{"id":1543,"date":"2025-02-28T09:44:41","date_gmt":"2025-02-28T17:44:41","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/powerplatform\/?p=1543"},"modified":"2025-02-28T09:44:41","modified_gmt":"2025-02-28T17:44:41","slug":"integrate-copilot-studio-agents-with-microsoft-entra-external-id-to-give-your-customers-access","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powerplatform\/integrate-copilot-studio-agents-with-microsoft-entra-external-id-to-give-your-customers-access\/","title":{"rendered":"Integrate Copilot Studio agents with Microsoft Entra External ID to give your customers access"},"content":{"rendered":"<p>Ensuring secure and seamless access to applications is crucial, especially when utilizing AI-driven agents. Copilot Studio is a cutting-edge platform that enables you to create and customize AI agents. However, integrating customer access to your Copilot Studio agents via Microsoft Entra External ID isn&#8217;t straightforward out of the box.<\/p>\n<p>This tutorial video walks you through the process of integrating Copilot Studio agents with Microsoft Entra External ID using the Generic OAuth 2.0 service provider option, ensuring your customers can securely log in to your agents. The steps are also written out below.<\/p>\n<p><iframe title=\"Connect customers to agents securely with Microsoft Entra External ID and Copilot Studio integration\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/BLyME148rYQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<h2>How to enable External ID on your Copilot Studio agents<\/h2>\n<h4>Prerequisites<\/h4>\n<ul>\n<li>A <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-copilot\/microsoft-copilot-studio\">Copilot Studio<\/a> account <\/li>\n<li>A published agent on Copilot Studio. 
If you don\u2019t have one, <a href=\"https:\/\/learn.microsoft.com\/microsoft-copilot-studio\/fundamentals-get-started?tabs=web\">create an agent<\/a> on Copilot Studio.<\/li>\n<li>An external tenant on <a href=\"https:\/\/entra.microsoft.com\/#home\">Microsoft Entra Admin Center<\/a>. \n<ul>\n<li>If you don\u2019t have one,\u202fcreate an external tenant\u202fwith an Azure subscription. <\/li>\n<\/ul>\n<\/li>\n<li>Ensure you have the <a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/role-based-access-control\/permissions-reference#cloud-application-administrator\">Cloud Application Administrator<\/a> role on Microsoft Entra.<\/li>\n<\/ul>\n<h4>Get the redirect URL for the Copilot Studio agent<\/h4>\n<p>Now that you have your agent running, let\u2019s set up sign in for your customers by first getting the redirect URL. A redirect URI is the location where the Microsoft identity platform redirects a user&#8217;s client and sends security tokens after authentication.<\/p>\n<ol>\n<li>Navigate to your agent then <strong>Settings > Security > Authentication<\/strong>.<\/li>\n<li>Since there is no out of the box integration, we will manually set up authentication by selecting <strong>Authenticate manually<\/strong>. <\/li>\n<li>Make sure the <strong>Require users to sign in<\/strong> option is selected. <\/li>\n<li>\n<p>Copy the <strong>Redirect URL<\/strong>. 
This will be used to configure the Microsoft Entra External ID integration.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/Auth.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/Auth-1024x599.png\" alt=\"Image Auth\" width=\"1024\" height=\"599\" class=\"aligncenter size-large wp-image-1554\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/Auth-1024x599.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/Auth-300x176.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/Auth-768x449.png 768w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/Auth.png 1092w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<\/li>\n<\/ol>\n<h4>Create an app registration on Microsoft Entra<\/h4>\n<p>Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around. Once created, the application object cannot be moved between different tenants.<\/p>\n<ol>\n<li>Navigate to the <a href=\"https:\/\/entra.microsoft.com\/#home\">Microsoft Entra Admin Center<\/a>. Under <strong>Identity<\/strong>, click <strong>Applications<\/strong> and then select <strong>App registrations<\/strong>. (Make sure you are on the external tenant.)<\/li>\n<li>\n<p>To create a new app registration, select the <strong>New registration<\/strong> option. 
