How to fix Azure Bot Service fails authentication: AADSTS700016 – App Registration “not found” after switching tenant settings
Hello,
I am experiencing an authentication failure between Azure Bot Service and my Azure AD App Registration.
The bot is built with the Python Bot Framework SDK and works correctly in other environments.
However, in this Azure setup, Azure Bot Service cannot authenticate using the Microsoft App ID and secret, even though they are correct and freshly regenerated.
🔴 Error Messages
Azure Bot App Service logs repeatedly show:
get_user_token exception: Operation returned an invalid status code 'Unauthorized'
and sometimes, when it switches to single tenant:
AADSTS700016: Application with identifier '{APP-ID}'
was not found in the directory 'Bot Framework'.
You may have sent the authentication request to the wrong tenant.
Whenever this happens, the bot fails immediately with:
Operation returned an invalid status code 'Unauthorized'
Adapter cannot authenticate → Bot cannot send activities
Azure AI Bot Service
-
Sridhar M • 2,525 Reputation points • Microsoft External Staff • Moderator
2025-11-28T18:44:13.5733333+00:00
Hi Joost Vagevuur | Barney Media
Welcome to the Microsoft Q&A and thank you for posting your questions here.
You’re encountering the error AADSTS700016: Application with identifier 'xxxxxxxxxxx' was not found in the directory 'Bot Framework'.
This typically indicates an issue with Azure Active Directory (AAD) authentication. Most often, it means the bot’s Azure AD app registration is misconfigured or the authentication request is being sent to the wrong tenant.
If you’re manually requesting tokens, double-check the following in your authentication code:
- Client ID
- Tenant ID
- Authority URL
- Scopes
Make sure the request is being directed to the correct AAD endpoint:
- Single-tenant apps: https://login.microsoftonline.com/{tenant-id}
- Multi-tenant apps: https://login.microsoftonline.com/common
If your bot is intended to be multi-tenant, ensure that admin consent has been granted in the target tenant:
- In App Registrations, open your app.
- Go to API permissions and verify required permissions.
- Confirm that admin consent has been granted, especially for delegated permissions.
Additional troubleshooting steps you can take:
- Use Azure AD Graph Explorer (or Microsoft Graph Explorer) to test token requests and validate permissions.
- Consider using Microsoft Authentication Library (MSAL) for token acquisition, as it handles many authentication edge cases automatically.
I hope this helps. Do let me know if you have any further queries.
Thank you
-
Joost Vagevuur | Barney Media • 0 Reputation points
2025-12-01T06:52:32.6533333+00:00
Thanks for the reply.
But the issue we are facing happens before any token request, MSAL, or scopes come into play. Our bot is not even reaching the authentication flow.
The real problem: The Bot Framework Service itself cannot authenticate using our App ID + Secret. So the bot cannot send or receive messages at all.
This is why every request returns: Unauthorized even during the first conversationUpdate.
So this is NOT a token-request or MSAL problem.
The bot is not manually requesting tokens. It is Azure Bot Service that tries to authenticate using the App Registration and it fails immediately.
Our actual question: Why does Bot Framework return Unauthorized when:
- The App Registration exists
- The Enterprise Application exists
- The App ID + Secret are correct
- The tenant is correct
- Admin consent is done
Yet the Bot Service still cannot sign in with the App ID. We need Azure/Microsoft to confirm why Bot Framework cannot authenticate the bot in this tenant, even though everything is configured correctly. This is happening before token acquisition, so checking scopes/MSAL/Graph does not apply here.
Full Error
2025-12-01T06:22:22.0361467Z INFO:merford-bot:HTTP POST /api/messages (channelId=webchat)
2025-12-01T06:22:23.9897581Z INFO:merford-bot:RX activity: type=conversationUpdate name=None channel=webchat convId=83Z3xUQKNLc2gbTcntkKXP-eu svc=https://webchat.botframework.com/
2025-12-01T06:22:25.4667663Z INFO:merford-bot:get_user_token exception: Operation returned an invalid status code 'Unauthorized'
2025-12-01T06:22:25.9760126Z ERROR:merford-bot:Exception in /api/messages: Operation returned an invalid status code 'Unauthorized'
2025-12-01T06:22:25.9760679Z Traceback (most recent call last):
2025-12-01T06:22:25.9760703Z File "/tmp/8de2e7823e842e6/bot.py", line 530, in messages
2025-12-01T06:22:25.9760729Z asyncio.run(_proc())
2025-12-01T06:22:25.9760745Z File "/opt/python/3.11.14/lib/python3.11/asyncio/runners.py", line 190, in run
2025-12-01T06:22:25.9760759Z return runner.run(main)
2025-12-01T06:22:25.9760773Z ^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9760889Z File "/opt/python/3.11.14/lib/python3.11/asyncio/runners.py", line 118, in run
2025-12-01T06:22:25.9760904Z return self._loop.run_until_complete(task)
2025-12-01T06:22:25.9760919Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9760937Z File "/opt/python/3.11.14/lib/python3.11/asyncio/base_events.py", line 654, in run_until_complete
2025-12-01T06:22:25.9760951Z return future.result()
2025-12-01T06:22:25.9760964Z ^^^^^^^^^^^^^^^
2025-12-01T06:22:25.976098Z File "/tmp/8de2e7823e842e6/bot.py", line 528, in _proc
2025-12-01T06:22:25.9760997Z return await adapter.process_activity(activity, auth_hdr, handle_activity)
2025-12-01T06:22:25.9761013Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761032Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/bot_framework_adapter.py", line 445, in process_activity
2025-12-01T06:22:25.9761066Z return await self.process_activity_with_identity(activity, identity, logic)
2025-12-01T06:22:25.9761084Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761105Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/bot_framework_adapter.py", line 487, in process_activity_with_identity
2025-12-01T06:22:25.9761119Z await self.run_pipeline(context, logic)
2025-12-01T06:22:25.9761139Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/bot_adapter.py", line 181, in run_pipeline
2025-12-01T06:22:25.9761152Z raise error
2025-12-01T06:22:25.976117Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/bot_adapter.py", line 174, in run_pipeline
2025-12-01T06:22:25.9761186Z return await self._middleware.receive_activity_with_status(
2025-12-01T06:22:25.9761201Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761221Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/middleware_set.py", line 69, in receive_activity_with_status
2025-12-01T06:22:25.9761252Z return await self.receive_activity_internal(context, callback)
2025-12-01T06:22:25.9761268Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761286Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/middleware_set.py", line 79, in receive_activity_internal
2025-12-01T06:22:25.9761301Z return await callback(context)
2025-12-01T06:22:25.9761315Z ^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.976133Z File "/tmp/8de2e7823e842e6/bot.py", line 304, in handle_activity
2025-12-01T06:22:25.9761373Z await turn_context.send_activity("👋 Hi! Please sign in to continue.")
2025-12-01T06:22:25.9761394Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/turn_context.py", line 174, in send_activity
2025-12-01T06:22:25.976141Z result = await self.send_activities([activity_or_text])
2025-12-01T06:22:25.9761442Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761461Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/turn_context.py", line 226, in send_activities
2025-12-01T06:22:25.9761478Z return await self._emit(self._on_send_activities, output, logic())
2025-12-01T06:22:25.9761493Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761512Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/turn_context.py", line 304, in _emit
2025-12-01T06:22:25.9761525Z return await logic
2025-12-01T06:22:25.9761539Z ^^^^^^^^^^^
2025-12-01T06:22:25.9761557Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/turn_context.py", line 221, in logic
2025-12-01T06:22:25.9761573Z responses = await self.adapter.send_activities(self, output)
2025-12-01T06:22:25.9761588Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761621Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/bot_framework_adapter.py", line 728, in send_activities
2025-12-01T06:22:25.9761635Z raise error
2025-12-01T06:22:25.9761653Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botbuilder/core/bot_framework_adapter.py", line 718, in send_activities
2025-12-01T06:22:25.9761669Z response = await client.conversations.send_to_conversation(
2025-12-01T06:22:25.9761684Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-12-01T06:22:25.9761705Z File "/tmp/8de2e7823e842e6/antenv/lib/python3.11/site-packages/botframework/connector/aio/operations_async/_conversations_operations_async.py", line 260, in send_to_conversation
2025-12-01T06:22:25.976172Z raise models.ErrorResponseException(self._deserialize, response)
2025-12-01T06:22:25.9762062Z botbuilder.schema._models_py3.ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
// only single tenant option I found
// selected as multi-tenant
-
Sridhar M • 2,525 Reputation points • Microsoft External Staff • Moderator
2025-12-01T16:17:42.5+00:00
Hi Joost Vagevuur | Barney Media
The error “Operation returned an invalid status code 'Unauthorized'” occurs before your bot reaches OAuth, MSAL, or any token request. It happens during the very first authentication handshake between Azure Bot Service and Azure AD, when the Bot Service tries to authenticate using your App ID + Client Secret. This means Azure AD rejected the bot’s identity even before your bot code starts running.
Because the failure occurs before any user login flow begins, this error has nothing to do with OAuth scopes, Graph permissions, token caching, or your bot code. The Bot Framework itself fails to authenticate when trying to send or receive the very first system activity (usually conversationUpdate). So the cause is entirely in the App Registration or Bot Configuration, not in your sign-in logic.
Only a small number of configuration problems can cause this specific early-stage Unauthorized error. They are:
- The Bot Service is using a client secret that is wrong or expired,
- The tenant of the App Registration does not match the tenant of the Bot Channels Registration,
- The App Registration is multi-tenant while the bot is configured as single-tenant (a mismatch), or
- The App Registration’s service principal does not exist in the tenant where the bot resource lives.
If any one of these is true, Azure AD will reject the Bot Service’s authentication request.
The most frequent cause is that the Bot Service is still using an old or incorrect client secret. Even if you created a new secret in Azure AD, the Bot Channels Registration does not automatically update—so Azure Bot Service will continue sending the old secret until you manually copy the new one into Bot → Settings → Microsoft App Password. If the secret saved there does not exactly match the active secret in the App Registration, authentication always fails.
Another common reason for this error is a tenant mismatch. If the App Registration is created in Tenant A, but the Bot Channels Registration belongs to Tenant B, then the Bot Service attempts to retrieve OpenID configuration from the wrong tenant. Since the app identity doesn’t exist in that tenant, Azure AD returns Unauthorized immediately during the handshake.
Your screenshots show a classic mismatch: the App Registration is configured as Multiple organizations (multi-tenant), but the Bot Service is configured as Single Tenant. When this happens, the Bot Service requests tokens from the app’s specific tenant ID, but multi-tenant apps expect to use the common or organizations authority. Azure AD rejects the request because the authority and the app’s configuration don’t align, leading to the Unauthorized failure before your bot code runs.
The “App Tenant ID” in the bot configuration must exactly match the Directory (tenant) ID of the App Registration and must not contain stray spaces or characters. If the tenant ID is wrong, Azure Bot Service attempts to authenticate against the wrong authority URL and instantly receives Unauthorized. Re-entering and saving the correct tenant ID often resolves this.
To verify the root cause, regenerate a new client secret in the App Registration and copy it into the Bot Channels Registration’s “Microsoft App Password” field. Then set your App Registration to Single Tenant so it matches the bot's configuration. After saving both, restart your bot service and send a test message through webchat. If the Unauthorized error disappears, the mismatch or stale secret was the source.
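The four causes listed in the answer above can be checked offline before redeploying. The following is an added example, not part of the original answer or of the Bot Framework SDK: it compares the bot's settings with an export of the app registration, where `homeTenantId` and `servicePrincipalTenants` are hypothetical fields introduced for this sketch and all sample values are constructed.

```python
import re
from datetime import datetime, timezone

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def check_bot_identity(bot, app, now=None):
    """Return finding codes for the four causes listed in the answer above.

    bot: Azure Bot settings (MicrosoftAppType is SingleTenant or MultiTenant).
    app: app registration fields as Microsoft Graph names them, plus two
         hypothetical fields: homeTenantId and servicePrincipalTenants.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    raw_tenant = bot.get("MicrosoftAppTenantId", "")
    tenant = raw_tenant.strip().lower()
    bot_single = bot.get("MicrosoftAppType") == "SingleTenant"

    # Cause 1: no secret on the registration is still valid. Azure AD never
    # returns secret values, so only expiry can be checked offline.
    live = [c for c in app.get("passwordCredentials", [])
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) > now]
    if not live:
        findings.append("no-unexpired-secret")
    # Cause 2: tenant ID carries stray characters or names another directory.
    if bot_single:
        if raw_tenant != raw_tenant.strip() or not GUID.fullmatch(tenant):
            findings.append("tenant-id-malformed")
        elif tenant != app["homeTenantId"].lower():
            findings.append("tenant-mismatch")
    # Cause 3: bot type and registration audience disagree.
    if bot_single != (app["signInAudience"] == "AzureADMyOrg"):
        findings.append("audience-mismatch")
    # Cause 4: no service principal for the app in the bot's tenant.
    if tenant and tenant not in [t.lower() for t in app["servicePrincipalTenants"]]:
        findings.append("service-principal-missing")
    return findings

# Constructed sample values (not from the thread): a multi-tenant registration
# paired with a bot that was switched to single tenant.
TENANT = "11111111-1111-1111-1111-111111111111"
APP = {"signInAudience": "AzureADMultipleOrgs", "homeTenantId": TENANT,
       "servicePrincipalTenants": [TENANT],
       "passwordCredentials": [{"endDateTime": "2026-06-01T00:00:00Z"}]}
BOT = {"MicrosoftAppType": "SingleTenant", "MicrosoftAppTenantId": TENANT}
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_bot_identity(BOT, APP, NOW))  # ['audience-mismatch']
```

An empty list means none of the four conditions was detected; it does not prove that the secret stored in the bot resource matches the one in the registration, since that value cannot be read back.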
-
Sridhar M • 2,525 Reputation points • Microsoft External Staff • Moderator
2025-12-02T12:05:30.0566667+00:00 Hi Joost Vagevuur | Barney Media
Did you get any chance to review the above response? Thank you!