Поділитися через

Configure user authentication in Copilot Studio

Authentication allows users to sign in, giving your copilot access to a restricted resource or information. Users can sign in with Microsoft Entra ID, or with any OAuth2 identity provider such as Google or Facebook.


In Microsoft Teams, you can configure a Copilot Studio copilot to provide authentication capabilities, so that users can sign in with a Microsoft Entra ID or any OAuth2 identity provider, such as a Microsoft or Facebook account.

You can add end-user authentication to your copilot when you edit a topic.

Copilot Studio supports the following authentication providers:

  • Azure Active Directory v1
  • Microsoft Entra ID
  • Any identity provider that complies with the OAuth2 standard


Changes to the authentication configuration only take effect after you publish your copilot. Make sure to plan ahead before you make authentication changes to your copilot.

Choose an authentication option

Copilot Studio supports several authentication options. Choose the one that meets your needs.

To change your copilot's authentication settings, in the navigation menu under Settings, go to the Security tab and select the Authentication card.

Screenshot of the Security page under the Settings menu, highlighting the Authentication card.

The following authentication options are available:

  • No authentication
  • Authenticate with Microsoft
  • Authenticate manually

Screenshot of the Authentication pane showing the three authentication options.

No authentication

No authentication means your copilot doesn't require your users to sign in when interacting with the copilot. An unauthenticated configuration means your copilot can only access public information and resources.


Selecting the No authentication option will allow anyone who has the link to chat and interact with your bot or copilot.

We recommend you apply authentication, especially if you are using your bot or copilot within your organization or for specific users, along with other security and governance controls.

Authenticate with Microsoft


When the Authenticate with Microsoft option is selected, all channels except the Teams channel will be disabled.

Additionally, the Authenticate with Microsoft option is not available if your copilot is integrated with Dynamics 365 Customer Service.

Teams and Power Apps authentication is enabled by default for copilots and copilots that you create in Copilot Studio.

This configuration automatically sets up Microsoft Entra ID authentication for Teams without the need for any manual configuration. Since Teams authentication itself identifies the user, users aren't prompted to sign in while they're in Teams, unless your copilot needs expanded scope.

Only the Teams channel is available if you select this option. If you need other channels but still want authentication for your copilot (such as when using generative AI features), choose Authenticate manually.

If you select the Authenticate with Microsoft option, the following variables are available in the authoring canvas:

  • UserID
  • UserDisplayName

For more information about these variables and how to use them, see Add end-user authentication to topics.

AuthToken and IsLoggedIn variables aren't available with this option. If you need an authentication token, use the Manual option.

If you change from Authenticate manually to Authenticate with Microsoft authentication, and your topics contain the variables AuthToken or IsLoggedIn, they're displayed as Unknown variables after the change. Make sure to correct any topics with errors before you publish your copilot.

Authenticate manually

You can configure any Microsoft Entra ID v1, Microsoft Entra ID, or OAuth2-compatible identity provider with this option. The following variables are available in the authoring canvas after you configure manual authentication:

  • UserID
  • UserDisplayName
  • AuthToken
  • IsLoggedIn

For more information about these variables and how to use them, see Add end-user authentication to topics.

Once the configuration is saved, make sure to publish your copilot so the changes take effect.


  • Authentication changes only take effect after the copilot is published.
  • This setting can be controlled by the corresponding admin control in Power Platform. When the control is enabled, it prevents the Manual setting from being enabled or disabled within Copilot Studio. The control is always enabled, and the Manual setting can't be modified in Copilot Studio.

Required user sign in and copilot sharing

Require users to sign in determines whether a user needs to sign in before talking with the copilot. We highly recommend that you turn on this setting when your copilot needs to access sensitive or restricted information.

Screenshot of the Authentication pane showing the Require user to sign in option.

This option isn't available when the No authentication option is chosen.


This option is also not configurable when DLP policy in the Power Platform admin center is configured to require authentication. For more information, see Data loss prevention example - Require end-user authentication in copilots.

If you turn off this option, your copilot doesn't ask users to sign in until it encounters a topic that requires them to.

When you turn on this option, it creates a system topic called Require users to sign in. This topic is only relevant for the Authenticate manually setting. Users are always authenticated on Teams.

The Require users to sign in topic is automatically triggered for any user who talks to the copilot without being authenticated. If the user fails to sign in, the topic redirects to the Escalate system topic.

The topic is read-only and can't be customized. To see it, select Go to the authoring canvas.

Control who can chat with the copilot in the organization

Your copilot's authentication and Require user to sign in setting in combination determines whether you can share the copilot to control who in your organization can chat with it. The authentication setting doesn't affect sharing a copilot for collaboration.

  • No authentication: Any user who has a link to the copilot (or can find it; for example, on your website) can chat with it. You can't control which users in your organization can chat with the copilot.

  • Authenticate with Microsoft: The copilot works only on the Teams channel. Since the user is always signed in, the Require users to sign in setting is turned on and can't be turned off. You can use copilot sharing to control who in your organization can chat with the copilot.

  • Authenticate manually:

    • If the service provider is either Azure Active Directory or Microsoft Entra ID, you can turn on Require users to sign in to control who in your organization can chat with the copilot using copilot sharing.

    • If the service provider is Generic OAuth2, you can turn Require users to sign in on or off. When turned on, a user who signs in can chat with the copilot. You can't control which specific users in your organization can chat with the copilot using copilot sharing.

When a copilot's authentication setting can't control who can chat with it, if you select Share on the copilot's overview page a message informs you that anyone can chat with your copilot.

Screenshot of a message stating everyone in the organization can chat with the copilot because of its authentication setting.

Manual authentication fields

The following are all the fields you can see when you're configuring manual authentication. Which fields you see depends on your choice for service provider.

Field name Description
Authorization URL template The URL template for authorization, as defined by your identity provider. For example, https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Authorization URL query string template The query template for authorization, as provided by your identity provider. Keys in the query string template vary, depending on the identity provider (?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}).
Client ID Your client ID, obtained from the identity provider.
Client secret Your client secret, obtained when you created the identity provider app registration.
Refresh body template The template for the refresh body (refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}).
Refresh URL query string template The refresh URL query string separator for the token URL, usually a question mark (?).
Refresh URL template The URL template for refresh; for example, https://login.microsoftonline.com/common/oauth2/v2.0/token.
Scope list delimiter The separator character for the scope list. Empty spaces aren't supported in this field.1
Scopes The list of scopes that you want users to have after they've signed in. Use the Scope list delimiter to separate multiple scopes.1 Only set necessary scopes and follow the least privilege access control principle.
Service provider The service provider you want to use for authentication. For more information, see OAuth generic providers.
Tenant ID Your Microsoft Entra ID tenant ID. Refer to Use an existing Microsoft Entra ID tenant to learn how to find your tenant ID.
Token body template The template for the token body. (code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret})
Token exchange URL (required for SSO) This is an optional field used when you're configuring single sign-on.
Token URL template The URL template for tokens, as provided by your identity provider; for example, https://login.microsoftonline.com/common/oauth2/v2.0/token.
Token URL query string template The query string separator for the token URL, usually a question mark (?).

1 You can use spaces in the Scopes field if the identity provider requires it. In that case, enter a comma (,) in Scope list delimiter, and enter spaces in the Scopes field.

Remove the authentication configuration

  1. In the navigation menu, under Settings, select Security. Then select the Authentication card.
  2. Select No authentication.
  3. Publish the copilot.

If authentication variables are being used in a topic, they become Unknown variables. Go to the Topics page to see which topics have errors and fix them before publishing.