

Troubleshoot Conditional Access policy issues

Copilot Studio supports end-user authentication and authorization through Microsoft Entra ID, so that users of your agents can use their Microsoft Entra ID credentials to authenticate. Your organization manages these credentials.

However, there may be instances where users encounter issues related to Conditional Access policies that affect their ability to use Copilot Studio agents effectively.

Symptoms

Agents may be unresponsive to end users on specific channels, such as Teams, due to Conditional Access policies implemented through Microsoft Entra ID.

Users of your agents might see a blank page in the chat window or receive an error message indicating that the agent isn't available, and the test chat won't respond to queries.

Reason

Policy enforcement: Due to recent security updates that provide stronger authentication controls, a Copilot Studio agent acquires an authentication token specific to a given customer tenant.

With these policy enforcements in place, agents won't initiate a conversation or respond to end users if Conditional Access policies are in place that block the acquisition of the authentication token.

The enforcement applies to existing agents created in tenants with Conditional Access policies that, previously, didn't prevent the agent from responding to end users.

Mitigation

You can see which Conditional Access policy is blocking the request so that you can investigate and act accordingly. See the additional resources at the end of this article for guidance on how to resolve issues or modify Conditional Access policies.

You might also need to allow specific IP addresses and IP ranges that are used by Copilot Studio, Power Platform, or other Microsoft services.

You can get to the Conditional Access logs for a specific Copilot Studio agent from the agent's app registration in Entra. You can also see logs for all agents by manually filtering within the Identity section in Entra.

Tip

Depending on who made the request, the associated log could be in one of multiple sign-in categories in Entra.

Check each tab on the Conditional Access sign-in logs page.

Get Conditional Access logs for all Copilot Studio agents

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.

  2. Open the Identity section on the side menu. Select Monitoring & health, and then Audit logs.

  3. Select the Date range you want to query.

  4. Select Add filters above the list of sign-ins, then select Application. After it's added, set the filter to Application contains: Copilot Studio.

  5. Add the Conditional Access filter in the same way, and set it to Failure. Select Apply.

    Screenshot of the Sign-in events page in Microsoft Entra, with the Conditional Access filter added and highlighted above the list of sign-ins.

Get Conditional Access logs for a specific Copilot Studio agent

  1. Sign in to the Microsoft Entra admin center.

  2. Open App registrations from the side menu, homepage, or by searching for it in the search bar at the top of the screen.

  3. Open the registration for the agent you want to review.

  4. On the Overview page, under the Essentials section, select the link for the Managed application in local directory. This takes you to a prefiltered list of Conditional Access logs for that agent.

Identify and remediate policy failures

By default, the audit logs display all activities. Open the Activity filter to narrow down the activities, if necessary. For a list of audit log activities for Conditional Access, see the Microsoft Entra audit log activities article in the Entra Conditional Access documentation.

  1. Review the activities under each tab to locate any that triggered a Conditional Access policy failure for Copilot Studio.

  2. Select an entry to open the Activity Details blade, then go to the Conditional Access tab. The associated policies that triggered the issue are listed, along with the action taken as a result of each policy, such as Block.

After you identify the associated policy, you can troubleshoot to determine what you need to do. For example, you can continue allowing the policy to block agent interactions, change the policy's scope, or modify or disable the policy.
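The same triage can be run offline over exported sign-in records. The following is an added example, not code from this article or from Microsoft: it applies the two portal filters (Application contains Copilot Studio, Conditional Access is Failure) and groups the results by the policy that failed. It assumes the records follow the Microsoft Graph `signIn` resource shape; the app names, policy names, control values and IP addresses in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real tenant data). Field names follow the
# Microsoft Graph signIn resource; names, controls and IPs are made up.
SAMPLE_RECORDS = [
    {"appDisplayName": "Copilot Studio HR agent", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block untrusted locations", "result": "failure",
          "enforcedGrantControls": ["Block"]},
         {"displayName": "Require MFA pilot", "result": "reportOnlyFailure",
          "enforcedGrantControls": ["Mfa"]}]},
    {"appDisplayName": "Copilot Studio HR agent", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block untrusted locations", "result": "failure",
          "enforcedGrantControls": ["Block"]}]},
    {"appDisplayName": "Copilot Studio HR agent", "ipAddress": "192.0.2.44",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": []},
    {"appDisplayName": "Unrelated app", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure",
          "enforcedGrantControls": ["RequireCompliantDevice"]}]},
]

def blocking_policies(records, app_contains="Copilot Studio"):
    """Group failed sign-ins for matching apps by the policy that failed."""
    summary = defaultdict(lambda: {"count": 0, "controls": set(), "ips": set()})
    for rec in records:
        # Same two filters as the portal: Application contains, CA = Failure.
        if app_contains.lower() not in (rec.get("appDisplayName") or "").lower():
            continue
        if rec.get("conditionalAccessStatus") != "failure":
            continue
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if pol.get("result") != "failure":
                continue  # passed, not applied, or report-only: not the blocker
            entry = summary[pol.get("displayName") or "<unnamed policy>"]
            entry["count"] += 1
            entry["controls"].update(pol.get("enforcedGrantControls") or [])
            entry["ips"].add(rec.get("ipAddress"))  # useful for location policies
    return dict(summary)

if __name__ == "__main__":
    # For a real export, load the file with json.load() instead of the sample.
    for name, info in blocking_policies(SAMPLE_RECORDS).items():
        print(name, info["count"], sorted(info["controls"]), sorted(info["ips"]))
```

Report-only policies are skipped because they record what would have happened without blocking the request.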

The following articles in the Microsoft Entra Conditional Access documentation detail the next steps you can take in Entra to resolve the issue: