Bot Service returns 500 to all channel requests because it calls my bot endpoint with an access token that has no appid claim.

The issue you're experiencing, where the Bot Service returns a 500 error due to an access token that lacks the appid claim, can be attributed to several potential causes. Here are some steps and considerations to help troubleshoot and resolve the problem:

1. Check App Registration: Ensure that the app registration in Azure for your bot is correctly configured with the appropriate permissions and that the MicrosoftAppId and MicrosoftAppPassword are correctly set in your bot's configuration files (e.g., appsettings.json, .env, or config.py). The appid claim in the token should match the MicrosoftAppId.
2. Token Acquisition: Verify that the token being issued by the Bot Service is being generated correctly. The absence of the appid claim suggests that there may be an issue with how the token is being requested or generated. Ensure that the Bot Framework SDK is properly set up to request the token with the correct parameters.
3. Redeploy and Validate: Since you've already regenerated the client secret and redeployed the bot, ensure that the deployment process correctly includes all necessary configuration files and environment variables. Double-check that the bot is running the latest version of the code with the updated credentials.
4. Enable Application Insights: If you haven't already, enable Application Insights for your bot. This can provide more detailed logs and telemetry data that may help identify where the failure is occurring in the token acquisition process.
5. Check for Configuration Errors: Review the configuration settings in the Azure portal for your bot service. Ensure that there are no typos or misconfigurations that could lead to the Bot Service not sending the correct token.
6. Consult Documentation: Refer to the official Microsoft documentation for troubleshooting authentication issues with the Bot Framework. This may provide additional insights or steps specific to your situation.

If these steps do not resolve the issue, consider reaching out to Microsoft support for further assistance, as they can provide more in-depth analysis based on your specific configuration and logs.

References:

• Troubleshoot bot configuration issues
• Troubleshoot HTTP 500 Internal Service Errors

Hi Catalin George Paraschivescu

Sorry for the delay in response. I have tried to analyze above error trace and symptoms.

Here is analysis and recommendation.

Issue Summary

Your bot (Azure Bot Service + Direct Line) returns HTTP 500 for all channel requests. Diagnostic logs show entries like StartConversationClientToDirectLine, but no PostActivityToBotEndpoint with a valid BotAppId.\ Bot logs confirm every POST from Bot Service fails with 401 Unauthorized because the incoming token has:

app_id=None
aud=f3026662-478d-454a-85b9-4d5911d57969

The resource is configured with the correct App ID and secret, yet Bot Service calls our endpoint with a token missing the appid claim.

Root Cause

• Bot Service issues v2 tokens, which do not include appid.
• In v2 tokens:
  • Caller App ID is in the azp (Authorized Party) claim.
    • Audience (aud) equals your bot’s App ID (GUID).
    • If your bot’s validation logic expects appid and ignores azp, it will reject all requests.

This is by design: Microsoft identity guidance says not to hard-depend on specific claims. V2 tokens legitimately omit appid.

Resolution

Update your bot’s token validation to support v2 tokens:

If using Bot Framework SDK

• Use the built-in authentication (BotFrameworkHttpAdapter / BotFrameworkAuthentication).
• Upgrade to the latest SDK packages (Microsoft.Bot.Connector.Authentication, Microsoft.Bot.Builder).
• The SDK automatically checks azp for v2 and appid for v1.

If using custom JWT validation

• Validate:
  • Signature & issuer against Bot Framework OpenID metadata.
  • Audience (aud) matches your bot’s App ID.
• For caller App ID:
  • Read azp first; fall back to appid if present.
• Do not fail because appid is missing.

Example (.NET):

string callerAppId = JwtTokenValidation.GetAppIdFromClaims(claims);
string audience = claims.FirstOrDefault(c => c.Type == "aud")?.Value;
if (audience != Environment.GetEnvironmentVariable("MicrosoftAppId"))
{
    throw new UnauthorizedAccessException("Invalid audience for bot endpoint.");
}

Checklist

1. Confirm your bot uses the correct App ID and secret in environment variables.
2. Decode an incoming token (jwt.ms) → expect ver=2.0, aud=<your bot App ID>, azp=<caller App ID>.
3. Switch to SDK defaults or update custom validation logic.

Why not Force Appid?

Bot Service aligns with Microsoft Entra v2 standards. azp replaces appid in v2 tokens. Forcing appid would break modern token flows.

References

• https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-authentication
• https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
• https://github.com/microsoft/botbuilder-dotnet

Hope it helps address the issue.

Thank you.