Description
When a user shares a OneDrive or SharePoint file link in a 1:1 Teams DM with a bot, the msteams provider fails to download the file. The log shows `graph media fetch empty`. Local file uploads (drag-and-drop from device) work correctly — the provider logs `downloaded attachments` and the file is saved to the inbound media directory.
Steps to Reproduce
- Configure OpenClaw with msteams channel (Bot Framework, single tenant)
- Grant `Files.ReadWrite.All` Graph API permission on the app registration
- Set `mediaAllowHosts: ["*"]` and `mediaAuthAllowHosts: ["*"]` in msteams config
- In a 1:1 Teams DM with the bot, share a file from OneDrive (click attach → choose from OneDrive)
- Observe: `graph media fetch empty` in logs, agent receives `<media:document>` with no file content
Expected Behavior
The provider should download the shared file and pass it to the agent, same as local file uploads.
Actual Behavior
- Local file upload: `received message` → `downloaded attachments` → agent gets file path and content ✅
- OneDrive shared link: `received message` → `graph media fetch empty` → agent gets `<media:document>` tag only ❌
Root Cause Analysis
This appears related to closed issue #28014. `resolveMSTeamsInboundMedia()` in `src/monitor-handler/inbound-media.ts` uses the Bot Framework turn context `tokenProvider`, which returns a Bot Connector-scoped token. This token lacks the Graph API permissions needed to fetch files from SharePoint/OneDrive URLs.
The fix exists in the codebase: `resolveGraphToken()` in `src/graph.ts` correctly acquires an MSAL token with Graph scope via client credentials flow. It needs to be wired up as a fallback when the bot adapter token fails to fetch media.
Environment
- OpenClaw version: 2026.3.22
- Docker image: `ghcr.io/openclaw/openclaw:latest`
- Channel: msteams (Bot Framework, single tenant)
- Graph permissions: Files.ReadWrite.All, User.Read.All, Group.Read.All (all granted)
- Config: `mediaAllowHosts: ["*"]`, `mediaAuthAllowHosts: ["*"]`
Related
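The token mismatch described under Root Cause Analysis can be checked from the tokens themselves. The following is an added example, not code from the report or from OpenClaw: it reads a token's `aud` and `roles` claims to tell a Bot Connector token from a Graph one, and attaches a bearer only when a sharing link on an allowlisted host is rewritten to Graph's `/shares/{id}/driveItem/content` endpoint, in contrast to the `["*"]` host settings in the report. Assumptions: all helper names are hypothetical, the `.sharepoint.com` suffix allowlist is illustrative, and resolving links through `/shares` is one documented Graph route rather than necessarily the provider's.

```typescript
// Added example: helper names are hypothetical, not OpenClaw's own code.
const GRAPH_AUDIENCES = ["https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"];
// Assumed allowlist: only links on these host suffixes are resolved with a token.
const SHARE_HOST_SUFFIXES = [".sharepoint.com"];

interface Claims { aud?: unknown; roles?: unknown }

// Decode a JWT payload WITHOUT verifying it: diagnostics only, never authorization.
function decodeClaims(jwt: string): Claims {
  try {
    const payload = jwt.split(".")[1] ?? "";
    return (JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) ?? {}) as Claims;
  } catch {
    return {}; // not a JWT, or payload is not JSON
  }
}

// True when the token is addressed to Graph and carries an app role that can read files.
function isGraphFileToken(jwt: string): boolean {
  const { aud, roles } = decodeClaims(jwt);
  const audOk = typeof aud === "string" && GRAPH_AUDIENCES.includes(aud.replace(/\/$/, ""));
  const list = Array.isArray(roles) ? roles : [];
  return audOk && list.some((r) => /^(Files|Sites)\.Read(Write)?\.All$/.test(String(r)));
}

// Map a sharing link to Graph's /shares endpoint: "u!" + unpadded base64url of the URL.
function toGraphShareUrl(link: string): string | null {
  let u: URL;
  try { u = new URL(link); } catch { return null; }
  const allowed = SHARE_HOST_SUFFIXES.some((s) => u.hostname.endsWith(s));
  if (u.protocol !== "https:" || !allowed) return null;
  const id = "u!" + Buffer.from(link, "utf8").toString("base64url");
  return `https://graph.microsoft.com/v1.0/shares/${id}/driveItem/content`;
}

// Decide what to fetch and which token to attach; bearer === null means send no token.
function planFetch(link: string, botToken: string, graphToken: string): { url: string; bearer: string | null } {
  const url = toGraphShareUrl(link);
  if (!url) return { url: link, bearer: null }; // unknown host: never leak a bearer
  const bearer = [botToken, graphToken].find(isGraphFileToken) ?? null;
  return { url, bearer };
}
```

A `null` bearer for an allowlisted link means neither token is usable for Graph file reads, which is the condition that would call for the client-credentials fallback the report describes.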