How to Configure Authentication in Microsoft Copilot Studio Step by Step

In this article, we will learn how to configure authentication in Microsoft Copilot Studio step by step, following the Microsoft standard. Microsoft Copilot Studio was announced in the Microsoft Ignite 2023 session, and as of today (November 2023) the product is in preview mode. However, we can still explore and learn about Microsoft Copilot Studio by subscribing to the trial version of the Microsoft 365 Copilot Studio product.

Before getting into authentication in Copilot Studio, let’s understand in general what authentication is.

What is Authentication in Software Development?

Authentication is a crucial aspect of software development, ensuring that users and systems are who they claim to be. In the context of Microsoft technologies, authentication is commonly used to secure access to various services and applications. Here are some general concepts that might apply to authentication in a Microsoft environment:

  • Azure Active Directory (AAD): Microsoft’s cloud-based identity and access management service, Azure Active Directory, is often used for authentication in cloud-based applications and services. AAD supports various authentication methods, including username and password, multi-factor authentication (MFA), and integration with other identity providers.
  • OAuth and OpenID Connect: These are commonly used authentication and authorization protocols. OAuth is used for delegated authorization, allowing one application to access resources on behalf of another. OpenID Connect is built on top of OAuth and provides authentication services.
  • Identity Providers: Microsoft Copilot Studio might support integration with different identity providers, allowing users to log in using their existing credentials from sources like Microsoft accounts, Google accounts, or other identity providers.
  • API Keys and Secrets: Some applications may use API keys or client secrets for authentication. These are often used in scenarios where a service or application needs to authenticate itself to another service.
  • Role-Based Access Control (RBAC): RBAC is a method of regulating access to computer or network resources based on the roles of individual users. In Microsoft environments, RBAC is commonly used to control access to Azure resources.

Now that we understand what authentication is in the application, let’s focus on how to configure authentication in Microsoft Copilot Studio.

How to Configure Authentication in Microsoft Copilot Studio Step by Step

In this section, we will learn how to configure authentication in Microsoft Copilot Studio step by step. The configuration is done in two phases: 1) app registration in Azure Portal and 2) updating the authentication method in Copilot Studio.

Pre-requisites:

If you don’t have your Microsoft Developer Programme Free Subscription, create a trial tenant by referring to this article: Create Free Microsoft 365 developer program account step by step.

Now let’s register a sample app, practically following the above steps.

App registration in Azure Portal

Step 1: Login to Azure Portal.

Step 2: Go to app registration: search for the text “app registration” and click on the App registrations link.

App registration services in Azure portal

Step 3: Click on “New registration” and enter a name for the registration.

Note:

  • Enter a user-friendly name for your bot project. For example, if your bot is called “Contoso sales help,” you might name the app registration “ContosoSalesReg”.

Step 4: For supported account types, select Accounts in any organisational directory (any Microsoft Entra ID directory—multitenant) and personal Microsoft accounts (e.g., Skype, Xbox). You can even select a single tenant, i.e., accounts in this organisational directory only (MSFT only, single tenant).

Step 5: Keep the Redirect URI section blank for now. We need to enter this information in the next steps.

Step 6: Click on the “Register” button.

Step 7: After the registration is complete, go to Overview.

Step 8: Copy the Application (client) ID and paste it in a temporary file editor like Notepad or Notepad++; we will need this in later steps.

For detailed steps with screenshots, refer to this article: App Registration in Azure: Quickly How Do I Register an Application Step by Step?

Add the redirect URL

To add the redirect URL, follow the steps below:

  1. Go to the Authentication menu in the left side panel, and then click on the “+ Add a platform” link.
  2. On the “Configure Platforms” screen, click on the “Web” link.
Configure Platforms in Azure Authentication
  3. For the “Redirect URIs”, enter the URLs below:
https://token.botframework.com/.auth/web/redirect and https://europe.token.botframework.com/.auth/web/redirect
  4. For the Implicit grant and hybrid flows section, turn on both Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows).

Generate a client secret

To generate a client secret, follow the steps below:

  • Select the app you created during app registration.
  • Go to Certificates & secrets for y
  • In the Client secrets section, select New client secret.
  • (Optional) Enter a description. The field is optional, but a description is good to have for governance. A description is provided automatically if you leave it blank.
  • Select the expiry period; keep the default selection, which is six months (180 days).
  • Select Add to create the secret.
  • Store the secret’s Value in a secure temporary file, preferably in Notepad or Notepad++. This is very important because we need it when we configure the bot’s authentication later on.
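The redirect URIs and the secret expiry chosen in the steps above can be checked later from an export of the app registration. The following is an added example, not code from the original article; it assumes the Microsoft Graph application JSON shape (web.redirectUris, passwordCredentials), and the function names, the 30-day warning window and the sample export are assumptions made for illustration.

```python
# Added example: audit an exported app registration (Microsoft Graph
# "application" JSON) against this guide's settings. Sample data is constructed.
from datetime import datetime, timedelta, timezone

# Redirect URIs from the "Add the redirect URL" step
ALLOWED_REDIRECTS = {
    "https://token.botframework.com/.auth/web/redirect",
    "https://europe.token.botframework.com/.auth/web/redirect",
}
MAX_SECRET_DAYS = 180  # expiry period kept in "Generate a client secret"
WARN_DAYS = 30         # assumption: start rotation when under 30 days remain

def parse_ts(value):
    # Graph timestamps are ISO 8601 UTC; drop "Z" and any fractional seconds
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0] + "+00:00")

def audit_app_registration(app, now):
    findings = []
    for uri in app.get("web", {}).get("redirectUris", []):
        if uri not in ALLOWED_REDIRECTS:  # exact match, no prefixes or wildcards
            findings.append(f"unexpected redirect URI: {uri}")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret present")
    for cred in secrets:
        name = cred.get("displayName") or cred.get("keyId", "?")
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        if end <= now:
            findings.append(f"secret '{name}' has expired")
        elif end - now < timedelta(days=WARN_DAYS):
            findings.append(f"secret '{name}' expires in {(end - now).days} days")
        if end - start > timedelta(days=MAX_SECRET_DAYS + 1):
            findings.append(f"secret '{name}' lifetime exceeds {MAX_SECRET_DAYS} days")
    return findings

SAMPLE_APP = {  # constructed export, not taken from a real tenant
    "web": {"redirectUris": [
        "https://token.botframework.com/.auth/web/redirect",
        "http://localhost:5000/callback",
    ]},
    "passwordCredentials": [{
        "displayName": "bot-auth",
        "startDateTime": "2023-11-01T00:00:00Z",
        "endDateTime": "2025-11-01T00:00:00Z",
    }],
}

if __name__ == "__main__":
    print(audit_app_registration(SAMPLE_APP, datetime(2023, 12, 1, tzinfo=timezone.utc)))
```

An empty result means the export matches the redirect URIs and secret lifetime configured in this guide.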

The next step is to configure authentication in the Copilot project; let’s follow the section below to do that.

Configure Authentication in Copilot

Let us follow the below steps to configure the authentication in Copilot:

  • Select your Copilot project in Copilot Studio.
  • Click on the Security link in the Settings menu.
  • Click on the Authentication link as shown below.
Configure Authentication in Copilot Studio

Then we will see the various authentication types available for your Copilot Chatbot:

  • No authentication: This is the default selection. Basic bot setup with no authentication action or authentication variables. If we want to read data from a public website, for example the Wikipedia site, we need to configure this setting.
  • Only for Teams and Power Apps: User ID and User Display Name authentication variables are available. Automatically sets up Azure Active Directory (AAD) authentication for Teams and Power Apps. All other channels will be disabled.
  • Manual (for custom website): Supports AAD or any OAuth2 identity provider. Authentication variables are available, including the authentication token. Enter the information provided by your Identity Provider (IdP), and then test the connection. For single sign-on with AAD, include the token exchange URL. For example, if we want to read data from a SharePoint site, we need to select this option.

Authentication types in Copilot studio

Select Manual (for custom website) as an authentication type and require users to sign in. Then, pass the following parameters:

  • Service Provider: Select service provider as Azure Active Directory V2.
  • Client ID: Enter the client ID you copied from your Azure Portal app registration.
  • Client Secret: Enter the client secret value from your Azure Portal app registration.
  • Tenant ID: This is updated automatically.
  • Scopes: Keep the default value.

Manual (for custom website) authentication types in Copilot studio

Configure API permissions for your App in Azure

To configure the API permissions for your app registered in Azure Portal, follow the below steps:

  • Go to API permissions.
  • Select Grant admin consent for <your tenant name>, and then select Yes.
  • Select Add a permission, and then select Microsoft Graph.
  • Select Delegated permissions.
  • Expand OpenId permissions and turn on openid and profile.
  • Select Add permissions.

Finally, we will see the app permissions like below:

Configure API Permissions in Azure App Registration

Copilot not accessing SharePoint files for generative answers

If your Copilot doesn’t answer a question from SharePoint content even though the question is valid, then add the following SharePoint API permissions to the API permissions list above as well, and it will work.

  • Files.Read.All: Read all files that user can access
  • Sites.Read.All: Read items in all site collections

Copilot API Graph API permissions for SharePoint sites and files
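Granting admin consent applies the delegated scopes to every user in the tenant, so it is worth reviewing which scopes were actually granted, especially the tenant-wide Files.Read.All and Sites.Read.All. The following is an added example, not code from the original article; it assumes Microsoft Graph oauth2PermissionGrant objects (consentType, principalId, scope), and the function name, the placeholder IDs and the sample grants are constructed for illustration.

```python
# Added example: review delegated consent grants (Microsoft Graph
# oauth2PermissionGrant objects) against the scopes this guide adds.
SIGN_IN_SCOPES = {"openid", "profile"}                    # "Configure API permissions"
SHAREPOINT_SCOPES = {"Files.Read.All", "Sites.Read.All"}  # SharePoint section
DEFAULT_SCOPES = {"User.Read"}  # the portal adds this to new app registrations

def review_grants(grants, uses_sharepoint):
    allowed = SIGN_IN_SCOPES | DEFAULT_SCOPES
    if uses_sharepoint:
        allowed |= SHAREPOINT_SCOPES
    findings, seen = [], set()
    for grant in grants:
        scopes = set(grant.get("scope", "").split())  # space-separated scope names
        seen |= scopes
        # AllPrincipals is what "Grant admin consent" creates: it covers every user
        if grant.get("consentType") == "AllPrincipals":
            who = "all users"
        else:
            who = f"user {grant.get('principalId')}"
        for scope in sorted(scopes - allowed):
            findings.append(f"{scope} granted for {who}, outside the expected scopes")
    for scope in sorted(SIGN_IN_SCOPES - seen):
        findings.append(f"{scope} not consented (sign-in scope from the guide)")
    return findings

SAMPLE_GRANTS = [  # constructed; IDs are placeholders
    {"clientId": "<service-principal-object-id>", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid User.Read Files.Read.All Sites.Read.All"},
    {"clientId": "<service-principal-object-id>", "consentType": "Principal",
     "principalId": "<user-object-id>", "scope": "Mail.Read"},
]

if __name__ == "__main__":
    # A bot that does not read SharePoint should not hold the two *.All scopes
    for finding in review_grants(SAMPLE_GRANTS, uses_sharepoint=False):
        print(finding)
```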

Configure custom scope for your bot

The next step is to define a custom scope for your chatbot. To do that, follow the below steps:

  • Go to Expose an API and select Add a scope.
  • Set the following properties. You can leave the other properties blank.
      ◦ Scope name: Enter a name that makes sense in your environment, such as Test.Read
      ◦ Who can consent?: Select Admins and users
      ◦ Admin consent display name: Enter a name that makes sense in your environment, such as Test.Read
      ◦ Admin consent description: Enter “Allows the app to sign the user in.”
      ◦ State: Select Enabled
  • Then, select Add scope.

Finally, we can see the scope as below:

Expose an API in Azure App Registration

Test your Chatbot built on Copilot Studio

Finally, we need to test the chatbot we created using the Copilot Studio. To test the bot, we need to follow the below steps:

  • Publish your Copilot Chatbot.
  • In the Test bot pane, send a message to your bot.
  • When the bot responds, select Login.
  • Sign in, and then copy the validation code that’s displayed.
  • Paste the code in the bot chat to complete the sign-in process.
Microsoft Copilot Studio With Custom Authentication Demo

Click on the “Login” button.

The validation code will be generated automatically on another screen; copy this validation code.

Copilot Custom Authentication – Please enter this validation code into the chat window to complete the sign-in

Paste or enter the validation code in the box, then hit Enter or click on the right arrow button. Then, we will get the auto-generated message below:

“Hello, I’m Copilot – SharePoint Demo, a virtual assistant. Just so you are aware, I sometimes use AI to answer your questions. How can I help?”

Test Copilot Chatbot from Copilot Studio

Then, ask some questions about the document you have stored in your SharePoint Online document library.

Ask Questions in Copilot Studio Chatbot

I asked, “What is the REST API?” and got the answer with the citation link references. Below is a sample document about the REST API stored on my SharePoint Online site. The generative AI of Copilot scanned this document and generated the above answer.

Copilot Studio Chatbot Demo Test

Summary: Configure Authentication in Microsoft Copilot Studio

Thus, in this article, we have learned about how to configure authentication in Microsoft Copilot Studio with the help of app registration in Azure Portal and tested the Copilot Chatbot demo successfully.

Configuring authentication in Microsoft Copilot Studio is a critical aspect of project development. By following this comprehensive guide, developers can ensure that their applications are not only efficient and collaborative but also fortified against potential security vulnerabilities. Embrace the power of secure authentication to build robust and resilient projects in Copilot Studio.
