Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Allow Always" API Access Not Working in Microsoft Teams Copilot Declarative Agent #13304

Open
ahmedjarada opened this issue Feb 26, 2025 · 3 comments
Open

"Allow Always" API Access Not Working in Microsoft Teams Copilot Declarative Agent #13304

ahmedjarada opened this issue Feb 26, 2025 · 3 comments
Assignees
@SLdragon
Labels
investigating needs more info Need user to provide more info TA:Auth Team Area: Auth

Comments

@ahmedjarada
Copy link

ahmedjarada commented Feb 26, 2025
edited
Loading

"Allow Always" API Access Not Working in Microsoft Teams Copilot Declarative Agent

Issue Summary

When configuring an OpenAPI-based API in a Microsoft Teams Copilot Declarative Agent, API requests function correctly when "Allow Once" is selected. However, when "Allow Always" is chosen, subsequent API calls fail, preventing the agent from accessing the API persistently.

Steps to Reproduce

  1. Configure a Copilot Declarative Agent with an API-based plugin using an OpenAPI document.
  2. Ensure the API has proper authentication (OAuth2, Bearer Token) and is accessible, my case is no authentication (CORS only)
  3. Run a command in the Copilot Agent that triggers an API request.
  4. When prompted by Teams, select "Allow Once" → API works as expected.
  5. Repeat the process and select "Allow Always" when prompted.
  6. Try the same API call again → API request fails.

Expected Behavior

  • When "Allow Always" is selected, API requests should continue working without additional permission prompts.

Actual Behavior

  • API requests fail after choosing "Allow Always".
  • Selecting "Allow Once" allows the API call to work only for that session but not persistently.
  • No explicit error message appears in Teams, but F12 (DevTools) > Network Tab shows failed API requests.

Potential Causes

  • Permission Caching Bug: Teams might not be properly caching the persistent API access setting.
  • CORS/Access Control Policies: The API may reject requests when called persistently under "Allow Always" but not under "Allow Once".
  • Copilot Plugin Scopes Issue: Teams might not be storing the authorization scope for persistent API access.

Workarounds Attempted

  • Cleared permissions and reauthorized API → No effect.
  • Manually added API to Allowed APIs list in Copilot manifest → No effect.
  • Tested API with Postman (works fine, so API itself is not the issue).
  • Restarted Teams & reinstalled Copilot Agent → No change.

Environment Details

  • Copilot Declarative Agent: (09d4adba-7817-42c2-a01e-1a132f69d3ea)
  • API Type: OpenAPI Azure Function App hosted in Azure (Rest API)
  • Authentication Type: None

Priority & Impact

🔴 High Impact – This issue prevents persistent API access, forcing users to reauthorize every session, which is not a scalable solution for enterprise integrations.

Next Steps

  • Could Microsoft Teams engineering confirm whether persistent API authorization is cached correctly in Copilot Declarative Agents?
  • Is there a way to force Request Access or Missing Permission for "Allow Always" in API-based plugins?
  • Can Teams provide logs or error messages when an API fails under "Allow Always"?

**Workaround Needed: ** Immediate fix or confirmation on expected behavior.
@microsoft-github-policy-service microsoft-github-policy-service bot added the needs attention This issue needs the attention of a contributor. label Feb 26, 2025
@teams-toolkit-assistant teams-toolkit-assistant
Copy link

👋 Hi @ahmedjarada,

Thank you for reporting this issue! We want to let you know that:

⏱️ Our team will personally review your issue
🎯 You can expect a response within 2 business days

✨ This is an AI-generated initial response
🤖 AI-Generated Preliminary Analysis:

Based on your detailed bug report regarding the "Allow Always" API access issue in Microsoft Teams Copilot Declarative Agent, here are some potential troubleshooting steps and considerations:

Key Points from Your Report:

  1. Issue Summary: API requests fail when "Allow Always" is selected, but work with "Allow Once".
  2. Steps to Reproduce: Clear and reproducible steps indicating the problem.
  3. Expected vs. Actual Behavior: Highlights the discrepancy in API access persistence.
  4. Potential Causes: Identified possible causes such as permission caching and CORS policies.
  5. Workarounds Attempted: Detailed attempts to resolve the issue.

Potential Troubleshooting Steps:

  1. Check Teams Toolkit Version:

  2. Review OpenAPI Document:

    • Ensure the OpenAPI document adheres to the supported specifications (avoid using OpenAPI 3.1.0 as it is not fully supported yet).
    • GitHub Issue on OpenAPI 3.1.0

  3. Authentication and Permissions:

    • Verify that there are no underlying issues related to API permissions and CORS policies.
    • Double-check if the API endpoints are accessible without authentication as expected.

  4. Developer Tools and Network Tab:

    • Use the F12 Developer Tools in Teams to monitor Network requests and identify any specific errors or denied requests.
    • Capture and analyze the request and response headers for any discrepancies.

  5. Manifest and Scopes:

    • Ensure that the Copilot Declarative Agent manifest includes the proper permissions and scopes.
    • Manually verify and update the allowed APIs list if necessary.

  6. Test in Different Environments:

    • Test the Copilot Declarative Agent in different Teams environments (e.g., web, desktop, mobile) to see if the issue persists.

  7. Logs and Support:

Next Steps and Recommendations:

  1. Confirm Persistent API Authorization:

    • Raise the issue with Microsoft Teams engineering to confirm if persistent API authorization is cached correctly in Copilot Declarative Agents.
    • Submit an Issue on GitHub

  2. Request Access or Missing Permissions:

    • Investigate if there is a mechanism to force "Request Access" or handle "Missing Permissions" for "Allow Always".

  3. Logs and Error Messages:

    • Request specific logs or error messages from Microsoft to understand why the API fails under "Allow Always".

Reference Links:

If you need further assistance or if the issue persists, consider providing additional logs or reaching out to Microsoft support for a more in-depth investigation.

Note: This is an automated first response generated by AI. A human team member will review your issue and provide a more detailed response soon. We appreciate your patience!

@Nivedipa-MSFT
Copy link

Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

@adashen adashen added investigating TA:Auth Team Area: Auth labels Feb 27, 2025
@SLdragon
Copy link
Contributor

Hi, @ahmedjarada , I tried the "Allow Always" button, and it worked fine for me. You can check the video below.

You can try provision your project again and if you're still experiencing issues, please share any error logs so I can help you troubleshoot. Thanks!

test-video.mp4

@adashen adashen added needs more info Need user to provide more info and removed needs attention This issue needs the attention of a contributor. labels Mar 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SLdragon SLdragon

Labels
investigating needs more info Need user to provide more info TA:Auth Team Area: Auth
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@adashen @SLdragon @ahmedjarada @Nivedipa-MSFT