In Bot Framework - Getting HTTP Status Code Forbidden in Web Chat

Gaurav Chayal 1 Reputation point
2021-09-14T12:40:35.653+00:00

I have created a bot in Bot Framework and configured the Teams channel with it, but while testing we get no response, with the error "There was an error sending this message to your bot: HTTP status code Forbidden" in the Web Chat logs.

131972-uat-botissue.jpg

I have seen some other similar questions regarding Bot Framework issues.
I am concerned about the following options:

  1. Is it mandatory to use the "MultiTenant" support type? Right now I am using "SingleTenant".
    My reference for that is this documentation:
    https://learn.microsoft.com/en-us/azure/bot-service/bot-service-quickstart-registration?view=azure-bot-service-4.0#manual-app-registration
  2. Is it mandatory to allow-list the following URLs in the firewall?
    login.botframework.com (Bot authentication)
    login.microsoftonline.com (Bot authentication)
    westus.api.cognitive.microsoft.com (for Luis.ai NLP integration)
    *.botframework.com (channels)
    state.botframework.com (backward compatibility)
    login.windows.net (Windows login)
    login.windows.com (Windows login)
    sts.windows.net (Windows login)
    Reference (official doc): https://learn.microsoft.com/en-us/azure/bot-service/bot-service-resources-faq-security?view=azure-bot-service-4.0#which-specific-urls-do-i-need-to-allow-list-in-my-corporate-firewall-to-access-bot-framework-services

And if we need to change the support type to "Multitenant", I need some reasoning for that:

  1. Why do we need "Multitenant" if we are working in a single-tenant network?
  2. Why is there a "Singletenant" option if "Multitenant" is mandatory?

because the IT team is not allowing this option and is concerned about security.
Kindly tell me if there could be other causes of this issue.


3 answers

  1. romungi-MSFT 41,866 Reputation points Microsoft Employee
    2021-09-15T06:56:17.56+00:00

    @Gaurav Chayal The reason for using multi-tenant is because

    “A bot’s App Registration is multi-tenant due to the architecture of the Bot Service so that a token can be generated that points to api.botframework.com resource (which is hosted on the botframework tenant). botframework.com is a single-tenant resource so in order for us to grant access to the bot service’s connector resources, we create the token against the bot's app registration (hence the need for the multi-tenant registration). This app registration should only be used for this service-to-service bot authentication pattern. It should have no access to other claims, etc. If you need the app registration to have access to other resources, you should create a separate app registration to use.”

    So the registration and access to the URLs are required to ensure the bot works as expected.

    3 people found this answer helpful.

  2. Gaurav Chayal 1 Reputation point
    2021-09-15T11:39:41.377+00:00

    @romungi-MSFT
    Thanks for the reply, but the explanation is still not clear.

    132386-tenant.jpg

    In the above screenshot it is clearly stated to use "SingleTenant" if the target audience is internal to the organization,
    and to use "Multitenant" if the target audience is multiple organizations (like schools or businesses).
    So it is obvious to choose the option according to the tenants.

    Then why is the "SingleTenant" option available if "MultiTenant" is mandatory?
    Also, I can't find any official documentation that strictly requires Multitenant when configuring the Teams channel with a bot in Bot Framework.
    The security team needs proper proof and documentation before making the registration Multitenant.


  3. Gaurav Chayal 1 Reputation point
    2021-10-18T14:34:19.937+00:00

    Hi @romungi-MSFT, hope you are doing well.
    We need your help again.

    So now we are stuck proceeding further with the Teams adapter.
    Our IT team has changed the app's support type to Multitenant, and there is no outbound traffic blocking for URL access.
    We were concerned about those two requirements and now they are fulfilled, but the issue is still the same.
    We are getting the error "There was an error sending this message to your bot: HTTP status code Forbidden".

    I have checked the required URLs in the browser; they are accessible.
    Is there any other way to check whether URL access is working fine?
    Please guide us on the next steps we can check and what other possibilities there are for this issue.

    141419-uat-botissue.jpg
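Two things asked in this thread can be checked from the bot's host rather than from a browser: whether a given URL falls inside the firewall allow-list from the question (item 2), and whether each listed host is actually reachable with a verified TLS handshake (the last post's question). The following is an added example, not code from the original posts or from the Bot Framework SDK. It uses only the Python 3 standard library, copies the host list from the question, and treats a `*.` entry the way most firewalls do (any subdomain, not the bare apex). A certificate verification failure is reported separately because a TLS-inspecting proxy that replaces server certificates breaks service-to-service authentication even when the host is "reachable".

```python
import socket
import ssl
from urllib.parse import urlsplit

# Hosts copied from the allow-list in the question (comments paraphrase its notes).
BOT_FRAMEWORK_ALLOWLIST = (
    "login.botframework.com",               # bot authentication
    "login.microsoftonline.com",            # bot authentication
    "westus.api.cognitive.microsoft.com",   # LUIS NLP integration
    "*.botframework.com",                   # channels
    "state.botframework.com",               # backward compatibility
    "login.windows.net",                    # Windows login
    "login.windows.com",                    # Windows login
    "sts.windows.net",                      # Windows login
)


def host_allowed(host, allowlist=BOT_FRAMEWORK_ALLOWLIST):
    """Return True if host matches an allow-list entry.

    A '*.example' entry matches any subdomain of 'example' (one or more
    labels) but not the bare apex, which is how most firewalls read it.
    The suffix check includes the leading dot, so 'evil-example' is rejected.
    """
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def url_allowed(url, allowlist=BOT_FRAMEWORK_ALLOWLIST):
    """Return True only for https URLs whose host is on the allow-list."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and bool(parts.hostname)
            and host_allowed(parts.hostname, allowlist))


def tls_dial(host, port=443, timeout=5.0):
    """Connect to host:port and complete a verified TLS handshake.

    Returns the negotiated TLS version. Raises OSError subclasses on failure:
    socket.gaierror (DNS), TimeoutError / ConnectionRefusedError (blocked
    egress) or ssl.SSLCertVerificationError (an intercepting proxy presenting
    its own certificate chain).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def probe_allowlist(allowlist=BOT_FRAMEWORK_ALLOWLIST, dial=tls_dial):
    """Probe every concrete host on the list; wildcard entries are skipped.

    `dial` is injectable so the logic can be exercised without network access.
    Returns {host: (ok, detail)} where detail is the TLS version or the error.
    """
    results = {}
    for entry in allowlist:
        if entry.startswith("*."):
            continue  # '*.botframework.com' is a pattern, not a host to dial
        try:
            results[entry] = (True, dial(entry))
        except OSError as exc:
            results[entry] = (False, f"{type(exc).__name__}: {exc}")
    return results


if __name__ == "__main__":
    # Run from the machine that hosts the bot, not from a workstation: the
    # bot's egress path is what matters for its token requests.
    for host, (ok, detail) in probe_allowlist().items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {detail}")
```

Run it on the bot's server itself: a browser on a workstation may use a different proxy or egress policy than the bot process does. A `FAIL` line naming `SSLCertVerificationError` points at TLS interception on the path, which has to be exempted for these hosts; a `TimeoutError` or `gaierror` points at egress filtering or DNS. A clean `OK` for every host only rules out connectivity; it does not by itself explain the Forbidden response.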