How to Fix Azure Health Bot: Setup, Config & Billing Errors
Why This Is Happening
You've just spun up an Azure Health Bot , now called the healthcare agent service, and something isn't working the way you expected. Maybe your agent isn't responding to patient queries. Maybe you're staring at a billing screen that looks nothing like the documentation you read three months ago. Or maybe you're mid-deployment and your S1 tier agent just stopped letting you configure anything new. I've seen all of these, and I'm going to walk you through every one of them.
The single biggest source of confusion right now is the tier migration that happened in November 2025. The Legacy Standard S1 tier, which many organizations had been running on for years, was deprecated. No new S1 instances can be created. All new non-free agents are created in the C1 (pay-as-you-go) tier. If your team wasn't watching the TechCommunity blog, this change probably blindsided you. Your dashboards look different, your cost estimates are off, and some configuration options may have shifted.
There's also the naming change to wrap your head around. Microsoft rebranded "Azure Health Bot" to "healthcare agent service." The underlying product is the same, it's still built on Azure infrastructure and inherits Azure's full compliance posture, but if you're searching the portal, the documentation, or PowerShell modules for "health bot," you may be hitting stale references that cause genuine confusion about where settings live.
Beyond billing and naming, the most common setup problems fall into a handful of categories: authentication misconfiguration (especially for multi-tenant scenarios), webhook and extension failures when connecting to OpenAPI-based services, agent designer issues where scenario logic doesn't execute as expected, and confusion around what "Actions" actually means now that the C1 tier bills per action rather than per message. A single triage session, for example, consumes 18 Actions, which is very different from the old per-message model, and teams that didn't recalculate their budgets are getting surprise invoices.
Microsoft's error messages inside the healthcare agent service portal are often frustratingly vague. You'll see generic "configuration error" banners with no event ID, no stack trace, nothing to grep for. That's why I put this guide together, to give you the actual diagnosis paths and fixes that the portal doesn't tell you. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go deep on diagnostics, run through this checklist. About 60% of the Azure Health Bot / healthcare agent service issues I see are resolved by one of these five things.
1. Confirm your active tier. Open the Azure portal, navigate to your healthcare agent service resource, and click Settings > Pricing tier. If you see "S1 (Legacy)" and you're trying to enable any Generative AI features, Credible Source responses, customer knowledge base grounding, or triage sessions, those features simply will not work on S1. They are C1-exclusive. You need to upgrade.
2. Regenerate your bot keys. Go to Settings > Bot Management Settings and regenerate both the primary and secondary keys, then update any downstream app registrations or channel configurations that reference those keys. Stale keys are behind more "agent not responding" tickets than any other single cause.
3. Check your Azure subscription status. Navigate to Cost Management + Billing in the Azure portal. A subscription in a "Past Due" or "Disabled" state will silently stop your agent from processing messages, the agent console shows green, but nothing gets handled. Resolve any billing holds first.
4. Validate your channel configuration. In the healthcare agent service portal, go to Channels and confirm the channel you're testing through (Web Chat, Teams, or custom) is marked Active. A channel left in Draft state after a configuration edit won't serve traffic.
5. Clear and republish your agent. In the agent designer, use Deploy > Publish to force a clean deployment push. Cached scenario state can get out of sync with your latest edits, especially after tenant moves or subscription transfers.
If you're still on the Legacy Standard S1 tier, you're running on deprecated infrastructure. No new S1 instances can be created as of November 2025, and while existing S1 agents continue to function, you cannot access any Generative AI capabilities, including customer source grounding, credible source responses backed by medical databases, or interactive triage sessions. Those capabilities only exist in C1.
To change your tier, open the Azure portal and go to your healthcare agent service resource. In the left menu, select Settings, then click Pricing tier. You'll see options for Free (F0) and Agent Tier C1. Select C1 (PAYGO) and click Apply.
Here's what actually changes when you make this move: the fixed $500/month fee goes away. Under C1, you pay $0.01 per Action, and Actions are consumed differently depending on what feature handles the response. A standard rule-based answer uses 1 Action. A response grounded in your own uploaded documents or websites uses 2 Actions. A response that draws from the built-in medical intelligence and healthcare databases costs 5 Actions. A full triage session, the interactive clinical question-and-answer flow, costs 18 Actions per session.
Before you flip the switch on a production agent, model your expected Action consumption. If your bot handles 10,000 standard messages per month, that's $100. If 500 of those escalate to triage sessions, add another $90. Most teams find C1 significantly cheaper than S1 once they run the math, but you need to actually run the math for your usage pattern. After upgrading, check Cost Management + Billing within 48 hours to confirm the new meter is active.
