Echo Bot 401 when POST to conversation endpoint

[li3]

Describe the bug
Using @microsoft/agents-hosting:0.2.14 I have the echo express example deployed as a docker container in Azure Containers. I have a bot service configured to point to the /api/messages endpoint of the container, and a teams app side loaded into teams. When I send a message to the bot through teams I can see the request is received by the server, but, when it tries to reply: POST https://smba.trafficmanager.net/amer/{tenant}/v3/conversations/{id}/activities/{id} I receive a 401.

All resources were created manually.

To Reproduce

Azure: App Registration

0. Setup a new Azure Tenant
1. Create a new App Registration
2. Set to "Accounts in any organizational directory" (Multitenant)
3. Create a client secret
4. Create a Service Principal for the App Registration in the Tenant

Teams App

At dev.teams.microsoft.com

1. Create a new teams app
2. On Basic Information, set the application client id of the app registration
3. In App features, select Bot
4. Check "Enter a bot ID"
5. Use application client id of the app registration
6. Check "personal", "team", "group chat"

Azure: Create Container

Note

In my actual environment I won't be able to use the toolkit so I've setup a fresh Azure tenant/environment where I have full rights to experiment.
One requirement of my real environment will be running the bot code in a docker container.

0. Use vscode to create echo example with Microsoft 365 Agent Toolkit
1. Create ACR
2. Create Dockerfile (note I used Bun here)
3. Deploy Container Image
4. Create Container App
5. Use image
6. Set tenantId env var
7. Set clientId env var (to application client id of the app registration)
8. Set clientSecret env var (to the secret created earlier)
9. Set BUN_CONFIG_VERBOSE_FETCH=curl (I'm using bun and this lets me see the http requests)
10. Set ingress target port
11. Allow all public traffic

Azure: Bot Service

1. Create a Bot Service
2. Set messaging endpoint to {ingress_host}/api/messages
3. Set Multi Tenant as bot type
4. Set Use existing app registration, use application client id created earlier
5. Go to channels, add microsoft teams

Teams: Dev Portal

1. Fill out the manifest.json via app package editor
2. Add *.botframework.com to validDomains
3. Save and update
4. Click preview in teams

Teams opens, adds the bot correctly, and allows me to send messages.

When a message is sent via teams, the container application does the following:

1. GET to keys:

curl --http1.1 "https://login.botframework.com/v1/.well-known/keys" -H "Connection: keep-alive" -H "User-Agent: Bun/1.2.14" -H "Accept: */*" -H "Host: login.botframework.com"

Receives 200 OK

2. POST to login:

curl --http1.1 "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?client-request-id={some_guid}" -X POST -H "content-type: application/x-www-form-urlencoded;charset=utf-8" -H "Connection: keep-alive" -H "User-Agent: Bun/1.2.14" -H "Accept: */*" -H "Host: login.microsoftonline.com"

Receives a 200 OK

3. POST to conversation endpoint

curl --http1.1 "https://smba.trafficmanager.net/amer/{tenant}/v3/conversations/{some_id}/activities/{another_id}" -X POST -H "accept: application/json" -H "accept-encoding: gzip, compress, deflate, br" --compressed -H "authorization: Bearer {token_from_step_two}" -H "content-type: application/json" -H "user-agent: agents-sdk-js/0.2.14 nodejs/v22.6.0 linux-x64/5.15.164.1-1.cm2" -H "Connection: keep-alive" -H "Host: smba.trafficmanager.net" -H "Content-Length: 729" --data-raw "{body_json}"

Receives a 401 Unauthorized

---

Expected behavior
I expect the POST call to succeed

VS Code Extension Information (please complete the following information):

• OS: Windows 11
• Version: teamsdevapp.ms-teams-vscode-extension, v6.0.0

CLI Information (please complete the following information):

• OS: [e.g. iOS8.1]
• Version [e.g. 22]

Additional context
I can see the bearer token and decode it:

