User managed identity bot error - IsUserAuthorizedToGrantPersonalScopeResourceSpecificPermissionsRequestV2

[SubbaReddi]

Type of issue

Missing information

Feedback

If the bot app is created using User assigned managed identity and if we use the same in webApplicationInfo section for RSC permissions, app installation might lead to following error: Failed to execute TeamsGraphService backend request IsUserAuthorizedToGrantPersonalScopeResourceSpecificPermissionsRequestV2.

RSC permissions are mapped against this webApplicationInfo property, which in turn, in Azure, is mapped to an App Registration (Entra App Id). For Manage Identity bots, the App Registration needed for this is not automatically created. They would need to create a new AppRegistration, assigned the required permissions to it and use that id (Application (client) ID) in the webApplicationInfo in the manifest.

Please mention the same in documentation.

Page URL

https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/bot-sso-overview?tabs=personal&source=docs

Content source URL

https://github.com/MicrosoftDocs/msteams-docs/blob/main/msteams-platform/bots/how-to/authentication/bot-sso-overview.md

Author

@vikasalmal0201

Document Id

34429d15-0e10-655c-fa2c-c434a8a460a6

Platform Id

64abf851-0f0d-7447-a501-de3a52ae8315

[m365-agent-toolkit-assistant]

👋 Hi @SubbaReddi,

Thank you for reporting this issue! We want to let you know that:

⏱️ Our team will personally review your issue
🎯 You can expect a response within 1 business day

✨ This is an AI-generated initial response
🤖 AI-Generated Preliminary Analysis:

Classification: Feature request — the report asks for missing documentation guidance; the described behavior is consistent with Teams SSO/RSC requiring a Microsoft Entra app registration for webApplicationInfo, not just a user-assigned managed identity.

• Learn docs state webApplicationInfo.id must be the app ID created in Microsoft Entra ID, and resource must be the Application ID URI from that app registration.
• The SSO overview/setup guidance repeatedly says to create/register a Microsoft Entra app for bot SSO.
• I couldn’t verify a duplicate GitHub issue from the searched evidence.

Existing coverage: No clearly matching duplicate found in the searched repos; this appears to be a docs gap.

What to do now:

1. Update the doc to state that user-assigned managed identity is not sufficient for webApplicationInfo/RSC.
2. Create a separate Entra app registration, grant required permissions, and use its Application (client) ID in webApplicationInfo.id.
3. Use that app’s Application ID URI in webApplicationInfo.resource.

Useful links:

• No similar issues found in the searched repos.
• https://learn.microsoft.com/microsoftteams/platform/bots/how-to/authentication/bot-sso-overview
• https://learn.microsoft.com/microsoftteams/platform/bots/how-to/authentication/bot-sso-manifest
• https://learn.microsoft.com/microsoft-365/extensibility/schema/root-web-application-info

If helpful, I can draft the exact doc wording for the missing note.

---

Note: This is an automated first response generated by AI. A human team member will review your issue and provide a more detailed response soon. We appreciate your patience!

[microsoft-github-policy-service]

Hi @SubbaReddi! We will investigate and if we require further information we will reach out to you. Please use this link to escalate if you don't get replies in two working days.

Best regards, Teams Platform

[sayali-MSFT]

Hello @SirajShaik-MSFT ,Could you please help us to update the document?