Healthcare agent service uses Azure Active Directory app registrations for identity. When authentication breaks, your agent goes silent, no error to the end user, just no response. The most common cause is an expired client secret on the app registration tied to your agent.
Open the Azure portal and navigate to Azure Active Directory > App registrations. Find the registration associated with your healthcare agent service instance (it typically has the same display name you gave the agent during setup). Click Certificates & secrets. If any client secrets show an expiration date in the past, that's your problem.
Create a new secret by clicking New client secret, set the expiration period (12 or 24 months is typical for production), copy the value immediately, it's only shown once, and then update the corresponding secret in your agent's configuration. In the healthcare agent service portal, go to Settings > Bot Management Settings and paste the new secret into the correct field.
# Check your app registration's expiration via Azure CLI
az ad app credential list --id <your-app-id> --query "[].{EndDate:endDateTime, KeyId:keyId}"For multi-tenant deployments, also verify that the app registration's Supported account types is set correctly. Single-tenant agents registered as multi-tenant (or vice versa) will produce authentication errors that look identical to expired credential errors in the portal logs, which wastes a lot of time. Set it to match your actual deployment topology. After updating credentials, re-publish your agent and test in the emulator before pushing to production channels.
Customer extensions, those integrations where your agent calls out to an external OpenAPI service, a conversational service, or another backend, consume 2 Actions each and are one of the most powerful features in the platform. They're also one of the most common points of failure, and when they break, they tend to break silently from the patient's perspective.
Start your diagnosis in the healthcare agent service portal under Integration > Extensions. Each extension has a connection status indicator. A yellow or red status here means the agent can't reach your endpoint. Click the extension name and use the Test Connection button to see the actual HTTP response.
The most common causes of extension failures, in order: TLS certificate mismatch on your backend endpoint (the healthcare agent service requires valid, publicly trusted certificates, self-signed certs will be rejected), network security group rules on Azure-hosted backends blocking the agent service's outbound IP ranges, and schema mismatches between your OpenAPI spec and your actual API response shape.
# Test your extension endpoint directly to rule out cert issues
curl -v --tlsv1.2 https://your-extension-endpoint.com/api/healthFor OpenAPI spec issues specifically, validate your spec at the extension configuration screen, the portal has a built-in validator. Pay close attention to required vs. optional fields; if your live API returns a field as nullable but your spec marks it required, the agent runtime will throw a schema validation error and fall back to a generic response. That's frustrating to debug because the scenario appears to execute correctly in the designer preview but fails in live traffic.
Once you've identified and fixed the root cause, re-import your OpenAPI spec, re-validate the extension, then re-publish the agent. Always confirm the extension shows a green connection status before pushing to end users.
Triage sessions are the most sophisticated feature in the healthcare agent service, they guide a patient through a dynamic clinical question-and-answer flow based on their reported symptoms and recommend appropriate next steps. At 18 Actions per session, they're also the most expensive interaction type, so when they break, it stings both ways.
The most common triage session problem is a session that starts but cuts off mid-flow, returning a generic message like "I'm sorry, I couldn't complete your request." This almost always traces back to one of three things: a missing or misconfigured medical protocol, a localization setting mismatch, or an Actions quota exhaustion mid-session on the Free F0 tier.
For the Free tier specifically: F0 has strict monthly usage caps. If your organization is using F0 for anything beyond genuine evaluation and development, you will hit those caps and triage sessions will terminate unexpectedly. The fix is to upgrade to C1, the Free tier is explicitly recommended only for experimentation, not production patient interactions.
For medical protocol issues, go to Medical Protocols in the healthcare agent service portal and verify that the protocols your triage scenario references are enabled and up to date. Microsoft periodically updates the built-in clinical content; if a protocol was auto-updated and you have hardcoded references to a specific version in your scenario logic, the mismatch will cause silent failures.
// In your scenario's "On Error" handler, log the full error object:
// This surfaces the actual failure reason in your conversation logs
conversation.memory["debug_error"] = scenario.error.message;Add an explicit error handler to every triage scenario. Without one, you're flying blind when failures occur in production. Route error states to a handoff flow that connects the patient to a human agent, and log the error context to your conversation memory for post-session analysis.
Credible source responses are what make the healthcare agent service genuinely useful for patient education, they ground answers in built-in medical databases, clinical guidelines, and trusted third-party health intelligence sources. Each response costs 5 Actions, which reflects the real-time retrieval and synthesis happening behind the scenes. When this feature breaks, patients get either no response or a generic fallback that doesn't actually answer their medical question.
