Share via

Set up Microsoft authentication for Copilot Studio Kit testing

This article provides an overview of the agent test framework and step-by-step instructions to set up Microsoft authentication for testing Copilot Studio agents using the Agent Test Runner Power Apps Component Framework (PCF).

Architecture

Microsoft authentication provides a streamlined, browser-to-Agent SDK architecture that's optimized for testing scenarios. This approach enables secure communication between your test environment and Copilot Studio agents without requiring additional authentication infrastructure.

Flow architecture

The following sequence diagram illustrates the authentication and test execution flow.

Diagram illustrating the browser-to-Agent SDK architecture for authentication and testing.

Component architecture

The following diagram illustrates the key components involved in the Microsoft authentication flow for the Agent Test Runner.

Diagram illustrating the key components involved in the test flow including the browser environment, Power Platform services, and authentication services.

Set up Microsoft authentication

The setup process involves configuring Azure Active Directory app registration, obtaining agent identifiers from Copilot Studio, and creating a configuration record in Dataverse.

Azure portal

In Azure portal, create an app registration, add the redirect URL, and configure API permissions.

Note

If you have tenant administration rights, you can configure API permissions. Otherwise, you need to ask a tenant administrator to do it for you.

  1. Create an app registration in Azure portal.

    Be sure to copy both the Application (client) ID and the Directory (tenant) ID. You can get these values from the Overview page.

  2. Configure API permissions in Azure portal:

    1. In your app registration, go to API permissions.

    2. Select Add a permission.

    3. Select the APIs my organization uses tab.

    4. Search for Power Platform API.

      Note

      If you don't see Power Platform API in the list, you need to add the API to your tenant. Follow the instructions at Power Platform API Authentication Step 2.

    5. Select Delegated permissions.

    6. Under CopilotStudio, select CopilotStudio.Copilots.Invoke.

    7. Select Add permissions.

    8. Grant admin consent by selecting Grant admin consent for <your organization>. If the button isn't available, you might need to ask a tenant administrator to do it for you.

  3. Add the redirect URL including configure token settings in Azure portal:

    1. Go to Authentication in your app registration.

    2. Under Platform configurations, select Add a platform.

    3. Select Single-page application.

    4. Enter your Environment URL using the format: https://[your-org].crm.dynamics.com

    5. Select both Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows).

    6. Select Configure.

    7. Confirm that the Supported account types is set to Accounts in this organizational directory only.

Copilot Studio and Dataverse

In Copilot Studio, obtain your agent's Environment ID and Agent Identifier to create an Agent Configuration record in Dataverse.

  1. In Copilot Studio:

    1. Verify that you're in the correct environment.

    2. Select the agent you want to test and make sure that it's published.

    3. From Settings, select Advanced > Metadata.

    4. Copy the values for Environment ID and Schema name. The schema name is your Agent Identifier and uses the format cr123_agentname.

  2. Create an Agent Configuration record in Dataverse with the values from the previous steps:

    Field Value Example
    User Authentication Microsoft Authentication
    Client ID Application (client) ID from step 1 under Azure portal. 12345678-1234-1234-1234-123456789012
    Tenant ID Directory (tenant) ID from step 1 under Azure portal. 87654321-4321-4321-4321-210987654321
    Environment ID Environment ID from the previous step. 11111111-2222-3333-4444-555555555555
    Agent Identifier Schema name from the previous step. cr123_testagent

Troubleshooting

This section provides troubleshooting steps for common errors you might encounter.

Authentication errors

Error: "AADSTS50011: The reply URL specified in the request does not match"

  • Cause: Redirect URI mismatch in Azure App registration.

  • Solution:

    1. In Azure portal, go to App registrations and select Manage > Authentication.
    2. Ensure the Redirect URI matches your Environment URL exactly.
    3. Use the format: https://[your-org].crm.dynamics.com

Error: "AADSTS65001: The user or administrator has not consented"

  • Cause: Missing API permissions or admin consent.

