Notifications
Announcements
Hi,
I have developed a Copilot agent that can suggest questions based on uploaded images. When I tested it in Copilot Studio, it worked as expected. However, after deploying it to Microsoft Teams, the bot no longer receives the image content directly—it only gets a reference link to the file stored on OneDrive.
I attempted a workaround by using Power Automate to retrieve the image and convert it to Base64 using the OneDrive link. Unfortunately, this approach failed with a 403 (Forbidden) error.
Can i check if anyone know what are the recommended ways to enable the Copilot agent to access the actual image content when deployed to Teams? Are there configuration changes (e.g., permissions, Graph API access, consent requirements) needed so the bot can fetch images from OneDrive/SharePoint? Are there alternative workarounds (e.g., converting the attachment before upload, pre-processing in Teams, or using Graph connectors) to avoid the 403 issue?
Thanks.
Hi, When deploying a Copilot agent that processes uploaded images in Microsoft Teams, encountering a `403 Forbidden` error when accessing OneDrive-hosted image links is typically related to **insufficient permissions or missing consent for Microsoft Graph API scopes**. Here's how you can address this: --- ### 🔐 1. **Ensure Graph API Permissions Are Granted** To access files stored in OneDrive or SharePoint via a bot, your app must have the appropriate Microsoft Graph permissions. Specifically, you may need: - `Files.Read` or `Files.Read.All` - `Sites.Read.All` - `User.Read` These permissions must be: - **Declared in the Azure AD app registration** associated with your Copilot agent. - **Granted admin consent** in the Azure portal under **API permissions**. --- ### ⚙️ 2. **Use On-Behalf-Of (OBO) Flow for Delegated Access** Since the file is stored in the user’s OneDrive, your bot must access it **on behalf of the user**. This requires: - Implementing the **OAuth 2.0 On-Behalf-Of flow**. - Ensuring the user is authenticated and a valid access token is passed when calling the Graph API. More on this here: 🔗 https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow --- ### 🔄 3. **Alternative Workarounds** If modifying the authentication flow is not feasible, consider: - **Using a Teams message extension** to intercept the file before upload and convert it to Base64. - **Pre-processing the image** client-side before sending it to the bot. - **Using a Power Automate flow** with elevated permissions (via a service account) to retrieve the file, though this may require admin setup and consent. --- ### 🧪 4. **Test in Different Contexts** Sometimes, Teams chat and Copilot Studio behave differently due to **channel-specific limitations**. Test your agent in: - A **Teams personal chat** - A **Teams channel** - A **task module** or **custom tab** Each may handle file attachments differently. --- For further reference, you may find these resources helpful: - https://learn.microsoft.com/en-us/graph/permissions-reference - https://learn.microsoft.com/en-us/graph/teams-send-channel-message-with-attachment Thanks and best regards, Daniele Note: This response was prepared with support from Copilot to ensure clarity and completeness.
Under review
Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.
In our never-ending quest to improve we are simplifying the forum hierarchy…
We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…
These are the community rock stars!
Stay up to date on forum activity by subscribing.
Michael E. Gernaey 270 Super User 2025 Season 2
Romain The Low-Code... 181 Super User 2025 Season 2
S-Venkadesh 93 Moderator
