When testing my bot with F5 I am able to receive requests but something goes wrong with the Authentication as I get the following error: AADSTS500021: Access to 'Bot Framework' tenant is denied.
I have tried to follow the troubleshooting guide here:
I am of the understanding I do not need to deploy my app to Azure to begin testing locally and that the template solution should generate App ID and password for me. Is my understanding correct?
If so, is there something I need to configure in my Azure AD tenant? My IT department assure me that we have no tenant restrictions.
Full logs below:
info: NetTeamsApp.Commands.HelloWorldCommandHandler[0]
Bot received message: helloworld
fail: Microsoft.Bot.Builder.Integration.AspNet.Core.CloudAdapter[0]
[OnTurnError] unhandled error : Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z)
System.AggregateException: Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z)
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Response status code does not indicate success: 400 (BadRequest).
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
ErrorCode: BadRequest
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T]()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendHttpMessageAsync(IRequestParameters requestParameters)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendTokenRequestAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.CheckAndAcquireTokenUsingBrokerAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.RunAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync(String resource, ClientKey clientKey)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAsync(String resource, ClientCredential clientCredential)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.AcquireTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
ErrorCode: invalid_request
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.Microsoft.Bot.Connector.Authentication.IAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.Conversations.ReplyToActivityWithHttpMessagesAsync(String conversationId, String activityId, Activity activity, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.ConversationsExtensions.ReplyToActivityAsync(IConversations operations, String conversationId, String activityId, Activity activity, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.SendActivitiesAsync(ITurnContext turnContext, Activity[] activities, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.TurnContext.<>c__DisplayClass31_0.<<SendActivitiesAsync>g__SendActivitiesThroughAdapter|1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Bot.Builder.TurnContext.SendActivityAsync(IActivity activity, CancellationToken cancellationToken)
at Microsoft.TeamsFx.Conversation.ActivityCommandResponse.SendResponseAsync(ITurnContext turnContext, CancellationToken cancellationToken)
at Microsoft.TeamsFx.Conversation.CommandResponseMiddleware.OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.MiddlewareSet.ReceiveActivityWithStatusAsync(ITurnContext turnContext, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.BotAdapter.RunPipelineAsync(ITurnContext turnContext, BotCallbackHandler callback, CancellationToken cancellationToken)
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
An unhandled exception has occurred while executing the request.
System.AggregateException: Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da07a7613a00
Correlation ID: e8367844-44b8-42ae-8f07-be1db3d15c8c
Timestamp: 2023-05-17 14:49:23Z)
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da07a7613a00
Correlation ID: e8367844-44b8-42ae-8f07-be1db3d15c8c
Timestamp: 2023-05-17 14:49:23Z
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Response status code does not indicate success: 400 (BadRequest).
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
ErrorCode: BadRequest
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T]()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendHttpMessageAsync(IRequestParameters requestParameters)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendTokenRequestAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.CheckAndAcquireTokenUsingBrokerAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.RunAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync(String resource, ClientKey clientKey)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAsync(String resource, ClientCredential clientCredential)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.AcquireTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
ErrorCode: invalid_request
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.Microsoft.Bot.Connector.Authentication.IAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.Conversations.ReplyToActivityWithHttpMessagesAsync(String conversationId, String activityId, Activity activity, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.ConversationsExtensions.ReplyToActivityAsync(IConversations operations, String conversationId, String activityId, Activity activity, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.SendActivitiesAsync(ITurnContext turnContext, Activity[] activities, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.TurnContext.<>c__DisplayClass31_0.<<SendActivitiesAsync>g__SendActivitiesThroughAdapter|1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Bot.Builder.TurnContext.SendActivityAsync(IActivity activity, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.TurnContext.SendActivityAsync(String textReplyToSend, String speak, String inputHint, CancellationToken cancellationToken)
at NetTeamsApp.AdapterWithErrorHandler.<>c__DisplayClass0_0.<<-ctor>b__0>d.MoveNext() in C:\Users\tomlinss\dev\NetTeamsApp\AdapterWithErrorHandler.cs:line 21
--- End of stack trace from previous location ---
at Microsoft.Bot.Builder.BotAdapter.RunPipelineAsync(ITurnContext turnContext, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.ProcessActivityAsync(AuthenticateRequestResult authenticateRequestResult, Activity activity, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.ProcessActivityAsync(String authHeader, Activity activity, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.Integration.AspNet.Core.CloudAdapter.ProcessAsync(HttpRequest httpRequest, HttpResponse httpResponse, IBot bot, CancellationToken cancellationToken)
at NetTeamsApp.Controllers.BotController.PostAsync(CancellationToken cancellationToken) in C:\Users\tomlinss\dev\NetTeamsApp\Controllers\BotController.cs:line 24
at lambda_method4(Closure , Object )
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
I think there may be some restrictions in your M365 tenant according to this doc (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions#microsoft-365-support):
AADSTS500021: Access to '{tenant}' tenant is denied. AADSTS500021 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that isn't in the list of allowed tenants specified in the header Restrict-Access-To-Tenant. For more information, see Use tenant restrictions to manage access to SaaS cloud applications.
If you find it hard to remove the restriction on Bot Framework, you can create an M365 test account to test locally. You will have full control of this account. https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/build-and-test/prepare-your-o365-tenant#create-your-development-environment
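An added example (not part of the original thread and not Bot Framework code): a small Python parser that collapses the repeated AADSTS records in a log like the one in the question into one entry per Trace ID, so the Trace ID, Correlation ID and timestamp of each failed token request can be handed to the tenant administrators. The sample log is constructed from the AADSTS lines in the question with the stack frames omitted; `extract_failures` and the record keys are names chosen for this example.

```python
import re

# Constructed sample: the AADSTS records from the log in the question,
# with the stack frames between them omitted.
SAMPLE_LOG = """\
[OnTurnError] unhandled error : Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z)
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z
System.AggregateException: Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da07a7613a00
Correlation ID: e8367844-44b8-42ae-8f07-be1db3d15c8c
Timestamp: 2023-05-17 14:49:23Z)
"""

ERROR_RE = re.compile(r"(AADSTS\d+): (.*)")
TENANT_RE = re.compile(r"Access to '([^']+)' tenant is denied")
FIELD_RE = re.compile(r"^(Trace ID|Correlation ID|Timestamp): (.+?)\)?$")

def extract_failures(log_text):
    """Return one record per distinct token request, keyed by Trace ID."""
    failures = {}  # dict preserves first-seen order
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        err = ERROR_RE.search(line)
        if err:
            tenant = TENANT_RE.search(err.group(2))
            current = {"code": err.group(1), "tenant": tenant.group(1) if tenant else None}
            continue
        field = FIELD_RE.match(line)
        if field is None or current is None:
            continue  # stack frame or other line that is not part of a record
        current[field.group(1)] = field.group(2)
        if field.group(1) == "Timestamp" and "Trace ID" in current:
            # The same failure is logged once per wrapping exception.
            rec = failures.setdefault(current["Trace ID"], dict(current, seen=0))
            rec["seen"] += 1
            current = None
    return list(failures.values())

if __name__ == "__main__":
    for f in extract_failures(SAMPLE_LOG):
        print(f["code"], f["tenant"], f["Trace ID"], f["Correlation ID"], f["Timestamp"], f["seen"])
```

On the sample this yields two entries with different Trace IDs and Correlation IDs, which shows that two separate token requests were rejected rather than one error printed repeatedly.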