Share via

"Authorization has been denied for this request" - Bot Framework REST API returns this error despite a successful access token retreival

Nithish 20 Reputation points
2025-12-05T09:46:17.3+00:00

Hello,

We’re encountering an issue with sending proactive messages to Microsoft Teams. We have multiple tenants, and in one of them the REST API works correctly. The app registration is multi-tenant, and we obtain the access token from https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token, which works without any problems.

However, in another tenant the same flow fails with "Authorization has been denied for this request", even though we are still able to retrieve the access token. After decoding both tokens, everything matches except for the tid.

I also tried switching the app to single-tenant and requesting the token from https://login.microsoftonline.com/<my-tenant-id>/oauth2/v2.0/token. This returns a valid token, but using it to send a proactive message results in the same authorization error.

My understanding from recent documentation is that multi-tenant bot creation has been deprecated and bots should now migrate to a single-tenant model. Does this also apply to bots created in the Developer Portal? The Bot Framework REST API documentation doesn’t explicitly mention any changes:

https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-authentication?view=azure-bot-service-4.0&tabs=multitenant#bot-to-connector

I could also see multiple users facing the same issue, so is there a bug that is currently preventing some tenants from using the service?

Microsoft Teams | Development
Microsoft Teams | Development
Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-12-05T09:46:32.2733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The error message "Authorization has been denied for this request" typically indicates that there is an issue with the token being used for authentication. Since you mentioned that the access token retrieval is successful and the tokens match except for the tenant ID (tid), this suggests that the token may not be valid for the tenant you are trying to send the proactive message to.

    Here are some points to consider:

    1. Tenant ID Mismatch: The tid in the access token must match the tenant ID of the Microsoft Teams environment you are trying to access. If the tid does not match, the authorization will fail even if the token is valid for another tenant.
    2. Single-Tenant vs Multi-Tenant: You mentioned switching to a single-tenant model. If your bot is registered as single-tenant, it will only work with users from the same tenant. Ensure that the bot's app registration is correctly configured for the tenant you are targeting.
    3. Proactive Messaging Requirements: When sending proactive messages, ensure that you are using the correct service URL and that you have called MicrosoftAppCredentials.TrustServiceUrl before sending the message. This is crucial for authorization to succeed.
    4. Documentation Updates: As for the deprecation of multi-tenant bot creation, it is advisable to follow the latest guidelines provided in the documentation. If you are using a multi-tenant setup, consider migrating to a single-tenant model as recommended.
    5. Common Issues: Since multiple users are facing the same issue, it could be beneficial to check if there are any known service issues or bugs affecting the Bot Framework in the specific tenant.

    If the problem persists, you may want to review the authentication flow and ensure that all configurations are set correctly according to the latest documentation.

    0 comments
  2. Steven-N 14,835 Reputation points Microsoft External Staff Moderator
    2025-12-05T11:39:14.6366667+00:00

    Hi Nithish

    Thank you for reaching out to Microsoft Q&A forum

    Based on your description, I understand you can successfully obtain access tokens (both from botframework.com and a tenant‑specific authority), but posting proactive messages to the Bot Framework Connector for Microsoft Teams fails with “Authorization has been denied for this request.” And now you want clarity on

    1. Whether the deprecation of multi‑tenant bot creation also applies to bots created in the Teams Developer Portal
    2. Whether a service bug is preventing some tenants from using proactive messaging.

    Regarding your first question: Does this also apply to bots created in the Developer Portal?

    Based on my research, the answer is YES, the deprecation covers new multi‑tenant bot creation across Azure Bot Service, including flows initiated from the Teams Developer Portal/Teams Toolkit. After 2025‑07‑31, attempts to create a multi‑tenant bot in those experiences return the explicit 400 error: “Multitenant bot creation is deprecated. Please use SingleTenant or UserAssignedMSI.”

    So, in this situation, you should register new bots as Single‑Tenant (or User‑Assigned Managed Identity) and then distribute cross‑tenant by publishing your Teams app to AppSource/Teams Store. Other tenants can install and use the app even though the bot identity is single‑tenant, however, service‑to‑service auth for the Bot Connector must come from your bot’s home tenant authority.

    You can read here for more information:

    https://github.com/OfficeDev/microsoft-365-agents-toolkit/issues/14385

    https://github.com/microsoft/Agents/issues/216

    https://learn.microsoft.com/en-us/azure/bot-service/bot-service-quickstart-registration?view=azure-bot-service-4.0&tabs=multitenant#supported-app-types

    Regarding your second question: Is there a bug preventing some tenants from using the service?

    From my perspective view, there is no documented, tenant‑wide service bug affecting proactive messaging in Microsoft Teams. The recurring 401/403 “Authorization has been denied” responses are typically caused by configuration and authentication issues, including acquiring the Bot Connector token from the wrong authority for single‑tenant bots (use your home‑tenant endpoint with scope https://api.botframework.com/.default), failing to trust the current serviceUrl from the latest conversation reference before sending, and app availability controls as states in this document

    Hope my answer will help you, for any further concern, kindly let me know in the comment section.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.