MS Teams SSO signin failure with resourcematch failed

[tharuds]

Discussion Type

Question

Discussion Content

Hi team,

I'm trying to implement single sign on for a simple bot app built using Teams SDK and I keep getting a 200 response with a sign in failure.

{
    "name": "signin/failure",
    "type": "invoke",
    "value": {
        "code": "resourcematchfailed",
        "message": "Resource match failed"
    }
}

I have checked the application ID URI, token exchange URL (in bot resource) and the manifest webApplicationInfo which matches the api://{azuread-client-id} going through the troubleshooting tips.

When I try to sign in from teams client the resource match failed keeps happening even if the troubleshooting checklist looks fine.
The Entra app is configured to support multiple entra ID accounts while the Azure bot resource is single tenant. I have also tried changing the Azure AD app supporting account types yet keep getting the same issue. I'm testing the bot app using the sandbox account created from the admin tenant that I used to configure azure resources, which has a different tenant id (domain - 250rr3.onmicrosoft.com).

I have also checked the jwt generated when testing the oauth connection (https://token.botframework.com/api/oauth/TestConnectionCallback) configured for the Azure bot resource and it works fine with graph endpoints.
Would be great to know what could be missing or if it could be a cache issue or an issue from the bot framework.

TIA

[mecodeatlas]

Thanks for posting in the GitHub Community, @tharuds!

We're happy you're here. You are more likely to get a useful response if you are posting your question in the applicable category, the Discussions category is solely related to conversations around the GitHub product Discussions. This question should be in the Programming Help category. I've gone ahead and moved it for you. Good luck!

[Gecko51]

resourcematchfailed on signin/failure almost always means the aud claim in the issued token doesn't byte-for-byte equal the resource value the Teams client sent in the SSO prompt. The matcher is stricter than the Azure portal copy implies. In order of how often I've seen them trip people up:

1. Trailing slash or case mismatch between webApplicationInfo.resource in the manifest and the Application ID URI in Entra. api://abc-123 and api://abc-123/ are two different resources. Same for casing on the GUID.

2. webApplicationInfo.id must be the app's client ID (the GUID), not the Application ID URI. Common mix-up because the fields sit next to each other in the manifest.

3. accessTokenAcceptedVersion in the Entra app manifest. If it's null, the app emits v1 tokens, set it to 2 to force v2. The v1/v2 token audience shape differs, and the SSO resource value has to match whatever the consumer expects.

4. Your mixed-tenant setup is the likely culprit given the symptoms. Multi-tenant Entra app + single-tenant Azure Bot + sandbox account from a different tenant. In cross-tenant flows the issued token often ends up with aud = api://{tenant-guid}/{client-id} instead of plain api://{client-id}. If your App ID URI is the plain form but the consuming tenant rewrites it, the match fails. Two ways out:

   • Switch the Entra app to single-tenant, only the bot's tenant, or
   • Set the App ID URI to include the tenant explicitly (api://{tenant-id}/{client-id}) and mirror that exact string in the manifest resource.

The fact that TestConnectionCallback succeeds but the Teams client doesn't is the real tell, the bot framework test exchange uses the OBO settings you configured (which are fine), but the in-Teams signin/tokenExchange uses webApplicationInfo.resource from the manifest and that's where the mismatch hits.

Quickest diagnostic: paste the JWT you're trying to exchange into jwt.ms, copy the aud claim, and diff it character-by-character against the webApplicationInfo.resource string in your current uploaded manifest. Whatever differs is your bug.

If you want to share the (redacted) aud claim and the manifest resource field, I can spot the mismatch directly.