Hello Siegelman, David - Xylem,
Welcome to Microsoft Q&A. Thank you for reaching out.
The error indicates an authorization failure during agent execution when the AI bot is accessed from Microsoft Teams. Although the bot is successfully loaded in Teams, the backend request to the Azure AI agent fails because the project managed identity does not have the required data‑plane permission to perform agent operations.
Agent creation, update, and execution in Azure AI Foundry are protected by role‑based access control (RBAC) at the data plane. When the required permission is missing, the request is blocked and results in the following error:
Microsoft.CognitiveServices/accounts/AIServices/agents/write
This behavior is not related to guardrails, Teams security policies, or network restrictions. It is caused by an incomplete RBAC configuration on the Azure AI resource or project.
This error occurs because, when a message is sent from Microsoft Teams, the bot invokes the Azure AI agent using a managed identity (system‑assigned or user‑assigned). If that managed identity does not have a role that includes the agents/write data action, the authorization check fails at runtime.
Only specific built‑in roles include this permission. The recommended and supported role for agent execution is Azure AI User. Assigning Contributor, Owner, or project roles alone does not reliably grant agent data‑plane permissions.
Follow the steps below to resolve the issue:
1. Identify the managed identity used by the bot.
   - For App Service, Function App, or Container App hosting the bot:
     - System‑assigned identity appears under Identity → System assigned
     - User‑assigned identity appears under Identity → User assigned
   - Note the exact managed identity name
2. Open the Azure AI resource.
   - Navigate to the Azure AI (Cognitive Services / Foundry) resource associated with the agent
   - Select Access control (IAM) from the left navigation
3. Assign the required role.
   - Select Add > Add role assignment
   - Choose the role Azure AI User
   - Under "Assign access to", select Managed identity
   - Select the identified managed identity
   - Complete the role assignment
4. Verify and retest.
   - Allow a short time for role propagation
   - Invoke the bot again from Microsoft Teams
   - If the error persists, please confirm:
     - The correct managed identity was selected
     - The role was assigned at the Azure AI resource or project scope
     - The bot runtime is using the same managed identity
Please note that:
- The role assignment must be applied to the managed identity, not to a user account
- The scope must include the Azure AI resource or project
- Subscription‑level or unrelated resource assignments may not be sufficient
- A brief propagation delay after role assignment is expected
References:
- Role-based access control for Microsoft Foundry - Microsoft Foundry | Microsoft Learn
- Azure built-in roles for AI + machine learning - Azure RBAC | Microsoft Learn
- Troubleshooting Bot Framework Authentication - Bot Service | Microsoft Learn
- Diagnose runtime exceptions by using Application Insights - Azure Monitor | Microsoft Learn
Thank you!
Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.
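The answer above turns on two RBAC details that are easy to get wrong: the role must carry the agents/write data action (Contributor's control-plane actions do not), and the assignment scope must cover the Azure AI resource or project. The following added example (not part of the original answer or of any Microsoft tooling) evaluates a list of role assignments the way the data plane does, so a defender can pre-check a bot's managed identity before retesting from Teams. The principal ID, resource IDs, and the simplified role definitions are constructed sample data.

```python
"""Pre-flight check: does a managed identity hold the agents/write data action on a resource?

Added example, not from the Q&A answer. Mirrors Azure RBAC evaluation: an assignment grants
an action when its scope is the target resource or an ancestor of it, and the role's
dataActions match the action (with '*' wildcards) without a notDataActions exclusion.
"""
from fnmatch import fnmatchcase

AGENTS_WRITE = "Microsoft.CognitiveServices/accounts/AIServices/agents/write"

# Constructed, simplified role definitions (not the real built-in definitions).
ROLE_DEFINITIONS = {
    "Contributor": {"dataActions": [], "notDataActions": []},  # control plane only
    "Azure AI User": {"dataActions": ["Microsoft.CognitiveServices/*"], "notDataActions": []},
}

# Constructed sample identifiers: bot's managed identity, the AI account and its project.
BOT_PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"
ACCOUNT_ID = "/subscriptions/SUB/resourceGroups/rg-bot/providers/Microsoft.CognitiveServices/accounts/ai-demo"
PROJECT_ID = ACCOUNT_ID + "/projects/proj-teams-bot"

# Constructed sample assignments, as `az role assignment list` would report them.
SAMPLE_ASSIGNMENTS = [
    {"principalId": BOT_PRINCIPAL_ID, "roleDefinitionName": "Contributor", "scope": PROJECT_ID},
    {"principalId": BOT_PRINCIPAL_ID, "roleDefinitionName": "Azure AI User",
     "scope": "/subscriptions/SUB/resourceGroups/rg-other/providers/Microsoft.CognitiveServices/accounts/ai-unrelated"},
    {"principalId": BOT_PRINCIPAL_ID, "roleDefinitionName": "Azure AI User", "scope": ACCOUNT_ID},
]

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True when the assignment scope is the resource itself or one of its ancestors."""
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def action_matches(patterns, action: str) -> bool:
    """Azure action strings are case-insensitive and may contain '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_grants(role: dict, action: str) -> bool:
    """A role grants a data action if dataActions match and notDataActions do not."""
    return action_matches(role["dataActions"], action) and not action_matches(role["notDataActions"], action)

def granting_assignments(assignments, principal_id: str, resource_id: str, action: str = AGENTS_WRITE):
    """Return the assignments that actually grant `action` to `principal_id` on `resource_id`."""
    return [a for a in assignments
            if a["principalId"].lower() == principal_id.lower()
            and scope_covers(a["scope"], resource_id)
            and role_grants(ROLE_DEFINITIONS[a["roleDefinitionName"]], action)]

if __name__ == "__main__":
    hits = granting_assignments(SAMPLE_ASSIGNMENTS, BOT_PRINCIPAL_ID, PROJECT_ID)
    print("granted by:", [(h["roleDefinitionName"], h["scope"]) for h in hits] or "nothing")
```

Only the Azure AI User assignment on the parent account grants the action: the Contributor assignment on the project has no data actions, and the Azure AI User assignment on an unrelated account does not cover the project's scope.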