Share via

Getting Keyerror, access_token while running teams bot using teams-ai library, hosted using Azure App Service

Arnav Gupta 20 Reputation points
2025-02-21T07:16:44.3966667+00:00

Used the teams-ai library's mathbot sample, used inbuilt teams toolkit provision and deploy pipelines.

App works well on local machine. Upon hosting on azure, gets this error in logs.

User's image

Getting a keyerror on access_token. However the BOT_ID and BOT_PASSWORD are configured normally in the Azure App environment variables. Moreover, the ID and password are correct, as I have ran a curl command manually and am receiving the access_token.

The app is set to be single tenant on both Azure and the Entra admin center with the correct tenant-ID.

App service and openai service have both been given user managed identities with contributor role assignments.

Does the mathbot sample have an inherent issue? Or do I need to configure something else on Azure?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,930 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bhargavi Naragani 5,270 Reputation points Microsoft External Staff Moderator
    2025-03-12T17:52:33.69+00:00

    Hi @Arnav Gupta,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Despite the fact that the BOT_ID and BOT_PASSWORD were configured as Azure App Service environment variables, the bot couldn't obtain the access_token. Moving into a multitenant configuration helped resolve this issue, but there is some confusion because the "Bot Type" section in the Azure portal appears empty when it correctly works. That's not typical behavior, and it should certainly be explained in documentation.

    After switching to multitenant, the bot was able to read from Teams but when attempting to send a message, it threw an "Unauthorized" exception. Getting the appropriate permissions and proper identity configuration in place for the Azure Bot Service and managed identities typically resolves this. You sometimes need to verify the messaging endpoint is properly configured in the bot registration too.

    Even if BOT_ID and BOT_PASSWORD were configured in the env files for deployment, the Azure Bot Service required them to be explicitly included in the App Service's environment variables. This is a known quirk. The best practice is always to include environment variables directly in the Azure App Service configuration so that deployment packaging problems are not encountered.

    https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal
    https://learn.microsoft.com/en-us/azure/bot-service/bot-service-quickstart-registration?view=azure-bot-service-4.0&tabs=userassigned
    https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/bot-sso-overview

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.