OAuth Identity Passthrough Not Supported for Foundry Agents Published to M365 Copilot

Question

OAuth Identity Passthrough Not Supported for Foundry Agents Published to M365 Copilot

Cristopher Coronado 20 MVP

Hello Microsoft Support,

We are encountering a critical limitation when publishing Foundry agents to Microsoft 365 Copilot. Our scenario requires per-user identity enforcement via OAuth identity passthrough (OBO) for MCP Server tool authorization. While this works as expected in the Foundry playground (Responses API protocol), publishing the agent to M365 Copilot switches to the Activity Protocol (Bot Service), which does not forward the user's OAuth token. As a result, the MCP Server receives only the project managed identity, breaking per-user authorization and resulting in a generic error ("Sorry, I wasn't able to respond to that") in Copilot.

The documentation at https://learn.microsoft.com/en-us/azure/foundry/agents/how-to/tools/model-context-protocol?pivots=csharp#known-limitations describes this as a known limitation, but it is not clear whether this applies only to Teams or also to M365 Copilot. We require explicit confirmation from Microsoft:

Is OAuth identity passthrough (OBO) supported for Foundry agents published to M365 Copilot?
If not, is there a roadmap or recommended workaround for enabling per-user identity propagation in this scenario?
Is this limitation documented anywhere specific to M365 Copilot, or only for Teams?

This limitation is blocking our deployment, as our MCP Server enforces role-based authorization per user and cannot operate with a generic project identity.

Thank you for your assistance and clarification.

0 comments

Answer accepted by question author

1 additional answer

Your answer

Answer 1

OAuth identity passthrough (OBO) for MCP tools is only supported when invoking agents via the Responses protocol with OAuth identity passthrough configured on the MCP server connection. When an agent is published as an Agent Application to Microsoft 365 Copilot or Teams, it uses the Activity Protocol through Azure Bot Service with Channels authentication, not the Responses protocol with OAuth passthrough.

In this published M365/Teams scenario, the inbound authentication to the Agent Application is handled by Bot Service channels, and the documentation only describes two options for application invocation:

Default (RBAC) – for direct invocation via the Responses protocol using Azure RBAC.
Channels (Azure Bot Service) – automatically selected when publishing to M365/Teams.

There is no documented support for forwarding the end-user’s OAuth token (OBO) from M365 Copilot/Teams through the Activity Protocol into the MCP server. As a result, MCP tools invoked from a published agent in M365/Teams will not receive per-user OAuth tokens and instead operate under the application/agent identity (for example, project or agent managed identity), which matches the behavior described in the question.

The available documentation in the provided context does not expose:

Any mechanism to enable OAuth identity passthrough for agents published to Microsoft 365 Copilot via Activity Protocol.
Any roadmap commitment or preview feature to support per-user identity propagation (OBO) from M365 Copilot/Teams to MCP servers.
Any M365-Copilot-specific page that documents this limitation separately from the general MCP or Teams guidance.

Given the constraints in the context, the only supported patterns are:

Use Responses protocol + OAuth identity passthrough for scenarios that require per-user OAuth tokens to MCP servers (for example, when calling the agent via the OpenAI-compatible /responses endpoint and not via M365/Teams).
Use Channels (Azure Bot Service) when publishing to M365/Teams, accepting that per-user OAuth tokens are not forwarded to MCP tools and that the agent identity (application/managed identity) is what downstream services see.

No documented workaround in the context enables full per-user OBO propagation from M365 Copilot to MCP servers today. Any per-user authorization would need to be implemented using what the downstream service can infer from the agent/application identity and its own internal logic, rather than from a user OAuth token forwarded by Copilot.

References:

Answer 2

SRILAKSHMI C 16,790 Microsoft External Staff Moderator

Hello Cristopher Coronado,

Welcome to Microsoft Q&A and Thanks for reaching out,

When you run your agent inside Azure AI Foundry (playground using the Responses API), the platform supports on-behalf-of (OBO). That’s why your MCP server receives the actual user’s OAuth token and your per-user RBAC works.

When you publish the same agent to Microsoft 365 Copilot, the execution path changes. Copilot uses the Bot Framework Activity protocol, and in that pipeline:

The user’s OAuth token is not forwarded
The call to your tool (MCP server) is made using the project’s managed identity
So from your backend’s perspective, every request looks like it’s coming from a single app identity instead of individual users

That difference in protocol is the root cause of the behavior you’re seeing. Answers to your questions

Is OAuth identity passthrough (OBO) supported in M365 Copilot?

No, today OBO is only supported in Responses API–based flows (like the Foundry playground).

Once you move to Copilot (or any Bot Framework–based channel), the system switches to managed identity and drops the user token.

Does this limitation apply only to Teams?

No, it’s not Teams-specific.

Even though the documentation calls out Teams, the limitation is tied to the Activity protocol itself, not the surface. That means it applies to:

Teams
M365 Copilot
Any channel built on Bot Framework

Is this documented for Copilot?

Right now it’s mentioned under Model Context Protocol → Known limitations, but mostly in the context of Teams.

