401 Unauthorized "Authorization has been denied" error when messaging Bot in E5 Sandbox

Question

I am developing a Teams bot using the @microsoft/teams.apps SDK. While my bot successfully receives activities (verified via console logs), it fails with a 401 Unauthorized error every time it attempts to send a message back to Teams.

The code the causes the error:

app.on('message', async ({ send, activity }) => {
  await send({ type: 'typing' });
  await send(`you said "${activity.text}"`);
});

The Error:

[ERROR] @teams/app Request failed with status code 401

[ERROR] @teams/app /emea/c2e3254e-4ed5-4b5f-8740-092db2482ef2/v3/conversations/a:1WpTnxjd37Gea6hN81_Q3eLDq1TlmQFD3EVobwpJmIiELzdDPDU_T7P_fuzUiOdE76uBTG7R2MVmWHmjrdfb66UeK6rYxGaAr4pyu8d1zzafPAkfqur9nOxqnEG4RTEwr/activities

[ERROR] @teams/app {

[ERROR] @teams/app "message": "Authorization has been denied for this request."

[ERROR] @teams/app }

I am using the 365 Developer Program Sandbox account. To test if it is a problem with my code I just used one of the examples, "quote-agent", on the docs and deployed it using the toolkit but get the same error, the error appears specifically when it attempts to send a message back to the teams environment it is installed on and the toolkit gave me an additional error:

[2026-03-26T12:02:05.389Z] [Info] - check whether azure account is signed in.[2026-03-26T12:02:05.421Z] [Info] - subscription is not selected, try to select.[2026-03-26T12:02:05.586Z] [Error] - No subscription found with this tenant. Hover over your Azure account and click 'Switch' to change tenants.

Despite trying to link both the sandbox azure account and my own personal account separately.

I have been trying to fix this issue for a long time now and I am really stuck, any advice would go a long way, thank you.

EDIT: One thing to add which i suspect is contributing to the problem I cannot create an Azure Bot resource on the sandbox account as the azure account needs a subscription, which the sandbox account isn't allowed to have.

I have tried creating the azure bot resource/app registration both manually through my personal acc and sandbox acc as well as through the toolkit.

Answer 1

Hi Harrison Clements

I have reviewed your provided information and seem like You've correctly identified the root cause that the Microsoft 365 Developer Sandbox does not include an Azure subscription, which means you cannot create an Azure Bot resource within that tenant. The 401 error occurs because of a fundamental mismatch between the M365 Developer Sandbox and Azure Bot Service requirements.

In this context, I think you can try this approach:

Use two separate accounts: your personal Azure subscription for bot infrastructure, and the M365 sandbox for Teams sideloading.

Step 1: Create an Azure bot on your personal Azure account

1. Go to portal.azure.com signed in with your personal account.
2. Create a new Azure Bot resource
3. After creation, go to Configuration --> note the Microsoft App ID.
4. Go to Manage Password --> create a new Client Secret and save it.
5. Set the Messaging endpoint to your dev tunnel URL: https://<your-devtunnel>.devtunnels.ms/api/messages

Step 2: Configure your Bot code

Set the environment variables in your .env file:

BOT_ID=<Microsoft App ID from Step 1>
BOT_PASSWORD=<Client Secret from Step 1>
BOT_TYPE=MultiTenant
BOT_TYPE=MultiTenant

Step 3: Update the Teams app manifest

In your manifest.json, ensure the bot ID matches:

{
  "bots": [
    {
      "botId": "<Microsoft App ID from Step 1>",
      "scopes": ["personal", "team", "groupChat"]
    }
  ]
}

Step 5: Enable Sideloading on Sandbox

• In the Teams Admin Center (signed in with your sandbox admin account)
• Go to Teams apps --> Manage apps --> Org-wide app settings
• Enable Upload custom apps

Step 6: Run and Test

• Start your dev tunnel
• Run your bot locally
• Sideload the app to Teams in the sandbox tenant

You can try the approach above and let me know if the problem still persists

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

Answer 2

The 401 Unauthorized when the bot tries to send a reply indicates that the bot cannot obtain or use a valid access token for the Bot Framework/Teams service, even though it can receive activities.

From the provided context, there are two common root causes and resolutions for this pattern when using the newer Teams SDKs and Azure Bot Service:

1. Bot/service principal not correctly registered or linked in the tenant
   When the bot is configured as SingleTenant (msaAppType: 'SingleTenant') but the corresponding Microsoft Entra app registration does not yet have a service principal in the tenant, token acquisition fails with 401. The fix is to ensure the app registration backing the bot has a service principal in the same tenant where the bot runs. Steps:
   1. Sign in to Azure Portal for the same tenant where the bot is registered.
   2. Go to App registrations.
   3. Locate the app registration using the bot ID (the same ID configured in the bot/Teams app).
   4. In the app registration overview, check the Managed application in local directory field:
      • If a value is shown, a service principal already exists.
      • If it shows Create Service Principal, select that to create it.
   5. After the service principal is created, restart the bot application and test sending messages again.
   This resolves the 401 token errors described in the Missing Service Principal in the Tenant section.
2. Mismatch or misalignment between bot type and app registration tenant configuration
   Similar 401/"Authorization has been denied" errors also occur when the Azure Bot resource is configured as Single Tenant but the app registration or adapter configuration is effectively treating it as multi-tenant or using the wrong tenant. In the Q&A examples, the issue was resolved by:
   • Aligning the Azure Bot resource and the App registration to the same Single Tenant configuration, and
   • Updating the adapter/CloudAdapter initialization to match current SDK guidance so that the correct tenant ID and credentials are used when acquiring tokens.
   For a 365 Developer Sandbox, ensure:
   • The bot’s Azure Bot resource is Single Tenant and points to the sandbox tenant.
   • The app registration used by the bot is also single-tenant for that same sandbox tenant.
   • The credentials (client ID/secret or certificate) configured in the bot code match that app registration.
3. How to interpret the 401 from the bot APIs
   The Teams bot conversational APIs return 401 when the bot is not properly registered or authorized:
   • Status 401 – BotNotRegistered: “No registration found for this bot.”
     Developer action: verify the bot ID and password and ensure the bot ID is registered in Teams Developer Portal or via Azure Bot Channel Registration with the Teams channel enabled.
   In practice, for this scenario:
   • Confirm the bot ID in the Teams app manifest matches the Azure Bot and app registration.
   • Confirm the Teams channel is enabled on the Azure Bot.
4. What to do next in this specific sandbox scenario
   Based on the context and the errors:
   • Use the sandbox tenant’s Azure Portal (not a different personal tenant) to check the app registration and service principal as in step 1.
   • Ensure the Azure subscription and tenant selected in the Toolkit/VS Code match the sandbox tenant where the bot and app registration live.
   • After fixing the service principal/tenant alignment, redeploy or restart the bot and test sending a simple text reply.

If, after these steps, the bot still receives activities but cannot send, capture the exact HTTP 401 error body from the bot framework call (it should include codes like BotNotRegistered) and then re-verify bot ID, password/secret, and Teams channel enablement as described in the status code table.

---

References:

• Status codes from bot conversational APIs
• Authentication Troubleshooting
• Teams App / Bot 'Unauthorized' error when responding to an activity - Microsoft Q&A
• Issue with Azure BOT communication with Teams - Microsoft Q&A