- \n
- If you don\u2019t have one, you can create one using our 30-day free trial<\/a> or create an external tenant<\/a> with an Azure subscription. <\/li>\n<\/ul>\n<\/li>\n
- An account with at least Cloud Application Administrator<\/a> role. <\/li>\n<\/ul>\n
Step 1: Obtain the redirect URL for the Copilot Studio chat bot<\/h2>\n
In Copilot Studio, select the appropriate copilot and navigate to Settings<\/strong> > Security<\/strong> > Authentication<\/strong>.<\/p>\n
- \n
- Select Authenticate manually<\/strong>.<\/li>\n
- Make sure that the Require users to sign in<\/strong> option is selected. <\/li>\n
- Click Copy<\/strong>, and save the redirect URL for use in the next steps. <\/li>\n<\/ul>\n
![\"redirect](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Copilot-studio-settings.png\")
<\/p>\nStep 2: Configure Microsoft Entra External ID<\/h2>\n
Now that you have the redirect URL, it\u2019s time to set up and configure Microsoft Entra External ID.<\/p>\n
Navigate to the Microsoft Entra Admin Center<\/a>, click Applications<\/strong> and then select \u2018App registrations\u2019.<\/p>\n
- \n
- Register an app using the redirect URL obtained in the previous step. Refer to our docs for quickstart guidance on registering an app<\/a>. \n
- \n
- For Account type<\/strong>, select \u2018Accounts in this organizational directory only\u2019. <\/li>\n
- Select \u2018Web Platform\u2019, and make sure you use the redirect URL obtained in Step 1. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
![\"screenshot\"](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/10\/Redirect-uri-information.png\")
<\/p>\n- \n
- \n
Create a secret following the \u201cAdd Credentials\u201d section in the quick start guide on registering an app<\/a>. Copy it for use later.<\/p>\n<\/li>\n
- \n
Once the app is registered, copy and save the \u2018client id\u2019, \u2018tenant name\u2019, and \u2018tenant id\u2019 for the next step.<\/p>\n<\/li>\n<\/ul>\n
Step 3: Configure Authentication settings in Copilot Studio<\/h2>\n
For this step, make sure that the redirect URL from Step 1 is URL encoded as shown below (you can copy and paste the below).<\/p>\n
http%3A%2F%2Ftoken.botframework.com%2F.auth%2Fweb%2Fredirect\n<\/code><\/pre>\nLet\u2019s configure the Authentication options within Copilot Studio.<\/p>\n
- \n
- Go to Settings<\/strong> > Security<\/strong> > Authentication<\/strong> <\/li>\n
- Select Authenticate Manually<\/strong> <\/li>\n
- Select the Require users to sign in<\/strong> option. <\/li>\n<\/ul>\n
<\/p>\n- \n
- Redirect URL:<\/strong> Make sure this is the redirect URL from Step 1 (unencoded). <\/li>\n
- Service Provider:<\/strong> Select \u2019Generic OAuth2\u2019. <\/li>\n
- Client ID:<\/strong> Use the client id obtained from the app registration in the previous step. <\/li>\n
- Client Secret:<\/strong> Use the client secret obtained from the app registration in the previous step. <\/li>\n
- Scope List Delimiter:<\/strong> use a comma (,). <\/li>\n
- Authorization URL Template:<\/strong> Replace the ‘tenant name’ and ‘tenant id’ to obtain the value.<\/li>\n<\/ul>\n
The Authorization URL template should look like the below.<\/p>\n
https:\/\/<<TenantName>>.ciamlogin.com\/<<TenantName>>.onmicrosoft.com\/oauth2\/v2.0\/authorize\n<\/code><\/pre>\n- \n
- Authorization URL query string template:<\/strong> Replace
<<ClientId>><\/code> with the ‘client id’ obtained from the app registration in the previous step. Replace<<RedirectUri>><\/code> with the encoded value, as outlined above.<\/li>\n<\/ul>\nSee code sample:<\/p>\n
?client_id=<<ClientId>>&redirect_uri=<<RedirectUri>>&scope=openid%20profile&response_type=code&state={state}\n<\/code><\/pre>\n\n
Note:<\/strong> Make sure to include the state={state} as shown above. Do not replace {state} with any value as this will be done automatically.<\/p>\n<\/blockquote>\n
- \n
- Token URL template:<\/strong> Replace the ‘tenant name’ and ‘tenant id’ to obtain the value.<\/li>\n<\/ul>\n
The token URL template should look like the below.<\/p>\n
https:\/\/<<TenantName>>.ciamlogin.com\/<<TenantName>>.onmicrosoft.com\/oauth2\/v2.0\/token\n<\/code><\/pre>\n- \n
- \n
Token URL query string template:<\/strong> use a question mark (?).<\/p>\n<\/li>\n
- \n
Token body template:<\/strong> Replace
<<ClientId>><\/code> with the ‘client id’ obtained from the app registration. Replace<<RedirectUri>><\/code> with the encoded value, as outlined above.<\/p>\n<\/li>\n<\/ul>\nSee code sample.<\/p>\n
client_id=<<ClientId>>&redirect_uri=<<RedirectUri>>&grant_type=authorization_code&code={code}\n<\/code><\/pre>\n- \n
- Refresh URL template:<\/strong> Replace the ‘tenant name’ to obtain the value.<\/li>\n<\/ul>\n
The refresh URL template should look like the below.<\/p>\n
https:\/\/<<TenantName>>.ciamlogin.com\/\/<<TenantName>>.onmicrosoft.com\/oauth2\/v2.0\/token\n<\/code><\/pre>\n- \n
- \n
Refresh URL query string template:<\/strong> use a question mark (?).<\/p>\n<\/li>\n
- \n
Refresh body template:<\/strong> Replace