{
  "aud": "https://api.botframework.com",
  "iss": "https://sts.windows.net/{tenant_id}/",
  "iat": 1748165045,
  "nbf": 1748165045,
  "exp": 1748168945,
  "aio": "k2RgYPBZclkkK0fkzU6Dg5xvDrEWAwA=",
  "appid": "{app_id_created_earlier}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenant_id}/",
  "idtyp": "app",
  "oid": "{object_id_of_the_app_id}",
  "rh": "1.AXEBnhVh8SGIdkuSmIgBsTrfgEIzLY0pz1lJlXcODq-9FrzYAQBxAQ.",
  "sub": "{object_id_of_the_app_id}",
  "tid": "{tenant_id}",
  "uti": "nnurGfdHBUW-pm2exUX_AA",
  "ver": "1.0",
  "xms_ftd": "SOic9aTNQmAj2uR-k3mvjm3JwsOxdWpgABGgrF-1zngBdXNlYXN0LWRzbXM",
  "xms_idrel": "7 30",
  "xms_rd": "0.42LjYBJi-sgkJMLBLiSw8VxOdubnG64LZF7YnvDNlAOKcgoJMKABoCiHkICTsW6v5vlIz6nlfHzr94rtAQA"
}

By my best guess, it looks like the token is correct, and the plumbing required to get Teams -> Bot Service -> My Adapter Code is all working correctly. My reply from my container is where things fall apart. At a guess, I need to grant the App Registration some set of permissions, but I cannot find any documentation on what exactly those should be. Allowing Teams dev portal, or M365 Agent Toolkit create the App Registration does not show any differences between the one I created manually and the ones they created. Further I get the same issue if I let M365 Create the majority of resources.

[m365-agent-toolkit-assistant]

👋 Hi @li3,

Thank you for reporting this issue! We want to let you know that:

⏱️ Our team will personally review your issue
🎯 You can expect a response within 2 business days

✨ This is an AI-generated initial response
🤖 AI-Generated Preliminary Analysis:

Known Issues & Common Workarounds

Common Issue: Unauthorized (401) Errors when Bot Attempts to Reply

1. Problem: The issue often lies with incorrect bot credentials or missing permissions.
2. Common Causes:
   • Incorrect Bot Id and Bot Password in your application configuration.
   • Inadequate Microsoft Graph API permissions for the bot.

Recommended Steps to Resolve

Ensure Correct Bot Credentials:

var credentials = new MicrosoftAppCredentials("YourAppId", "YourAppPassword");
var connectorClient = new ConnectorClient(new Uri(serviceUrl), credentials);

Trust Service URL:

MicrosoftAppCredentials.TrustServiceUrl(serviceUrl, DateTime.MaxValue);

Assign Necessary Permissions:

• Permissions needed:
  • Bot Framework Channel Emulator
  • Microsoft Graph API
  • Ensure that you have proper scopes like User.Read etc. defined in Azure App Registration.

Checklist for Azure App Registration

1. App Registration:
   • Go to Azure Portal.
   • Find your app under App registrations.
2. API Permissions:
   • Add required API permissions (Azure Microsoft Graph required permissions).

Further Resources

• Setup Azure Bot Service: Create an Azure Bot
• Necessary Graph Permissions: Ensure necessary Graph permissions are added for your bot to access data.

Following these steps should address any common issues related to 401 Unauthorized errors when the bot tries to reply. If the issue persists, consider checking your bot's configuration against the Microsoft Bot Framework documentation for any other required settings.

✨We'd love your feedback! Please take a moment to fill out our survey.

---

Note: This is an automated first response generated by AI. A human team member will review your issue and provide a more detailed response soon. We appreciate your patience!

[li3]

Update, I got this working for a Single Tenant app registration. I'd like to learn how to make this work for Multi Tenant, but I haven't been able to figure out what's needed regardless of the tutorials I've found.

For example these were the steps I followed which resulted in the 401:
https://learn.microsoft.com/en-us/microsoftteams/platform/sbs-bots-with-sso?source=recommendations&tabs=dev&tutorial-step=3

[Prasad-MSFT]

We run below REST API, and it sent message successfully without any error.
POST https://smba.trafficmanager.net/teams/v3/conversations/{conversationId}/activities