First, confirm you're on the C1 tier. Credible source is not available on F0 or S1, full stop. If you're on C1 and credible source responses are still failing, the next thing to check is your agent's language and region configuration. The built-in healthcare intelligence is not uniformly available across all locales. Some clinical databases are English-only or limited to specific regional markets. Go to Settings > Language and Regional Settings and confirm your configured locale has full credible source support.
If locale isn't the issue, check whether your scenario is correctly configured to invoke credible source. In the scenario designer, the response node needs to have Response type: Credible Source selected, not "Classic" and not "Customer Source." These are distinct response types that bill differently and draw from different knowledge bases. A scenario accidentally set to Classic will give a rule-based response even if you have credible source enabled at the resource level.
// Verify response type in scenario JSON export
// Look for the "responseType" field in each dialog node:
{
"type": "prompt",
"responseType": "credibleSource", // Must be this, not "classic"
"text": "What is your question?"
}Finally, check your compliance configuration. Healthcare agent service operates under a strict compliance framework, it holds certifications including GDPR, HIPAA-adjacent standards through ISO 27018, SOC 2 Type 2, and many others. Some credible source content has jurisdictional restrictions baked in. If your tenant is configured for a region where certain clinical guidance cannot be surfaced due to regulatory requirements, the response will silently fall back rather than surface restricted content. Contact Microsoft Support if you believe you're hitting a regional content restriction.
Advanced Troubleshooting
When the standard fixes haven't resolved your issue, it's time to go deeper. These are the tools and techniques I use when I'm dealing with persistent, hard-to-reproduce problems in enterprise healthcare agent service deployments.
Azure Monitor and Diagnostic Logs
Enable diagnostic logging for your healthcare agent service resource. In the Azure portal, navigate to your resource and select Monitoring > Diagnostic settings. Add a diagnostic setting that sends logs to a Log Analytics workspace. Once enabled, you can query agent operation logs, channel activity, and error events directly in Log Analytics.
// Kusto query to find agent errors in the last 24 hours:
AzureDiagnostics
| where ResourceType == "HEALTHCAREBOTS"
| where Level == "Error"
| where TimeGenerated > ago(24h)
| project TimeGenerated, Message, OperationName, ResultDescription
| order by TimeGenerated descNetwork Connectivity for Extension Endpoints
If your healthcare agent service is calling private or internally-hosted OpenAPI extension endpoints, you need to confirm that Azure's outbound service IPs can reach those endpoints. In the Azure portal, find your healthcare agent service resource's region, then check Service Tags in Azure Networking documentation for the current IP ranges for that region. Your firewall rules need to allow inbound traffic from those ranges on port 443.
Subscription and RBAC Issues
In enterprise environments with Azure RBAC enforced at the subscription level, healthcare agent service administrators need at minimum the Contributor role on the resource group containing the agent service. Read-only access to the resource group produces confusing errors, settings appear to save but don't actually persist. If you're seeing phantom configuration failures, check the RBAC assignments with:
az role assignment list --scope /subscriptions/<sub-id>/resourceGroups/<rg-name> --output tableBilling Discrepancies Between Expected and Actual Action Counts
If your monthly Action count is higher than expected, use Cost Management + Billing > Cost Analysis filtered to your healthcare agent service meter to see a day-by-day breakdown. Spikes often correspond to crawlers hitting your web chat endpoint, which consume Actions just like real users. Implement bot detection or rate limiting at your channel layer to filter out non-human traffic before it reaches the agent runtime.
Compliance Configuration for Regulated Environments
Healthcare agent service holds a broad set of compliance certifications, including SOC 1 Type 2, SOC 2 Type 2, ISO 27001:2013, ISO 27018:2014 (specifically relevant for personal health data in cloud environments), GDPR compliance designation, and HIPAA-adjacent frameworks. If your legal or compliance team requires evidence of these certifications for your own audit processes, access them through the Microsoft Service Trust Portal (servicetrust.microsoft.com) using your organizational credentials. The audit reports there are the authoritative source, not screenshots from the portal.
Prevention & Best Practices
I've watched enough organizations go from "this is broken" to "this has been quietly broken for three months" to know that prevention is where you get the real ROI with healthcare agent service. The platform is genuinely powerful, but it rewards teams who treat it with the same operational discipline they'd apply to any patient-facing system.
Subscribe to the TechCommunity blog. Microsoft uses the healthcare agent service TechCommunity blog as the primary channel for announcing breaking changes, deprecation timelines, and new capability rollouts. The S1 deprecation was announced there well in advance of November 2025. Teams that weren't subscribed got blindsided. Go to the official healthcare agent service TechCommunity page, join as a member, and enable email notifications. This one action could prevent your next major incident.
