
Python agent provisioning does not populate TENANT_ID in .env, causing 401 Unauthorized for single-tenant bots #14958

@jonpagh

Describe the bug
When creating and provisioning a Python agent using the Microsoft 365 Agents Toolkit (v6.4.1), the generated root .env file is missing the required TENANT_ID variable.

Without TENANT_ID, the Python Teams SDK defaults to the /common authority (multi-tenant). Since the provisioned Entra app is single-tenant, token acquisition succeeds but is rejected by the Bot Framework service, causing all outbound bot replies to fail with:

[ERROR] @teams/app.HttpPlugin Activity 1765446490692 failed: Client error '401 Unauthorized' for url 'https://smba.trafficmanager.net/emea/<TENANT-ID>//v3/conversations/a:1mR7WlV5ReKiqO5bKlTyk5x7j8znA3xcbnWE44rTYEM3vq2XGCSWpM7q1_ywk5SJk-XZPgNqzwQGgK3Uan2UbTuboKnHAEKzHNSSLxnxffeNI3OQIy60jOiDGVHlMEH5a/activities' 
[ERROR] @teams/app.HttpPlugin For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 
[ERROR] @teams/app.HttpPlugin Unexpected error during token validation: Client error '401 Unauthorized' for url 'https://smba.trafficmanager.net/emea/<TENANT-ID>//v3/conversations/a:1mR7WlV5ReKiqO5bKlTyk5x7j8znA3xcbnWE44rTYEM3vq2XGCSWpM7q1_ywk5SJk-XZPgNqzwQGgK3Uan2UbTuboKnHAEKzHNSSLxnxffeNI3OQIy60jOiDGVHlMEH5a/activities' 
[ERROR] @teams/app.HttpPlugin For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 
INFO: 52.123.134.92:0 - "POST /api/messages HTTP/1.1" 500 Internal Server Error 
ERROR: Exception in ASGI application

Manually adding TENANT_ID= to .env immediately resolves the issue.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new Python Quote Agent using the Microsoft 365 Agents Toolkit (v6.4.1) in VS Code.
  2. Sign in to Azure and Microsoft 365.
  3. Run Local Debug (Edge) to trigger provisioning.
  4. Inspect the generated root .env file → it contains CLIENT_ID, CLIENT_SECRET, and PORT, but no TENANT_ID.
  5. Open Teams (via debug) and send a message to the bot.
  6. The bot receives the incoming activity but fails to send a reply.
  7. Terminal shows a 401 error from smba.trafficmanager.net.
  8. Add TENANT_ID=<tenant-guid> manually to .env, restart debugging → bot replies successfully.

Expected behavior
The provisioning process should populate .env with all required identity fields for single-tenant authentication:

CLIENT_ID=<app-id>
CLIENT_SECRET=<secret-value>
TENANT_ID=<tenant-guid>

The bot should authenticate correctly and reply to messages without 401 errors during local debugging.

VS Code Extension Information (please complete the following information):

  • OS: Win 11
  • Extension Version: 6.4.1

CLI Information (please complete the following information):

  • OS: Win 11
  • Version 2.0.5

Additional context
The generated Entra app is single-tenant.

The Python SDK logs:

TENANT_ID is not set, assuming multi-tenant app

As soon as TENANT_ID is defined, the bot authenticates successfully and replies work.
This appears to be specific to the Python agent template environment provisioning.
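
A startup preflight for the failure mode reported above, as an added example that is not part of the original issue or the toolkit's code: it parses the root .env and reports a single-tenant app that has no usable TENANT_ID before any token is requested. The function names, the sample values and the GUID check are assumptions; the /common fallback is taken from the issue's description.

```python
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SECRETS = ("CLIENT_ID", "CLIENT_SECRET")

# Constructed samples: the .env as the issue says it is generated, and the fixed file.
GENERATED = (
    "CLIENT_ID=11111111-1111-1111-1111-111111111111\n"
    "CLIENT_SECRET=example-secret\n"
    "PORT=3978\n"
)
FIXED = GENERATED + "TENANT_ID=22222222-2222-2222-2222-222222222222\n"


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def authority_path(env):
    """Authority path as the issue describes it: /common when TENANT_ID is unset."""
    tenant = env.get("TENANT_ID", "")
    return f"/{tenant}" if tenant else "/common"


def preflight(text, single_tenant=True):
    """Return a list of problems (never values); an empty list means usable."""
    env = parse_env(text)
    problems = [f"{k} is missing or empty" for k in SECRETS if not env.get(k)]
    tenant = env.get("TENANT_ID", "")
    if not tenant and single_tenant:
        # "TENANT_ID=" with no value is treated the same as an absent key.
        problems.append("TENANT_ID is missing or empty; tokens would come from /common")
    elif tenant and not GUID_RE.match(tenant):
        problems.append("TENANT_ID is not a GUID")
    return problems


if __name__ == "__main__":
    for name, text in (("generated", GENERATED), ("fixed", FIXED)):
        print(name, authority_path(parse_env(text)), preflight(text) or "ok")
```

Calling preflight on the .env contents at process start and exiting on a non-empty result turns the 401 on the first outbound reply into a configuration error at launch.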
