Configure Single Sign On in Copilot Studio Bots and Microsoft Teams (SSO)

In this article, we will learn how to configure single sign-on in Copilot Studio bots and the Microsoft Teams channel. Before that, we will recap what single sign-on is in general.

What is single-sign-on (SSO) in Microsoft applications?

Single sign-on (SSO) is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. With SSO, users can access all needed applications without being required to authenticate using different credentials. In the context of Microsoft Entra ID, SSO provides easy and secure logins for users of various applications within the Microsoft ecosystem.

Here are some key points about SSO in Microsoft applications:

Federation-Based SSO:

  • Description: Federation-based SSO allows seamless authentication between multiple identity providers. It improves security, reliability, and end-user experiences.
  • Supported Protocols: SAML 2.0, WS-Federation, or OpenID Connect.
  • Use Case: When an application supports federation, use this method instead of password-based SSO or Active Directory Federation Services (AD FS).

Application-Specific Considerations:

  • App Registrations: If an application was registered using App registrations in the portal, it is configured to use OpenID Connect and OAuth by default.
  • Tenant Hosting: SSO is not available when an application is hosted in another tenant.
  • Permissions: Ensure that your account has the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal) to enable SSO.

Enabling SSO for an Application:

At a high level, the following are the steps to enable SSO for an application:

  • Sign in to the Microsoft Entra admin center as a Cloud Application Administrator.
  • Navigate to Identity > Applications > Enterprise applications > All applications.
  • Search for the existing application and select it.
  • In the Manage section, choose Single sign-on to configure SSO settings.

SSO simplifies user access and enhances security by reducing the need for multiple logins across different applications. It’s a powerful feature for managing authentication in enterprise environments.

Now let’s move on to the actual agenda of this article: configuring SSO for Copilot Chatbot with Microsoft Teams.

Authentication in Copilot Studio Chatbot

In Copilot Studio, there are three types of authentication:

  • No Authentication: Basic copilot setup with no authentication action or authentication variables.
  • Only For Teams and Power Apps: User ID and User Display Name authentication variables available. Automatically sets up Azure Active Directory (AAD) authentication for Teams and Power Apps. All other channels will be disabled.
  • Manual (for custom website): Supports AAD or any OAuth2 identity provider. Authentication variables are available, including the authentication token. Enter the information provided by your Identity Provider (IdP), and then test the connection. For single sign-on with AAD, include the token exchange URL.

The default authentication selection is “Only For Teams and Power Apps.” With this authentication type, we can integrate the Copilot chatbot with Microsoft Teams and query documents stored in the SharePoint Online site from the Teams Copilot chatbot. It works fine with documents like Word and PDF files, but it does not work if your content is stored in SharePoint pages (.aspx files). For this, we need to go with the custom authentication, that is, “Manual (for custom website).”

For details about authentication in Microsoft Copilot Studio, refer to this article: How to Configure Authentication in Microsoft Copilot Studio Step by Step

Configure manual Authentication in Copilot Studio Chatbot

With the “Manual (for custom website)” authentication type, we will configure single sign-on for the Copilot chatbot with the Microsoft Teams channel. After setting up SSO (single sign-on) in Microsoft Teams, the user will be able to connect to the Copilot chatbot seamlessly from Microsoft Teams.

For this “Manual (for custom website)” authentication configuration, we need to configure the following, and all the values will be obtained from the application registration in the Azure portal.

Configure custom authentication in Copilot Chatbot studio

Configure Single Sign On in Copilot: Configure single sign-on in Microsoft Teams for Microsoft Copilot Studio bots with Microsoft Entra ID

Configuring single sign-on in Microsoft Teams for Copilot Studio chatbots is a two-step process:

  • Configure app registration in the Azure Portal.
  • Configure the app ID in the Microsoft Teams channel.

Configure app registration in the Azure Portal

Before configuring SSO for Teams, we first need to configure user authentication with Microsoft Entra ID. During this process, you will create an app registration, which you’ll use to set up SSO.

  • Create an app registration.
  • Add the redirect URL.
  • Generate a client secret.
  • Configure manual authentication.

Follow the instructions in Configure user authentication with Microsoft Entra ID, then return to this article.

Configure the app ID in the Microsoft Teams channel: Locate your Microsoft Teams channel app ID

Follow the below steps to get the Copilot Chatbot App ID:

  • In Microsoft Copilot Studio, open the bot that you want to configure SSO for.
  • In the navigation menu under Settings, select Channels. Select the Microsoft Teams tile.
Microsoft Teams channel in Copilot Studio Chatbot

Click on the “Turn on Teams” button.

Turn on Teams in Copilot Studio chatbot
  • Select Edit details:
Edit Details for Microsoft Teams Channel in Copilot Studio chatbot

Expand the More option.

Edit Details More for Microsoft Teams Channel in Copilot Studio chatbot

And then copy the App ID by selecting Copy.

Copilot Chatbot App ID from Microsoft Teams Channel

Add your Microsoft Teams channel app ID to your app registration

Log in to the Azure Portal.

Go to the app registration section.

Locate your app in the application registration list.

Expose an API in Azure App Registration

Click on the “Expose an API” link from the left-side menu.

Set the Application ID URI to the value below:

api://botid-{teamsbotid} and replace {teamsbotid} with your Teams channel app ID that you found earlier.

Example:

api://botid-863f8437-ef53-493a-02b0-fe3af79f54a9

Expose an API in Azure App Registration - Edit Application ID URI

Click on the “Save” button.

Grant admin consent for the Graph APIs (Delegated Permissions)

Add the following Graph APIs and grant admin consent.

Grant Admin Consent for Copilot Chatbot Graph APIs

Define a custom scope for your Copilot Chatbot

In the Azure portal on your app registration blade, go to Expose an API.

Select Add a scope.

And enter the following values:

Property                     Value
Scope name                   Enter Test.Read
Who can consent?             Select Admins and users
Admin consent display name   Enter Test.Read
Admin consent description    Enter Allows the app to log in the user.
State                        Select Enabled
Expose an API - Add a scope for Copilot chatbot

The scope should look like below:

Expose an API - Add a scope for Copilot chatbot created

Add Microsoft Teams client IDs

Add the following Microsoft Teams client IDs:

  • Client ID 1: 1fec8e78-bce4-4aaf-ab1b-5451cc387264
  • Client ID 2: 5e3ce6c0-2b1f-4285-8d4b-75ee78787346

Click on the “Expose an API” link menu from the left side panel.

Click on the “+ Add a client application” button.

Enter client ID 1 mentioned above and select the “authorized scopes” checkbox.

Click on the “Add application” button.

Expose an API - Add a client application

Repeat the same for client ID 2.

Finally, the client IDs should look like below:

Expose an API - Microsoft Teams client IDs registration

Add token exchange URL in Copilot Chatbot manual (for custom website) screen

Copy the chatbot scope id as shown below:

Expose an API - Copy the chatbot scope id

Paste the scope id in the “Token exchange URL (required for SSO)” box:

Token Exchange URL in Copilot Chatbot Authentication requires for SSO

Click on the “Save” button.

Add SSO to your Copilot Chatbot bot’s Microsoft Teams channel

Follow the below steps to add SSO to your Copilot Chatbot’s Microsoft Teams channel:

  • In Microsoft Copilot Studio, in the navigation menu under Settings, select Channels. Select the Microsoft Teams tile. Select Edit details and expand More.
  • For AAD application’s client ID, enter the Application (client) ID from your Azure portal app registration overview page.
  • For Resource URI, enter the Application ID URI from your Azure portal app registration overview page.
Configure AAD application's client ID and Resource URI in Copilot Teams channel SSO

The above configuration mapping is as below:

  • Application (Client) ID in Azure Portal -> AAD Application Client ID in Teams channel SSO
  • Application ID URI in Azure Portal -> Resource URI in Teams channel SSO

App registration overview page in Azure Portal:

Add SSO to your Copilot Chatbot bot’s Microsoft Teams channel

Click on the “Save” button, and then close. Then, follow the below steps:

  • In the Copilot navigation left menu, click on the Publish option.
  • Click on the “Publish” button to make the latest Copilot chatbot content available to your customers.
  • In the left-side navigation menu, under Settings, select Channels.
  • Click on the Microsoft Teams channel, then click on Open bot.

Start a new conversation with your bot in Microsoft Teams to see if it automatically signs you in. That’s it. We are done with the single sign-on configuration with the Copilot chatbot in the Microsoft Teams channel.
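
The settings above have to agree with each other across the Azure portal and Copilot Studio, and a mismatch in any one of them breaks the silent sign-in. The following check is an added example, not part of the original article or of any Microsoft tooling. It assumes the app registration has been exported as JSON in the Microsoft Graph application shape (identifierUris, api.oauth2PermissionScopes, api.preAuthorizedApplications) and that the token exchange URL is the full scope URI, that is, the Application ID URI followed by "/" and the scope name; the function name, the sample data and the scope GUID are hypothetical.

```python
# Teams client IDs listed in the article.
TEAMS_CLIENT_IDS = {"1fec8e78-bce4-4aaf-ab1b-5451cc387264",
                    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346"}

def audit_teams_sso(app, teams_bot_id, token_exchange_url, resource_uri):
    """Check a Graph-style app registration dict (assumed shape); [] means OK."""
    findings = []
    expected_uri = f"api://botid-{teams_bot_id}"
    if expected_uri not in app.get("identifierUris", []):
        findings.append(f"Application ID URI is not {expected_uri}")
    if resource_uri != expected_uri:
        findings.append("Resource URI differs from the Application ID URI")

    # Assumed token exchange URL form: <Application ID URI>/<scope name>.
    api = app.get("api", {})
    scopes = {s["value"]: s for s in api.get("oauth2PermissionScopes", [])}
    scope_name = token_exchange_url.rsplit("/", 1)[-1]
    scope = scopes.get(scope_name)
    if token_exchange_url != f"{expected_uri}/{scope_name}" or scope is None:
        findings.append("Token exchange URL does not name a scope on this app")
        return findings
    if not scope.get("isEnabled"):
        findings.append(f"Scope {scope_name} is disabled")

    # Each Teams client must be pre-authorized for that exact scope id.
    granted = {p["appId"]: set(p.get("delegatedPermissionIds", []))
               for p in api.get("preAuthorizedApplications", [])}
    for client in sorted(TEAMS_CLIENT_IDS):
        if scope["id"] not in granted.get(client, set()):
            findings.append(f"Teams client {client} is not authorized for {scope_name}")
    # Pre-authorized clients skip the consent prompt, so flag any extras.
    for client in sorted(set(granted) - TEAMS_CLIENT_IDS):
        findings.append(f"Unexpected pre-authorized client {client}")
    return findings

# Constructed sample: the second Teams client was never added.
BOT_ID = "863f8437-ef53-493a-02b0-fe3af79f54a9"  # example ID from the article
SCOPE_ID = "00000000-0000-0000-0000-000000000001"  # placeholder scope GUID
APP_URI = f"api://botid-{BOT_ID}"
SAMPLE_APP = {
    "identifierUris": [APP_URI],
    "api": {
        "oauth2PermissionScopes": [
            {"id": SCOPE_ID, "value": "Test.Read", "isEnabled": True}],
        "preAuthorizedApplications": [
            {"appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
             "delegatedPermissionIds": [SCOPE_ID]}],
    },
}
print(audit_teams_sso(SAMPLE_APP, BOT_ID, f"{APP_URI}/Test.Read", APP_URI))
```

An empty list means the Application ID URI, Resource URI, token exchange URL, scope and pre-authorized Teams clients all line up.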

Add this Copilot chatbot in Microsoft Teams.

Add Copilot Chatbot app in Microsoft Teams

Test this Copilot Chatbot app from Microsoft Teams after SSO configuration.

Test Copilot Chatbot app from Microsoft Teams after SSO configuration

It is asking you to sign in but not giving you the option to sign in. Cool! It is a common issue, and many of the folks in the Power Platform community ask this same question. How do we deal with this issue? To fix it, let’s go to the section below.

How to Export the Copilot chatbot manifest file

Follow the below steps to export the Copilot chatbot manifest file:

Download as .zip file

Click on the “Availability” button.

Copilot Chatbot availability options

Click on the “Download .zip” button from the “Download as .zip” section.

Copilot Chatbot manifest file download as .zip file

Install your bot in Teams

Follow the below steps to install your Copilot chatbot in Teams:

1. Go to the Teams Store
2. Select Upload a custom app
3. Follow the prompts

If you aren’t able to do this yourself, ask your Teams admin for help.

Install your bot in Teams

Note:

  • If you have already integrated your chatbot using Copilot Studio, disconnect it.

Disconnect Copilot chatbot from Microsoft Teams

Log in to the Microsoft Teams Admin Centre or ask your Teams Administrator if you don’t have access.

From the Manage Apps Teams section, upload the Copilot chatbot manifest (.zip) file.

A custom Copilot app was uploaded to the Microsoft Teams Admin Centre.

Custom Copilot App uploaded to Microsoft Teams Admin Centre

Note:

  • After uploading your custom Copilot Chatbot in the Microsoft Admin Centre, turn on your Copilot Chatbot app for Microsoft Teams again in Copilot Studio and publish it before going to the next step; otherwise, you will get an error and will not be able to add the Copilot Chatbot app and test it. This is a very important point to keep in mind. How to turn on Teams is shown below.
Copilot Chatbot Turn on Teams

Log in to Microsoft Teams as a normal user and find the Copilot chatbot app you just added.

Add custom Copilot app in your Teams as a user

Add the Copilot chatbot to your Microsoft Teams.

Add custom Copilot app in your Teams as a user - click on the add button

We can see that my custom copilot chatbot has been added to my Teams.

The Copilot chatbot successfully worked after configuring the SSO in Teams.

Note:

  • This time, without signing in to my Copilot Chatbot app, Copilot is able to generate answers from SharePoint sites. This is the beauty of having configured SSO (single sign-on) in Copilot Studio and Teams.

The Copilot Sign-In button is missing from Microsoft Teams after SSO configuration.

Many users reported in the Power Platform Copilot community forums that after configuring the single sign-on with Microsoft Teams, the copilot chatbot is asking to sign in, but it doesn’t provide any login buttons to sign in from Microsoft Teams.

This is just a standard message from Microsoft; you can ignore it. If you have successfully configured the SSO following the above steps, the Copilot chatbot will display the sign-in request message from Teams, but it works without signing in because of the single sign-on configuration. If your chatbot answers your query without signing in, then you can say that your SSO configuration has been implemented successfully. For example, it worked for me; see the screenshot below:

Copilot Sign in button is missing from Microsoft Teams after SSO configuration

Summary: Configure Single Sign-on in Copilot Studio

Thus, in this article, we have learned what single sign-on is in Microsoft Copilot Studio and how to integrate the Copilot chatbot with Microsoft Teams by configuring SSO (single sign-on) in the Copilot chatbot and the Azure app registration.
