
Azure AI Foundry published agent ActivityProtocol OAuth redirect fails after successful Entra sign-in

Clifford, Eric 0 Reputation points
2026-05-05T20:49:31.1066667+00:00

We have a Microsoft Foundry agent published to Microsoft 365 Copilot / Teams. The direct Foundry Responses API works, but the published channel path fails.

Any ideas? I am confused why I cannot simply access the agent in Teams or Web 365 Copilot. It lets me add it, but it will not respond to prompts. I must be missing something simple, as I have never had this issue with Copilot Studio agents, but I am really, really struggling with MS Foundry agents. They work great in the Foundry playground, but not outside of that.

Agent:

SEUS-Engineering-Knowledge

Azure Foundry account/resource:

SEUS-AIFoundry-Secure

Project:

SEUS-AI-Engineering-Knowledge

Bot Service:

seus-engineering-knowledge46829

Published agent identity / Bot ID:

61814041-916f-4281-ad51-4b866a8cf0c2

ActivityProtocol endpoint:

https://SEUS-AIFoundry-Secure.services.ai.azure.com/api/projects/SEUS-AI-Engineering-Knowledge/applications/SEUS-Engineering-Knowledge/protocols/activityprotocol?api-version=2025-11-15-preview

Responses endpoint:

https://SEUS-AIFoundry-Secure.services.ai.azure.com/api/projects/SEUS-AI-Engineering-Knowledge/applications/SEUS-Engineering-Knowledge/protocols/openai/responses?api-version=2025-11-15-preview

Known working:

  1. Direct /protocols/openai/responses call returns a valid agent response.
  2. Azure Bot Service Direct Line conversation can be created.
  3. Direct Line messages reach the bot.
  4. The bot returns a Foundry sign-in card, proving Bot Service reaches the ActivityProtocol endpoint.

Known fixed/verified:

  1. Azure AI Studio App Enterprise Application/service principal now exists:

   appId: cb2ff863-7f30-4ced-ab89-a00194bcf6d9

   objectId: 4badc553-5a20-461d-8c0a-a5929514ea08

   accountEnabled: true

   appRoleAssignmentRequired: false

  2. Azure AI Studio App reply URLs include:

   https://api.agent-oauth.azureml.ms/agent-oauth/v1.0/redirect

  3. DA user has Azure AI User on the Foundry project scope.
  4. DA user has Azure AI User on the parent Foundry account scope.
  5. Published agent identity has Azure AI User on project scope and parent Foundry account scope.

Entra sign-in logs:

Application:

Azure AI Studio App

App ID:

cb2ff863-7f30-4ced-ab89-a00194bcf6d9

User:

******@screen-spe.com

Result:

conditionalAccessStatus: success

status.errorCode: 0

authenticationDetails.succeeded: true

token binding satisfied: true

resourceDisplayName: Azure Resource Manager

resourceId: 797f4846-ba00-4fd7-ba43-dac1f8f63013

Failure:

After successful Entra sign-in, Foundry OAuth redirect fails and the bot remains stuck at:

"Waiting for Foundry login to complete"

Browser/OAuth error:

OAuth redirection processing failed. Please re-login.

Request: GET eastus2.api.azureml.ms/agent-oauth/v1.0/redirect

Status Code: 400 BadRequest

Error Code: UserError

Reason Phrase: Authentication code has already been redeemed. Please re-login.

componentName: agent-asset

Latest correlation:

operation: b9ff10976712502fa69c81da69f63b13

request: c8d783d9a48da550

nested request: 2b4bc2c0b3fd94c2

environment: westus / eastus2

statusCode: 400

Impact:

The agent works via direct Foundry Responses API but cannot complete the published ActivityProtocol OAuth flow used by Teams/Microsoft 365 Copilot. Microsoft 365 Copilot shows the agent but it cannot answer.

Azure AI Bot Service

An Azure service that provides an integrated environment for bot development.


2 answers

  1. kagiyama yutaka 3,080 Reputation points
    2026-05-16T16:22:26.7166667+00:00

    I think the 400 code already redeemed means the redirect is using an auth code that is no longer valid, so restarting the sign‑in from a new browser profile is the safest way to issue a clean one. If it still fails, sharing the correlation IDs with Microsoft support is the correct next step.


  2. Q&A Assist
    2026-05-05T20:49:49.26+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The agent-side OAuth flow is failing after Entra sign-in, so Teams/M365 Copilot never gets a completed ActivityProtocol login and the agent stays stuck at “Waiting for Foundry login to complete.” From the context, this class of issue is typically caused by one of:

    1. Missing/incorrect permissions or roles for the caller or the agent identity.
    2. Conditional Access blocking or interfering with token acquisition.
    3. Misconfigured OAuth / redirect URL or audience.

    Based on the provided details and the available guidance, use the following checks and fixes:

    1. Confirm caller has the right Foundry role
      The caller that is completing the OAuth flow must have at least Azure AI User on the Foundry project:
      • If the caller is the end user in Teams/M365 Copilot, ensure that user has Azure AI User on the Foundry project resource.
      • This is required for the agent to accept the token and complete the login.
        If this role is missing, the agent can return authentication or consent issues and tool calls will fail.
    2. Check Conditional Access impact
      Conditional Access can cause agents to appear unresponsive or stuck:
      • If Conditional Access policies block token acquisition for the tenant or the specific app, the agent will not start a conversation or respond, even though the Entra sign-in event shows as successful.
      • Work with the Entra admin to review Conditional Access policies targeting the “Azure AI Studio App” and the user. Ensure they allow token acquisition for this app and scenario.
      • After adjusting policies, retry the OAuth flow from a fresh browser session.
    3. Validate OAuth / redirect configuration
      The error Authentication code has already been redeemed indicates the redirect handler is receiving an authorization code that is either reused or not accepted for the expected audience:
      • Ensure the redirect URI in the Azure AI Studio App registration exactly matches the documented redirect endpoint (https://api.agent-oauth.azureml.ms/agent-oauth/v1.0/redirect) and that there are no extra or missing variants.
      • Confirm that the ActivityProtocol endpoint and the OAuth configuration are using the correct audience/resource for the token (for Foundry agents, tokens must be requested for https://ai.azure.com when calling the agent endpoint). A mismatched audience can cause 401/400 behavior in downstream calls.
    4. Verify agent identity and downstream permissions
      For published agents, if the agent identity is missing permissions, tool calls and authentication flows can fail after sign-in:
      • Ensure the agent’s managed identity (or published agent identity) has the required RBAC roles on any Azure resources it accesses.
      • Role assignment changes can take up to ~10 minutes to propagate; after changes, wait and retry.
    5. Re-run the flow from a clean session
      Because the error says the code has already been redeemed:
      • Close all browser windows, clear cookies for Microsoft/Entra domains, or use a fresh InPrivate/Incognito session.
      • Start a new conversation with the agent in Teams or M365 Copilot, trigger the sign-in again, and complete it once without reusing the same redirect URL.
    6. If tool calls still fail after consent
      If consent appears to complete but the agent still cannot respond or tools fail:
      • Confirm the user has the required permissions in the underlying services the agent calls.
      • Confirm again that the user has at least Azure AI User on the Foundry project.

    If, after these steps, the OAuth redirect still returns Authentication code has already been redeemed for new sign-in attempts, capture the latest correlation IDs and raise a support ticket, as this pattern can also indicate a backend issue (similar to other transient Foundry/Teams integration problems that required a hotfix).



    Was this answer helpful?
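
The single-use behaviour behind the "already redeemed" error discussed in the answers above, as an added example that is not part of the original thread and is not Foundry's or Entra's code: a generic model of an authorization-code store (RFC 6749 section 4.1.2) in which a second request carrying the same code is rejected while a freshly issued code succeeds. The class, the redirect URL and the reason strings are hypothetical.

```python
import secrets
import time


class CodeStore:
    """Toy authorization-code store: codes are short-lived and single-use
    (RFC 6749 section 4.1.2). Hypothetical model, not a real service."""

    def __init__(self, ttl=60, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._codes = {}  # code -> [redirect_uri, issued_at, redeemed]

    def issue(self, redirect_uri):
        code = secrets.token_urlsafe(16)
        self._codes[code] = [redirect_uri, self.clock(), False]
        return code

    def redeem(self, code, redirect_uri):
        """Return (status, reason) the way a redirect handler might report it."""
        entry = self._codes.get(code)
        if entry is None:
            return 400, "unknown code"
        uri, issued_at, redeemed = entry
        if redeemed:
            # Second presentation of the same code: always refused.
            return 400, "code already redeemed"
        if self.clock() - issued_at > self.ttl:
            return 400, "code expired"
        if uri != redirect_uri:
            # The code is bound to the redirect URI it was issued for.
            return 400, "redirect_uri mismatch"
        entry[2] = True
        return 200, "ok"


def replay_demo():
    redirect = "https://client.example/redirect"  # constructed placeholder
    store = CodeStore()
    code = store.issue(redirect)
    first = store.redeem(code, redirect)    # first hit on the redirect URL
    second = store.redeem(code, redirect)   # same URL requested a second time
    fresh = store.redeem(store.issue(redirect), redirect)  # new sign-in, new code
    return first, second, fresh


if __name__ == "__main__":
    for status, reason in replay_demo():
        print(status, reason)
```
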
