Forum Discussion
Azure Bot (Teams) 401 ERROR on Reply - Valid Token, Manual SP, NO API Permissions, No Logs!
Hi all, I'm facing a persistent 401 Unauthorized when my on-prem bot app tries to send a reply back to an MS Teams conversation via the Bot Framework Connector. I have an open support request but nothing back yet.
Key details & what's NOT the issue (all standard checks passed):
- Authentication: client_credentials flow.
- Token: Acquired successfully, confirmed valid (aud: https://api.botframework.com, correct appid, not expired). Scope is https://api.botframework.com/.default.
- Config: Bot endpoint, App ID/Secret, MS Teams channel - all verified many times.
The UNUSUAL aspects (possible root cause?):
- Service Principal Creation Anomaly: The Enterprise Application (Service Principal) for my bot's App Registration was NOT automatically generated; I had to create it using a link on the app registration page (see screenshot below).
- Missing API Permissions: In the App Registration's "API permissions," the "Bot Framework Service" API (or equivalent Bots.Send permission) is NOT listed/discoverable, so explicit admin consent cannot be granted.
- Diagnostic Logs are Silent: Azure Bot Service diagnostic logs (ABSBotRequests table) do NOT show any 401 errors for these outbound reply attempts, only successful inbound messages.
Curl command (shows the exact failure):
```
curl -v -X POST \
  'https://smba.trafficmanager.net/au/<YourTenantID>/v3/conversations/<ConversationID>/activities' \
  -H 'Authorization: Bearer <YourValidToken>' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "message",
    "text": "Hello, this is a reply!"
  }'
# ... (curl output) ...
< HTTP/2 401
< content-type: application/json; charset=utf-8
< date: Tue, 01 Jul 2025 00:00:00 GMT
< server: Microsoft-IIS/10.0
< x-powered-by: ASP.NET
< content-length: 59
{"message":"Authorization has been denied for this request."}
```
After bot creation, the app registration has a link for creation of the service principal. Could this be an indication that the bot creation has not set up the internal "wiring" that allows my tokens to be accepted by the bot framework?
Any insights on why a seemingly valid and linked Service Principal would be denied, especially with the manual creation and missing API permission options, would be greatly appreciated! I'm stumped why logs aren't even showing the error.
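The token checks listed in the post (aud, appid, expiry) can be repeated offline by decoding the JWT payload, as in this added example, which is not part of the original post. The function names, the `app-1` client ID and the unsigned sample token are constructed assumptions, and the signature is not verified.

```python
import base64
import json
import time

EXPECTED_AUD = "https://api.botframework.com"  # audience quoted in the post


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_bot_token(token: str, app_id: str, now=None, skew=300) -> list:
    """Return a list of claim problems; an empty list means none were found."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != EXPECTED_AUD:
        problems.append(f"aud is {claims.get('aud')!r}, expected {EXPECTED_AUD!r}")
    # v1.0 tokens carry the client ID in 'appid', v2.0 tokens in 'azp'
    client = claims.get("appid") or claims.get("azp")
    if client != app_id:
        problems.append(f"client ID is {client!r}, expected {app_id!r}")
    if now >= claims.get("exp", 0):
        problems.append("token is expired (or has no exp claim)")
    if now + skew < claims.get("nbf", 0):
        problems.append("token is not yet valid (nbf is in the future)")
    return problems


def build_unsigned_token(claims: dict) -> str:
    """Constructed sample input only: an unsigned token for exercising the checks."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    sample = build_unsigned_token(
        {"aud": EXPECTED_AUD, "appid": "app-1", "nbf": 1000, "exp": 2000})
    print(check_bot_token(sample, "app-1", now=1500) or "claims look as expected")
```

Passing these checks only confirms the claims the post already lists; it says nothing about whether the Connector service accepts the token.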