Apps must be consistent with responsible AI checks.
Description
A good description offers a clear and concise summary of the Copilot agent's features. It enhances user awareness and allows Microsoft 365 Copilot to efficiently discover and execute search operations.
You must ensure to meet the following guidelines for Copilot agents:
The Teams Store validation guidelines related to app description for Microsoft 365 apps are applicable. For more information, see app descriptions.
Short description of Copilot agent, parameter, command description, semantic description, and operation ID mustn't include:
Instructional phrases, for example, 'if the user says X', 'ignore', 'delete', 'reset', 'new instructions', 'Answer in Bold', or 'Do not print anything'. [Must fix]
URLs, emojis, or hidden characters such as hexadecimal, binary, or unconventional symbols. [Must fix]
Grammar and punctuation errors. [Must fix]
Overly verbose, flowery, or marketing language. [Good-to-fix]
Superlative claims such as “#1,” “amazing,” or “best”. [Good-to-fix]
Note
In case of declarative agents, the short description guidelines apply to the instructions and conversation_starters fields also.
For API based plugins, these guidelines apply to description_for_human, description_for_model, capabilities, conversation_starters (both the title and and text), states\reasoning\description in functions fields, if provided. [Must fix]
When utilizing Swagger or OpenAPI file formats, adhere to these guidelines for the path content associated with keys and the description field for GET, POST, PUT, or DELETE APIs. [Must fix]
App long description must clearly call out that the Copilot agent works in Microsoft 365 Copilot. For example, use Contoso in Microsoft 365 Copilot to search and summarize your tasks. [Must fix]
The semanticDescription property isn't a mandatory field. However, if you add semanticDescription in app manifest, the existing validation checks for short, parameter, and command descriptions are also applicable for semantic descriptions.
Copilot agent responses provided as an Adaptive Card must meet the following requirements:
Adaptive Card response must include Adaptive Card content and preview card information as part of the same template. [Must fix]
Apart from the Copilot agent logo, title, thumbnail, and title of the information, the data in the Adaptive Card must represent at least two pieces of information. You can identify the fields from the most frequently searched attributes such as data modified, author, status, and flags. [Must fix]
Adaptive Card must be well-formatted to suit the desktop, web, and mobile (iOS and Android) clients. [Must fix]
Adaptive Cards must include a URL as part of the metadata, which allows cards to be easily copied from one hub to another. [Must fix]
Copilot agents must be fully responsive and functional on the latest versions of these clients: [Must fix]
Microsoft Teams on desktop and web
copilot.microsoft.com on web
Microsoft 365 Copilot in Word
Ensure your Copilot plugins work in Teams meetings
You must implement the following:
Adaptive Cards mustn't display a horizontal scroll. To avoid horizontal scrolls, don’t specify a fixed width: [Must fix]
ColumnSets
Don't define ColumnSets with more than three columns.
Don’t use explicit pixel width on more than one column in the set.
Ensure the column doesn't exceed one-quarter of the narrowest card width, such as in a meeting chat or Microsoft 365 Copilot.
Generally, an explicit width mustn't exceed 48 pixels, though some scenarios might allow for exceptions.
Sizing images
When using an image inside a ColumnSet with more than one column, specify the size of the column containing an image rather than the image itself.
If the image isn’t in a ColumnSet, we recommend you to set its size to auto or stretch.
If you want to define an explicit width in pixels, ensure that it doesn’t exceed three-fourths of the narrowest card width.
If you want to define explicit size in pixels, define it for the width or height. Setting explicit size for any one parameter preserves the image's aspect ratio.
We recommend that you set the width of the image, though some scenarios might allow for exceptions.
Ensure your Copilot agents work with Microsoft 365 - Word, Excel, PowerPoint, OneNote, Office, and Outlook Copilots
You must ensure to meet the following guidelines for Copilot agents:
If using SSO-enabled app, update Microsoft Entra app registration: [Must fix]
Microsoft Entra single sign-on (SSO) for message extension works in the same way as it does in Teams or Outlook. If you enabled SSO for your app, add the Office app Copilot’s client application identifier to the Microsoft Entra app registration of your bot in your tenant's App registrations portal.
Sign in to Azure portal with your sandbox tenant account.
Open App registrations.
Select the name of your application to open its app registration.
From the Manage section, select Expose an API.
