Teams App / Bot 'Unauthorized' error when responding to an activity

Question

Teams App / Bot 'Unauthorized' error when responding to an activity

Weston Boone 20

Goal:

Create a teams app / bot for my department that can process requests (from DMs or channels), respond to them, and store the conversation context externally so that proactive messages can be sent when events happen in the future.
Current error:

[on_turn_error] unhandled error: Operation returned an invalid status code 'Unauthorized'
Traceback (most recent call last):
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\bot_adapter.py", line 174, in run_pipeline
    return await self._middleware.receive_activity_with_status(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Testing Context:

Single Tenant Azure Bot has been created
- currently sending requests to local code via ngrok
- Teams channel has been added
Teams app manifest has been created, uploaded, and approved in my org
- Messaging the app invokes my local code
Azure Entra App Registration
- Authentication: Any Microsoft Entra ID tenant - Multitenant
  - The Single tenant option caused an error about not finding the client (app) id and i think that was because it was looking in some global bot framework catalogue
- API Permissions: Microsoft Graph -> Delegated Permisions -> Channel.ReadBasic.All, ChannelMember.Read.All, Chat.Create, Chat.ReadBasic.WhereInstalled, Chat.ReadWrite.WhereInstalled
  - All permissions have been granted admin consent
Local code is currently hardcoding app id/password
- Code is invoked as expected, but on sending an activity back to the conversation the pasted Unauthorized error is thrown
- When testing against agentplayground locally with no app id/password set responding to a request was working, but i never got the proactive message bit to function

Questions/Concerns/Disclaimers:

I am drowning a bit in deprecated/renamed libraries and the general abstractions being forced by botframework so i'm sure i have some pretty obvious errors in my setup but am having a hard time determining what to search. Have also never dabbled in the Azure end of things
It seems like i would want the api permissions for graph to be delegated and not under the running user for my use case, but i don't see any that look like they would allow Channel messaging? Are these 'api permissions' actually needed for the bot to respond? Are they needed for the proactive messaging?
In the manifest.json under bots[0]['scopes'] i have ['personal','groupChat','team'] I assume those somehow translate into permissions when the app is installed in Teams ( i don't have Teams admin access). Are they related at all to the 'api permissions' in the registered app?
What is the relationship between the Azure Bot being 'Single tenant' and the App registration -> Authentication being Multitenant?

Should i be passing the tenant id into the Adapter config settings? It didn't seem to make any difference that i noticed:

  AUTH_CONFIG = AuthenticationConfiguration(tenant_id=CONFIG.TENANT_ID)
  SETTINGS = BotFrameworkAdapterSettings(CONFIG.APP_ID, CONFIG.APP_PASSWORD, auth_configuration=AUTH_CONFIG)
  ADAPTER = BotFrameworkAdapter(SETTINGS)

Let me know if any additional information would be helpful and thanks in advance.

Weston Boone 20

It won't let me post the full stack trace in the main post for some reason.. trying to put here


 [on_turn_error] unhandled error: Operation returned an invalid status code 'Unauthorized'
Traceback (most recent call last):
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\bot_adapter.py", line 174, in run_pipeline
    return await self._middleware.receive_activity_with_status(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\middleware_set.py", line 69, in receive_activity_with_status
    return await self.receive_activity_internal(context, callback)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\middleware_set.py", line 79, in receive_activity_internal
    return await callback(context)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\activity_handler.py", line 70, in on_turn
    await self.on_message_activity(turn_context)
  File "C:\source\teamsapp\bots\adaptive_card_actions_bot.py", line 37, in on_message_activity
    await turn_context.send_activity(
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\turn_context.py", line 174, in send_activity
    result = await self.send_activities([activity_or_text])
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\turn_context.py", line 226, in send_activities
    return await self._emit(self._on_send_activities, output, logic())
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\turn_context.py", line 304, in _emit
    return await logic
           ^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\turn_context.py", line 221, in logic
    responses = await self.adapter.send_activities(self, output)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\bot_framework_adapter.py", line 728, in send_activities
    raise error
  File "C:\source\teamsapp\.venv\Lib\site-packages\botbuilder\core\bot_framework_adapter.py", line 713, in send_activities
    response = await client.conversations.reply_to_activity(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\source\teamsapp\.venv\Lib\site-packages\botframework\connector\aio\operations_async\_conversations_operations_async.py", line 529, in reply_to_activity
    raise models.ErrorResponseException(self._deserialize, response)
botbuilder.schema._models_py3.ErrorResponseException: Operation returned an invalid status code 'Unauthorized'

Answer recommended by moderator

1 additional answer

Your answer

Answer 1

I got past my immediate errors with a combination of two things:

Aligning the bot service and app registration to Single Tenant authentication
updating the adapter instantiation and process function to match what i was seeing on less deprecated code examples. Under the covers I'm sure this is doing something similar to creating the AUTH_CONFIG with the tenant id, but i haven't gone through enough of the code to know what exactly is the difference yet.

