diff --git a/modules/auth/csrf.py b/modules/auth/csrf.py
index eca69113..c29d6aec 100644
--- a/modules/auth/csrf.py
+++ b/modules/auth/csrf.py
@@ -27,8 +27,13 @@ class CSRFMiddleware(BaseHTTPMiddleware):
 "/api/msft/login",
 "/api/google/login",
 "/api/msft/callback",
- "/api/google/callback"
+ "/api/google/callback",
 }
+
+ # Path prefixes exempt from CSRF (for service-to-service callbacks)
+ self._exemptPrefixes = [
+ "/api/teamsbot/", # .NET Media Bridge callbacks (bridge/status, bridge/audio)
+ ]
 
 # State-changing HTTP methods that require CSRF protection
 self.protected_methods = {"POST", "PUT", "DELETE", "PATCH"}
@@ -37,9 +42,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
 """
 Check CSRF token for state-changing operations.
 """
- # Skip CSRF check for exempt paths
+ # Skip CSRF check for exempt paths (exact match)
 if request.url.path in self.exempt_paths:
 return await call_next(request)
+
+ # Skip CSRF check for exempt path prefixes (bridge callbacks etc.)
+ if any(request.url.path.startswith(p) for p in self._exemptPrefixes):
+ if "/bridge/" in request.url.path:
+ return await call_next(request)
 
 # Skip CSRF check for non-state-changing methods
 if request.method not in self.protected_methods:
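Review bot: The new prefix exemption in the second hunk skips CSRF for any `/api/teamsbot/` path that merely contains the substring `/bridge/` anywhere, which is looser than the `bridge/status`/`bridge/audio` routes the comment names and means every future `/api/teamsbot/.../bridge/...` handler is silently unprotected. Since the `_exemptPrefixes` entry is only ever honoured together with the inner substring test, the two conditions collapse to one: `if request.url.path.startswith("/api/teamsbot/bridge/"):` followed by `return await call_next(request)`, with `self._exemptPrefixes = ("/api/teamsbot/bridge/",)` in `__init__` if the list is kept. A CSRF bypass for service-to-service callbacks is only safe when those routes authenticate the bridge themselves (shared-secret header, signed payload or mTLS); nothing in this hunk shows that, so it should be confirmed in the teamsbot handlers and recorded in the comment, e.g. `# exempt only because the handler verifies the bridge's shared secret`. The `_exemptPrefixes` name also breaks the file's snake_case convention seen in `exempt_paths` and `protected_methods`. `dispatch` begins before the hunk and continues past it.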