Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
[This article is prerelease documentation and is subject to change.]
Authentication for agents is an admin control in the Power Platform admin center that lets admins govern which authentication methods users can choose when they configure an agent in Microsoft Copilot Studio. Use this control to enforce your organization's security policies and ensure agent authentication settings align with identity requirements.
For organizations that want to reduce exposure to anonymous access or non-compliant authentication patterns, the Authentication for agents admin control provides a centralized, environment-level control.
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
Configure authentication for agents in specific environments
Sign in to the Power Platform admin center.
In the navigation pane, select Security.
In the Security pane, select Identity and access. The Identity and access management page appears.
Select Authentication for agents. The Authentication for agents (preview) pane appears.
Select the environment group or environment that you want to configure. Select Set up.
Choose one of the following authentication options for your agent:
No authentication (Publicly available): Authentication isn't required for agents.
Require Microsoft authentication: User-created agents must require Microsoft Entra ID authentication in Microsoft Teams, SharePoint, Power Apps, or Microsoft 365 Copilot. When you select this option, all other authentication options in Copilot Studio aren't available.
Require Entra authentication: User-created agents require either manual authentication or Microsoft authentication. When you select this option, manual authentication with Generic OAuth 2 isn't supported.
Allow all supported authentication methods: User-created agents support either Microsoft or manual authentication. When you select this option, no authentication is blocked.
Select Save to apply the changes.
If you change the authentication settings, users in managed environments receive a notification in Copilot Studio when their previous authentication method is no longer available. For example, a user-created agent might be set to Authenticate manually with Microsoft Entra ID, while Allow all supported authentication methods is the admin policy. If you later change the environment policy to Require Microsoft authentication, the user's Copilot agent authentication setting updates after the page is refreshed, and disallowed options are no longer selectable. This behavior keeps existing agents aligned with current environment governance.
If the admin no longer allows the authentication setting for an already published agent, the agent is blocked from further publishing updates and won't respond to users until its authentication settings meet the admin's requirements.
How admin settings map to user options in Copilot Studio
No authentication
When you select No authentication, users can configure any supported authentication type for their agents in Copilot Studio, including anonymous access. Choose No authentication only when users must be able to configure public or anonymous experiences.
Require Microsoft authentication
When you select Require Microsoft authentication, only Authenticate with Microsoft is available for user-created agents in Copilot Studio. This configuration blocks no authentication, manual authentication, and anonymous access. Choose this option when your organization wants the strictest user-facing experience and supports only Microsoft-based sign-in.
Require Entra authentication
When you select Require Entra authentication, user-created agents can be configured to use Microsoft authentication or manual authentication with Microsoft Entra ID in Copilot Studio. This configuration blocks no authentication, manual authentication with Generic OAuth 2, and anonymous access. Choose this option if users must use Microsoft sign-in, but still need manual configuration scenarios that depend on Microsoft Entra ID.
Allow all supported authentication methods
When you select Allow all supported authentication methods, users can configure their agents to support all authentication methods (authenticate with Microsoft, manual authentication with Microsoft Entra ID, and manual authentication with Generic OAuth 2). This configuration blocks no authentication and anonymous access. Choose this option when authentication is required, but your organization wants to support both Microsoft Entra ID and Generic OAuth 2 in manual authentication scenarios.