Configure end-user authentication for actions
When creating a Copilot Studio action for an authenticated Copilot Studio project, you can enable end-user authentication, or supply a set of credentials for the copilot to use on behalf of the user.
- Select Copilot author authentication if access to the service associated with the action is implicit, or for low-risk use cases. For example, use this authentication setting to find the phone number for the support team in a given zip code, or when using a weather API to get the current forecast.
- Select User authentication if you must restrict data access to specific groups or individuals in the user community. For example, use this authentication setting if the copilot is meant to retrieve data that only the end user has access to, or to perform work on their behalf.
Creating connections
Users are prompted to log in to the experience when they visit any dialog that uses a user action. They are prompted as soon as the conversation begins, and they authenticate with the copilot.
When users review the connections page, they can see the connection they need to configure for the action to complete a given dialog, and other connections your actions may require in the entire experience.
Completing the connection and returning to the conversation with the copilot allows your end users to "retry" the action. It then completes with the end user's data access.
About data access and permission management
Copilot Studio does not store any credentials and reprompts end users for access if the access token expires or is revoked on the service side. Additionally, end users can manually access this connection page and refresh or revoke permissions once they are done talking to your copilot.
Supported channels
The following table details the channels that currently support end-user authentication for actions.
Channel | Supported |
---|---|
Azure Bot Service channels | Not supported |
Custom Website | Supported |
Demo Website | Not supported |
Not supported | |
Microsoft Teams¹ | Supported |
Mobile App | Not supported |
Omnichannel for Customer Service² | Supported |
¹ If you also have the Teams channel enabled, you need to follow the configuration instructions on the Configure single sign-on with Microsoft Entra ID for copilots in Microsoft Teams documentation. Failing to configure the Teams single sign-on (SSO) settings as instructed on that page causes your users to always fail authentication when using the Teams channel.
² Only the live chat channel is supported. For more information, see Configure handoff to Dynamics 365 Customer Service.