"Allow Always" API Access Not Working in Microsoft Teams Copilot Declarative Agent

[ahmedjarada]

"Allow Always" API Access Not Working in Microsoft Teams Copilot Declarative Agent

Issue Summary

When configuring an OpenAPI-based API in a Microsoft Teams Copilot Declarative Agent, API requests function correctly when "Allow Once" is selected. However, when "Allow Always" is chosen, subsequent API calls fail, preventing the agent from accessing the API persistently.

Steps to Reproduce

1. Configure a Copilot Declarative Agent with an API-based plugin using an OpenAPI document.
2. Ensure the API has proper authentication (OAuth2, Bearer Token) and is accessible, my case is no authentication (CORS only)
3. Run a command in the Copilot Agent that triggers an API request.
4. When prompted by Teams, select "Allow Once" → API works as expected.
5. Repeat the process and select "Allow Always" when prompted.
6. Try the same API call again → API request fails.

Expected Behavior

• When "Allow Always" is selected, API requests should continue working without additional permission prompts.

Actual Behavior

• API requests fail after choosing "Allow Always".
• Selecting "Allow Once" allows the API call to work only for that session but not persistently.
• No explicit error message appears in Teams, but F12 (DevTools) > Network Tab shows failed API requests.

Potential Causes

• Permission Caching Bug: Teams might not be properly caching the persistent API access setting.
• CORS/Access Control Policies: The API may reject requests when called persistently under "Allow Always" but not under "Allow Once".
• Copilot Plugin Scopes Issue: Teams might not be storing the authorization scope for persistent API access.

Workarounds Attempted

• Cleared permissions and reauthorized API → No effect.
• Manually added API to Allowed APIs list in Copilot manifest → No effect.
• Tested API with Postman (works fine, so API itself is not the issue).
• Restarted Teams & reinstalled Copilot Agent → No change.

Environment Details

• Copilot Declarative Agent: (09d4adba-7817-42c2-a01e-1a132f69d3ea)
• API Type: OpenAPI Azure Function App hosted in Azure (Rest API)
• Authentication Type: None

Priority & Impact

🔴 High Impact – This issue prevents persistent API access, forcing users to reauthorize every session, which is not a scalable solution for enterprise integrations.

Next Steps

• Could Microsoft Teams engineering confirm whether persistent API authorization is cached correctly in Copilot Declarative Agents?
• Is there a way to force Request Access or Missing Permission for "Allow Always" in API-based plugins?
• Can Teams provide logs or error messages when an API fails under "Allow Always"?

---

**Workaround Needed: ** Immediate fix or confirmation on expected behavior.

[m365-agent-toolkit-assistant]

👋 Hi @ahmedjarada,

Thank you for reporting this issue! We want to let you know that:

⏱️ Our team will personally review your issue
🎯 You can expect a response within 2 business days

✨ This is an AI-generated initial response
🤖 AI-Generated Preliminary Analysis:

Based on your detailed bug report regarding the "Allow Always" API access issue in Microsoft Teams Copilot Declarative Agent, here are some potential troubleshooting steps and considerations:

Key Points from Your Report:

1. Issue Summary: API requests fail when "Allow Always" is selected, but work with "Allow Once".
2. Steps to Reproduce: Clear and reproducible steps indicating the problem.
3. Expected vs. Actual Behavior: Highlights the discrepancy in API access persistence.
4. Potential Causes: Identified possible causes such as permission caching and CORS policies.
5. Workarounds Attempted: Detailed attempts to resolve the issue.

Potential Troubleshooting Steps:

1. Check Teams Toolkit Version:

   • Ensure you are using the latest version of Teams Toolkit. Updates may include fixes for known issues.
   • Download the latest version of Teams Toolkit.

2. Review OpenAPI Document:

   • Ensure the OpenAPI document adheres to the supported specifications (avoid using OpenAPI 3.1.0 as it is not fully supported yet).
   • GitHub Issue on OpenAPI 3.1.0

3. Authentication and Permissions:

   • Verify that there are no underlying issues related to API permissions and CORS policies.
   • Double-check if the API endpoints are accessible without authentication as expected.

4. Developer Tools and Network Tab:

   • Use the F12 Developer Tools in Teams to monitor Network requests and identify any specific errors or denied requests.
   • Capture and analyze the request and response headers for any discrepancies.

5. Manifest and Scopes:

   • Ensure that the Copilot Declarative Agent manifest includes the proper permissions and scopes.
   • Manually verify and update the allowed APIs list if necessary.

6. Test in Different Environments:

   • Test the Copilot Declarative Agent in different Teams environments (e.g., web, desktop, mobile) to see if the issue persists.

7. Logs and Support:

   • Collect logs from Teams and Azure Function App to provide detailed error information to Microsoft support.
   • Teams Toolkit Troubleshooting Guide

Next Steps and Recommendations:

1. Confirm Persistent API Authorization:

   • Raise the issue with Microsoft Teams engineering to confirm if persistent API authorization is cached correctly in Copilot Declarative Agents.
   • Submit an Issue on GitHub

2. Request Access or Missing Permissions:

   • Investigate if there is a mechanism to force "Request Access" or handle "Missing Permissions" for "Allow Always".

3. Logs and Error Messages:

   • Request specific logs or error messages from Microsoft to understand why the API fails under "Allow Always".

Reference Links:

• Teams Toolkit GitHub Issues
• Teams Toolkit Documentation
• Stack Overflow: Teams API Issues

If you need further assistance or if the issue persists, consider providing additional logs or reaching out to Microsoft support for a more in-depth investigation.

---

Note: This is an automated first response generated by AI. A human team member will review your issue and provide a more detailed response soon. We appreciate your patience!

[Nivedipa-MSFT]

Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

[SLdragon]

Hi, @ahmedjarada , I tried the "Allow Always" button, and it worked fine for me. You can check the video below.

You can try provision your project again and if you're still experiencing issues, please share any error logs so I can help you troubleshoot. Thanks!

test-video.mp4

[microsoft-github-policy-service]

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

[microsoft-github-policy-service]

Due to lack of details for further investigation, we will archive the issue for now. In case you still have following-up questions on this issue, please always feel free to reopen the issue by clicking ‘reopen issue’ button below the comment box. We will get back to you as soon as possible.