Dragon Copilot access token requirements using Microsoft Entra

Tip

If you're not using Microsoft Entra, see Dragon Copilot access token requirements using alternative identity providers. Dragon Copilot web app for mobile doesn't use Microsoft Entra access tokens.

Add Dragon Copilot permissions to your Microsoft Entra app registration

Prerequisites

You need your app to be registered in Microsoft Entra ID.

You need a user account with the global admin role in your Entra tenant.

Add Dragon Copilot to your app registration

  1. Sign in to Microsoft Graph Explorer using an account that has the global admin role in your tenant.

    Screenshot highlighting the Graph Explorer user account icon

  2. Make a POST request to https://graph.microsoft.com/v1.0/servicePrincipals.

    The body of the POST:

     {
       "appId": "40d36082-d340-492f-a5af-e42ef68f4b2b"
     }

    Screenshot demonstrating how to make a POST request in Graph Explorer

  3. Update your app registration to request the Dragon Copilot permissions.

    Screenshot indicating the app registration

  4. Request all of the available permissions.

    Screenshot showing the list of permissions to request

From the customer's tenant

Once your app registration is updated, you'll need to re-consent in the tenants that are used for end user login:

  1. Sign in to Microsoft Entra as a global administrator.

  2. Consent to the partner app registration created above:

    • Open the following URL in your browser and accept the permissions requested for the organization: https://login.microsoftonline.com/<customer tenant id>/v2.0/adminconsent?client_id=<PARTNER_CLIENT_ID>&scope=<PARTNER_CLIENT_ID>/.default

    • The EHR partner will provide you with their partner client ID.

Troubleshooting

If the admin consent URL displays an error that the service principal isn't found, you might need to add the Microsoft Dragon Services service principal to the customer tenant:

  1. Open a command prompt.

  2. Enter: az login or az login --allow-no-subscription

  3. Enter your global administrator credentials for the customer tenant.

  4. Enter: az ad sp create --id 40d36082-d340-492f-a5af-e42ef68f4b2b

Retry the customer consent steps above.

Access token requirements for Microsoft Entra

Access tokens generated by Microsoft Entra must meet the following requirements:

  • Must be in JSON web token (JWT) format conforming to RFC 7519.
  • The issuer (iss) claim must uniquely identify the partner. It can also identify the Microsoft customer.
  • JWT metadata must be available at /.well-known/openid-configuration.
  • The public portion of the signing keys must be available on the internet at /.well-known/jwks.json or specified in the openid-configuration via the jwks_uri property.
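The discovery checks that the four requirements above imply, written out as an added example; this is not code from the Dragon Copilot documentation or from Microsoft. It parses a token without trusting it, locates the issuer's openid-configuration from the iss claim rather than from anything inside the token, resolves the signing keys through jwks_uri (falling back to /.well-known/jwks.json), and selects the JWK whose kid matches the token header. The tenant id, key id, sample token and metadata documents are constructed placeholders embedded inline so the code runs offline; `metadata_for_issuer` and `fetch_json` are assumed hooks that in production would perform HTTPS GETs. It also assumes Entra signs access tokens with RS256 and therefore rejects every other alg. Signature verification itself is left to a JOSE library and is not implemented here.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_jwt(token):
    """Split a compact-serialised JWT into (header, payload) dicts.
    Nothing is trusted at this point: claims become usable only after the
    signature has been verified with a key from the issuer's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def select_signing_key(token, metadata_for_issuer, fetch_json, now=None,
                       allowed_algs=("RS256",)):
    """Return the JWK that must verify `token`, or raise ValueError when one
    of the requirements above is not met.

    metadata_for_issuer(iss) -> dict  loads the issuer's openid-configuration
    fetch_json(url) -> dict           loads a JSON document from a URL
    Assumption: Entra signs access tokens with RS256, so only that alg is
    accepted by default; 'none' and HMAC algs are rejected outright."""
    header, payload = parse_jwt(token)
    iss = payload.get("iss")
    if not iss:
        raise ValueError("no iss claim: the partner cannot be identified")
    # Metadata is located from iss (iss + /.well-known/openid-configuration),
    # never from a URL carried in the token, so a forged token cannot point
    # the verifier at a key set its author controls.
    metadata = metadata_for_issuer(iss)
    if metadata.get("issuer") != iss:
        raise ValueError("metadata issuer %r does not match iss %r" % (metadata.get("issuer"), iss))
    # Keys come from jwks_uri when the metadata names one, else the well-known path
    jwks_uri = metadata.get("jwks_uri") or iss.rstrip("/") + "/.well-known/jwks.json"
    if not jwks_uri.startswith("https://"):
        raise ValueError("jwks_uri must be an https URL")
    if header.get("alg") not in allowed_algs:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    kid = header.get("kid")
    keys = [k for k in fetch_json(jwks_uri).get("keys", [])
            if k.get("kid") == kid and k.get("kty") == "RSA"]
    if len(keys) != 1:
        raise ValueError("no unique RSA key with kid %r at %s" % (kid, jwks_uri))
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token has no exp claim or is expired")
    return keys[0]


def token_problem(token, metadata_for_issuer, fetch_json, now=None):
    """'' when the token passes the discovery checks, else the rejection reason."""
    try:
        select_signing_key(token, metadata_for_issuer, fetch_json, now)
    except ValueError as err:
        return str(err)
    return ""


# --- constructed sample data; none of these are real Entra values ---
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant id
SAMPLE_ISSUER = "https://login.microsoftonline.com/%s/v2.0" % SAMPLE_TENANT
SAMPLE_JWKS_URI = "https://login.microsoftonline.com/%s/discovery/v2.0/keys" % SAMPLE_TENANT
SAMPLE_DOCS = {
    SAMPLE_ISSUER + "/.well-known/openid-configuration": {
        "issuer": SAMPLE_ISSUER, "jwks_uri": SAMPLE_JWKS_URI},
    SAMPLE_JWKS_URI: {"keys": [{"kty": "RSA", "kid": "example-key-1", "use": "sig",
                                "n": "placeholder-modulus", "e": "AQAB"}]},
}


def sample_metadata(iss):
    # Offline stand-in for an HTTPS GET of iss + /.well-known/openid-configuration
    return SAMPLE_DOCS.get(iss + "/.well-known/openid-configuration", {})


def sample_fetch(url):
    return SAMPLE_DOCS.get(url, {})


def make_sample_token(iss=SAMPLE_ISSUER, kid="example-key-1", alg="RS256", exp=None):
    """Build a sample token; the signature segment is filler, which is fine
    here because this example stops before signature verification."""
    header = {"typ": "JWT", "alg": alg, "kid": kid}
    payload = {"iss": iss, "aud": "api://placeholder-resource",
               "exp": int(time.time()) + 3600 if exp is None else exp}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"signature-placeholder")])


if __name__ == "__main__":
    print(token_problem(make_sample_token(), sample_metadata, sample_fetch) or "discovery checks passed")
    print(token_problem(make_sample_token(alg="none"), sample_metadata, sample_fetch))
```

The returned JWK is what you hand to your JOSE library together with the token; the point of doing discovery this way is that the key set is always reached through the issuer's own metadata, so a token that names an unknown issuer, an unknown kid, or a non-RSA alg is rejected before any cryptography runs.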