Authorization denied when using MicrosoftAppCredentials for proactive messaging

[yashgandhi-32]

Hi team,

I have a SingleTenant Azure Bot registered in Azure Portal, with the Entra ID app set to Multitenant (accounts in any organizational directory).

Configuration:

MicrosoftAppType=SingleTenant
MicrosoftAppTenantId=
MicrosoftAppId=
MicrosoftAppPassword=

Problem:

Incoming messages work fine — CloudAdapter with ConfigurationServiceClientCredentialFactory validates and processes them correctly.

However, outgoing proactive messages fail with:

RestError: Authorization has been denied for this request.
This happens in ConversationService which uses ConnectorClient + MicrosoftAppCredentials to send birthday/anniversary notifications proactively.

Root cause I identified:

MicrosoftAppCredentials requests tokens from the /common endpoint by default, but SingleTenant bots must use the tenant-specific endpoint (login.microsoftonline.com/{tenant-id}/oauth2/token) as confirmed in this GitHub issue.

But how it will work when app is listed on teams APP store ? we are suing bot builder

[tracyboehrer]

Is this a Bot Framework SDK bot? If so, that SDK is no longer supported and you will need to migrate to Agents SDK.

[yashgandhi-32]

@tracyboehrer yes i can understand its not supported and will not have updates but it will still work right ?

[MattB-msft]

There have been some changes on the team's side that, and more coming that will require tenant scoped tokens.
We have taken care of this in the agents SDK's auth code, which is why @tracyboehrer is asking you to update.

That said, this looks like it's happening when trying to acquire the token from Azure Bot Service. When your agent sends the request to Azure Bot Service it needs to be tenant scoped... when your asking for an access token it can use the /common endpoint

[yashgandhi-32]

@MattB-msft Thanks

It's bit confusing lot has change under such big ecosystem without pproer details, i can se elot of people have same questions in different threads

Coculd you please share me piece of code from agents SDK's so i can review whats happening and can get exact idea .. what i can understand is you referring to if we try to access Graph API we need to have scoped tokens ?

[tracyboehrer]

Nothing has changed from BF SDK to Agents SDK around scope requirements. That is outside our control and just part of OAuth in general.

What has changed is how it was performed in each SDK. Where BF SDK used AppCredential derivatives, Agents SDK uses IAccessTokenProvider, which is accessed through IConnections.

BF SDK only supported OAuth (directly) via Dialogs.OAuthPrompt, where Agents SDK is more flexible and that support comes through AgentApplication.UserAuthorization. It's mostly config based. See the auto-signin or obo-authorization samples.

What is the same is both SDK's utilize the Azure Token Service, and that is highly dependent on the OAuth Connection setup on the Azure Bot. Though Agents SDK supports some features that BF SDK didn't, like OBO on a token.