Authentication allows users to sign in, giving your agent access to a restricted resource or information. Users can sign in with Microsoft Entra ID, or with any OAuth2 identity provider such as Google or Facebook.
Note
In Microsoft Teams, you can configure a Copilot Studio agent to provide authentication capabilities, so that users can sign in with a Microsoft Entra ID or any OAuth2 identity provider, such as a Microsoft or Facebook account.
You can add user authentication to topics when you edit a topic.
Important
Changes to the authentication configuration only take effect after you publish your agent. Make sure to plan ahead before you make authentication changes to your agent.
Choose an authentication option
Copilot Studio supports several authentication options. Select and configure the option that meets your needs.
Go to Settings for your agent, and select Security.
Select Authentication.
Select an authentication option and configure it as needed. The available options (No authentication, Authenticate with Microsoft, and Authenticate manually) are described in the following sections.
Select Save.
No authentication
No authentication means your agent doesn't require your users to sign in when interacting with the agent. An unauthenticated configuration means your agent can only access public information and resources. Classic chatbots are configured by default to not require authentication.
Caution
Selecting the No authentication option allows anyone who has the link to chat and interact with your bot or agent.
We recommend you apply authentication, especially if you are using your bot or agent within your organization or for specific users, along with other security and governance controls.
Note
This option isn't available when data policy in the Power Platform admin center is configured to require authentication. For more information, see Data policy example - Require user authentication in agents.
Authenticate with Microsoft
Important
When the Authenticate with Microsoft option is selected, you have access to the Teams + Microsoft 365 channel. You can also use native app and custom app channels.
Additionally, the Authenticate with Microsoft option isn't available for agents that are integrated with Dynamics 365 Customer Service.
This configuration automatically sets up Microsoft Entra ID authentication for Teams without the need for any manual configuration. Since Teams authentication itself identifies the user, users aren't prompted to sign in while they're in Teams, unless your agent requires an expanded scope.
If you need to publish your agent to channels other than Teams + Microsoft 365 but still want authentication for your agent, choose Authenticate manually.
If you select Authenticate with Microsoft, the following variables are available in the topic authoring canvas:
- User.Id
- User.DisplayName
For more information about these variables and how to use them, see Add user authentication to topics.
User.AccessToken and User.IsLoggedIn variables aren't available with this option. If you need an authentication token, use the Authenticate manually option.
If you change from Authenticate manually to Authenticate with Microsoft, and your topics contain the variables User.AccessToken or User.IsLoggedIn, they're displayed as Unknown variables after the change. Make sure to correct any topics with errors before you publish your agent.
Authenticate manually
Copilot Studio supports the following authentication service providers under the Authenticate manually option:
- Microsoft Entra ID V2 with federated credentials
- Microsoft Entra ID V2 with certificates
- Microsoft Entra ID V2 with client secrets
- Microsoft Entra ID
- Generic OAuth 2 - Any identity provider that complies with the OAuth2 standard
If you select Authenticate manually, the following variables are available in the topic authoring canvas:
- User.Id
- User.DisplayName
- User.AccessToken
- User.IsLoggedIn
For more information about these variables and how to use them, see Add user authentication to topics.
Once the configuration is saved, make sure to publish your agent so the changes take effect.
Note
- Authentication changes only take effect after the agent is published.
- Control this setting with the corresponding admin control in Power Platform. When that admin control is enabled, the Authenticate manually option is locked and can't be turned on or off within Copilot Studio.
Require users to sign in and agent sharing
Require users to sign in determines whether a user needs to sign in before talking with the agent. We highly recommend that you turn on this setting for agents that need to access sensitive or restricted information.
This option isn't available for the No authentication and Authenticate with Microsoft options.
Note
This option can't be turned off when the data policy in the Power Platform admin center is set to require authentication. For more information, see Data policy example - Require user authentication in agents.
If you turn off this option, your agent doesn't ask users to sign in until it encounters a topic that requires them to.
When you turn on this option, it creates a system topic called Require users to sign in. This topic is only relevant for the Authenticate manually setting. Users are always authenticated on Teams.
The Require users to sign in topic is automatically triggered for any user who talks to the agent without being authenticated. If the user fails to sign in, the topic redirects to the Escalate system topic.
The topic is read-only and can't be customized. To see it, select Go to the authoring canvas.
Control who can chat with the agent in the organization
The combination of your agent's authentication type and the Require users to sign in setting determines whether you can share the agent to control who in your organization can chat with it. The authentication setting doesn't affect sharing an agent for collaboration.
No authentication: Any user who has a link to the agent (or can find it; for example, on your website) can chat with it. You can't control which users in your organization can chat with the agent.
Authenticate with Microsoft: The agent is available only on the Teams + Microsoft 365 channel (and the native app and custom app channels noted earlier). Since the user is always signed in, the Require users to sign in setting is turned on and can't be turned off. You can use agent sharing to control who in your organization can chat with the agent.
Authenticate manually:
If the service provider is Microsoft Entra ID, you can turn on Require users to sign in to control who in your organization can chat with the agent using agent sharing.
If the service provider is Generic OAuth2, you can turn Require users to sign in on or off. When turned on, a user who signs in can chat with the agent. You can't control which specific users in your organization can chat with the agent using agent sharing.
When the agent's authentication setting doesn't allow you to control who can chat with it, and you select Share on the agent's overview page, a message informs you that anyone can chat with your agent.
Manual authentication fields
The following table describes fields you may encounter when configuring manual authentication. The specific fields you see depend on your selection for service provider.
| Field name | Description |
|---|---|
| Authorization URL template | The URL template for authorization, as defined by your identity provider. For example, https://login.microsoftonline.com/common/oauth2/v2.0/authorize |
| Authorization URL query string template | The query template for authorization, as provided by your identity provider. Keys in the query string template vary, depending on the identity provider (?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}). |
| Client ID | Your client ID, obtained from the identity provider. |
| Client secret | Your client secret, obtained when you created the identity provider app registration. |
| Client Certificate KeyVault URL | The URL of the KeyVault where your client certificate is stored. Required for Microsoft Entra ID with certificates authentication. |
| Grant type | The OAuth2 grant type you want to use. |
| Is x5c Claim required | Specify whether the x5c claim is required in the token request. Required for Microsoft Entra ID with certificates authentication. |
| Login URL | The URL where users are directed to log in. |
| Refresh body template | The template for the refresh body (refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}). |
| Refresh URL query string template | The query string separator for the refresh URL, usually a question mark (?). |
| Refresh URL template | The URL template for refresh; for example, https://login.microsoftonline.com/common/oauth2/v2.0/token. |
| Resource URL | The resource URL for which the token is requested. |
| Scope list delimiter | The separator character for the scope list. Empty spaces aren't supported in this field.¹ |
| Scopes | The list of scopes that you want users to have after they sign in. Use the Scope list delimiter to separate multiple scopes.¹ Only set necessary scopes and follow the least privilege access control principle. |
| Service provider | The service provider you want to use for authentication. For more information, see OAuth generic providers. |
| Tenant ID | Your Microsoft Entra ID tenant ID. Refer to Use an existing Microsoft Entra ID tenant to learn how to find your tenant ID. |
| Token body template | The template for the token body. (code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret}) |
| Token exchange URL (required for single sign-on (SSO)) | Optional unless you're configuring single sign-on, in which case this field is required. |
| Token URL template | The URL template for tokens, as provided by your identity provider; for example, https://login.microsoftonline.com/common/oauth2/v2.0/token. |
| Token URL query string template | The query string separator for the token URL, usually a question mark (?). |
¹ You can use spaces in the Scopes field if the identity provider requires it. In that case, enter a comma (,) in Scope list delimiter, and enter spaces in the Scopes field.
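The templates in the table are ordinary OAuth2 authorization-code flow pieces with placeholders. The following Python script is an added example (not Copilot Studio's own code, and not how the product substitutes the placeholders internally) that renders those templates from a configuration shaped like the fields above and walks the flow offline: it generates and verifies the state value, percent-encodes every substituted value, applies the scope-delimiter rule from footnote 1, and refuses templates that leave an unexpanded placeholder or point at a non-HTTPS endpoint. The client ID, secret, redirect URI, authorization code and scope values are constructed sample data; the choice to join scopes with a single space in the scope parameter follows RFC 6749 and is this example's assumption, not the page's.

```python
"""Render Copilot Studio-style manual authentication templates and walk the
authorization-code flow offline. Added example; not the product's own code."""
import secrets
from urllib.parse import parse_qs, quote, urlsplit

# Configuration shaped like the manual authentication fields. Endpoint
# templates are the examples from the table; the scope values are sample data.
# The provider wants space-separated scopes, so per footnote 1 the delimiter
# is a comma and the spaces live inside the Scopes field.
PROVIDER = {
    "authorization_url_template": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "authorization_query_template": "?client_id={ClientId}&response_type=code"
                                    "&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}",
    "token_url_template": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "token_body_template": "code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}"
                           "&client_id={ClientId}&client_secret={ClientSecret}",
    "refresh_url_template": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "refresh_body_template": "refresh_token={RefreshToken}&redirect_uri={RedirectUrl}"
                             "&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}",
    "scope_list_delimiter": ",",
    "scopes": "openid profile User.Read",
}


def validate_endpoints(cfg: dict) -> bool:
    """Every *_url_template carries the client secret or a code; insist on HTTPS."""
    for key, value in cfg.items():
        if key.endswith("_url_template") and not value.startswith("https://"):
            raise ValueError(f"{key} must use https://, got {value!r}")
    return True


def expand(template: str, values: dict) -> str:
    """Substitute {Placeholder} tokens. Values are percent-encoded so a scope or
    redirect URI can't smuggle extra parameters. A placeholder with no value
    raises KeyError instead of leaking a literal '{...}' into the request."""
    encoded = {k: quote(str(v), safe="") for k, v in values.items()}
    return template.format_map(encoded)


def normalize_scopes(scopes_field: str, delimiter: str) -> list:
    """Split the Scopes field on the Scope list delimiter, dropping blanks.
    With delimiter ',' a value like 'openid profile' stays one item (footnote 1)."""
    if not delimiter or " " in delimiter:
        raise ValueError("Scope list delimiter must be non-empty and contain no spaces")
    return [s.strip() for s in scopes_field.split(delimiter) if s.strip()]


def new_state() -> str:
    """Unguessable, URL-safe state value bound to this sign-in attempt."""
    return secrets.token_urlsafe(32)


def build_authorization_url(cfg: dict, client_id: str, redirect_uri: str, state: str) -> str:
    validate_endpoints(cfg)
    # Example's choice: join the scope list with single spaces (RFC 6749 section 3.3).
    scopes = " ".join(normalize_scopes(cfg["scopes"], cfg["scope_list_delimiter"]))
    query = expand(cfg["authorization_query_template"],
                   {"ClientId": client_id, "RedirectUrl": redirect_uri,
                    "Scopes": scopes, "State": state})
    return cfg["authorization_url_template"] + query


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, verifying state first
    so a code minted for someone else's session can't be injected."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise PermissionError(f"provider returned error: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: rejecting callback")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def _body_to_form(body: str) -> dict:
    """Turn the rendered body template into the form fields to POST."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def build_token_request(cfg, code, client_id, client_secret, redirect_uri) -> dict:
    """Form body for POST {Token URL template}; returned as a dict for inspection."""
    return _body_to_form(expand(cfg["token_body_template"],
                                {"Code": code, "RedirectUrl": redirect_uri,
                                 "ClientId": client_id, "ClientSecret": client_secret}))


def build_refresh_request(cfg, refresh_token, client_id, client_secret, redirect_uri) -> dict:
    """Form body for POST {Refresh URL template}."""
    return _body_to_form(expand(cfg["refresh_body_template"],
                                {"RefreshToken": refresh_token, "RedirectUrl": redirect_uri,
                                 "ClientId": client_id, "ClientSecret": client_secret}))


if __name__ == "__main__":
    st = new_state()
    print(build_authorization_url(PROVIDER, "sample-client-id", "https://contoso.example/callback", st))
    # Simulated redirect back from the provider (constructed sample callback).
    code = parse_callback(f"https://contoso.example/callback?code=AUTHCODE123&state={st}", st)
    print(build_token_request(PROVIDER, code, "sample-client-id", "s3cret", "https://contoso.example/callback"))
```

The returned dicts are what you would pass as the form body of a POST to the Token URL template and Refresh URL template respectively; the client secret never appears in a URL, only in the body sent over HTTPS. If your provider takes comma-separated scopes instead, set the delimiter and Scopes field accordingly and change the join in build_authorization_url to match what the provider documents.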
Turn off authentication
With your agent open, select Settings on the top menu bar.
Select Security, then select Authentication.
Select No authentication.
If authentication variables are used in a topic, they become Unknown variables. Go to the Topics page to see which topics have errors and fix them before publishing.
Publish the agent.
Important
If your agent has tools configured to require user credentials, don't turn off authentication at the agent level, since this would prevent these tools from working.