Configure single sign-on with Microsoft Entra ID for copilots in Microsoft Teams
Copilot Studio supports single sign-on (SSO) for copilots published to Microsoft Teams 1:1 chats, which means copilots can automatically sign in users with their Microsoft Teams credentials. SSO is only supported when using Microsoft Entra ID. Other service providers, such as Azure AD v1, don't support SSO in Microsoft Teams.
Important
It's possible to use SSO in Microsoft Teams chats, and not require manual authentication. To use this method for a previously published copilot, reconfigure the copilot to use Authenticate with Microsoft and then publish it again to Microsoft Teams. It might take a few hours before this change takes effect. If a user is in the middle of a conversation and the change doesn't appear to have taken effect, they can type "start over" in the chat to force the conversation to restart with the latest version of the copilot. These changes are now available for Teams 1:1 chats between the user and the copilot. They are not yet available for group chats or channel messages.
SSO is not supported for copilots integrated with Dynamics 365 Customer Service.
Please do not proceed with the following document unless necessary. If you want to use manual authentication for your copilot, see Configure user authentication with Microsoft Entra ID.
Note
If you are using Teams SSO authentication with the manual authentication option, and also using the copilot on custom websites at the same time, you must deploy the Teams app using the app manifest.
For more information, see Download the Teams app manifest for a copilot.
Other configurations such as authentication options beside Manual, or through Teams deployment using Copilot Studio one-click, will not work.
Prerequisites
- Learn how to use end-user authentication in a topic.
- Connect and configure a copilot for Microsoft Teams.
Configure an app registration
Before configuring SSO for Teams, you need to configure user authentication with Microsoft Entra ID. This process creates an app registration that is required to set up SSO.
Create an app registration. See the instructions in Configure user authentication with Microsoft Entra ID.
Add the redirect URL.
Generate a client secret.
Configure manual authentication.
Locate your Microsoft Teams channel app ID
In Copilot Studio, open the copilot for which you want to configure SSO.
Under the settings for the copilot, select Channels. Select the Microsoft Teams tile.
If the Microsoft Teams channel isn't connected to your copilot yet, select Turn on Teams. For more information, see Connect a copilot to the Microsoft Teams channel.
Select Edit details, expand More, and then select Copy next to the App ID field.
Add your Microsoft Teams channel app ID to your app registration
Go to the Azure portal. Open the app registration blade for the app registration you created when you configured user authentication for your copilot.
Select Expose an API on the side pane. For Application ID URI, select Set.
Enter
api://botid-{teamsbotid}
and replace{teamsbotid}
with your Teams channel app ID that you found earlier.Select Save.
Grant admin consent
Applications are authorized to call APIs when they're granted permissions by users/admins as part of the consent process. To learn more about consent, see Permissions and consent in the Microsoft identity platform.
If the admin consent option is available, you must grant consent:
In the Azure portal on your app registration blade, go to API Permissions.
Select Grant admin consent for <your tenant name> and then select Yes.
Tip
To avoid users having to consent to each application, a global administrator, application administrator, or a cloud application administrator can grant tenant-wide consent to your application registrations.
Add API permissions
In the Azure portal on your app registration blade, go to API Permissions.
Select Add a permission and choose Microsoft Graph.
Select Delegated permissions. A list of permissions appears.
Expand OpenId permissions.
Select openid and profile.
Select Add permissions.
Define a custom scope for your copilot
In the Azure portal on your app registration blade, go to Expose an API.
Select Add a scope.
Set the following properties:
Property Value Scope name Enter Test.Read
Who can consent? Select Admins and users Admin consent display name Enter Test.Read
Admin consent description Enter Allows the app to sign the user in.
State Select Enabled Note
The scope name
Test.Read
is a placeholder value and should be replaced with a name that makes sense in your environment.Select Add scope.
Add Microsoft Teams client IDs
Important
In the following steps, the values provided for Microsoft Teams client IDs should be used literally because they are the same across all tenants.
In the Azure portal on your app registration blade, go to Expose an API and select Add a client application.
In the Client ID field, enter the client ID for Microsoft Teams mobile/desktop, which is
1fec8e78-bce4-4aaf-ab1b-5451cc387264
. Select the checkbox for the scope that you created earlier.Select Add application.
Repeat the previous steps but, for Client ID, enter the client ID for Microsoft Teams on the web, which is
5e3ce6c0-2b1f-4285-8d4b-75ee78787346
.Confirm the Expose an API page lists the Microsoft Teams client app IDs.
To summarize, the two Microsoft Teams client IDs added to the Expose an API page are:
1fec8e78-bce4-4aaf-ab1b-5451cc387264
5e3ce6c0-2b1f-4285-8d4b-75ee78787346
Add token exchange URL to your copilot's Authentication settings
To update the Microsoft Entra ID authentication settings in Copilot Studio, you must add the token exchange URL to allow Microsoft Teams and Copilot Studio to share information.
In the Azure portal on your app registration blade, go to Expose an API.
Under Scopes, select the Copy to clipboard icon.
In Copilot Studio, under the settings for the copilot, select Security, and then select the Authentication tile.
For Token exchange URL (required for SSO), paste the scope you copied earlier.
Select Save.
Add SSO to your copilot's Microsoft Teams channel
In Copilot Studio, under the settings for the copilot, select Channels.
Select the Microsoft Teams tile.
Select Edit details and expand More.
For AAD application's client ID, enter the Application (client) ID from your app registration.
To obtain this value, open the Azure portal. Then on your app registration blade, go to Overview. Copy the value in the Application (client) ID box.
For Resource URI, enter the Application ID URI from your app registration.
To obtain this value, open the Azure portal. Then on your app registration blade, go to Expose an API. Copy the value in the Application ID URI box.
Select Save, and then Close.
Publish the copilot again, to make the latest changes available to your customers.
Select Open the copilot in Teams, to start a new conversation with your copilot in Microsoft Teams and verify if it automatically signs you in.
Known issues
If you first published your copilot using manual authentication without Teams SSO, the copilot in Teams will continuously prompt users to sign in.