Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Copilot Studio supports end-user authentication and authorization through Microsoft Entra ID, so that users of your agents can use their Microsoft Entra ID credentials to authenticate. Your organization manages these credentials.
However, users might encounter problems related to Conditional Access policies that affect their ability to use Copilot Studio agents effectively.
Symptoms
Agents might be unresponsive to end users on specific channels, such as Teams, due to Conditional Access policies implemented through Microsoft Entra ID.
Users of your agents might see a blank page in the chat window or receive an error message indicating that the agent isn't available, and the test chat doesn't respond to queries.
Reason
Policy enforcement: Due to recent security updates that provide stronger authentication controls, Copilot Studio agent acquires the authentication token specific to a given customer tenant.
With these policy enforcements in place, agents don't initiate a conversation or respond to end users if Conditional Access policies block the acquisition of the authentication token.
The enforcement applies to existing agents created in tenants with Conditional Access policies that, previously, didn't prevent the agent from responding to end users.
Mitigation
You can see which Conditional Access policy is blocking the request so that you can investigate and act accordingly. For guidance on how to resolve issues or modify Conditional Access policies, see the other resources at the end of this article.
You might also need to allow specific IP addresses and IP ranges that are used by Copilot Studio, Power Platform, or other Microsoft services.
You can access the Conditional Access logs for a specific Copilot Studio agent from the agent's app registration in Microsoft Entra. You can also see logs for all agents by manually filtering within the Identity section in Entra.
Tip
Depending on who made the request, the associated log could be in one of multiple sign-in categories in Entra.
Check each tab on the Conditional Access sign-in logs page.
Get Conditional Access logs for all Copilot Studio agents
Sign in to the Microsoft Entra admin center as at least a Reports Reader.
Open the Identity section on the side menu. Select Monitoring & health, and then Audit logs.
Select the Date range you want to query.
Select Add filters above the list of sign-ins, and then select Application. Set the filter to Application contains: Copilot Studio.
Add the Conditional Access filter in the same way, and set it to Failure. Select Apply.
Get Conditional Access logs for a specific Copilot Studio agent
- Sign in to the Microsoft Entra admin center.
- Open App registrations from the side menu, homepage, or by searching for it in the search bar at the top of the screen.
- Open the registration for the agent you want to review.
- On the Overview page, under the Essentials section, select the link for the Managed application in local directory. A prefiltered list of Conditional Access logs for that agent appears.
Identify and remediate policy failures
By default, the audit logs display all activities. Open the Activity filter to narrow down the activities, if necessary. For a list of audit log activities for Conditional Access, see the Microsoft Entra audit log activities article in the Entra Conditional Access documentation.
Review the activities under each tab to locate any that triggered a Conditional Access policy failure for Copilot Studio.
Select an entry to open the Activity Details panel, then go to the Conditional Access tab. The associated policies that triggered the issue are listed, along with the action taken as a result of the policy, such as Block.
After you identify the associated policy, troubleshoot to determine what you need to do. For example, you can continue allowing the policy to block agent interactions, change the policy's scope, or modify or disable the policy.
The following articles in the Microsoft Entra Conditional Access documentation detail the next steps you can take in Entra to resolve the issue: