CloudAdapter in-turn replies 401 Unauthorized

Mali, Priyanka (Ext) 0 Reputation points
2025-12-01T11:34:26.63+00:00

Hello,

We are migrating an MS Teams application, which is written in Node.js/Express, from the Azure SDK to the Microsoft 365 agent.

After migrating the index.js file to use the new auth changes mentioned in the migration article for Azure, we are getting a 401 Unauthorized error.

Tried all the possible solutions but no luck.
Article - https://learn.microsoft.com/en-us/microsoft-365/agents-sdk/bf-migration-nodejs?tabs=before
Error - Adapter process failed: Error: Unknown error type: Request failed with status code 401""
    at CloudAdapter.runMiddleware (C:\VirtualAssistant\nic-core\node_modules@microsoft\agents-hosting\dist\src\baseAdapter.js:131:27)
    at process.processTicksAndRejections (c:\VirtualAssistant\lib\internal\process\task_queues.js:95:5)
    at async CloudAdapter.process (C:\VirtualAssistant\nic-core\node_modules@microsoft\agents-hosting\dist\src\cloudAdapter.js:245:9)
    at async C:\VirtualAssistant\nic-core\index.js:160:7 {stack: 'Error: Unknown error type: Request failed wit…:\VirtualAssistant\nic-core\index.js:160:7', message: 'Unknown error type: Request failed with status code 401""'}
Env

MicrosoftAppType="MultiTenant"
clientId="xyz"
clientSecret="xyz"
tenantId="xyz"
Microsoft Teams | Development

5 answers

  1. Q&A Assist
    2025-12-01T11:34:38.7633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The 401 Unauthorized error you are encountering when using the CloudAdapter in your migrated MS Teams application could be due to several reasons related to authentication issues. Here are some steps you can take to troubleshoot this error:

    1. Check App Registration: Ensure that your application is correctly registered in Azure Active Directory. Verify that the clientId, clientSecret, and tenantId are correctly configured in your environment variables.
    2. Service Principal: If your application is a single-tenant Azure Bot Service, make sure that it is linked to a Service Principal in the tenant. You can check this in the Azure Portal under App Registrations. If a Service Principal does not exist, create one.
    3. Token Scope: Ensure that the token you are using has the correct scopes. For Microsoft Teams applications, the required scope should typically include https://api.botframework.com/.default.
    4. Environment Variables: Double-check that the environment variables are being loaded correctly in your application. You can log these variables to ensure they are set as expected.
    5. Authentication Type: Since you are using MultiTenant, ensure that your application is configured to allow multi-tenant access in the Azure Portal. This can be found under the Supported account types section of your app registration.
    6. Error Handling: Implement error handling in your code to capture and log more detailed error messages. This can help identify the root cause of the 401 error.

    If you have verified all of the above and are still facing issues, consider reviewing the migration documentation for any additional configuration steps that may have been missed.



  2. Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator
    2025-12-01T12:52:28.5933333+00:00

    Hi Mali, Priyanka (Ext),

    Thank you for posting your question in the Microsoft Q&A forum. 

    Based on your description and the migration article you’re following, you’ve updated the authentication passed to CloudAdapter as follows:

    Bot Framework SDK (before):

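    // Bot Framework SDK: both classes come from the botbuilder package.
    const { CloudAdapter, ConfigurationBotFrameworkAuthentication } = require('botbuilder');
    const botFrameworkAuthentication = new ConfigurationBotFrameworkAuthentication(process.env);
    const adapter = new CloudAdapter(botFrameworkAuthentication);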
    

    Microsoft 365 Agents SDK (after):

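    // Agents SDK: the adapter and the env loader come from @microsoft/agents-hosting.
    const { CloudAdapter, loadAuthConfigFromEnv } = require('@microsoft/agents-hosting');
    const authConfig = loadAuthConfigFromEnv();
    const adapter = new CloudAdapter(authConfig);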
    

    I verified the behavior of loadAuthConfigFromEnv(). This helper does not explicitly carry an “AppType” (multi‑tenant vs single‑tenant) flag; instead, it infers tenancy from the presence of tenantId in your environment variables:

    • No tenantId present > interpreted as Multi‑tenant.
    • tenantId present > interpreted as Single‑tenant.

    From your environment, it looks like your existing bot is most likely multi‑tenant, but you still have a tenantId configured. That causes loadAuthConfigFromEnv() to build a single‑tenant AuthConfiguration, which the CloudAdapter then uses to acquire wrong access tokens.

    Additional note: Microsoft has deprecated new multi‑tenant bot creation after July 31, 2025. Existing multi‑tenant bots continue to function. If your scenario relies on multi‑tenant behavior and you already have a working multi‑tenant bot, removing tenantId in the environment is the appropriate path. If you intend to migrate to single‑tenant, try creating a new Single‑tenant Azure AD (Microsoft Entra) app registration > Update your bot’s configuration to use the new clientId, clientSecret, and tenantId associated with that single‑tenant app. This avoids 401 errors caused by stale or cached registration data and ensures your tokens are issued by the correct authority for single‑tenant operation.

    I hope this helps resolve the 401 you’re seeing.


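The tenancy rule described in the answer above, written out as a startup check (an added example, not code from the answer or from the Agents SDK). `isSet`, `inferTenancy` and `checkAuthEnv` are hypothetical helpers that model the rule as stated there, assume a blank `tenantId` counts as unset, and report only whether each credential is present, never its value.

```javascript
// Added example: models the rule as the answer states it; not the SDK's code.
// Variable names are the ones shown in the question's environment.

// Assumption: undefined, empty and whitespace-only values count as "not set".
function isSet(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

// tenantId present => single-tenant, absent => multi-tenant.
function inferTenancy(env) {
  return isSet(env.tenantId) ? 'SingleTenant' : 'MultiTenant';
}

// Hypothetical preflight check to run before constructing the adapter.
function checkAuthEnv(env) {
  const findings = [];
  const declared = isSet(env.MicrosoftAppType) ? env.MicrosoftAppType.trim() : null;
  const inferred = inferTenancy(env);

  for (const name of ['clientId', 'clientSecret']) {
    if (!isSet(env[name])) findings.push(`${name} is missing or empty`);
  }
  // Only the two tenancy values are compared; other app types are left alone.
  const comparable = ['singletenant', 'multitenant'];
  if (declared && comparable.includes(declared.toLowerCase()) &&
      declared.toLowerCase() !== inferred.toLowerCase()) {
    const state = isSet(env.tenantId) ? 'is set' : 'is not set';
    findings.push(`MicrosoftAppType=${declared} but tenantId ${state}; treated as ${inferred}`);
  }
  if (typeof env.tenantId === 'string' && !isSet(env.tenantId)) {
    findings.push('tenantId is defined but blank; unset it rather than leave it empty');
  }
  // Report presence only, never the credential values themselves.
  const summary = {
    declared,
    inferred,
    hasClientId: isSet(env.clientId),
    hasClientSecret: isSet(env.clientSecret),
    hasTenantId: isSet(env.tenantId),
  };
  return { ok: findings.length === 0, findings, summary };
}

// Constructed sample mirroring the question's environment (placeholder values).
const sampleEnv = {
  MicrosoftAppType: 'MultiTenant', clientId: 'xyz', clientSecret: 'xyz', tenantId: 'xyz',
};
console.log('Auth config check:', JSON.stringify(checkAuthEnv(sampleEnv), null, 2));
```

Run against `process.env` at startup in each environment, the check shows in the log whether a `tenantId` setting is still defined there.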


  3. Mali, Priyanka (Ext) 0 Reputation points
    2025-12-03T12:15:16.5766667+00:00

    I have another question.

    We are actually using tenantId across our code, so we indeed require this. If we change our app type to SingleTenant, what will be the process?
    Will the URLs and IDs for our app get changed?


  4. Mali, Priyanka (Ext) 0 Reputation points
    2025-12-03T15:16:50.8733333+00:00

    Thank you for your quick response. If I have any further questions, I will reach out to you!!

    Once again, thank you for your kind help and support!!


  5. Mali, Priyanka (Ext) 0 Reputation points
    2025-12-05T14:08:33.4333333+00:00

    Hi, thank you for checking back. I am following the MultiTenant approach. As suggested, I removed the tenantId from the env and tested; I was no longer getting 401 locally.

    When I deployed the changes to our DEV env, it started giving me 401 issues.
    Attaching the DEV env for your reference.
    Below are the error logs from Azure.
    Auth config loaded: { hasAppId: true, hasAppPassword: true }

    Server listening to port 3978

    Get Bot Framework Emulator: https://aka.ms/botframework-emulator

    To talk to your bot, open the emulator select "Open Bot"

    Processing message request...

    user channel mapping2

    Channel in user mapping msteams

    detect api success: {"kind":"LanguageDetectionResults","results":{"documents":[{"id":"documentId","warnings":[],"detectedLanguage":{"name":"English","iso6391Name":"en","confidenceScore":1}}],"errors":[],"modelVersion":"2024-11-01"}}

    Adapter process failed: Error: Unknown error type: Request failed with status code 401{"message":"Authorization has been denied for this request."}

    at CloudAdapter.runMiddleware (C:\home\site\wwwroot\node_modules\@microsoft\agents-hosting\dist\src\baseAdapter.js:118:27)

    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

    at async CloudAdapter.process (C:\home\site\wwwroot\node_modules\@microsoft\agents-hosting\dist\src\cloudAdapter.js:300:9)

    at async C:\home\site\wwwroot\index.js:161:7