Select an existing tenant to use from the drop-down, or select <strong>Create new<\/strong> to create a new <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/customers\/quickstart-tenant-setup\">external tenant<\/a>.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appreg.jpg-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appreg.jpg-1-1024x965.png\" alt=\"Image appreg jpg\" width=\"1024\" height=\"965\" class=\"aligncenter size-large wp-image-1575\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appreg.jpg-1-1024x965.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appreg.jpg-1-300x283.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appreg.jpg-1-768x724.png 768w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appreg.jpg-1-24x24.png 24w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appreg.jpg-1.png 1092w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<\/li>\n<li>\n<p>Enter a display <strong>Name<\/strong> for your application. Users of your application might see the display name when they use the app, for example during sign-in.<\/p>\n<\/li>\n<li>\n<p>Specify who can use the application, sometimes called its <strong>sign-in audience<\/strong>. In our case, since we want our customers to sign in, under <strong>Account type<\/strong>, select \u2018Accounts in this organizational directory only\u2019.<\/p>\n<\/li>\n<li>\n<p>In the Redirect URL section, select \u2018Web Platform\u2019 then paste the Redirect URL copied from Step 1. 
Then click <strong>Register<\/strong>.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/registerapp.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/registerapp-1024x815.png\" alt=\"Image registerapp\" width=\"1024\" height=\"815\" class=\"aligncenter size-large wp-image-1576\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/registerapp-1024x815.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/registerapp-300x239.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/registerapp-768x611.png 768w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/registerapp.png 1092w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<\/li>\n<li>\n<p>Once the app registration is done, you will be directed to the registered app, where you\u2019ll see the details below.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appregistered.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appregistered-1024x520.png\" alt=\"Image appregistered\" width=\"1024\" height=\"520\" class=\"aligncenter size-large wp-image-1577\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appregistered-1024x520.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appregistered-300x152.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appregistered-768x390.png 768w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/appregistered.png 1430w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<\/li>\n<li>\n<p>Next, let\u2019s add client credentials by clicking \u2018<strong>Add a certificate or secret<\/strong>\u2019 under Client credentials or selecting <strong>Certificates &amp; secrets<\/strong> under Manage. Then click <strong>New client secret<\/strong>. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime. A client secret, sometimes called an application password, is a string value your app can use in place of a certificate to identify itself.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/certsandsecrets.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/certsandsecrets-1024x447.png\" alt=\"Image certsandsecrets\" width=\"1024\" height=\"447\" class=\"aligncenter size-large wp-image-1578\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/certsandsecrets-1024x447.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/certsandsecrets-300x131.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/certsandsecrets-768x335.png 768w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/certsandsecrets.png 1430w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<\/li>\n<li>\n<p>Add a description for your client secret and select an expiration period for the secret. Then select <strong>Add<\/strong>. The client secret is now added. 
Copy the secret\u2019s value for use in the Copilot Studio agent.<\/p>\n<\/li>\n<li>\n<p>Copy and save the <strong>Application (client) ID, Directory (tenant) ID<\/strong> and <strong>tenant name<\/strong> for the next step.<\/p>\n<\/li>\n<\/ol>\n<h4>Configure authentication settings on Copilot Studio<\/h4>\n<p>Now that we have registered the app on Microsoft Entra, let\u2019s enter the details copied from Microsoft Entra into our Copilot Studio agent.<\/p>\n<ol>\n<li>Navigate back to your agent then <strong>Settings > Security > Authentication<\/strong>.<\/li>\n<li>Select <strong>Authenticate Manually<\/strong>.<\/li>\n<li>\n<p>Fill in the remaining fields with the values below. Make sure to replace <span style=\"color: red\">TENANTNAME<\/span> and <span style=\"color: red\">CLIENTID<\/span> with the actual names and values from Step 2.<\/p>\n<ul>\n<li><strong>Service provider<\/strong>: Generic OAuth 2<\/li>\n<li><strong>Client ID<\/strong>: Paste the client ID copied from step 2<\/li>\n<li><strong>Client secret<\/strong>: Paste the client secret copied from step 2 <\/li>\n<li><strong>Scope list delimiter<\/strong>: use a comma (,)<\/li>\n<li>\n<p><strong>Authorization URL template<\/strong>: https:\/\/<span style=\"color: red\">TENANTNAME<\/span>.ciamlogin.com\/<span style=\"color: red\">TENANTNAME<\/span>.onmicrosoft.com\/oauth2\/v2.0\/authorize<\/p>\n<\/li>\n<li>\n<p><strong>Authorization URL query string template<\/strong>: ?client_id=<span style=\"color: red\">CLIENTID<\/span>&amp;redirect_uri=https%3A%2F%2Ftoken.botframework.com%2F.auth%2Fweb%2Fredirect&amp;scope=openid%20profile&amp;response_type=code&amp;state={state}<\/p>\n<\/li>\n<li>\n<p><strong>Token URL template<\/strong>: https:\/\/<span style=\"color: red\">TENANTNAME<\/span>.ciamlogin.com\/<span style=\"color: red\">TENANTNAME<\/span>.onmicrosoft.com\/oauth2\/v2.0\/token<\/p>\n<\/li>\n<li>\n<p><strong>Token URL query string template<\/strong>: use a question mark 
