This article provides tips for resolving data policy and authentication errors in Copilot Studio Kit, along with advice on how to resolve test run failures. It also provides information on how to escalate issues.
Data policy errors
If you encounter data loss prevention errors (such as AppForbidden) when using Copilot Studio Kit, ensure that the following connectors are allowed in your data policy:
- SharePoint
- Power Platform for Admins
- Office 365 Outlook
- Microsoft Dataverse
- [Legacy] Microsoft Dataverse
- Microsoft Entra ID
- Direct Line channels in Copilot Studio
- Power Apps for Makers
More information:
- Manage data policies
- Configure data policies for agents
- Troubleshoot data policy enforcement for Copilot Studio
Authentication errors
Typically, two app registrations are needed for end user authentication. For example:
- KitAuthApp: Used in Copilot Studio Kit agent configurations.
- CopilotStudioAuthApp: Used in Copilot Studio, linked to KitAuthApp.
General checklist
- Ensure that the custom agent (Copilot Studio) and the Copilot Studio Kit are on the same tenant.
- Before enabling user authentication, make sure authentication is disabled on both the custom agent and agent configuration in Copilot Studio Kit. Then, run a test to verify connectivity.
Checklist for KitAuthApp
- In the Azure portal, under Authentication, check that the Web Redirect URI is the Dataverse URI where Copilot Studio Kit is deployed.
- Verify that the Supported account types value is set to: Accounts in any organizational tenant (Any Microsoft Entra ID directory - Multitenant) and personal Microsoft accounts (for example, Skype, Xbox).
- In API permissions, check that User.Read permission is in the list, delegated, and has admin consent granted.
- Verify that client secret is created and that secret is in the Agent Configuration (User Authentication > Client Secret).
Checklist for CopilotStudioAuthApp
- In the Azure portal, under Authentication, verify that the Web Redirect URI has:
  - https://europe.token.botframework.com/.auth/web/redirect
  - https://token.botframework.com/.auth/web/redirect
- Verify that Implicit grant and Hybrid flows are enabled for Access Tokens and ID Tokens.
- Verify that the Supported account types value is set to: Accounts in any organizational tenant (Any Microsoft Entra ID directory - Multitenant) and personal Microsoft accounts (for example, Skype, Xbox).
- In Certificates & secrets, ensure the client secret is generated and used in Copilot Studio agent configuration (Settings > Security > Authentication > Client secret).
- In API permissions, verify that openid, profile, and User.Read are in the list, delegated, and admin consent granted.
- In Expose an API, check that the custom scope is created, that admins and users can consent, and that the scope is enabled. Verify that the custom scope is entered in Copilot Studio agent configuration (Settings > Security > Authentication > Token exchange URL).
- Check that the client ID of KitAuthApp is in the Authorized client applications.
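The CopilotStudioAuthApp checklist above can also be run against the app registration's Microsoft Graph application object (the JSON that `az ad app show` returns). This is an added example, not code from the original article or the Copilot Studio Kit project; `audit_auth_app`, the sample object, and the placeholder IDs are hypothetical, and it assumes both listed redirect URIs are required. Admin consent and the secret value are not part of the application object, so those two items still need a manual check.

```python
GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app ID
PERMS = {  # well-known Microsoft Graph delegated permission IDs
    "openid": "37f7f235-527c-4136-accd-4a02d197296e",
    "profile": "14dad69e-099b-42c9-810b-d002981feec1",
    "User.Read": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
}
REDIRECTS = {"https://token.botframework.com/.auth/web/redirect",
             "https://europe.token.botframework.com/.auth/web/redirect"}

def audit_auth_app(app, kit_client_id):
    """Return the checklist items this application object fails."""
    web, api, out = app.get("web") or {}, app.get("api") or {}, []
    for uri in sorted(REDIRECTS - set(web.get("redirectUris") or [])):
        out.append(f"redirect URI missing: {uri}")
    grant = web.get("implicitGrantSettings") or {}
    if not (grant.get("enableAccessTokenIssuance") and grant.get("enableIdTokenIssuance")):
        out.append("implicit grant not enabled for access and ID tokens")
    if app.get("signInAudience") != "AzureADandPersonalMicrosoftAccount":
        out.append("supported account types is not multitenant + personal")
    if not app.get("passwordCredentials"):
        out.append("no client secret")
    # Delegated ("Scope") permissions declared against Microsoft Graph
    declared = {r["id"] for res in app.get("requiredResourceAccess") or []
                if res.get("resourceAppId") == GRAPH
                for r in res.get("resourceAccess") or [] if r.get("type") == "Scope"}
    out += [f"delegated permission missing: {n}" for n, i in PERMS.items() if i not in declared]
    # type "User" means both admins and users can consent to the scope
    scopes = {s["id"] for s in api.get("oauth2PermissionScopes") or []
              if s.get("isEnabled") and s.get("type") == "User"}
    if not scopes:
        out.append("no enabled custom scope that admins and users can consent to")
    pre = api.get("preAuthorizedApplications") or []
    if not any(p.get("appId") == kit_client_id
               and scopes & set(p.get("delegatedPermissionIds") or []) for p in pre):
        out.append("KitAuthApp is not an authorized client application for the scope")
    return out

# Constructed sample: one redirect URI and the KitAuthApp pre-authorization are missing.
KIT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder KitAuthApp client ID
SAMPLE = {
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "passwordCredentials": [{"displayName": "kit"}],
    "web": {"redirectUris": ["https://token.botframework.com/.auth/web/redirect"],
            "implicitGrantSettings": {"enableAccessTokenIssuance": True,
                                      "enableIdTokenIssuance": True}},
    "requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [
        {"id": i, "type": "Scope"} for i in PERMS.values()]}],
    "api": {"oauth2PermissionScopes": [  # placeholder scope ID
        {"id": "22222222-2222-2222-2222-222222222222", "isEnabled": True, "type": "User"}]},
}
```

Calling `audit_auth_app(SAMPLE, KIT_ID)` returns the two failing items; an empty list means every checked item passes.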
Checklist for agent configuration in Copilot Studio
- In Copilot Studio, go to Settings > Security > Authentication and verify that:
  - Authenticate manually is enabled.
  - Require users to sign in is enabled (at least for troubleshooting purposes).
  - Redirect URL is set (to https://token.botframework.com/.auth/web/redirect).
  - Service provider is Microsoft Entra ID V2 with client secrets.
  - Client ID is the client ID of CopilotStudioAuthApp.
  - Client secret is the one generated for CopilotStudioAuthApp.
  - Token exchange URL is the custom scope created in CopilotStudioAuthApp.
  - Tenant ID is the tenant where both app registrations are created.
  - Scopes include at least profile and openid.
- Make sure the bot is published with this configuration.
- Ensure that the Copilot Studio test pane works.
- Ensure that the demo site works (including login).
Checklist for agent configuration in Copilot Studio Kit
- Make sure the token endpoint is set correctly (copy it from the mobile channel), or channel security is set and the correct secret is configured.
- Make sure user authentication is set to Entra ID v2.
- Make sure the client ID is the client ID of KitAuthApp.
- Make sure the scope is the custom scope created in CopilotStudioAuthApp and the same as in Copilot Studio authentication settings.
- Make sure the client secret in User Authentication > Client Secret matches the value of the client secret created for KitAuthApp.
- Make sure Channel Security is enabled in Direct Line settings and has valid configuration.
More information: Configure agents in Copilot Studio Kit.
Checklist for test configuration
Try your test with and without sending the conversation start event (find it in the Advanced tab of the test).
Checklist for the browser
Make sure the browser allows third-party cookies.
Test Run errors
If a cloud flow fails to run, the corresponding step status is Error.
On the Test Run record, the Error Details view displays a URL that you can use to navigate to the failed cloud flow run instance.
You can then troubleshoot the cloud flow further in Power Automate.
Where to get help
If you still experience issues, raise an issue on GitHub.
Copilot Studio Kit is an open source project licensed under the MIT License, for which Microsoft doesn't provide support.
For related, underlying core features in Microsoft Power Platform, use your standard channel to contact Microsoft Support.
Do not report security vulnerabilities through public GitHub issues. Instead, report them to the Microsoft Security Response Center (MSRC) at microsoft.com/msrc. Provide as much detail as possible about the potential security issue.