Hello Cesare Farina Busetto ,
Based on the available documentation, Copilot Studio's MCP OAuth configuration exposes both a Token URL and a Refresh URL, and the documentation states that refresh tokens are intended to be used to obtain new access tokens when the access token expires. However, I couldn't find any documentation that explicitly describes a setting to enable or disable automatic refresh behavior. Connect your agent to an existing Model Context Protocol (MCP) server - Microsoft Copilot Studio | Microsoft Learn states that refresh tokens are used to obtain new access/refresh tokens after expiry, but it doesn't document any configuration switch for silent refresh.
Copilot Studio MCP Server with Manual OAuth 2.0 prompts re-authentication on every access token expiry instead of using refresh token
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 4%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECF%3C/text%3E%3C/svg%3E)
Cesare Farina Busetto
0
Reputation points
Environment
| Field | Value |
|---|---|
| Product | Microsoft Copilot Studio (Agent with MCP tool) |
| MCP server exposed via | Azure API Management |
| Auth type | OAuth 2.0 - Manual configuration |
| Identity provider | Azure Active Directory |
| Token endpoint | Custom /token endpoint deployed in APIM, calling Azure AD internally |
Problem Description
I have a Copilot Studio agent connected to a remote MCP server protected by OAuth 2.0 (manual configuration). The initial authentication flow works correctly: the user authenticates, the agent receives an access token, and tool calls succeed.
However, when the access token expires, Copilot Studio displays the following dialog to the user:
"Let's get you connected first, and then I can find that info for you. Open connection manager to verify your credentials. Once the connection is ready, retry your request."
The user is forced to manually reconnect every time the token expires.
Expected Behavior
When the access token expires and a refresh token is available, Copilot Studio should automatically call the configured token endpoint with grant_type=refresh_token to silently obtain a new access token — without interrupting the user.
Observed Behavior
Copilot Studio does not attempt a token refresh at all. From APIM logs, no request is made to the /token endpoint when the access token expires. Copilot Studio silently drops the connection and immediately surfaces the re-authentication prompt to the user, without ever attempting to contact the token endpoint.
Why This Is a Client-Side Issue
The same /token endpoint works correctly in other MCP clients:
| Client | Behavior on token expiry |
|---|---|
| Claude (Anthropic) | Calls /token silently, no user prompt |
| VS Code MCP client | Calls /token silently, no user prompt |
| Copilot Studio | Makes no request to /token, prompts user to reconnect |
This confirms the APIM setup and the Azure AD token endpoint are correctly configured. The complete absence of any request to APIM on token expiry confirms the problem is Copilot Studio not implementing the refresh token grant flow.
What I Have Tried
- Verified the refresh token is issued and available after initial auth
- Confirmed the
/tokenendpoint responds correctly togrant_type=refresh_tokenrequests (validated via Claude and VS Code) - Checked APIM logs on token expiry: zero incoming requests from Copilot Studio
- Confirmed
offline_accessscope is requested to ensure refresh token issuance
Questions
- Is there any Copilot Studio configuration that enables silent token refresh via the refresh token grant?
- Is this a known limitation currently tracked for a fix?
Microsoft Copilot | Other
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 48%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sayali-MSFT 6,101 Reputation points Microsoft External Staff Moderator2026-06-17T11:46:36.16+00:00 -
AI answer
2026-06-17T09:21:40.2466667+00:00 - There is no Copilot Studio configuration in the provided documentation that enables a generic, silent refresh-token grant flow for MCP tools when using OAuth 2.0 – Manual. The MCP onboarding wizard and manual OAuth configuration for MCP servers only define:
- Authorization URL
- Token URL template
- Refresh URL
- Scopes
- The behavior described is consistent with a current limitation rather than a misconfiguration:
- The MCP onboarding wizard for enterprise and remote/self-hosted MCP servers documents OAuth 2.0 setup (Authorization URL, Token URL template, Refresh URL, scopes) but does not describe any automatic refresh-token grant behavior or additional flags to enable it.
- The guidance for calling tools from a Copilot Studio agent focuses on initial sign-in and connection creation; it does not mention silent token renewal or refresh-token usage for MCP tools after expiry.
Given the documentation, this should be treated as a product limitation rather than a configuration issue. Escalation through official support channels would be required to confirm status and track any future fix.
References:
AI-generated content may be incorrect. Read our transparency notes for more information. - There is no Copilot Studio configuration in the provided documentation that enables a generic, silent refresh-token grant flow for MCP tools when using OAuth 2.0 – Manual. The MCP onboarding wizard and manual OAuth configuration for MCP servers only define: