Enable user authentication in Copilot Studio Kit

Copilot Studio Kit supports testing custom agents with user authentication when you use Entra ID v2 as the service provider with SSO enabled. In summary, you create and configure the required applications in Azure portal and then create the agent configuration in Copilot Studio Kit.

To enable user authentication in Copilot Studio Kit:

  • Create an app registration specifically for Copilot Studio Kit authentication.
  • Create an app registration for Copilot Studio authentication.
  • Enable authentication for the Copilot Studio agent.
  • Create the agent configuration in Copilot Studio Kit with end user authentication enabled.
  • Link the applications so that Copilot Studio Kit can authenticate to Direct Line using Copilot Studio authentication.

Prerequisites

  • Install Copilot Studio Kit if you haven't already.
  • Have appropriate permissions in your Azure Active Directory tenant to create app registrations.

We suggest using the following values in the configuration steps that follow:

  • Copilot Studio Kit auth app: KitAuthApp
  • Copilot Studio auth app: CopilotStudioAuthApp
  • Copilot Studio scope: copilot.studio.scope

Create authentication application for Copilot Studio Kit

To create an authentication application for Copilot Studio Kit, follow the steps in Create an app registration in Microsoft Entra ID for your custom canvas. Note the extra steps.

You need to:

  1. Create the app registration in Microsoft Entra ID.

    (Recommended) Name the new application KitAuthApp.

    During the registration process, take note of the Directory (tenant) ID and Application (client) ID. You need these values later when creating an agent registration in Copilot Studio Kit and associating the Copilot Studio app with the Copilot Studio Kit app. You can always get these IDs from the Overview page for the app registration.

  2. Add the redirect URL.

    Be sure to point to your Dataverse environment URL; for example, https://<hostname>.crm.dynamics.com

  3. As an extra step, go to Certificates & secrets and create a new Client secret.

    (Recommended) Name the secret KitAuthApp secret.

    Store the value of this secret in a secure temporary file. You need it when you configure your agent's authentication later on.

  4. From API permissions, select Grant admin consent for <your tenant name>, and then select Yes. If the button isn't available, you might need to ask a tenant administrator to enter it for you.

Create authentication application for Copilot Studio

To create an authentication application for Copilot Studio, follow the steps in Configure user authentication with Microsoft Entra ID.

Take note of the recommended additional steps.

When creating the app registration:

  • Name the new application CopilotStudioAuthApp.

  • Under Supported account types, select Accounts in any organizational tenant (any Microsoft Entra ID directory - multitenant) and personal Microsoft accounts (for example, Skype, Xbox).

  • Take note of the Directory (tenant) ID and Application (client) ID. You need these values later when enabling end user authentication in Copilot Studio. You can always get these IDs from the Overview page for the app registration.

When configuring manual authentication:

  • Use client secrets rather than federated credentials. Take note of the Client secret value. Store it in a secure temporary file. You need it later when enabling end user authentication in Copilot Studio.

When defining a custom scope for your agent:

  • (Recommended) For Scope name, use copilot.studio.scope.

  • Take note of the full scope name under Scopes (format similar to api://xxx/copilot.studio.scope). You need this value later when enabling end user authentication in Copilot Studio.

  • Complete these additional steps:

    1. Select Add a client application.
    2. In Client ID, enter the Client ID of the KitAuthApp you created earlier.
    3. Verify that the scope in Authorized scopes is the one you created earlier (copilot.studio.scope). Select the check box for that scope.
    4. Select Add application.

Enable end user authentication on your custom agent

To enable end user authentication for your custom agent, follow these steps:

  1. In Copilot Studio, under Settings, select Security > Authentication.
  2. Select Authenticate manually.
  3. Leave on Require users to sign in.
  4. Don't change the Redirect URL. Make sure the Service provider is Azure Active Directory v2.
  5. For Client ID, enter the Client ID of CopilotStudioAuthApp.
  6. For Client secret, enter the Client secret created for CopilotStudioAuthApp.
  7. In Token exchange URL, enter the full name of the scope (format similar to api://xxx/copilot.studio.scope) created for CopilotStudioAuthApp.
  8. (Optional, required for SharePoint knowledge source) In Scopes, add Files.Read.All.
  9. (Optional, required for SharePoint knowledge source) In Scopes, add Sites.Read.All.
  10. Select Save, then select Save again in the dialog.
  11. Close Settings.
  12. Select Publish, then select Publish again in the dialog.

Create agent configuration with end user authentication enabled

To create an agent configuration with end user authentication enabled, follow these steps:

  1. Go to Copilot Studio Kit.
  2. Select Agents from the navigation.
  3. Select New.
  4. Enter a Name.
  5. From Configuration Type(s), select Test Automation.
  6. Fill out the Direct Line Settings. Enable Channel Security and enter the Direct Line secret.
  7. For User Authentication, select Entra ID v2.
  8. For Client ID, enter the Client ID of KitAuthApp.
  9. For Tenant ID, enter the Directory (tenant) ID of KitAuthApp.
  10. For Scope, enter the full scope name (format similar to api://xxx/copilot.studio.scope) created for CopilotStudioAuthApp.
  11. Select Save & Close.

You're now ready to test your agent with end user authentication enabled.
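
If a test run fails to sign in, inspecting the claims of an access token issued for this configuration shows whether the two app registrations are linked as described above. The following is an added example, not code from Copilot Studio Kit or Microsoft: the function names and the GUIDs are constructed placeholders, and it assumes the standard Entra ID access token claims aud, azp (appid in v1.0 tokens) and scp. It decodes the payload without verifying the signature, so it is a configuration check only.

```python
import base64
import json

# Constructed placeholder values, not real app registrations.
KIT_CLIENT_ID = "11111111-1111-1111-1111-111111111111"     # KitAuthApp
STUDIO_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # CopilotStudioAuthApp
FULL_SCOPE = f"api://{STUDIO_CLIENT_ID}/copilot.studio.scope"

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token; the signature segment is a dummy string.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": STUDIO_CLIENT_ID, "azp": KIT_CLIENT_ID,
             "scp": "copilot.studio.scope", "ver": "2.0"}),
    "constructed-signature",
])

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_link(claims, kit_client_id, studio_client_id, full_scope):
    """List mismatches between token claims and the values configured on this page."""
    app_id_uri, _, scope_name = full_scope.rpartition("/")
    problems = []
    if not app_id_uri.startswith("api://") or not scope_name:
        problems.append("Scope must be the full scope name (api://.../<scope>)")
    # Audience: the API's client ID (v2.0 tokens) or its App ID URI (v1.0 tokens).
    if claims.get("aud") not in (studio_client_id, app_id_uri):
        problems.append("aud is not CopilotStudioAuthApp")
    # Requesting client: 'azp' in v2.0 tokens, 'appid' in v1.0 tokens.
    if (claims.get("azp") or claims.get("appid")) != kit_client_id:
        problems.append("token was not issued to KitAuthApp")
    # 'scp' is a space-separated list of delegated scope names.
    if scope_name not in claims.get("scp", "").split():
        problems.append(f"scp does not contain {scope_name}")
    return problems

if __name__ == "__main__":
    for issue in check_link(decode_claims(SAMPLE_TOKEN), KIT_CLIENT_ID,
                            STUDIO_CLIENT_ID, FULL_SCOPE) or ["link looks consistent"]:
        print(issue)
```

An empty result means the token was issued to KitAuthApp for the CopilotStudioAuthApp scope; entering the two client IDs the wrong way round is reported as both an audience and a client mismatch.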