November 1st, 2024

Allow your customers to access your copilots by integrating Copilot Studio with Microsoft Entra External ID

Providing secure and seamless access to applications is essential, especially when those applications leverage the power of AI-driven copilots. Copilot Studio is an innovative platform that allows you to create and customize AI copilots. However, if you’re trying to allow customers to access your Copilot-powered apps through Microsoft Entra External ID, you’ve probably noticed that there is no out-of-the-box integration.

Using the Generic OAUTH 2.0 service provider option within Copilot, this tutorial will guide you step-by-step on how to integrate Copilot and Microsoft Entra External ID—ensuring your customers can securely access your Copilot-powered applications.

Prerequisites

Before we dive in, make sure you have the following prerequisites in place:

Step 1: Obtain the redirect URL for the Copilot Studio chat bot

In Copilot Studio, select the appropriate copilot and navigate to Settings > Security > Authentication.

  • Select Authenticate manually.
  • Make sure that the Require users to sign in option is selected.
  • Click Copy, and save the redirect URL for use in the next steps.

redirect url for copilot studio chat bot

Step 2: Configure Microsoft Entra External ID

Now that you have the redirect URL, it’s time to set up and configure Microsoft Entra External ID.

Navigate to the Microsoft Entra Admin Center, click Applications and then select ‘App registrations’.

  • Register an app using the redirect URL obtained in the previous step. Refer to our docs for quickstart guidance on registering an app.
    • For Account type, select ‘Accounts in this organizational directory only’.
    • Select ‘Web Platform’, and make sure you use the redirect URL obtained in Step 1.

screenshot

  • Create a secret following the “Add Credentials” section in the quick start guide on registering an app. Copy it for use later.

  • Once the app is registered, copy and save the ‘client id’, ‘tenant name’, and ‘tenant id’ for the next step.

Step 3: Configure Authentication settings in Copilot Studio

For this step, make sure that the redirect URL from Step 1 is URL encoded as shown below (you can copy and paste the below).

http%3A%2F%2Ftoken.botframework.com%2F.auth%2Fweb%2Fredirect

Let’s configure the Authentication options within Copilot Studio.

  • Go to Settings > Security > Authentication
  • Select Authenticate Manually
  • Select the Require users to sign in option.

copilot studio authentication options

  • Redirect URL: Make sure this is the redirect URL from Step 1 (unencoded).
  • Service Provider: Select ’Generic OAuth2’.
  • Client ID: Use the client id obtained from the app registration in the previous step.
  • Client Secret: Use the client secret obtained from the app registration in the previous step.
  • Scope List Delimiter: use a comma (,).
  • Authorization URL Template: Replace the ‘tenant name’ and ‘tenant id’ to obtain the value.

The Authorization URL template should look like the below.

https://<<TenantName>>.ciamlogin.com/<<TenantName>>.onmicrosoft.com/oauth2/v2.0/authorize
  • Authorization URL query string template: Replace <<ClientId>> with the ‘client id’ obtained from the app registration in the previous step. Replace <<RedirectUri>> with the encoded value, as outlined above.

See code sample:

?client_id=<<ClientId>>&redirect_uri=<<RedirectUri>>&scope=openid%20profile&response_type=code&state={state}

Note: Make sure to include the state={state} as shown above. Do not replace {state} with any value as this will be done automatically.

  • Token URL template: Replace the ‘tenant name’ and ‘tenant id’ to obtain the value.

The token URL template should look like the below.

https://<<TenantName>>.ciamlogin.com/<<TenantName>>.onmicrosoft.com/oauth2/v2.0/token
  • Token URL query string template: use a question mark (?).

  • Token body template: Replace <<ClientId>> with the ‘client id’ obtained from the app registration. Replace <<RedirectUri>> with the encoded value, as outlined above.

See code sample.

client_id=<<ClientId>>&redirect_uri=<<RedirectUri>>&grant_type=authorization_code&code={code}
  • Refresh URL template: Replace the ‘tenant name’ to obtain the value.

The refresh URL template should look like the below.

https://<<TenantName>>.ciamlogin.com//<<TenantName>>.onmicrosoft.com/oauth2/v2.0/token
  • Refresh URL query string template: use a question mark (?).

  • Refresh body template: Replace <<ClientId>> with the ‘client id’ obtained from the app registration in the previous step. Replace <<RedirectUri>> with the encoded value, as outlined above.

See code sample.

client_id=<<ClientId>>&redirect_uri=<<RedirectUri>>&grant_type=refresh_token&refresh_token={refresh_token}

Step 4: Test the Integration

  • Visit the bot’s demo website and click Login.

bot demo website login

  • Log in via External ID
    • Use any of the available authentication options provided by External ID, such as username and password, email OTP, Facebook, or Google.

external id login

  • After logging in, you will be redirected to a validation code page. Copy the code generated.

sign in validation code page

  • Return to Copilot Studio’s authentication process and enter the code validator provided in previous step.

copilot studio code validator authentication process

Let’s recap

Congratulations! You’ve successfully integrated Copilot Studio with Microsoft Entra External ID using the Generic OAuth 2.0 service provider. By following the steps in this tutorial, you’ve enabled external users to securely access your copilot-powered applications.

If you found this tutorial helpful or have questions and feedback, feel free to leave a comment below. You can also use our feedback form to share your thoughts and suggest new features to enhance External ID. We also encourage you to join our research panel to receive invites to participate in customer research.

To learn more and test out features in the Microsoft Entra portfolio, visit our developer center. Make sure you subscribe to the Identity developer blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.

Author

3 comments

  • KP

    Is it possible to create a step by step guide SSO with a Custom Agent that uses the Teams channel and that uses the ServiceNow prebuilt actions.
    I trying to have the action use the users context so who ever engages the Agent it utilises that users access permissions to only surface what they have access too.

  • Aryman Deshwal

    Hi, Thank you for the excellent guide. I just had one question, is it possible to somehow bypass the validation code step? So, the user just has to login into their microsoft account and the copilot just works.

    • Fabian AlvesMicrosoft employee Author · Edited

      Hi Aryman Deshwal,

      Thank you for your kind words about the guide! I'm glad you found it helpful.

      Regarding your question, the current integration does indeed require the validation code step as part of the login process. We understand that this can create some friction for users. However, we are planning to create an out-of-the-box integration between Copilot Studio and EEID that will streamline this process and improve the overall user experience.

      Regards

      Read more