Troubleshooting and security notes

Troubleshooting

| Symptom | Cause and fix |
| --- | --- |
| Test API fails: "Auth failed before API call", AADSTS900023 invalid tenant | The API Server's Auth URI is empty or still contains a placeholder. Enter the full token URL with your tenant ID, set Grant Type to Client Credentials and the .default scope, then Save. |
| AppId / App Secret show SESSION_CREDENTIAL | AI Flow Builder saved placeholder references. Replace both with the real Client ID and Secret in the API Server and Save. |
| Flow missing from the trigger's Associate Flow list | The flow is not a top-level flow, or the latest deploy hasn't propagated. Set Is Top-Level Flow = Yes, re-deploy (Overwrite), then reopen Create Trigger. |
| Trigger stays in Draft after publishing | Publishing is asynchronous. Wait for the request to finish and refresh the Triggers page - the status changes to Published. |
| Deploy reports a name conflict | A copy already exists in Production. Choose Overwrite to replace it (or rename the flow if you want both). |
| Search returns no users or groups | The Graph filters use startswith(displayName, …). Search by the first letters of the display name, not a substring. |
| Trigger phrase launches a different flow or none at all | You are chatting with a bot from another environment, or another trigger matches more strongly. Use this environment's bot and make sample queries distinctive. |
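
A pre-flight check for the two authentication symptoms at the top of the troubleshooting list, written as an added example that is not part of the original page or of AI Flow Builder. The dict keys (`auth_uri`, `grant_type`, `scope`, `app_id`, `app_secret`) are hypothetical names for the API Server fields, the placeholder patterns are heuristics, and the expected URL path is the Microsoft identity platform v2.0 token endpoint shape.

```python
import re
from urllib.parse import urlparse

# Tenant segment of a v2.0 token URL: a directory (tenant) GUID or a domain name.
TENANT = re.compile(
    r"^(?:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}|(?:[a-z0-9-]+\.)+[a-z]{2,})$", re.I)
# Heuristic markers of an unfilled template value in the Auth URI (an assumption).
PLACEHOLDER = re.compile(r"[{}<>\[\]]|SESSION_CREDENTIAL|your[-_ ]?tenant", re.I)


def check_api_server(cfg):
    """Return findings for one API Server config (hypothetical keys); [] means usable.
    Findings name the field only and never echo a credential value."""
    findings = []
    uri = (cfg.get("auth_uri") or "").strip()
    if not uri:
        findings.append("auth_uri: empty")
    elif PLACEHOLDER.search(uri):
        findings.append("auth_uri: still contains a placeholder")
    else:
        url = urlparse(uri)
        parts = [p for p in url.path.split("/") if p]
        if url.scheme != "https" or parts[1:] != ["oauth2", "v2.0", "token"]:
            findings.append("auth_uri: not a full https token URL")
        elif not TENANT.match(parts[0]):
            findings.append("auth_uri: tenant segment is not a tenant ID or domain")
    grant = (cfg.get("grant_type") or "").strip().lower().replace(" ", "_")
    if grant != "client_credentials":
        findings.append("grant_type: expected Client Credentials")
    if not (cfg.get("scope") or "").strip().endswith("/.default"):
        findings.append("scope: expected a resource's .default scope")
    for field in ("app_id", "app_secret"):
        value = (cfg.get(field) or "").strip()
        if not value or "SESSION_CREDENTIAL" in value.upper():
            findings.append(f"{field}: empty or placeholder reference")
    return findings


# Constructed sample: the state described by the two authentication symptoms.
BROKEN = {"auth_uri": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
          "grant_type": "Client Credentials", "scope": "https://graph.microsoft.com/.default",
          "app_id": "SESSION_CREDENTIAL", "app_secret": "SESSION_CREDENTIAL"}
# Constructed sample: an all-zero GUID and dummy credentials stand in for real values.
FIXED = dict(BROKEN, app_id="11111111-1111-1111-1111-111111111111", app_secret="dummy-value",
             auth_uri="https://login.microsoftonline.com/"
                      "00000000-0000-0000-0000-000000000000/oauth2/v2.0/token")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_api_server(cfg) or "ok")
```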

Security notes

  • Grant the app registration the minimum Graph permissions the flow needs, and prefer GroupMember.ReadWrite.All over broader group write scopes.
  • Enter secrets only in masked credential fields. Never place them in prompts, flow steps, sample queries, screenshots, or documents - and rotate any secret that leaks.
  • The confirmation card is your guardrail for write operations: keep it, and consider an Audience restriction on the trigger so only the right people can add members.
  • Use a test tenant or test users while building; the live tests inside AI Flow Builder and the end-to-end run in Teams make real changes.