AADSTS500011: The resource principal named {xyz} was not found in the tenant named Bot Framework.

Question

AADSTS500011: The resource principal named {xyz} was not found in the tenant named Bot Framework.

Craig Noll 0

Like others here, I am encountering this error but from everything I can see the bot is setup correctly in the sandbox. I tried to be thorough with the screenshots and data but let me know if you need to see anything else. This is all in a temporary sandbox so exposing the IDs shouldn't be an issue. I'm primarily showing them in case someone needs to confirm that the corrects IDs are used in each place.

I don't really understand how any of the suggestions in the error response or what people have described here can be relevant based on my understanding of the documentation and what is provided.

I'd love if someone can point out the issue and/or step through anything that could be missing or misconfigured.

Entra Admin Center:

User's image

Teams Admin Center:

User's image

Teams User Page:

User's image

The bot/app .env:

MicrosoftAppId=<PII removed>
MicrosoftAppPassword=<PII removed>
MicrosoftAppType=MultiTenant

MicrosoftAppOAuthScope=https://api.botframework.com/.default

POST payload:

{
  "azureTenantId": "<PII removed>",
  "azureUserId": "<PII removed>",
  "text": "Test message from Postman. If you see this in Teams, the proactive flow works."
}

2 answers

Your answer

Answer 1

Teddie-D 12,845 Microsoft External Staff Moderator

Hi @Craig Noll

Thank you for posting your question in the Microsoft Q&A forum.

Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.

Based on your description and screenshots, the issue comes from a mismatch between the application type and the OAuth scope configuration.

With the following configuration:

MicrosoftAppType=MultiTenant  
MicrosoftAppOAuthScope=https://api.botframework.com/.default

the SDK requests a token for the Bot Framework resource (https://api.botframework.com). Azure AD then attempts to resolve the application in the Bot Framework tenant, but your app registration exists only in your own tenant. Because of this, Azure cannot locate the resource and returns: AADSTS500011: The resource principal named <app> was not found in the tenant named Bot Framework.

Here are correct configurations:

1.Single tenant app

MicrosoftAppType=SingleTenant 
MicrosoftAppOAuthScope=https://api.botframework.com/.default

This configuration works because Azure AD issues a token for the Bot Framework resource using the credentials from your tenant.

2.Multi-tenant app

MicrosoftAppType=MultiTenant 
MicrosoftAppOAuthScope=api://<AppClientID>/.default

In this scenario, the token is requested for your own application resource rather than the Bot Framework resource.

Required configuration steps in Microsoft Entra ID:

-Set Supported account types to Accounts in any organizational directory.

-Configure an Application ID URI, for example: api://<AppClientID>

-Expose at least one scope.

This allows Azure AD to resolve the resource in the tenant where the application registration exists.

When the bot is installed in other tenants, administrator consent must be granted so the service principal is created in those tenants.

Note: Multi-tenant bots with custom scopes are an advanced scenario and may have limitations with some Bot Framework features.

I hope this helps.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Sayali-MSFT 5,191 Reputation points Microsoft External Staff Moderator

2026-03-10T07:31:31.5433333+00:00

Hi @Craig Noll,
Could you please confirm if your issue has resolved with provided suggestions or still looking for any help?
Craig Noll 0 Reputation points

2026-03-10T21:45:50.0166667+00:00

We do need the app/bot to be multi-tenant so I followed the suggestion of changing the MicrosoftAppOAuthScope value, made sure there was a scope assigned in app registration, restarted my local microservice, and verified that the new value was being used from the .env but I still get the same error.

I tried to do some digging and read something about ToChannelFromBotOAuthScope and tried setting that too but that got me an error about an empty url so I backed that out. But I don't understand why I would get the same error about Bot Framework as the tenant even after changing MicrosoftAppOAuthScope to be api://<app id>
Teddie-D 12,845 Reputation points Microsoft External Staff Moderator

2026-03-11T05:31:08.2133333+00:00

Hi @Craig Noll,

Changing MicrosoftAppOAuthScope does not affect all authentication paths. Proactive messaging and channel communication go through the Bot Framework Connector service, which requires tokens for the Bot Framework resource (https://api.botframework.com/.default).

Because of this, the SDK may still request tokens for the Bot Framework resource even if a custom OAuth scope is configured for other scenarios. Bots must authenticate to the Bot Framework Connector using this resource, so it cannot be replaced with a custom application scope.