Not working:

from botframework.connector.auth import AuthenticationConfiguration
CONFIG = DefaultConfig()
AUTH_CONFIG = AuthenticationConfiguration(tenant_id="YOUR_TENANT_ID")
SETTINGS = BotFrameworkAdapterSettings(app_id="YOUR_APP_ID", app_password="YOUR_APP_PASSWORD", auth_configuration=AUTH_CONFIG)
ADAPTER = BotFrameworkAdapter(SETTINGS)

Working (including the messages def because it is small and i had to tweak that to work with the CloudAdapter wrapper):

Config has

class DefaultConfig:
    """ Bot Configuration """
    PORT = 3978
    APP_ID = os.environ.get("MicrosoftAppId", "<app id>")
    APP_PASSWORD = os.environ.get("MicrosoftAppPassword", "<app password>")
    APP_TYPE = os.environ.get("MicrosoftAppType", "SingleTenant")
    APP_TENANTID = os.environ.get('MicrosoftTenantId','<tenant id>')

from botbuilder.integration.aiohttp import CloudAdapter, ConfigurationBotFrameworkAuthentication
CONFIG = DefaultConfig()
ADAPTER = CloudAdapter(ConfigurationBotFrameworkAuthentication(CONFIG))

async def messages(req: Request) -> Response:
   return await ADAPTER.process(req, BOT)

Jack-Bu 5,485 Reputation points Microsoft External Staff Moderator

2025-11-05T05:58:46.54+00:00

Hello Weston Boone,

Thank you for sharing the update. I’m glad to hear you were able to resolve the issue on your own. Your detailed explanation and code adjustments will surely help others facing similar challenges.

If you have any further questions or need assistance in the future, feel free to reach out.

Answer 2

Jack-Bu 5,485 Microsoft External Staff Moderator

Dear Weston Boone

Thank you for reaching to Microsoft Q&A regarding the "Unauthorized" error when responding to activities in your Teams bot. Based on a thorough review of similar cases and your described configuration, the error likely stems from a mismatch in tenant settings or authentication credentials. Your Azure Bot is single-tenant, but the Entra ID app registration was initially set to multitenant, which can cause authentication failures. Additionally, Microsoft's deprecation of new multi-tenant bots (effective July 31, 2025) may be impacting hybrid setups. Here something you can try to fix this:

Recreate Resources for Consistency: Delete and recreate your Entra ID app registration as single-tenant (Accounts in this organizational directory only). Then, create a new single-tenant Azure Bot using this existing app registration. Generate a fresh app password.

Update Code Snippet:

   from botframework.connector.auth import AuthenticationConfiguration
   AUTH_CONFIG = AuthenticationConfiguration(tenant_id="YOUR_TENANT_ID")
   SETTINGS = BotFrameworkAdapterSettings(app_id="YOUR_APP_ID", app_password="YOUR_APP_PASSWORD", auth_configuration=AUTH_CONFIG)
   ADAPTER = BotFrameworkAdapter(SETTINGS)

Test Incrementally: Start with a minimal echo bot in the emulator, then test in Teams. Enable adapter logging for detailed errors. Check Azure Bot data residency (prefer Global if possible).
Further Checks: Verify ngrok endpoint in Azure Bot config, regenerate credentials if needed, and monitor for region-specific issues.

Hope this helps.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Jack-Bu 5,485 Reputation points Microsoft External Staff Moderator

2025-11-03T06:39:25.1466667+00:00

Hello Weston Boone

Just checking in to see if the steps I shared helped resolve the issue with the Teams App bot returning an “Unauthorized” error. Please let me know if you need any further assistance. I’m happy to help.
Sayali-MSFT 4,341 Reputation points Microsoft External Staff Moderator

2025-11-03T09:40:24.0566667+00:00

Hello Weston Boone,
Could you please confirm if your issue has resolved with provided suggestions or still looking for any help?
Weston Boone 20 Reputation points

2025-11-03T17:18:40.3333333+00:00
@Jack-Bu thanks for the response.

I actually started with both the bot and app registration as being Single Tenant and only switched the one to multi tenant while trying to brute force my way through things. When both are Single Tenant i get this error:

PermissionError: Failed to get access token with error: unauthorized_client, error_description: AADSTS700016: Application with identifier '<expected app id>' was not found in the directory 'Bot Framework'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant

And that is with the AUTH_CONFIG passed into the adapter settings. I think that error very likely means that some global bot framework 'directory' is being checked against instead of the one listed in my specific tenant. I'm hesitant to just delete/recreate things because i don't have all the access needed to do that on my own and because things were created with the settings that are being recommended already.

I have switched back to setting the tenant id in the auth config

Things worked well enough locally via agentsplayground (until i hard coded the app id/password but that is expected i think). I didn't see any obvious way to crank up logging, but i'll poke around and figure out how to do that. The bot service is global

ngrok config is fine since i'm getting the traffic locally. I've seen other posts with region errors and i don't think i'm having those. Guess i'll try recreating the secret

Share via

Teams App / Bot 'Unauthorized' error when responding to an activity

1 additional answer

Your answer