Configure end-user authentication for actions

When creating a Copilot Studio action for an authenticated Copilot Studio project, you can enable end-user authentication, or supply a set of credentials for the agent to use on behalf of the user.

  • Select Agent author authentication if access to the service associated with the action is implicit, or for low-risk use cases. For example, use this authentication setting to find the phone number for the support team in a given zip code. OR when using a weather API to get the current forecast.
  • Select User authentication if you must restrict data access to specific groups or individuals in the user community. For example, use this authentication setting if the agent is meant to retrieve data that only the end user has access to, or to perform work on their behalf.

Creating connections

Users are prompted when they visit any dialog that uses a user action to log in to the experience. They are prompted as soon as the conversation begins, and they authenticate with the agent.

When users review the connections page, they can see the connection they need to configure for the action to complete a given dialog, and other connections your actions may require in the entire experience.

Completing the connection and returning to the conversation with the agent allows your end users to "retry" the action. It then completes with the end user's data access.

About data access and permission management

Copilot Studio does not store any credentials and reprompts end users for access if the token for access expires or is revoked on the service side. Additionally, they can manually access this connection page and refresh or revoke permissions once they are done talking to your agent.

Supported channels

The following table details the channels that currently support end user authentication for actions.

Channel Supported
Azure Bot Service channels Not supported
Custom Website Supported
Demo Website Not supported
Facebook Not supported
Microsoft Teams1 Supported
Mobile App Not supported
Omnichannel for Customer Service2 Supported

1 If you also have the Teams channel enabled, you need to follow the configuration instructions on the Configure single sign-on with Microsoft Entra ID for agents in Microsoft Teams documentation. Failing to configure the Teams single sign-on (SSO) settings as instructed on that page causes your users to always fail authentication when using the Teams channel.

2 Only the live chat channel is supported. For more information, see Configure handoff to Dynamics 365 Customer Service.