Model your Action consumption before going to production. Map every dialog path in your agent and calculate the Action cost for each. A patient journey that starts with a greeting (1 Action), asks one customer source question (2 Actions), and ends with a 10-minute triage session (18 Actions) costs 21 Actions total. Multiply by your expected session volume and set a cost alert in Azure Cost Management at 80% of your monthly budget threshold so you're never surprised.
Set up staged deployment environments. Run separate healthcare agent service resources for development, staging, and production. Use the Free F0 tier for dev and staging so you're not burning C1 Actions during testing. The F0 tier's limitations are actually useful here, they force your team to keep test scenarios lightweight and focused. Never test in production unless you're intentionally load testing and have budget approval for the Action consumption.
Rotate credentials on a schedule, not just when they break. App registration client secrets expire on the date you set when you create them. If you set a 12-month expiration and then forget about it, your production agent goes dark on a random Tuesday afternoon with no warning. Put a recurring calendar reminder at 60 and 30 days before each secret's expiration date, and rotate it proactively.
- Enable Azure Monitor diagnostic logs on day one, retroactive troubleshooting without logs is guesswork
- Use the built-in Web Chat Emulator to validate every scenario change before publishing to live channels
- Set cost alerts in Azure Cost Management at 50%, 80%, and 100% of your monthly Action budget
- Review and re-verify extension endpoint TLS certificates every time you renew SSL on your backend servers
Frequently Asked Questions
What is the difference between Azure Health Bot and healthcare agent service?
They're the same product, Microsoft rebranded Azure Health Bot to "healthcare agent service." The rebrand happened alongside the C1 tier launch and the expansion into Generative AI capabilities. The underlying infrastructure is the same Azure-based platform, and all your existing configurations carry over. If you see "Azure Health Bot" in older documentation or portal references, just know they're pointing to the same thing as "healthcare agent service" in current docs. The compliance certifications, the developer portal, and the agent designer are all continuous with the old product.
My agent was working fine last month and now it's not responding, what happened?
The most common cause of sudden, unexplained agent outages is an expired client secret on your Azure AD app registration. Secrets have a finite lifespan, and when they expire, the agent can no longer authenticate and silently stops responding. Navigate to Azure Active Directory > App registrations > your agent's registration > Certificates & secrets, check the expiration dates, and create a new secret if any have expired. Also check your Azure subscription's billing status, a past-due subscription will suspend service even for otherwise healthy resources.
How do I calculate how much my healthcare agent service will cost per month?
Under the C1 pay-as-you-go tier, every interaction is billed at $0.01 per Action. Standard rule-based responses cost 1 Action each. Responses grounded in your uploaded documents or websites cost 2 Actions. Responses drawing from the built-in medical intelligence databases cost 5 Actions. Full interactive triage sessions cost 18 Actions. Add up the expected volume of each interaction type, multiply by the Action cost, and that's your estimated monthly bill. Set Azure Cost Management alerts at 80% of your budget threshold so you get notified before you overspend.
Can I still use the S1 Legacy tier, or do I have to migrate?
Existing S1 agents continue to work as of now, Microsoft has not announced a forced shutdown date for existing S1 instances. However, you cannot create new S1 agents, and the S1 tier does not support any Generative AI features including credible source responses, customer knowledge base grounding, or triage sessions. If your healthcare agent service needs any of those capabilities, migration to C1 is not optional. For existing S1 workloads that only use classic rule-based responses, you can stay on S1 for now, but plan your migration, the tier is deprecated and will eventually be retired.
What compliance certifications does healthcare agent service hold?
Healthcare agent service inherits Azure's full compliance portfolio because it's built on top of Azure infrastructure. That includes SOC 1 Type 2, SOC 2 Type 2, SOC 3, ISO 27001:2013, ISO 27017:2015, ISO 27018:2014, ISO 9001:2015, GDPR compliance designation, HIPAA-adjacent controls, and a long list of regional financial and healthcare regulatory frameworks including EU Model Clauses, Germany C5, FINMA (Switzerland), RBI and IRDAI (India), MAS and ABS (Singapore), and others. Official audit reports are available through the Microsoft Service Trust Portal using your organizational credentials.
How do I stay informed about upcoming changes and feature releases to healthcare agent service?
Microsoft uses the official healthcare agent service TechCommunity blog as the central communication channel for announcements, roadmap updates, new feature walkthroughs, and advance notice of breaking changes. Join the community as a member and enable email notifications or follows so you get alerted when new articles are published. This is especially important for anything related to tier changes, billing model updates, or compliance certification renewals, all of which have been communicated through that channel first before appearing in the formal documentation.