Scenario
I'm trying to integrate n8n with Agent 365 in a cross-tenant setup:
- Tenant A (compute): n8n running on Azure Container Apps with a managed identity. This tenant has no M365 / Agent 365.
- Tenant B (M365): Agent identity blueprint, agent identity service principal, agent user (AgentUser@tenantB), and all MCP servers. Has Microsoft 365 Copilot + Agent 365 licenses, enrolled in Frontier preview.
The Agent User in tenant B has the AGENT_365 license assigned and was created via Teams → Create Instance (Step 10 in the n8n demo guide).
What I followed
The n8n demo guide at https://go.n8n.io/A365-demo, which configures n8n's built-in Microsoft Agent 365 Trigger node using tenant_id + client_id + client_secret of the blueprint.
All a365 CLI steps completed without errors in tenant B:
- a365 setup all --aiteammate
- a365 setup permissions mcp → "Configuring permissions for 6 resource(s)" → "Consent granted (All permissions)"
- a365 setup permissions bot → "Consent granted (All permissions)"
- a365 publish → manifest uploaded to M365 Admin Center, agent activated
- Step 10 (Create Instance) completed in Teams; agent user verified via Graph (@odata.type: #microsoft.graph.agentUser)
- Messaging endpoint configured at dev.teams.microsoft.com → API based → n8n webhook URL
What fails
At runtime (Teams @mention → n8n execution):
Error: invalid_grant
AADSTS65001: The user or administrator has not consented to use the application
with ID '' named ''.
Send an interactive authorization request for this user and resource.
When I tried to diagnose further:
Static client_credentials against the blueprint with a fresh secret from the Entra UI (verified length 40, copied directly via the Entra portal copy button): AADSTS7000215: Invalid client secret provided.
Tested against both https://graph.microsoft.com/.default and the MCP audience ea9ffc3e-8a23-4a7d-836d-234d7c7565c1/.default. Same error for both.
Static admin consent via /adminconsent?client_id=<blueprint-client-id>: AADSTS82007: Static consent method is not supported for service accounts.
This is consistent with Microsoft Learn (https://learn.microsoft.com/en-us/entra/agent-id/integrate-n8n-agent), which states:
Agent identities don't have credentials of their own. They only authenticate using federated identity credentials (FIC) issued by the agent identity blueprint.
The Learn page recommends the @astaykov/n8n-nodes-entraagentid community node and ships an azd up deployment — but it places n8n in the same tenant as the blueprint, not cross-tenant.
Questions
- Is cross-tenant Agent 365 (n8n in tenant A, blueprint/MCP in tenant B) a supported scenario in the current preview or planned for GA?
- If yes, what's the auth pattern — multi-tenant blueprint + cross-tenant FIC from the Container App's managed identity to the blueprint in tenant B? Something else?
- If no, is co-locating n8n with the blueprint (option: deploy a second n8n inside tenant B) the only viable path today?
The n8n demo guide implies static client secrets work for the Trigger node, but blueprint behavior in current preview seems to contradict that regardless of tenant topology. Clarification on the intended auth flow for n8n's built-in Agent 365 Trigger node (vs. the community node) would also help.
Environment
- a365 CLI: 1.1.188+22075d3bdd
- n8n: Self-hosted 2.18.5
- n8n hosting: Azure Container Apps (managed identity enabled) in tenant A
- Blueprint tenant (tenant B): Frontier preview enrolled, M365 Copilot + Agent 365 licenses
- Browser used for credential setup: Chrome