<<ClientId>><\/code> with the ‘client id’ obtained from the app registration in the previous step. Replace<<RedirectUri>><\/code> with the encoded value, as outlined above.<\/p>\n<\/li>\n<\/ul>\nSee code sample.<\/p>\n
client_id=<<ClientId>>&redirect_uri=<<RedirectUri>>&grant_type=refresh_token&refresh_token={refresh_token}\n<\/code><\/pre>\nStep 4: Test the Integration<\/h2>\n
- \n
- Visit the bot\u2019s demo website and click Login<\/strong>.<\/li>\n<\/ul>\n
![\"bot](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/10\/Bot-demo-website-login.png\")
<\/p>\n- \n
- Log in via External ID \n
- \n
- Use any of the available authentication options provided by External ID, such as username and password, email OTP, Facebook, or Google. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
![\"external](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/10\/External-id-login.png\")
<\/p>\n- \n
- After logging in, you will be redirected to a validation code page. Copy the code generated. <\/li>\n<\/ul>\n
![\"sign](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/10\/Sign-in-validation-code-screen.png\")
<\/p>\n- \n
- Return to Copilot Studio\u2019s authentication process and enter the code validator provided in previous step. <\/li>\n<\/ul>\n
![\"copilot](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/10\/Copilot-studio-code-validator-authentication-process.png\")
<\/p>\nLet\u2019s recap<\/h2>\n
Congratulations! You\u2019ve successfully integrated Copilot Studio with Microsoft Entra External ID using the Generic OAuth 2.0 service provider. By following the steps in this tutorial, you\u2019ve enabled external users to securely access your copilot-powered applications.<\/p>\n
If you found this tutorial helpful or have questions and feedback, feel free to leave a comment below. You can also use our feedback form to share your thoughts and suggest new features<\/a> to enhance External ID. We also encourage you to join our research panel<\/a> to receive invites to participate in customer research.<\/p>\n
To learn more and test out features in the Microsoft Entra portfolio, visit our\u202fdeveloper center<\/a>. Make sure you subscribe to the\u202fIdentity developer blog<\/a> for more insights and to keep up with the latest on all things Identity. And, follow us on\u202fYouTube<\/a> for video overviews, tutorials, and deep dives.<\/p>\n","protected":false},"excerpt":{"rendered":"
Learn how to securely integrate Microsoft Entra External ID with Copilot-powered applications in this step-by-step tutorial. Using the Generic OAuth 2.0 service provider in Copilot Studio, this guide shows you how to grant customers seamless access to your AI copilots.<\/p>\n","protected":false},"author":161557,"featured_media":2087,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[48],"tags":[59,38,44,65,16,46],"class_list":["post-2085","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","tag-ai","tag-authentication","tag-authorization","tag-copilot-studio","tag-entra","tag-entra-id"],"acf":[],"blog_post_summary":"
Learn how to securely integrate Microsoft Entra External ID with Copilot-powered applications in this step-by-step tutorial. Using the Generic OAuth 2.0 service provider in Copilot Studio, this guide shows you how to grant customers seamless access to your AI copilots.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/2085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/users\/161557"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/comments?post=2085"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/posts\/2085\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media\/2087"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/media?parent=2085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/categories?post=2085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/identity\/wp-json\/wp\/v2\/tags?post=2085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Return to Copilot Studio\u2019s authentication process and enter the code validator provided in previous step. <\/li>\n<\/ul>\n
- After logging in, you will be redirected to a validation code page. Copy the code generated. <\/li>\n<\/ul>\n
- Use any of the available authentication options provided by External ID, such as username and password, email OTP, Facebook, or Google. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Log in via External ID \n
- \n
- \n
- \n
- \n
- Token URL template:<\/strong> Replace the ‘tenant name’ and ‘tenant id’ to obtain the value.<\/li>\n<\/ul>\n
- Service Provider:<\/strong> Select \u2019Generic OAuth2\u2019. <\/li>\n
- Select Authenticate Manually<\/strong> <\/li>\n
- \n
- Select \u2018Web Platform\u2019, and make sure you use the redirect URL obtained in Step 1. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- For Account type<\/strong>, select \u2018Accounts in this organizational directory only\u2019. <\/li>\n
- Make sure that the Require users to sign in<\/strong> option is selected. <\/li>\n
- An account with at least Cloud Application Administrator<\/a> role. <\/li>\n<\/ul>\n