(?)<\/p>\n<\/li>\n<li>\n<p><strong>Token body template<\/strong>: client_id=<span style=\"color: red\">CLIENTID<\/span>&amp;redirect_uri=https%3A%2F%2Ftoken.botframework.com%2F.auth%2Fweb%2Fredirect&amp;grant_type=authorization_code&amp;code={code}<\/p>\n<\/li>\n<li>\n<p><strong>Refresh URL template<\/strong>: https:\/\/<span style=\"color: red\">TENANTNAME<\/span>.ciamlogin.com\/<span style=\"color: red\">TENANTNAME<\/span>.onmicrosoft.com\/oauth2\/v2.0\/token<\/p>\n<\/li>\n<li>\n<p><strong>Refresh URL query string template<\/strong>: use a question mark (?)<\/p>\n<\/li>\n<li>\n<p><strong>Refresh body template<\/strong>: client_id=<span style=\"color: red\">CLIENTID<\/span>&amp;redirect_uri=https%3A%2F%2Ftoken.botframework.com%2F.auth%2Fweb%2Fredirect&amp;grant_type=refresh_token&amp;refresh_token={refresh_token}<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h4>Test the integration<\/h4>\n<ol>\n<li>\n<p>Publish the agent, navigate to the demo website, and click Login.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/agent.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/agent-248x300.png\" alt=\"Image agent\" width=\"248\" height=\"300\" class=\"alignright size-medium wp-image-1579\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/agent-248x300.png 248w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/agent.png 715w\" sizes=\"(max-width: 248px) 100vw, 248px\" \/><\/a><\/p>\n<\/li>\n<li>\n<p>This will take you to the External ID login page as shown below.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/signin.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/signin-300x229.png\" alt=\"Image signin\" 
width=\"300\" height=\"229\" class=\"alignright size-medium wp-image-1580\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/signin-300x229.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/signin-768x586.png 768w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/signin.png 1006w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<\/li>\n<li>\n<p>After logging in, you will be redirected to a validation code page. Copy the code generated.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/validationcode.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/validationcode-300x88.png\" alt=\"Image validationcode\" width=\"300\" height=\"88\" class=\"alignright size-medium wp-image-1581\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/validationcode-300x88.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/validationcode.png 713w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<\/li>\n<li>\n<p>Return to the Copilot Studio agent\u2019s authentication prompt and enter the validation code from the previous step.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/copilotstudioagent.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/copilotstudioagent-252x300.png\" alt=\"Image copilotstudioagent\" width=\"252\" height=\"300\" class=\"alignright size-medium wp-image-1582\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/copilotstudioagent-252x300.png 252w, 
https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2025\/02\/copilotstudioagent.png 684w\" sizes=\"(max-width: 252px) 100vw, 252px\" \/><\/a><\/p>\n<\/li>\n<\/ol>\n<p>Now your customers can access your Copilot Studio agents.<\/p>\n<p>Explore other ways of integrating Microsoft Entra External ID, share your feedback with us, and check out our YouTube playlist \u2018<a href=\"https:\/\/www.youtube.com\/watch?v=wagvRLJy40I&amp;list=PLlrxD0HtieHhL0PwUew_ogYMEH7Wyfldm\">Identity for developers<\/a>\u2019 to learn more about other integrations.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to integrate Copilot Studio agents with Microsoft Entra External ID using the Generic OAuth 2.0 service provider option, ensuring your customers can securely log in to your agents.<\/p>\n","protected":false},"author":81671,"featured_media":1632,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[58,49,64],"class_list":["post-1543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powerplatform","tag-agents","tag-copilot-studio","tag-microsoft-entra"],"acf":[],"blog_post_summary":"<p>Learn how to integrate Copilot Studio agents with Microsoft Entra External ID using the Generic OAuth 2.0 service provider option, ensuring your customers can securely log in to your 
agents.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/posts\/1543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/users\/81671"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/comments?post=1543"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/posts\/1543\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/media\/1632"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/media?parent=1543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/categories?post=1543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/tags?post=1543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}