Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Copilot Studio agents automatically receive Agent IDs when you create them—no manual app registration or SDK setup required. This automatic identity provisioning integrates with Agent 365 to provide registry visibility, observability, and governance controls.
This article explains how Copilot Studio orchestrates identity provisioning and how it differs from pro-code agent development.
Note
For general Agent 365 identity concepts (blueprints, agentic app instances, agentic users), see Microsoft Agent 365 Identity. This article focuses on Copilot Studio-specific identity integration.
How Copilot Studio creates Agent IDs
When you create a Copilot Studio agent, the platform automatically creates an Agent ID that defines the agent's identity and makes it visible in the agent registry.
This automation eliminates the manual setup required for pro-code agents while integrating with Agent 365 for governance and observability.
For details on Agent IDs in Copilot Studio, see Agent identity requirements, certificates, and configuration values.
Agent blueprint sharing model
Unlike pro-code agents where each agent has its own blueprint, all Copilot Studio app-based agents share a single blueprint:
- Blueprint: Shared across all Copilot Studio app-based agents in your tenant
- Agent ID: Created per agent with unique configuration
For details on the global blueprint (including the blueprint ID), see Understanding blueprint principals.
This shared blueprint model simplifies management:
- Permissions are managed at the Power Platform admin center level
- Data loss prevention (DLP) policies and advanced connector policies apply automatically
- No per-agent blueprint configuration required
Tip
For more details on agent blueprints, see Agent blueprint.
Identity creation timing
The Agent ID is created when you create your Copilot Studio agent:
- Created: At agent creation time
- Visible in: Copilot Studio, Agent 365 registry, Microsoft 365 Admin Center, Entra
Note
Identity provisioning happens at agent creation time, not during publish. Publishing makes your agent available to users, but the identity already exists.
Authentication flows for Copilot Studio agents
Copilot Studio agents use Power Platform connectors to access Microsoft 365 services. When you add a connector such as mail, calendar, SharePoint, or Teams, Power Platform handles authentication automatically - no manual token exchange or code required.
Most connectors use on-behalf-of (OBO) authentication, where the agent acts with the user's permissions. Users might see a consent prompt when first using a connector, after which Power Platform manages the connection and token refresh automatically. Actions appear in audit logs as performed by the user, with agent context for compliance.
Governance: Administrators control connector usage through Power Platform admin center policies:
- DLP policies: Control which connectors can be used in specific environments
- Advanced connector policies: Govern high-privilege connectors
For more information, see:
Next steps
- Agent registry integration to see how your agent appears to administrators
- Observability integration to monitor agent authentication and activity
- Agent 365 Identity for general identity concepts and advanced scenarios