Share via

Teams Bot not receiving messages — incoming requests from Teams returning 401 (Microsoft Agents SDK Python)

info 0 Reputation points
2026-05-01T13:16:15.4166667+00:00

Details:

Environment:

  • Microsoft 365 Agents Toolkit (Python)
  • Microsoft Agents SDK (microsoft-agents)
  • Azure App Service (Python 3.11, gunicorn + aiohttp)
  • Auth type: UserAssignedMSI
  • Teams channel enabled on Azure Bot Service

Problem:

A Teams bot deployed to Azure App Service receives no messages from Teams. The bot works correctly when tested via Test in Web Chat in the Azure Portal, but does not respond to messages sent from the Teams client.

Debugging steps taken:

To identify where the requests were failing, a request logger middleware was added before jwt_authorization_middleware to log all incoming requests and their response status codes:

@middleware
async def request_logger(req: Request, handler):
    print(f"[HTTP] {req.method} {req.path} from {req.remote}", file=sys.stderr)
    resp = await handler(req)
    print(f"[HTTP] {req.method} {req.path} -> {resp.status}", file=sys.stderr)
    return resp

app = Application(middlewares=[request_logger, jwt_authorization_middleware])

Logs observed:

When a message is sent from Teams, the requests return 401:

[HTTP] OPTIONS /api/messages from x.x.x.x -> 401

When tested via Test in Web Chat, the requests succeed:

[HTTP] POST /api/messages from x.x.x.x -> 202
[INFO] Message received | text='Hello'

Questions:

  1. Why does the Teams channel return 401 while Web Chat works correctly with the same bot endpoint and UserAssignedMSI configuration?
  2. This was working perfectly 2 days earlier.
Azure AI Bot Service
Azure AI Bot Service

An Azure service that provides an integrated environment for bot development.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anshika Varshney 10,145 Reputation points Microsoft External Staff Moderator
    2026-05-04T09:44:31.4+00:00

    Hi info,

    Thanks for sharing the details. This looks like a Teams channel authentication or configuration issue, not a problem with your bot code.

    If your bot works in Web Chat but not in Teams, it means your endpoint and bot logic are working fine. The issue is happening before the request reaches your bot.

    Teams uses stricter validation through Azure Bot Service. Every request must pass identity and token checks before it is forwarded. If validation fails, you will see 401 errors or no incoming requests at all.

    Why Teams returns 401 while Web Chat works

    Web Chat is more permissive and can work even if there are small gaps in authentication.

    Teams strictly validates App ID, tenant, and tokens. Any mismatch causes the request to be rejected before it reaches your bot. [youtube.com]

    Why it stopped working suddenly

    This usually happens due to small configuration changes such as expired credentials, App registration updates, managed identity changes, or tenant policy updates. Even a small mismatch can break Teams while Web Chat still works.

    What to check

    Check App ID alignment. Make sure the same App ID is used in Azure Bot, App registration, and Teams manifest.

    Example: If your App ID is abc123, it must match exactly in all three places.

    Check authentication setup. Make sure your auth type is correct and credentials are valid.

    Example: Client secret setup MICROSOFT_APP_ID and MICROSOFT_APP_PASSWORD must match App registration Secret should not be expired.

    Managed identity setup. Ensure identity is still assigned and has required permissions.

    Check Teams channel. Confirm Teams channel is enabled, and bot is installed with correct scope.

    Check endpoint Ensure endpoint is public, HTTPS, and points to /api/messages

    Example: https://yourapp.azurewebsites.net/api/messages

    Check logs. No logs mean request blocked before your bot 401 logs mean authentication issue.

    In short: This is not a code issue. It is a Teams authentication mismatch.

    Fixing App ID consistency and verifying authentication setup usually resolves it.

    Hope this helps. If you share your auth type, I can help you narrow it down further. Do let me know if you have any further queries.

    If this answers your query, please do click Accept Answer and Yes for was this answer helpful.

    Thankyou!

    0 comments
  2. Q&A Assist
    2026-05-01T13:16:47.4833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The behavior matches a channel-specific authentication or configuration issue on the Teams side, not a problem with the core bot logic.

    Key points from the context:

    • When a bot works in Web Chat but fails in another channel, the guidance is to treat it as a channel configuration issue, channel-specific behavior, or a channel outage.
    • For Teams, 401/Unauthorized errors are commonly caused by:
      • Bot registration or credentials not matching what the channel expects.
      • Missing or incorrect Service Principal for a single-tenant bot.
      • Misalignment between bot’s msaAppType/tenant configuration and the app registration.

    In this scenario:

    1. Why Teams returns 401 while Web Chat works with UserAssignedMSI Web Chat uses the Bot Framework service and the bot’s Azure Bot registration directly. If Web Chat works, the bot endpoint and MSI-based auth are valid for the Bot Framework. Teams, however, uses the Teams channel configuration and the Teams app registration path. A 401 from Teams while Web Chat succeeds indicates:
      • The Teams channel is calling the bot with credentials or tenant context that do not match the bot’s configured identity.
      • For single-tenant bots, if the Service Principal is missing in the tenant, token acquisition for Teams can fail with 401.
      • If the bot registration and app registration are not aligned (for example, bot set as single-tenant but app registration or Teams app is effectively multi-tenant, or vice versa), Teams calls can be rejected.
      The official guidance for similar 401 issues with single-tenant bots is:
      • Ensure the app registration used by the bot has a Service Principal created in the tenant.
      • Align the Azure Bot Service configuration and the App Registration authentication settings (for example, both single-tenant).
    2. Why it worked 2 days earlier and now fails From the context, there are two common patterns when something that was working suddenly starts failing with 401:
      • A change in tenant or app registration configuration, such as switching supported account types, changing msaAppType, or modifying the bot’s identity configuration.
      • A transient platform issue that was later fixed by a hotfix; however, in such cases, the guidance is to verify configuration and, if the issue persists, escalate.
      Given that Web Chat still works, the most likely cause is a configuration drift affecting only the Teams channel path:
      • The bot’s Teams channel registration or app registration may have been changed (tenant alignment, Service Principal, or auth settings) after it was working.
      • For single-tenant bots, if the Service Principal was missing or removed, Teams token acquisition can start failing with 401 even though Web Chat continues to work.

    Recommended checks based on the provided guidance:

    1. In Azure Portal → App registrations, locate the bot’s app registration (using the BOT_ID) and verify:
      • A Service Principal exists (Managed application in local directory is present). If not, create it and restart the app.
      • The supported account types and tenant configuration align with the Azure Bot Service msaAppType (for example, both single-tenant if that is the configuration).
    2. In the Azure Bot resource:
      • Confirm the Teams channel is enabled and the bot ID/password (or MSI identity) match the app registration.
      • If necessary, remove and re-add the Teams channel to reset channel configuration.
    3. If the configuration is correct and 401 persists only for Teams:
      • Treat it as a channel-specific issue and test with a simple echo bot or another channel to rule out a broader outage.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.