[msteams] Inbound media from OneDrive/SharePoint shared links fails — graph media fetch empty #55383

@ndholakia

Description

When a user shares a OneDrive or SharePoint file link in a 1:1 Teams DM with a bot, the msteams provider fails to download the file. The log shows graph media fetch empty. Local file uploads (drag-and-drop from device) work correctly — the provider logs downloaded attachments and the file is saved to the inbound media directory.

Steps to Reproduce

  1. Configure OpenClaw with msteams channel (Bot Framework, single tenant)
  2. Grant Files.ReadWrite.All Graph API permission on the app registration
  3. Set mediaAllowHosts: ["*"] and mediaAuthAllowHosts: ["*"] in msteams config
  4. In a 1:1 Teams DM with the bot, share a file from OneDrive (click attach → choose from OneDrive)
  5. Observe: graph media fetch empty in logs, agent receives <media:document> with no file content

Expected Behavior

The provider should download the shared file and pass it to the agent, same as local file uploads.

Actual Behavior

  • Local file upload: received message → downloaded attachments → agent gets file path and content ✅
  • OneDrive shared link: received message → graph media fetch empty → agent gets <media:document> tag only ❌

Root Cause Analysis

This appears related to closed issue #28014. resolveMSTeamsInboundMedia() in src/monitor-handler/inbound-media.ts uses the Bot Framework turn context tokenProvider, which returns a Bot Connector-scoped token. This token lacks the Graph API permissions needed to fetch files from SharePoint/OneDrive URLs.

The fix exists in the codebase: resolveGraphToken() in src/graph.ts correctly acquires an MSAL token with Graph scope via client credentials flow. It needs to be wired up as a fallback when the bot adapter token fails to fetch media.

Environment

  • OpenClaw version: 2026.3.22
  • Docker image: ghcr.io/openclaw/openclaw:latest
  • Channel: msteams (Bot Framework, single tenant)
  • Graph permissions: Files.ReadWrite.All, User.Read.All, Group.Read.All (all granted)
  • Config: mediaAllowHosts: ["*"], mediaAuthAllowHosts: ["*"]
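
The fallback proposed in the root cause analysis, sketched as an added example (not OpenClaw code and not part of the original issue): try the Bot Connector token first, retry with a Graph-scoped token when the body comes back empty, and attach a bearer token only to hosts on an auth allowlist. The names TokenSource, MediaFetch, hostAllowed and fetchMediaWithFallback, the wildcard matching rules and the sample hosts are assumptions made for this sketch.

```typescript
// Added example, not OpenClaw code. All names and matching rules are hypothetical.
type TokenSource = { name: string; getToken: () => Promise<string> };
type MediaFetch = (url: string, bearer: string | null) => Promise<Uint8Array | null>;

// Assumed rules for this sketch: "*" matches any host, "*.example.com"
// matches subdomains only, anything else must match the host exactly.
// Non-HTTPS and unparsable URLs never qualify for a bearer token.
function hostAllowed(url: string, allow: string[]): boolean {
  let u: URL;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return allow.some((p) => {
    const pat = p.toLowerCase();
    if (pat === "*") return true;
    if (pat.startsWith("*.")) return host.endsWith(pat.slice(1));
    return host === pat;
  });
}

// Try each token source in order and stop at the first non-empty body.
// Tokens are requested and sent only when the URL host is on authAllow.
async function fetchMediaWithFallback(
  url: string,
  sources: TokenSource[],
  authAllow: string[],
  fetchMedia: MediaFetch,
): Promise<{ via: string; body: Uint8Array } | null> {
  if (!hostAllowed(url, authAllow)) {
    // Unlisted host: fetch without credentials so no token leaves the tenant.
    const body = await fetchMedia(url, null);
    return body && body.length > 0 ? { via: "anonymous", body } : null;
  }
  for (const src of sources) {
    try {
      const body = await fetchMedia(url, await src.getToken());
      if (body && body.length > 0) return { via: src.name, body };
    } catch {
      // Token acquisition or fetch failed: fall through to the next source.
    }
  }
  return null; // corresponds to the "graph media fetch empty" outcome
}
```

Under these assumed matching rules an auth allowlist of ["*"] would send the Graph token to any HTTPS host a shared link points at, so the sketch is meant to be used with a narrow list such as the Graph and SharePoint hosts.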
