Configure single sign-on with Microsoft Entra ID for copilots in Microsoft Teams

Copilot Studio supports single sign-on (SSO) for copilots published to Microsoft Teams 1:1 chats, which means copilots can automatically sign in users with their Microsoft Teams credentials. SSO is only supported when using Microsoft Entra ID. Other service providers, such as Azure AD v1, don't support SSO in Microsoft Teams.

Important

It's possible to use SSO in Microsoft Teams chats, and not require manual authentication. To use this method for a previously published copilot, reconfigure the copilot to use Authenticate with Microsoft and then publish it again to Microsoft Teams. It might take a few hours before this change takes effect. If a user is in the middle of a conversation and the change doesn't appear to have taken effect, they can type "start over" in the chat to force the conversation to restart with the latest version of the copilot. These changes are now available for Teams 1:1 chats between the user and the copilot. They are not yet available for group chats or channel messages.

SSO is not supported for copilots integrated with Dynamics 365 Customer Service.

Please do not proceed with the following document unless necessary. If you want to use manual authentication for your copilot, see Configure user authentication with Microsoft Entra ID.

Note

If you are using Teams SSO authentication with the manual authentication option, and also using the copilot on custom websites at the same time, you must deploy the Teams app using the app manifest.

For more information, see Download the Teams app manifest for a copilot.

Other configurations such as authentication options beside Manual, or through Teams deployment using Copilot Studio one-click, will not work.

Prerequisites

Configure an app registration

Before configuring SSO for Teams, you need to configure user authentication with Microsoft Entra ID. This process creates an app registration that is required to set up SSO.

  1. Create an app registration. See the instructions in Configure user authentication with Microsoft Entra ID.

  2. Add the redirect URL.

  3. Generate a client secret.

  4. Configure manual authentication.

Locate your Microsoft Teams channel app ID

  1. In Copilot Studio, open the copilot for which you want to configure SSO.

  2. Under the settings for the copilot, select Channels. Select the Microsoft Teams tile.

  3. If the Microsoft Teams channel isn't connected to your copilot yet, select Turn on Teams. For more information, see Connect a copilot to the Microsoft Teams channel.

  4. Select Edit details, expand More, and then select Copy next to the App ID field.

Add your Microsoft Teams channel app ID to your app registration

  1. Go to the Azure portal. Open the app registration blade for the app registration you created when you configured user authentication for your copilot.

  2. Select Expose an API on the side pane. For Application ID URI, select Set.

    Screenshot of the location of the Set button for the Application ID URI.

  3. Enter api://botid-{teamsbotid} and replace {teamsbotid} with your Teams channel app ID that you found earlier.

    Screenshot of a correctly formatted URI entered into the Application ID URI box.

  4. Select Save.

Applications are authorized to call APIs when they're granted permissions by users/admins as part of the consent process. To learn more about consent, see Permissions and consent in the Microsoft identity platform.

If the admin consent option is available, you must grant consent:

  1. In the Azure portal on your app registration blade, go to API Permissions.

  2. Select Grant admin consent for <your tenant name> and then select Yes.

Tip

To avoid users having to consent to each application, a global administrator, application administrator, or a cloud application administrator can grant tenant-wide consent to your application registrations.

Add API permissions

  1. In the Azure portal on your app registration blade, go to API Permissions.

  2. Select Add a permission and choose Microsoft Graph.

  3. Select Delegated permissions. A list of permissions appears.

  4. Expand OpenId permissions.

  5. Select openid and profile.

  6. Select Add permissions.

    Screenshot of the openid and profile permissions turned on.

Define a custom scope for your copilot

  1. In the Azure portal on your app registration blade, go to Expose an API.

  2. Select Add a scope.

    Screenshot of the Add a scope button highlighted.

  3. Set the following properties:

    Property Value
    Scope name Enter Test.Read
    Who can consent? Select Admins and users
    Admin consent display name Enter Test.Read
    Admin consent description Enter Allows the app to sign the user in.
    State Select Enabled

    Note

    The scope name Test.Read is a placeholder value and should be replaced with a name that makes sense in your environment.

  4. Select Add scope.

Add Microsoft Teams client IDs

Important

In the following steps, the values provided for Microsoft Teams client IDs should be used literally because they are the same across all tenants.

  1. In the Azure portal on your app registration blade, go to Expose an API and select Add a client application.

    Screenshot of the Add a client application button highlighted.

  2. In the Client ID field, enter the client ID for Microsoft Teams mobile/desktop, which is 1fec8e78-bce4-4aaf-ab1b-5451cc387264. Select the checkbox for the scope that you created earlier.

    Screenshot of the client ID entered into the Add a client application pane.

  3. Select Add application.

  4. Repeat the previous steps but, for Client ID, enter the client ID for Microsoft Teams on the web, which is 5e3ce6c0-2b1f-4285-8d4b-75ee78787346.

  5. Confirm the Expose an API page lists the Microsoft Teams client app IDs.

To summarize, the two Microsoft Teams client IDs added to the Expose an API page are:

  • 1fec8e78-bce4-4aaf-ab1b-5451cc387264
  • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346

Add token exchange URL to your copilot's Authentication settings

To update the Microsoft Entra ID authentication settings in Copilot Studio, you must add the token exchange URL to allow Microsoft Teams and Copilot Studio to share information.

  1. In the Azure portal on your app registration blade, go to Expose an API.

  2. Under Scopes, select the Copy to clipboard icon.

  3. In Copilot Studio, under the settings for the copilot, select Security, and then select the Authentication tile.

  4. For Token exchange URL (required for SSO), paste the scope you copied earlier.

  5. Select Save.

    Screenshot of where to paste the token exchange URL in Copilot Studio.

Add SSO to your copilot's Microsoft Teams channel

  1. In Copilot Studio, under the settings for the copilot, select Channels.

  2. Select the Microsoft Teams tile.

  3. Select Edit details and expand More.

  4. For AAD application's client ID, enter the Application (client) ID from your app registration.

    To obtain this value, open the Azure portal. Then on your app registration blade, go to Overview. Copy the value in the Application (client) ID box.

  5. For Resource URI, enter the Application ID URI from your app registration.

    To obtain this value, open the Azure portal. Then on your app registration blade, go to Expose an API. Copy the value in the Application ID URI box.

    Screenshot of where to paste the Application ID URI in Teams channel of Copilot Studio.

  6. Select Save, and then Close.

  7. Publish the copilot again, to make the latest changes available to your customers.

  8. Select Open the copilot in Teams, to start a new conversation with your copilot in Microsoft Teams and verify if it automatically signs you in.

Known issues

If you first published your copilot using manual authentication without Teams SSO, the copilot in Teams will continuously prompt users to sign in.