENANT_ID'
+          value: identity.properties.tenantId
+        }
+        { 
+          name: 'BOT_TYPE' 
+          value: 'UserAssignedMsi'
         }
       ]
       ftpsState: 'FtpsOnly'
     }
   }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identity.id}': {}
+    }
+  }
 }
 
 // Register your web service as a bot with the Bot Framework
 module azureBotRegistration './botRegistration/azurebot.bicep' = {
   name: 'Azure-Bot-registration'
   params: {
     resourceBaseName: resourceBaseName
-    botAadAppClientId: botAadAppClientId
+    identityClientId: identity.properties.clientId
+    identityResourceId: identity.id
+    identityTenantId: identity.properties.tenantId
     botAppDomain: webApp.properties.defaultHostName
     botDisplayName: botDisplayName
   }
@@ -80,3 +91,5 @@ module azureBotRegistration './botRegistration/azurebot.bicep' = {
 // The output will be persisted in .env.{envName}. Visit https://aka.ms/teamsfx-actions/arm-deploy for more details.
 output BOT_AZURE_APP_SERVICE_RESOURCE_ID string = webApp.id
 output BOT_DOMAIN string = webApp.properties.defaultHostName
+output BOT_ID string = identity.properties.clientId
+output BOT_TENANT_ID string = identity.properties.tenantId

packages/cli/configs/atk/basic/typescript/infra/botRegistration/azurebot.bicep

@@ -8,7 +8,9 @@ param botDisplayName string
 
 param botServiceName string = resourceBaseName
 param botServiceSku string = 'F0'
-param botAadAppClientId string
+param identityResourceId string
+param identityClientId string
+param identityTenantId string
 param botAppDomain string
 
 // Register your web service as a bot with the Bot Framework
@@ -19,7 +21,10 @@ resource botService 'Microsoft.BotService/botServices@2021-03-01' = {
   properties: {
     displayName: botDisplayName
     endpoint: 'https://${botAppDomain}/api/messages'
-    msaAppId: botAadAppClientId
+    msaAppId: identityClientId
+    msaAppMSIResourceId: identityResourceId
+    msaAppTenantId:identityTenantId
+    msaAppType:'UserAssignedMSI'
   }
   sku: {
     name: botServiceSku

packages/cli/configs/atk/embed/typescript/infra/azure.bicep

@@ -3,22 +3,21 @@
 @description('Used to generate names for all resources in this file')
 param resourceBaseName string
 
-@description('Required when create Azure Bot service')
-param botAadAppClientId string
-
-@secure()
-@description('Required by Bot Framework package in your bot project')
-param botAadAppClientSecret string
-
 param webAppSKU string
 
 @maxLength(42)
 param botDisplayName string
 
 param serverfarmsName string = resourceBaseName
 param webAppName string = resourceBaseName
+param identityName string = resourceBaseName
 param location string = resourceGroup().location
 
+resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  location: location
+  name: identityName
+}
+
 // Compute resources for your Web App
 resource serverfarm 'Microsoft.Web/serverfarms@2021-02-01' = {
   kind: 'app'
@@ -29,7 +28,7 @@ resource serverfarm 'Microsoft.Web/serverfarms@2021-02-01' = {
   }
 }
 
-// Web App that hosts your bot
+// Web App that hosts your agent
 resource webApp 'Microsoft.Web/sites@2021-02-01' = {
   kind: 'app'
   location: location
@@ -46,32 +45,44 @@ resource webApp 'Microsoft.Web/sites@2021-02-01' = {
         }
         {
           name: 'WEBSITE_NODE_DEFAULT_VERSION'
-          value: '~16' // Set NodeJS version to 16.x for your site
+          value: '~20' // Set NodeJS version to 20.x for your site
         }
         {
           name: 'RUNNING_ON_AZURE'
           value: '1'
         }
         {
           name: 'BOT_ID'
-          value: botAadAppClientId
+          value: identity.properties.clientId
         }
         {
-          name: 'BOT_PASSWORD'
-          value: botAadAppClientSecret
+          name: 'BOT_TENANT_ID'
+          value: identity.properties.tenantId
+        }
+        { 
+          name: 'BOT_TYPE' 
+          value: 'UserAssignedMsi'
         }
       ]
       ftpsState: 'FtpsOnly'
     }
   }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identity.id}': {}
+    }
+  }
 }
 
 // Register your web service as a bot with the Bot Framework
 module azureBotRegistration './botRegistration/azurebot.bicep' = {
   name: 'Azure-Bot-registration'
   params: {
     resourceBaseName: resourceBaseName
-    botAadAppClientId: botAadAppClientId
+    identityClientId: identity.properties.clientId
+    identityResourceId: identity.id
+    identityTenantId: identity.properties.tenantId
     botAppDomain: webApp.properties.defaultHostName
     botDisplayName: botDisplayName
   }
@@ -80,3 +91,5 @@ module azureBotRegistration './botRegistration/azurebot.bicep' = {
 // The output will be persisted in .env.{envName}. Visit https://aka.ms/teamsfx-actions/arm-deploy for more details.
 output BOT_AZURE_APP_SERVICE_RESOURCE_ID string = webApp.id
 output BOT_DOMAIN string = webApp.properties.defaultHostName
+output BOT_ID string = identity.properties.clientId
+output BOT_TENANT_ID string = identity.properties.tenantId

packages/cli/configs/atk/embed/typescript/infra/botRegistration/azurebot.bicep

@@ -8,7 +8,9 @@ param botDisplayName string
 
 param botServiceName string = resourceBaseName
 param botServiceSku string = 'F0'
-param botAadAppClientId string
+param identityResourceId string
+param identityClientId string
+param identityTenantId string
 param botAppDomain string
 
 // Register your web service as a bot with the Bot Framework
@@ -19,7 +21,10 @@ resource botService 'Microsoft.BotService/botServices@2021-03-01' = {
   properties: {
     displayName: botDisplayName
     endpoint: 'https://${botAppDomain}/api/messages'
-    msaAppId: botAadAppClientId
+    msaAppId: identityClientId
+    msaAppMSIResourceId: identityResourceId
+    msaAppTenantId: identityTenantId
+    msaAppType: 'UserAssignedMSI'
   }
   sku: {
     name: botServiceSku