Lưu ý
Cần có ủy quyền mới truy nhập được vào trang này. Bạn có thể thử đăng nhập hoặc thay đổi thư mục.
Cần có ủy quyền mới truy nhập được vào trang này. Bạn có thể thử thay đổi thư mục.
Dynamic client registration (DCR) enables a plugin to register an OAuth client with your identity provider automatically, without requiring you to manually create a client ID and secret ahead of time. Instead of statically registering an OAuth app and copying the credentials into an auth config, the authorization server issues client credentials on demand following RFC 7591.
DCR builds on the OAuth 2.0 authorization code flow. Unlike static OAuth, you don't configure a redirect URI or client credentials yourself - the Enterprise token store registers the client and handles those details behind the scenes. For general OAuth concepts, see Configure OAuth 2.0 authentication.
Note
- DCR is supported for Model Context Protocol (MCP) plugins.
- DCR without a client secret isn't supported yet. The authorization server must issue a client secret during registration.
- PKCE is enabled by default for DCR.
Configure DCR in two steps: confirm the prerequisites and create the DCR auth config.
Step 1: Confirm prerequisites
- Your MCP server exposes OAuth 2.0 protected resource metadata at its
.well-known/oauth-protected-resourceendpoint (RFC 9728), identifying the authorization server that protects it. - The authorization server publishes its metadata at the
.well-known/oauth-authorization-serverendpoint (RFC 8414), including aregistration_endpoint, and supports dynamic client registration (RFC 7591) that issues a client secret.
Step 2: Create the DCR auth config
DCR authentication relies on an authentication configuration (auth config) - a record stored in the Microsoft Enterprise token store that Microsoft 365 Copilot uses to obtain and refresh tokens for your MCP plugin. You can create the DCR auth config in two ways: Microsoft 365 Agents Toolkit and the declarative agent developer skill. Both create the auth config and update your plugin manifest automatically.
Note
The Microsoft Teams developer portal doesn't support DCR yet. Use Agents Toolkit or the declarative agent developer skill.
Use Microsoft 365 Agents Toolkit (recommended)
When you build an agent with an MCP plugin in Microsoft 365 Agents Toolkit and select dynamic client registration as the authentication type, no further input is required. Agents Toolkit fetches the registration details from the well-known endpoint of your MCP server, registers a new client with the authorization server automatically, creates the auth config in the Enterprise token store, and updates the runtime authentication object in your plugin manifest.
Use the declarative agent developer skill
The declarative agent developer skill (declarative-agent-developer) is an agent skill in Microsoft Work IQ that packages the knowledge needed to build declarative agents. Instead of running commands or editing manifests yourself, describe what you want to Copilot or the GitHub CLI in natural language. The skill scaffolds the declarative agent, adds the MCP plugin, and handles the authentication configuration for you. For DCR, the skill registers the client, creates the auth config in the Enterprise token store, and updates the plugin manifest without manual steps.
Tip
For a video walkthrough of using the declarative agent developer skill, see Build declarative agents with the declarative agent developer skill.
Plugin manifest
No action is required from you - this section is for reference only, to show the changes that Agents Toolkit and the declarative agent developer skill make to the plugin manifest for you. DCR uses the same runtime authentication object as OAuth 2.0: the type property is set to OAuthPluginVault, and the reference_id is set to the auth config ID.
"auth": {
"type": "OAuthPluginVault",
"reference_id": "auth config ID"
},