Bot Framework REST API returns "Authorisation has been denied for this request"

Question

Bot Framework REST API returns "Authorisation has been denied for this request"

Nithish 10

I’m developing a multi-tenant Teams bot registered in Azure AD. The bot obtains an app-only access token via client_credentials from the botframework.com tenant:

POST https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token
scope = https://api.botframework.com/.default

The decoded JWT shows the correct aud (https://api.botframework.com) and the expected appid (our bot’s client ID).

Using that token, I call the Bot Connector REST endpoint to send a proactive Adaptive Card into a personal chat:


POST https://smba.trafficmanager.net/{region}/{tenantId}/v3/conversations/{conversationId}/activities
Authorization: Bearer <token>
Content-Type: application/json

Problem: Every POST returns HTTP 403 Forbidden with the plain-text error:

Authorization has been denied for this request.

No additional diagnostics are returned in the body or headers.

Troubleshooting done so far

Token validation
- Claims (aud, iss, appid, exp) all match Microsoft’s docs.
- Token lifetime and system clocks are in sync.
Request shape
- Confirmed correct Authorization: Bearer … header (no custom header names).
- Content-Type: application/json is set.
- URL and conversationId are copied verbatim from the incoming Teams activity.
- Tried minimal payload ({ "type":"message","text":"ping", … })—same 403.
Bot installation / permissions
- Bot is installed in the user’s personal scope; user can send messages to the bot.
- App registration is multi-tenant; API permissions for Microsoft Graph and Bot Framework are granted and admin-consented.

The weird part is, this was working fine till yesterday. I've been following the same flow for more than a year now and it hasn't caused a problem. Suddenly I'm getting this "Authorisation has been denied to this request" error responses. Any assistance would be appreciated.

1 answer

Your answer

Answer 1

Jack-Bu 2,145 Microsoft External Staff Moderator

Hi Nithish,

Thanks for reaching out to the Microsoft Q&A forum.

I understand how frustrating and disruptive it can be when a workflow that has been functioning smoothly for a year suddenly encounters the "Authorization has been denied to this request" error. I'm here to assist you in resolving this issue.

To better understand and address the problem, could you please provide the following information:

Can you confirm that the authentication token you're using is valid and hasn't expired?
Are there any Conditional Access policies or other tenant-level restrictions that might be preventing the request?
Has the service principal associated with your app registration been assigned the necessary roles within the target tenant?
Could you share the full body of the API request you're using for the multi-tenant Teams bot? This will help in pinpointing any potential issues.

If you have any updates or additional information, please don't hesitate to share. Your feedback is invaluable in helping me find the best solution for you.

Thank you for your understanding and patience as we work through this together!

Nithish 10 Reputation points

2025-06-18T15:37:50.5833333+00:00
Hi Jack, thanks for your reply. Please find my answers to the requested:

Is the authentication token valid and not expired?

Yes, I tried generating the token freshly for each request using the client_credentials flow from the botframework.com tenant.

Are there any Conditional Access policies or tenant-level restrictions in place?

There aren't any restrictions put in place. As informed, it was working fine for a year now until yesterday. I'm the admin of the tenant and I didn't modify anything recently as well. Please let me know if a specific setting is to be checked as well.

Has the service principal been assigned the necessary roles in the target tenant?

Yes, the corresponding service principal has the Cloud Application Administrator role assigned, which I think gets assigned by default. Should I be assigning something else, please let me know.

Could you share the full body of the API request?

Body - > {"attachments":[{"contentType":"application/vnd.microsoft.card.adaptive","content":{"$schema":"http://adaptivecards.io/schemas/adaptive-card.json","msteams":{"width":"full"},"type":"AdaptiveCard","body":[{"horizontalAlignment":"left","size":"Medium","weight":"Bolder","text":"Sign in with Microsoft credentials","type":"TextBlock","wrap":false,"isSubtle":false},{"horizontalAlignment":"left","size":"Small","weight":"default","text":"You will be redirected to the ServiceDesk Plus login page after authorization","type":"TextBlock","wrap":false,"isSubtle":false}],"actions":[{"type":"Action.OpenUrl","title":"Sign in with Microsoft","url":"https://login.microsoftonline.com/11343e3a-cbce-4555-9bac-e4162996bfec/oauth2/authorize?client_id=f2cfdb39-dace-405c-9fd5-17a652007394&response_type=id_token&redirect_uri=https://<domain>/ExternalIntegration.do&response_mode=form_post&scope=https://graph.microsoft.com/openid&state=MSwLogin&nonce=F2FB11ED-5849-45D3-AC0B-880

