Toolkit using M365 account to provision Azure resources

[NWH-SAmin5]

Describe the bug
M365 Agent Toolkit is using M365 account to provision Azure Resources with actions like aadApp/create, aadApp/update

Environment scenario
Single tenant
As a developer I use two accounts in same tenant.
Microsoft 365 Account: TestAccount@tenant.com
Azure Account: Elevated_TestAccount@tenant.com

TestAccount@tenant.com does not have access to Create/Update Azure resources like aad app.

To Reproduce
Steps to reproduce the behavior:

1. Sign in M365 account with TestAccount@tenant.com
2. Sign in Azure account with Elevated_TestAccount@tenant.com
3. Execute Local or Dev environment provisioning
4. ... going through action aadApp/create OR aadApp/update
5. Error: Message for denied access

Issue
I reviewed Fiddler trace to review the REST API call to update the aap app.
Auth token sent to Microsoft Graph REST API to update the Azure Application, is from M365 account instead of Azure account.
Added few screenshots

Expected behavior
Use Elevated_TestAccount@tenant.com to provision resources in Azure and use TestAccount@tenant.com for M365 resources

VS Code Extension Information (please complete the following information):

• OS: Windows Server 2022 Data Center
• Version 6.4.0

Additional context
Fiddler screenshot of decoded Auth token to confirm the account being used (Sorry had to remove)

[m365-agent-toolkit-assistant]

👋 Hi @NWH-SAmin5,

Thank you for reporting this issue! We want to let you know that:

⏱️ Our team will personally review your issue
🎯 You can expect a response within 2 business days

✨ This is an AI-generated initial response
🤖 AI-Generated Preliminary Analysis:

This is a common issue: even after signing in with both your Microsoft 365 (M365) and Azure accounts in the VS Code extension, the Microsoft 365 Agents Toolkit provisions Azure AD resources (like AAD apps) using the M365 account, not your signed-in Azure account. This fails if the M365 account lacks permissions.

Workarounds / Steps:

• The toolkit currently requires BOTH Azure and M365 accounts to be from the same tenant and be the same user if you want to create/update Azure resources. If the accounts differ, provisioning will use the M365 account for AAD actions, causing "Denied access" errors.
• There is ongoing discussion about this limitation and requests for better account separation; see related GitHub issues.
• Current workaround: Use the same account for Azure and M365 login (ensure it has both M365 and Azure permissions).

References:

• Toolkit uses M365 account for Azure resources

If this is blocking your scenario, please upvote/comment on the issue above. This behavior is by design today, so apologies for the inconvenience.

✨We'd love your feedback! Please take a moment to fill out our survey.

---

Note: This is an automated first response generated by AI. A human team member will review your issue and provide a more detailed response soon. We appreciate your patience!

[tecton]

Hi @NWH-SAmin5, this is by design that Toolkit use M365 account to create Entra app and Azure Bot Service. You can login your M365 account on Azure portal to view the Entra app.