Share via

Error Message AI/Bot to MS Teams

Siegelman, David - Xylem 0 Reputation points
2026-03-24T21:18:32.01+00:00

I've loaded my AI Bot into MS Teams and when I access it and ask it a question I am getting the following error message. I'm not sure if this caused by any "guardrails" implemented for a general network security issue: Please Help; see below message (i have removed some sensitive identifying information )

Authorization error encountered when processing your request with activityId=<removed>conversationId=<removed>. Please ensure that the project managed identity for project<removed> has Microsoft.CognitiveServices/accounts/AIServices/agents/write action on itself. This is typically done by assigning the Azure AI User built-in role to the project managed identity.

Azure AI Bot Service
Azure AI Bot Service

An Azure service that provides an integrated environment for bot development.

2 answers

Sort by: Oldest
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-24T21:18:42.9433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The error indicates that the Azure AI project’s managed identity does not have sufficient permissions on the Azure AI resource itself. Specifically, the identity is missing the Microsoft.CognitiveServices/accounts/AIServices/agents/write data action, which is normally granted via the Azure AI User built‑in role.

    To resolve this, assign the Azure AI User role to the project’s managed identity on the Azure AI resource:

    1. Identify the project managed identity
      • In Azure portal, open the Azure AI project/resource referenced in the error.
      • Under Identity, confirm the System-assigned or User-assigned managed identity that the project uses.
    2. Open Access control (IAM) for the Azure AI resource
      • On the same Azure AI resource, go to Access control (IAM).
      • Select AddAdd role assignment.
    3. Assign the Azure AI User role
      • Role: choose Azure AI User.
      • Assign access to: Managed identity.
      • Select the project’s managed identity identified in step 1.
      • Save the role assignment.
    4. Retry the bot in Teams
      • After role assignment propagates (may take a few minutes), invoke the bot again in Teams.
      • The authorization error should no longer occur if the correct identity and scope were used.

    If the bot still fails, verify:

    • The bot code is using that same managed identity to call the Azure AI project.
    • There are no conflicting identities (for example, a different user-assigned identity on the App Service or Function hosting the bot).

    References:

    0 comments
  2. Karnam Venkata Rajeswari 1,555 Reputation points Microsoft External Staff Moderator
    2026-03-27T11:04:42.9833333+00:00

    Hello Siegelman, David - Xylem,

    Welcome to Microsoft Q&A .Thank you for reaching out.

    The error indicates an authorization failure during agent execution when the AI bot is accessed from Microsoft Teams.Although the bot is successfully loaded in teams, the backend request to the Azure AI agent fails because the project managed identity does not have the required data‑plane permission to perform agent operations.

    Agent creation, update, and execution in Azure AI Foundry are protected by role‑based access control (RBAC) at the data plane.When the required permission is missing, the request is blocked and results in the following error:

    Microsoft.CognitiveServices/accounts/AIServices/agents/write

    This behavior is not related to guardrails, Teams security policies, or network restrictions. It is caused by an incomplete RBAC configuration on the Azure AI resource or project.

    This error occurs when a message is sent from Microsoft Teams, the bot invokes the Azure AI agent using a managed identity (system‑assigned or user‑assigned). If that managed identity does not have a role that includes the agents/write data action, the authorization check fails at runtime.

    Only specific built‑in roles include this permission.The recommended and supported role for agent execution is Azure AI User.Assigning contributor, owner, or project roles alone does not reliably grant agent data‑plane permissions.

    Follow the steps below to resolve the issue:

    1. Identify the managed identity used by the bot.
    • For App Service, Function App, or Container App hosting the bot:
      • System‑assigned identity appears under Identity → System assigned
      • User‑assigned identity appears under Identity → User assigned
    • Note the exact managed identity name

    2. Open the Azure AI resource

    • Navigate to the Azure AI (Cognitive Services / Foundry) resource associated with the agent
    • Select Access control (IAM) from the left navigation
    1. Assign the required role
    • Select Add > Add role assignment
    • Choose the role Azure AI User
    • Under "Assign access to", select Managed identity
    • Select the identified managed identity
    • Complete the role assignment
    1. Verify and retest
    • Allow a short time for role propagation
    • Invoke the bot again from Microsoft Teams
    • If the error persists, please confirm:
      • The correct managed identity was selected
      • The role was assigned at the Azure AI resource or project scope
      • The bot runtime is using the same managed identity

    Please note that

    • The role assignment must be applied to the managed identity, not to a user account
    • The scope must include the Azure AI resource or project
    • Subscription‑level or unrelated resource assignments may not be sufficient
    • A brief propagation delay after role assignment is expected

    References:

    Thank you!

    Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.