  • Solution:

    1. In Azure portal, go to App registrations and select Manage > API permissions.
    2. Ensure CopilotStudio.Copilots.Invoke permission is added.
    3. Select Grant admin consent.

Sign-in popup appears every time

  • Cause: Account not being cached or browser settings preventing token storage.

  • Solution:

    1. Ensure your browser allows popup windows for your Dynamics domain.
    2. Verify that your browser is in incognito or private mode.
    3. Verify that your browser isn't blocking third-party cookies.
    4. Clear the browser cache and try again.
    5. Check if organization policies are forcing re-authentication.

Error: "InteractionRequiredAuthError" in browser console

  • Cause: Normal behavior when silent authentication fails and interactive sign-in is triggered.

  • Expected behavior:

    • This error occurs when silent authentication fails.
    • The system automatically displays the sign-in popup.

  • Action Required: None.

Agent SDK errors

Error: "404 Not Found - Agent not found"

  • Cause: Incorrect Agent Identifier or Environment ID.

  • Solution:

    1. Verify the Agent Identifier (Schema name) in Copilot Studio under Settings > Advanced > Metadata.
    2. Ensure the Environment ID matches the environment where the agent is published.
    3. Confirm the agent is published and accessible.

Error: "401 Unauthorized"

  • Cause: Authentication token issues.

  • Solution:

    1. Check if user has access to the Copilot Studio environment.
    2. Verify Azure app registration permissions.
    3. Clear the browser cache and retry authentication.

Error: "403 Forbidden"

  • Cause: Insufficient permissions to access agent.

  • Solution:

    1. Ensure user has appropriate security roles in Dataverse.
    2. Check if the agent allows the user's security role.
    3. Verify environment permissions.

Agent Test Runner control errors

Error: "Failed to initialize authentication service"

  • Cause: Invalid configuration in Agent Configuration record.

  • Solution:

    1. Verify all four configuration values are correct:
      • Client ID
      • Tenant ID
      • Environment ID
      • Agent Identifier
    2. Check for extra spaces or invalid characters.

Error: "External service call blocked"

  • Cause: Missing external-service-usage.

  • Solution:

    • For end users in model-driven apps:
      • This error typically indicates a deployment or configuration issue.
      • Contact your system administrator or developer.
      • No user action can resolve this issue, as it requires admin or developer intervention.
    • For system administrators:
      • Check if organizational security policies block external calls.
      • Ensure firewall and proxy settings allow connections to required Microsoft domains.

Network and CORS errors

Error: "CORS policy: No 'Access-Control-Allow-Origin' header"

  • Cause: Cross-origin request blocked.

  • Solution:

    1. Ensure redirect URI in Azure matches exact domain.
    2. Use HTTPS for all URLs.
    3. Verify that there are no mixed content (HTTP/HTTPS) issues.

Error: "Failed to fetch"

  • Cause: Network connectivity or firewall issues.

  • Solution:

    1. Check network connectivity to:
      • login.microsoftonline.com
      • api.powerplatform.com
    2. Verify firewall allows outbound HTTPS traffic.
    3. Check proxy settings if applicable.

Test execution errors

Error: "Test execution timeout"

  • Cause: Agent takes too long to respond.

  • Solution:

    1. Check agent performance in Copilot Studio.
    2. Verify agent is published and functioning.

Error: "Failed to create conversation"

  • Cause: Agent SDK initialization failed.

  • Solution:

    1. Verify agent is published.
    2. Check agent configuration in Copilot Studio.
    3. Ensure agent supports the test scenario.

Debugging tips

  1. Enable browser developer tools:

    • Press F12 to open developer tools.
    • Check the Console tab for JavaScript errors.
    • Check the Network tab for failed requests.

  2. Check authentication flow:

    • Monitor the Network tab during sign-in.
    • Look for 200 responses from login.microsoftonline.com.
    • Verify token acquisition in Console logs.

  3. Validate configuration:

    • Check all GUIDs and identifiers.
    • Ensure there are no extra spaces or special characters.
    • Verify environment and agent accessibility.

  4. Test in isolation:

    • Try the agent directly in Copilot Studio.
  • Last updated on