MS Teams SSO signin failure with resourcematch failed #193133

tharuds · 2026-04-20T05:45:01Z

tharuds
Apr 20, 2026

Discussion Type

Question

Discussion Content

Hi team,

I'm trying to implement single sign on for a simple bot app built using Teams SDK and I keep getting a 200 response with a sign in failure.

{
    "name": "signin/failure",
    "type": "invoke",
    "value": {
        "code": "resourcematchfailed",
        "message": "Resource match failed"
    }
}

I have checked the application ID URI, token exchange URL (in bot resource) and the manifest webApplicationInfo which matches the api://{azuread-client-id} going through the troubleshooting tips.

When I try to sign in from teams client the resource match failed keeps happening even if the troubleshooting checklist looks fine.
The Entra app is configured to support multiple entra ID accounts while the Azure bot resource is single tenant. I have also tried changing the Azure AD app supporting account types yet keep getting the same issue. I'm testing the bot app using the sandbox account created from the admin tenant that I used to configure azure resources, which has a different tenant id (domain - 250rr3.onmicrosoft.com).

I have also checked the jwt generated when testing the oauth connection (https://token.botframework.com/api/oauth/TestConnectionCallback) configured for the Azure bot resource and it works fine with graph endpoints.
Would be great to know what could be missing or if it could be a cache issue or an issue from the bot framework.

TIA

Pramodya-Alahakoon · 2026-04-20T09:52:51Z

Pramodya-Alahakoon
Apr 20, 2026

This usually points to a resource/tenant mismatch, not a cache issue.

A few things stand out:

For a standalone Teams bot, the bot SSO docs expect the Application ID URI to be api://botid-{AppId} and the OAuth connection Token Exchange URL to use that exact same value. If your manifest/webApplicationInfo is using api://{azuread-client-id}, that can cause signin/failure with resourcematchfailed.
Your Azure Bot resource is single-tenant, but you’re testing with a user from a different tenant/domain. Single-tenant Entra apps are only for users/guests in the home tenant, so cross-tenant testing can fail even if the OAuth connection “Test connection” succeeds.
In Expose an API, make sure the scope is correct and that the required Authorized client applications for Teams/Microsoft 365 are added.
Verify all four values line up exactly across Entra app, bot OAuth connection, and Teams manifest:
- Entra Application ID URI
- Bot Token Exchange URL
- Manifest webApplicationInfo.id
- Manifest webApplicationInfo.resource

So my first fix would be:

change the Application ID URI / Token Exchange URL to the correct bot SSO value for your bot,
test with a user in the same tenant as the single-tenant bot resource,
then re-upload the Teams app package to avoid stale manifest data.

The 200 you see is just the invoke reaching your bot; the actual payload already shows the auth flow is failing at token exchange.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

MS Teams SSO signin failure with resourcematch failed #193133

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

GitHub Community

MS Teams SSO signin failure with resourcematch failed #193133

Uh oh!

Uh oh!

tharuds Apr 20, 2026

Discussion Type

Discussion Content

Replies: 1 comment

Uh oh!

Pramodya-Alahakoon Apr 20, 2026

tharuds
Apr 20, 2026

Pramodya-Alahakoon
Apr 20, 2026