Lab BAF1 - Exercise 3: Build and Run your first agent > Step 1
Note this is a continuation after #833
[2026-01-30T17:13:32.849Z] [Info] - Build Microsoft Entra app manifest completed, and app manifest content is written to /Users/pkbullock/Git/Learn/copilot-camp/src/agent-framework/begin/infra/entra/build/entra.bot.manifest.local.json
[2026-01-30T17:13:42.688Z] [Error] - Unable to execute action aadApp/update. Error message: Unable to update or delete an enabled permission. It may be because the ACCESS_AS_USER_PERMISSION_ID environment variable is changed for selected environment. Make sure your permission id(s) match the actual Microsoft Entra application and try again.
[2026-01-30T17:13:42.693Z] [Error] - Failed to Execute lifecycle provision due to failed action: aadApp/update. DeleteOrUpdatePermissionFailed:Unable to update or delete an enabled permission. It may be because the ACCESS_AS_USER_PERMISSION_ID environment variable is changed for selected environment. Make sure your permission id(s) match the actual Microsoft Entra application and try again.
. Env output: {"TEAMS_APP_ID":"<redacted>9d6fd","TEAMS_APP_TENANT_ID":"<redacted>3627c"}
[2026-01-30T17:13:42.694Z] [Info] - Execution summary:
Summary:
(×) Error: Lifecycle stage provision failed.
(√) Done: teamsApp/create executed successfully.
(√) Done: App with id 4<redacted>69d6fd already exists, skipped creating a new app.
(√) Done: aadApp/create executed successfully.
(×) Error: aadApp/update failed.
(×) Error: Unable to update or delete an enabled permission. It may be because the ACCESS_AS_USER_PERMISSION_ID environment variable is changed for selected environment. Make sure your permission id(s) match the actual Microsoft Entra application and try again.
(!) Warning: arm/deploy was not executed.
(!) Warning: script was not executed.
(!) Warning: file/createOrUpdateJsonFile was not executed.
(!) Warning: teamsApp/validateManifest was not executed.
(!) Warning: teamsApp/zipAppPackage was not executed.
(!) Warning: teamsApp/validateAppPackage was not executed.
(!) Warning: teamsApp/update was not executed.
(!) Warning: teamsApp/extendToM365 was not executed.
[2026-01-30T17:13:42.729Z] [Error] - code:e.DeleteOrUpdatePermissionFailed, message: Unable to update or delete an enabled permission. It may be because the ACCESS_AS_USER_PERMISSION_ID environment variable is changed for selected environment. Make sure your permission id(s) match the actual Microsoft Entra application and try again.
Help link: https://aka.ms/teamsfx-aad-manifest
Copilot's Opinion
The failure is because AAD_APP_ACCESS_AS_USER_PERMISSION_ID is missing, so Teams Toolkit tries to change an already‑enabled permission scope and Entra blocks it. Set it to the existing scope ID from your Entra app, then re‑provision.
Run this (macOS):
Add the returned ID to .env.local:
Then run Provision again.
Once provision completes, M365_APP_ID will be generated and the launch error will clear.
If the command returns nothing, delete the Entra app (BOT_ID) and re‑provision so a fresh scope ID is created.
Workaround
Get existing access_as_user scope id
az ad app show --id "$BOT_ID" \
  --query "api.oauth2PermissionScopes[?value=='access_as_user'].id | [0]" \
  -o tsv
az ad app show --id "973f68144f" --query "api.oauth2PermissionScopes[?value=='access_as_user'].id | [0]" -o tsv
Added to env.local file.
AAD_APP_ACCESS_AS_USER_PERMISSION_ID=<redacted>8144f
Yay it works after above
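The workaround above as a repeatable script. This is an added example, not part of the original issue or of the toolkit. The function names and the GUID check are assumptions; the `az` query and the variable name are the ones quoted in the issue.

```shell
#!/usr/bin/env bash
# Added example: pin the existing access_as_user scope id in an env file.
# Function names are hypothetical; the az query is the one from the issue.

# Read the scope id from the live Entra app registration.
lookup_scope_id() {
  az ad app show --id "$1" \
    --query "api.oauth2PermissionScopes[?value=='access_as_user'].id | [0]" \
    -o tsv
}

# Accept only a well-formed GUID, so an empty result or an error
# message from the CLI is never written into the env file.
is_guid() {
  printf '%s' "$1" |
    grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Insert or replace AAD_APP_ACCESS_AS_USER_PERMISSION_ID in the env file.
# Returns 1 and leaves the file untouched when the id is missing or malformed.
pin_scope_id() {
  scope_id=$1
  env_file=$2
  key=AAD_APP_ACCESS_AS_USER_PERMISSION_ID
  if ! is_guid "$scope_id"; then
    echo "no valid access_as_user scope id; $env_file left unchanged" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  # Keep every other line, drop any stale value for the key.
  grep -v "^${key}=" "$env_file" 2>/dev/null > "$tmp" || true
  printf '%s=%s\n' "$key" "$scope_id" >> "$tmp"
  mv "$tmp" "$env_file"
}

# Typical use (requires a signed-in az CLI and BOT_ID set):
#   pin_scope_id "$(lookup_scope_id "$BOT_ID")" .env.local
```

A non-zero return corresponds to the "command returns nothing" case described above, where the app has no `access_as_user` scope to pin.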
