Unable to Send Proactive Response from Skill Bot to Copilot Studio (401/403 due to Auth Token)

Prateek Singh 0 Reputation points
2025-05-19T06:35:38.1066667+00:00

I’ve created a Teams app that runs on a backend Python service, where it:

  • Receives an incoming request from a user.
  • Starts background threads for processing.
  • Sends back multiple adaptive card responses using the conversation ID.
  • Handles authentication in the backend (Teams token flow working fine).

This works well when the app is used directly in Microsoft Teams.

I’ve added this app as a skill to Copilot Studio, and I receive the initial request from Copilot successfully and I'm able to send a base response (i.e., the response to the POST request).

But when I try to send follow-up responses using the same conversation ID and service URL provided in the original Copilot request, I consistently get 401 Unauthorized or 403 Forbidden errors.

I suspect this is because I don’t have the correct auth token to post to the Copilot conversation.

My questions:

  • How do I obtain the correct auth token (JWT/Bearer) that is accepted by Copilot Studio to send proactive messages back using the skill bot?
  • What is the token audience (aud) and scopes I should be using for proactive messages to Copilot?
  • Are there any special steps for setting up Bot Framework credentials or manifest settings specifically for Copilot skill bots?

Additional Details:

  • Backend: Python (Flask)
  • Sending responses using Bot Framework SDK methods and conversation_id + service_url from the incoming activity.
  • This works fine for Teams, but not when triggered via Copilot.

Things Tried:

  • Bot Framework docs on proactive messaging.
  • Setting skill as per Copilot Studio documentation.
  • Tried generating tokens using Azure AD App registration (Client credentials flow), but they fail to authenticate with Copilot.

2 answers

  1. Ayush Giri 245 Reputation points Microsoft External Staff
    2025-05-19T14:00:58.32+00:00

    Hello Prateek,

    You're hitting a known challenge when trying to send proactive messages from a skill bot back to Copilot Studio. While similar to Microsoft Teams messaging, Copilot Studio introduces stricter auth/identity handling — especially for skill bots. Here’s a concise guide to answer your questions and get it working.


    What’s Going Wrong

    You're getting 401/403 errors because:

    • The auth token you're using is either invalid or has the wrong audience (aud) for Copilot Studio.
    • You're treating Copilot like Teams — but Copilot does not accept the same token audience as Teams (like api.botframework.com).
    • Proactive messages require a specific token issued for the Copilot channel, not just a generic Bot Framework or Azure AD token.


    Solutions and Steps

    1. Use the Bot Framework Skill Protocol for Proactive Messages

    • Proactive messages must be sent using the Bot Framework protocol using the correct OAuth token, matching Copilot’s expected audience.

    2. Use the Right OAuth Token (Audience + Scope)

    When sending proactive messages to Copilot, you must:

    • Acquire a token for the Microsoft App ID of your bot.
    • Use the **Bot-to-Bot token flow** (`https://api.botframework.com/.default` scope).
    • Set **audience (aud)** to `https://api.botframework.com`.

    Token acquisition example: Use the client credentials flow with your bot's App ID and Secret:

    ```http
    POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded

    client_id=YOUR_BOT_APP_ID
    &client_secret=YOUR_BOT_SECRET
    &grant_type=client_credentials
    &scope=https://api.botframework.com/.default
    ```

    3. Use the Right Headers for the Outbound POST

    Your proactive POST should include:

    ```http
    Authorization: Bearer <token_from_above>
    Content-Type: application/json
    ```

    And post to:

    ```text
    {service_url}/v3/conversations/{conversation_id}/activities
    ```

    Use the serviceUrl and conversation.id from the initial Copilot request.

    4. Register the Bot App Correctly

    Ensure:

    • The bot is registered in Azure Bot Channels Registration (not just a regular AAD app).
    • It has the Microsoft App ID and Secret configured.
    • Channel settings allow Copilot/Skill access (you may need to explicitly allow trusted service URLs).

    Thanks,
    Ayush

    If the response is helpful, please click "**Accept Answer**" and upvote it. You can share your feedback via [Microsoft Teams Developer Feedback](https://aka.ms/CopilotDevCommunityResponsesFeedback) link. Click [here](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR0MlFOZ25nZChVViMrDjqJ9UN0dNSTA4WVo2S05JQ1M4TVlYMjROSjhURSQlQCN0PWcu) to escalate.
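
Added example, not part of the answer above or of any SDK: one way to build the token request the answer describes and, before posting, check the returned token's `aud`, app ID and expiry claims, which is the first thing to inspect on a 401/403. The expected audience is the value the answer states; the helper names and the unsigned sample token are constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode

EXPECTED_AUD = "https://api.botframework.com"  # audience stated in the answer above


def build_token_request(tenant_id, app_id, secret):
    """Return (url, headers, body) for the client-credentials request in the answer."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({  # one URL-encoded line; secrets containing '&' or '+' stay intact
        "client_id": app_id,
        "client_secret": secret,
        "grant_type": "client_credentials",
        "scope": "https://api.botframework.com/.default",
    })
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_problems(jwt, app_id, now=None):
    """List reasons the receiving service would likely reject this token."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != EXPECTED_AUD:
        problems.append(f"aud is {claims.get('aud')!r}, expected {EXPECTED_AUD!r}")
    caller = claims.get("appid") or claims.get("azp")  # v1 / v2 token claim names
    if caller != app_id:
        problems.append(f"token was issued to {caller!r}, not the bot app {app_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_jwt(claims):
    """Constructed, unsigned sample token so the check runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Run `token_problems` on the `access_token` returned by the token endpoint and log the result (never the token itself) next to the 401/403 response.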
    

  2. Ayush Giri 245 Reputation points Microsoft External Staff
    2025-05-19T14:07:22.17+00:00

    If the response is helpful, please click on "upvote" button. You can share your feedback via Microsoft Copilot Developer Feedback link. Click here to escalate.