URL - > https://smba.trafficmanager.net/in/11343e3a-cbce-4555-9bac-e4162996bfec/v3/conversations/a:1OvhbT-aZSyeLEd4EA_d8dka1JYDhlf_AHpcZhIvA6NBaX7aVZn0JL-lC0LgNMERfHI6N-1k5jSDvgjyqjuXHU6te2BPRUGvHqYVss9M0jtN-dMBW2b-FGzT0mAHGm3F-/activities

Please find my access token decoded as well:

{

"typ": "JWT",

"alg": "RS256",

"x5t": "CNv0OI3RwqlHFEVnaoMAshCH2XE",

"kid": "CNv0OI3RwqlHFEVnaoMAshCH2XE"

}.{

"aud": "https://api.botframework.com",

"iss": "https://sts.windows.net/d6d49420-f39b-4df7-a1dc-d59a935871db/",

"iat": 1750259199,

"nbf": 1750259199,

"exp": 1750345899,

"aio": "k2RgYFj+ui2Hse62wxan1St4zs45BwA=",

"appid": "f2cfdb39-dace-405c-9fd5-17a652007394",

"appidacr": "1",

"idp": "https://sts.windows.net/d6d49420-f39b-4df7-a1dc-d59a935871db/",

"idtyp": "app",

"rh": "1.AW4AIJTU1pvz902h3NWak1hx20IzLY0pz1lJlXcODq-9FrxeAQBuAA.",

"tid": "d6d49420-f39b-4df7-a1dc-d59a935871db",

"uti": "PvgJkw15i0q1h-ZZkJJXAA",

"ver": "1.0",

"xms_ftd": "2S22OPZMdVVmm6CUMn4L9z518Yji4sS1H50sYenc0lQBdXNzb3V0aC1kc21z",

"xms_idrel": "13 22",

"xms_rd": "0.42LjYBJiygsWEuFgFRKwsjMRPHc61HX2midimtP2vwGKsgsJXOUvOtjiUu-0qGS_49S__-KBopxCAgxoACjKISTgZKzbq3k-0nNqOR_f-r1iewA"

}.[Signature]

Please let me know if you need anything else. Looking forward to your response.
Jack-Bu 2,145 Reputation points Microsoft External Staff Moderator

2025-06-19T15:38:14.8233333+00:00

Hello Nithish,

Thank you for your patience as I investigate this issue.

To assist with my investigation, could you please double check the value "MSwLogin&nonce" in the request body matches the nonce present in the ID token, it seems incomplete:

post&scope=https://graph.microsoft.com/openid&state=MSwLogin&nonce=F2FB11ED-5849-45D3-AC0B-880

This might be the cause for the error " HTTP 403".

Looking forward to hearing from you soon.
Vergil-V 155 Reputation points Microsoft External Staff Moderator

2025-06-23T07:31:55.54+00:00

Hi Nithish
I hope all is well. I wanted to follow up and see if there have been any updates on the on the "HTTP 403" error you're encountering when using the Bot Framework API workflow.
I'd appreciate any updates you can share after looking over my previous response. Please let me know if there’s anything further I can do to assist.

Thank you for your time and understanding.
Nithish 10 Reputation points

2025-06-23T09:31:54.21+00:00

Hello Team,

Apologies for the delay in my response, I was travelling and hence had limited access.

I have managed to resolve the issue for now by reverting the Developer Portal's latest update back. I'm guessing it was a bug in your end with the latest Developer Portal update.

Thank you for your attention and support to this matter. I'll reach out if I encounter it again in the future, hopefully I don't.
Vergil-V 155 Reputation points Microsoft External Staff Moderator

2025-06-23T12:23:39.7266667+00:00

Hi Nithish
I sincerely appreciate you taking the time to follow up on this thread, even while on holiday. I'm very pleased that we were able to work collaboratively and that a solution to your issue has been found.
I believe marking this as an accepted answer would be highly beneficial. Your contribution will serve as an excellent reference for others encountering similar issues and will significantly enhance our shared knowledge base.
Thank you once again for your follow-up and your valuable contribution.

Share via

Bot Framework REST API returns "Authorisation has been denied for this request"

1 answer

Your answer