There isn’t a Copilot-specific note yet, but technically the same constraint applies because Copilot uses the same underlying protocol. So your scenario is fully consistent with the current design.

Is there a roadmap or workaround?

There’s no public ETA yet for bringing OBO into the Activity protocol / Copilot flow.

In terms of workarounds, customers typically go with one of these patterns depending on how strict their authorization model is:

Handle identity at the application layer

Instead of relying on OBO, pass user context (like user ID, email, or claims) from the agent and enforce RBAC inside your MCP server.

This isn’t as strong as token-based delegation, but it works if you control both ends and can validate the context properly.

Implement a custom token exchange

Some teams pass a short-lived token or identity hint in the request (for example via activity payload), then:

Validate it in a backend service
Exchange it for a real access token
Call the MCP server with that token

This gives you back a per-user model, but requires extra plumbing.

Introduce a middleware layer

Place a custom service or bot endpoint between Copilot and your MCP server that:

Intercepts the request
Resolves the user identity
Injects a usable token before forwarding

This is closer to OBO behavior, but adds complexity.

Stay on Responses API for strict OBO scenarios

If your requirement is true per-user OAuth enforcement with no compromise, then today the only place that fully supports it is the Responses API path (Foundry playground / direct integration).

Your setup is working as designed in the playground

The break happens only after moving to Copilot because of the protocol switch

OBO is not supported yet in that channel

And there’s no native way today to propagate user identity end-to-end in Copilot tool calls.

Please refer this

• Model-Context Protocol Known Limitations https://learn.microsoft.com/azure/foundry/agents/how-to/tools/model-context-protocol?pivots=csharp#known-limitations

• Agent2Agent (A2A) Authentication / OAuth Identity Passthrough https://learn.microsoft.com/azure/foundry/agents/concepts/agent-to-agent-authentication#oauth-identity-passthrough

• Agents Self Help (enterprise-deployment checklist) https://learn.microsoft.com/azure/ai-foundry/agents/faq

I Hope this helps. Do let me know if you have any further queries.

If this answers your query, please do click Accept Answer and Yes for was this answer helpful.

Thank you!

SRILAKSHMI C 16,790 Reputation points Microsoft External Staff Moderator

2026-03-30T15:00:40.5566667+00:00

Hi **Cristopher Coronado,**Following up to see if the above answer was helpful. If this answers your query, please do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thank you!
Cristopher Coronado 20 Reputation points MVP

2026-04-06T21:01:37.94+00:00
Hello team,

Thank you for your time on this. We appreciate the support and are happy to share that we have made progress since opening the original ticket. We wanted to follow up with two specific problems that remain unresolved and that we have not been able to find documented answers for.

For context: we are running an OAuth2-secured MCP server built on ModelContextProtocol.AspNetCore v1.2.0 / .NET 10, deployed to Azure App Service. The server uses Streamable HTTP transport at /mcp, authenticated with JWT Bearer via Microsoft Entra ID. The MCP Server calls a downstream API using the On-Behalf-Of (OBO) flow. A Foundry agent connects to this server using OAuth Identity Passthrough.

When tested directly in the Foundry portal, the agent works correctly. When the same agent is published to M365 Copilot and invoked from an M365 Copilot chat, we observe two unresolved problems described below.

Note: The Foundry agent published to M365 Copilot does succeed occasionally, but response times are noticeably higher than those observed with the Copilot Studio agent calling the same MCP server. This suggests the timeout is intermittent and likely influenced by platform-routing overhead specific to the Foundry publish path.

Problem 1: MCP tool call timeout in the published agent path

We observe tool calls timing out or failing to complete in a reasonable window when the agent is invoked from M365 Copilot. The only timeout we found that is officially documented for our setup is the 100-second non-streaming MCP tool call limit in Foundry Agent Service (Foundry MCP known limitations).

For reference, a 15-second initial response constraint and a 45-second inter-update streaming constraint are documented for Custom Engine Agents built with the Bot Framework SDK (M365 Copilot — async flow). We are not using the Bot Framework SDK directly — our agents are a Copilot Studio agent and a Foundry agent published to M365 Copilot. We do not know whether those same platform constraints apply to our agent types.

The per-turn MCP handshake — initialize, tools/list, and tools/call — adds overhead before the tool result reaches the user. The MCP C# SDK v1.2.0 provides stateless HTTP transport mode (HttpServerTransportOptions.Stateless = true), the documented default for new servers, which eliminates session round-trip overhead (MCP C# SDK).

We have two questions on this:

Do the timeout constraints documented for Custom Engine Agents (15-second initial response, 45-second streaming update window) also apply to Copilot Studio agents and to Foundry agents published to M365 Copilot? If different constraints apply to our agent types, what are the documented values?

Does the Power Platform connector or Copilot Studio runtime support stateless POST to /mcp (no Mcp-Session-Id) without requiring session negotiation first? Is this tested or documented for either the Copilot Studio agent path or the Foundry published agent path?