Multi-tenant bots are still supported for existing deployments, but the creation of new multi-tenant bots is deprecated. For new bots, Microsoft recommends using a single-tenant bot identity. The Teams app can still be installed cross-tenant, but connector authentication will always rely on the Bot Framework resource.
Teddie-D 12,845 Reputation points Microsoft External Staff Moderator

2026-03-12T01:17:52.9266667+00:00

Hi @Craig Noll
May I know if you have got any chance to check my answer? If you need further assistance, please feel free to let me know. Thank you!
Craig Noll 0 Reputation points

2026-03-12T04:49:46.3066667+00:00

I tried switching to single tenant both in the .env as well as in the app registration. I get almost the same error message though. Still 500011 but now it says that the resource principal <tenant_id> was not found in the tenant named <tenant_name>. That seems like it shouldn't really be possible. Especially since the app is registered in that tenant as well as installed as an app in the admin's Teams.

It makes me wonder if there is something else that is missing but you can see from the screenshots that everything is setup according to the documentation (as best as I understand it).

This does seem to be a tricky situation as your second response basically contradicted the first. Please let me know if there is any more information or screenshots I can provide that can clarify if there is simply some sort of configuration or setup mistake.
Teddie-D 12,845 Reputation points Microsoft External Staff Moderator

2026-03-12T06:39:23.9133333+00:00

Hi @Craig Noll

What you’re seeing can still occur in a single‑tenant setup, and the change in the error message is actually useful. If the error now references your tenant instead of the Bot Framework tenant, it indicates that the token request authority has changed and is now targeting your tenant.

However, AADSTS500011 can still occur if Azure AD cannot resolve the requested resource during token acquisition, even when the app is registered correctly. In Bot Framework scenarios, this typically points to configuration alignment issues rather than a Teams installation issue.

Two things are worth verifying:

-For single‑tenant bots, ensure MicrosoftAppTenantId is explicitly set so the SDK acquires tokens against the correct tenant.

-If the app type or tenant settings were changed after the bot resource was created, re‑save the authentication configuration in the Azure Bot resource. The Bot Service can cache identity settings, and stale values can cause token acquisition to fail.

Also note that installing the app in Teams only validates the manifest, it does not verify Bot Framework connector authentication.

Since this is a user-to-user support forum. Moderators, contributors, and external Microsoft employees do not have access to back-end systems to investigate root causes. Our role here is limited to sharing technical guidance based on publicly available resources and experience. For deeper investigation, the best next step is to open a GitHub issue against the relevant repository, where the product team and contributors can provide further insights.
Thank you for your understanding.

For reference: Participating in a discussion - GitHub Docs.

Answer 2

Error AADSTS500011 indicates that the resource (application) being requested cannot be found or accessed in the tenant that is handling the token request.

From the context, the relevant points for AADSTS500011 are:

The error means the resource principal named in the request does not exist in the tenant, or is not accessible from that tenant.
Typical causes:
- The resource application is not provisioned in the tenant.
- No user/admin has consented to the application in that tenant.
- The resource URL / App URI ID is incorrect.
- The tenant ID in the request is wrong.
- The app is single‑tenant but is being accessed from a different tenant.

In this scenario:

MicrosoftAppId and Directory (tenant) ID are both in tenant <PII removed>.
MicrosoftAppType=MultiTenant, but the error message mentions the tenant name Bot Framework, which is the special botframework.com tenant used when acquiring tokens with the scope https://api.botframework.com/.default.
This combination means the token request is being sent to the Bot Framework tenant as the resource, and that tenant cannot find the app registration corresponding to the MicrosoftAppId in its directory, so it returns AADSTS500011.

To resolve this:

Verify the resource and tenant in the failing token request
- Use the error details or https://login.microsoftonline.com/error with the error code to confirm which resource (or scope) and tenant are in the failing request.
- Ensure the request is sent to the tenant that owns the app registration (<PII removed>) and that the resource matches a valid application in that tenant.
Check that the resource application exists and is consented in the tenant
- In Azure portal, go to Microsoft Entra ID → Enterprise applications.
- Confirm that the resource application (the one whose App URI ID or resource URL is in the error) is present.
- If it is missing, provision it (for example, by adding it from the gallery or granting permissions) and grant admin/user consent as required.
Validate the App URI ID / resource URL
- Ensure that the MicrosoftAppOAuthScope or any resource/scope parameter used in token acquisition matches the App URI ID of an application that actually exists in the tenant.
- If the App URI ID belongs to a different tenant, either:
  - Make that app registration multi‑tenant so it can be accessed cross‑tenant, or
  - Change the tenant in the request so it targets the tenant where that App URI ID is registered.
Align tenant type and usage
- If the bot is effectively single‑tenant (used only in the sandbox tenant), configure both the Azure Bot resource and the app registration as single‑tenant and send token requests only to that tenant.
- If multi‑tenant access is required, ensure the app registration is configured as multi‑tenant and that each consuming tenant has the corresponding service principal provisioned and consented.

These steps address the documented causes of AADSTS500011 by ensuring that the resource application and tenant in the token request are valid and correctly configured.

References:

Share via

AADSTS500011: The resource principal named {xyz} was not found in the tenant named Bot Framework.

2 answers

Your answer