In the Authorized client applications section, ensure that the following client ID values are listed:
Microsoft 365 client application
Client ID
Word, PowerPoint, Excel (web, desktop)
3068386c-7a16-4f6a-a664-043b6b232816
Teams desktop, mobile
1fec8e78-bce4-4aaf-ab1b-5451cc387264
Teams web
5e3ce6c0-2b1f-4285-8d4b-75ee78787346
Microsoft 365 web
4765445b-32c6-49b0-83e6-1d93765276ca
Microsoft 365 desktop
0ec893e0-5785-4de6-99da-4ed124e5296c
Microsoft 365 mobile
d3590ed6-52b3-4102-aeff-aad2292ab01c
Outlook desktop
d3590ed6-52b3-4102-aeff-aad2292ab01c
Outlook web
bc59ab01-8403-45c6-8796-ac3ef710b3e3
Outlook mobile
27922004-5251-4030-b22d-91ecd9a37ea4
Bing
9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7
Note
For more information about how SSO works for message extensions, see enable SSO for your app.
Ensure your registered bot is connected to Microsoft 365 and Microsoft Teams channel: [Must fix]
Sign in to Azure portal with your sandbox tenant account.
Open Bot Services.
Select the name of your bot to update its channels.
From the Settings section, select Channels.
From Available channels, select Microsoft 365 & Microsoft Teams, and then select Apply.
If your Copilot agent makes use of Content Security Policy (CSP) headers, ensure that all the following frame-ancestors are included in your CSP headers:
Response time mustn't exceed nine seconds for 99 percent, five seconds for 75 percent and two seconds for 50 percent. [Must fix]
Reliability
Apps must maintain 99.9% availability. For instance, if Microsoft 365 Copilot calls an agent 1,000 times, it must provide a meaningful response 999 times. [Must fix]
Zero regressions
If you need to resubmit your Copilot agent for validation, the existing message extension functionality that was working earlier mustn't break. This requirement is only applicable to independent software vendor (ISV) apps and not apps built for your organization. [Must fix]
Microsoft 365 channel
For users to interact with your message extension from Outlook, you need to add Microsoft 365 channel to your bot. For more information, see add Microsoft 365 channel for your app. [Must fix]
Single sign-on (SSO)
If applicable, update your Microsoft Entra app registration for SSO. [Must fix]
User disclosure and confirmation for action scenarios
For action scenarios, Copilot agents must share user disclosure and seek user confirmation:
Data shown in third-party service (through dialogue) must be reflective of confirmation provided by the user. [Must fix]
A confirmation of the completion of the action must be shared by the agent in the form of a card. [Must fix]
Action taken by a user must be correctly reflected in third-party service. [Must fix]
Modification requests by the user prior to confirmation of the action must be honored. [Must fix]
Highly consequential tasks such as bulk delete mustn't be supported. [Good-to-fix]
The declarative agent must provide confirmation prompts aligned with user-initiated actions, using clear language that explicitly seeks the user's permission. [Must fix]
Confirmation prompt can be set by using body property in the Confirmation object in the function's Function capabilities object in the manifest. For more information, see customizing confirmation text.
Pass example
Fail example
For a function which searches tickets - "Do you want to allow searching in Contoso?" "Do you want to allow searching for tickets?"
Do you want to proceed?" --> Does not indicate what the function does.
For a function which creates a new order "Do you want to proceed with creating a new order?"
Searches tickets" --> Does not seek permission
For a function which creates a new ticket: "Do you want to proceed with creating a new ticket?"
"Creates tickets" --> Does not seek permission
For declarative agents, any action with consequences on the external system mustn't have isConsequential flag set as ‘False’. [Must fix]
Copilot agent must have Action or knowledge source
Your Copilot agent must have nodes defined as actions in the app manifest. All agents must have a core use case that's served through API actions. [Must fix]
For capabilities such as Websearch, Graphic Art, or Code Interpreter, the Instruction field must include details on how to use the capabilities within the context of the agent. [Must fix]
All Copilot agents must handle the following scenarios gracefully, that is, the agent must reject the user request and provide a way forward: [Must fix]
For incorrect search parameters
For misuse or inappropriate language
For topics in which the Copilot agent doesn’t specialize
For example, graceful error message with way forward for declarative agent:
Copilot agents that use OpenAPI specs must ensure the following security standards:
All API calls must use HTTPS with TLS 1.2 or higher. [Must fix]
API calls mustn't lead to any URL redirection. Actual API calls must be served from the same domain or subdomain as the root domain verified for the developer. [Must fix]
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
Platform Docs feedback
Platform Docs is an open source project. Select a link to provide feedback:
Extend declarative agents for Microsoft 365 Copilot with API plugins is a multi-part series that teaches you basic concepts of extending declarative agents with actions using API plugins. You learn what API plugins are, how they work, and when you should consider building them. You also learn how to use Adaptive Cards to show data in a rich way and how to connect to secured APIs.