Problem 2: Token expiry in the M365 Copilot published path

The agent's OAuth Identity Passthrough token expires and is not silently renewed. The user receives a 401 Unauthorized (IDX10223: Lifetime validation failed) from the MCP server and must re-authenticate manually, which is not viable for production use. The issue does not occur when testing directly in the Foundry portal.

We believe the root cause is that the Foundry connection (OAuthIdentityPassthrough) is managed by Foundry's own credential store. These appear to have separate token refresh lifecycles, but we have not found documentation covering this specific combination. Two questions:

For a Foundry agent published to M365 Copilot using OAuth Identity Passthrough, which component is responsible for renewing the access token: Foundry, M365, or the user's session? Is there a documented refresh loop for this path? (Foundry MCP authentication)

Does the Foundry OAuthIdentityPassthrough connection support Entra ID Continuous Access Evaluation for silent renewal, or is it a fixed-lifetime access token with no automatic refresh?

Thank you again for your time. Any guidance, documentation pointers, or known workarounds would be greatly appreciated.Hello team,
SRILAKSHMI C 16,790 Reputation points Microsoft External Staff Moderator

2026-04-14T10:44:28.3933333+00:00
Hi Cristopher Coronado,

Thank you for the detailed follow-up,

Problem 1: MCP tool call timeout in M365 Copilot (Published Agent)

Timeout behavior clarification

The 100-second timeout you referenced for MCP tool execution in Foundry is correct. However, once the agent is published to M365 Copilot, the execution path changes and introduces additional constraints that are not fully documented yet for this specific scenario.

While the 15-second initial response and 45-second streaming window are officially documented for Custom Engine Agents, in practice:

Similar early-response expectations apply across Copilot experiences, including Foundry-published agents

These are platform-level orchestration constraints, not specific to Bot Framework SDK usage

What this means for your scenario

Even though:

Foundry allows up to ~100 seconds for MCP tool execution

The Copilot layer may:

Expect an initial response within ~10–20 seconds

Expect progress/streaming updates within ~30–45 seconds

If your flow includes:

MCP handshake (initialize, tools/list, tools/call)

Followed by downstream API + OBO call

Then the total latency can exceed the Copilot response window before the final result is returned, which results in:

Intermittent timeouts

Inconsistent behavior (as you observed)

Stateless MCP support

Regarding your question on stateless transport (Stateless = true):

There is no current documentation or validation confirming support for stateless MCP in:

M365 Copilot runtime

Copilot Studio connectors

Foundry published agent path

The current implementation assumes a session-based MCP interaction model

So at this time Stateless MCP should be considered unsupported in Copilot-integrated scenarios

Recommendation

Keep MCP interactions stateful

Reduce per-turn overhead (especially repeated tools/list)

Aim to return a response within ~10–20 seconds

If backend processing takes longer, consider:

Returning an initial acknowledgment

Following with a subsequent response

Problem 2: Token expiry (OAuth Identity Passthrough)

Token lifecycle clarification

Your understanding is correct, the behavior differs between Foundry and Copilot due to the execution model.

Foundry (Responses API path)

Full OAuth passthrough (OBO) supported

Token lifecycle handled correctly

Silent refresh works as expected

M365 Copilot (Published agent)

Execution uses Activity protocol

In this path:

The user token is not consistently propagated

There is no guaranteed token refresh mechanism

So when the token expires:

MCP server returns 401 (IDX10223)

User is required to reauthenticate manually

Who handles token refresh?

In this integration:

There is no single component responsible for token renewal

Token handling is effectively:

Static per session

Not refreshed automatically

So to answer directly, There is currently no documented or supported refresh loop for OAuth Identity Passthrough in the M365 Copilot published agent path

Continuous Access Evaluation (CAE)

OAuthIdentityPassthrough in this scenario does not support CAE-based silent renewal

Tokens behave as fixed lifetime access tokens

Recommended approach

Given your requirement for per-user authorization via MCP, the current platform limitation requires an architectural adjustment.

Recommended pattern

Introduce a backend token broker / middleware layer:

Pass user identity (e.g., object ID, UPN, claims) from the agent

Backend service:

Validates user identity

Performs OBO flow

Acquires fresh access token

Calls MCP server

This ensures:

Per-user authorization is preserved

Token refresh is handled reliably

No dependency on Copilot token lifecycle

Alternative

If strict OBO enforcement is mandatory and cannot be adapted The only fully supported path today remains the Foundry Responses API (non-Copilot integration)

Timeout behavior is due to Copilot orchestration constraints layered on top of Foundry limits

Stateless MCP is not supported in Copilot-integrated scenarios

OAuth passthrough in Copilot:

Does not support token refresh

Does not support CAE

For production scenarios requiring per-user RBAC:

A middleware/token exchange layer is required

Thank you!

Share via

OAuth Identity Passthrough Not Supported for Foundry Agents Published to M365 Copilot

1 additional answer

Problem 1: MCP tool call timeout in the published agent path

Problem 2: Token expiry in the M365 Copilot published path

Your answer