Configure single sign-on with Microsoft Entra ID

Copilot Studio supports single sign-on (SSO). SSO allows agents on your website to sign customers in if they're already signed in to the page or app where the agent is deployed.

For example, the agent is hosted on the corporate intranet or in an app that the user is already signed in to.

There are four main steps to configuring SSO for Copilot Studio:

  1. Create an app registration in Microsoft Entra ID for your custom canvas.

  2. Define a custom scope for your agent.

  3. Configure authentication in Copilot Studio to enable SSO.

  4. Configure your custom canvas HTML code to enable SSO.

Prerequisites

Note

To configure SSO using other OAuth 2.0 providers, see Configure single sign-on with generic OAuth providers.

Supported channels

The following table details the channels that currently support SSO. You can suggest support for extra channels at the Copilot Studio ideas forum.

Channel                              | Supported
Azure Bot Service channels           | Not supported
Custom Website                       | Supported
Demo Website                         | Not supported
Facebook                             | Not supported
Microsoft Teams [1]                  | Supported
Mobile App                           | Not supported
Omnichannel for Customer Service [2] | Supported

[1] If you also have the Teams channel enabled, you need to follow the configuration instructions on the Configure single sign-on with Microsoft Entra ID for agents in Microsoft Teams documentation. Failing to configure the Teams SSO settings as instructed on that page causes your users to always fail authentication when using the Teams channel.

[2] Only the live chat channel is supported. For more information, see Configure handoff to Dynamics 365 Customer Service.

Important

SSO is currently not supported when an agent has been either:

However, SSO is supported for an agent that has been published to a SharePoint website as an SPFx component.

Create app registrations for your custom website

To enable SSO, you need to create two separate app registrations:

  • An authentication app registration, which enables Microsoft Entra ID user authentication for your agent
  • A canvas app registration, which enables SSO for your custom web page

We don't recommend reusing the same app registration for both your agent and your custom website for security reasons.

  1. Follow the instructions in Configure user authentication with Microsoft Entra ID to create an authentication app registration.

  2. Repeat those instructions to create a second app registration; this one serves as your canvas app registration.

  3. Add the canvas app registration ID to the authentication app registration.

Add token exchange URL

To update the Microsoft Entra ID authentication settings in Copilot Studio, you need to add the token exchange URL to allow your app and Copilot Studio to share information.

  1. In the Azure portal on your authentication app registration blade, go to Expose an API.

  2. Under Scopes, select the Copy to clipboard icon.

  3. In Copilot Studio, in the navigation menu under Settings, select Security, and then select the Authentication tile.

  4. For Token exchange URL (required for SSO), paste the scope you copied earlier.

  5. Select Save.

Configure your canvas app registration

  1. After you create your canvas app registration, go to Authentication, and then select Add a platform.

  2. Under Platform configurations, select Add a platform, and then select Web.

  3. Under Redirect URIs, enter the URL for your web page; for example, http://contoso.com/index.html. For a real site use an https URL; the portal accepts http redirect URIs only for localhost.

    Screenshot of the Configure Web page.

  4. In the Implicit grant and hybrid flows section, turn on both Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows).

  5. Select Configure.

Find your agent's token endpoint URL

  1. In Copilot Studio, open your agent and then select Channels.

  2. Select Mobile app.

  3. Under Token Endpoint, select Copy.

    Screenshot of copying the token endpoint URL in Copilot Studio.

Configure SSO in your web page

Use the code provided in the Copilot Studio GitHub repo to create a web page for the redirect URL. Copy the code from the GitHub repo and modify it using the following instructions.

Note

The code in the GitHub repo requires that the user select a login button or log in from a different site. To enable automatic login, add the following code to the beginning of async function main():

    (async function main() {
        // Sign in automatically when MSAL has no cached account for this user
        if (clientApplication.getAccount() == null) {
            await clientApplication.loginPopup(requestObj).then(onSignin).catch(function (error) { console.log(error); });
        }
        // Add your BOT ID below
        var theURL = "https://<token endpoint URL>";

  1. Go to the Overview page in Azure portal and copy the Application (client) ID and Directory (tenant) ID from your canvas app registration.

    Screenshot of the App registration Overview page in Azure portal, with Overview, Application ID, and Directory ID highlighted.

  2. To configure the Microsoft Authentication Library (MSAL):

    • Assign clientId to your Application (client) ID.
    • Assign authority to https://login.microsoftonline.com/ and add your Directory (tenant) ID to the end.

    For example:

    var clientApplication;
    (function () {
        var msalConfig = {
            auth: {
                clientId: '00001111-aaaa-2222-bbbb-3333cccc4444',
                authority: 'https://login.microsoftonline.com/7ef988bf-xxxx-51af-01ab-2d7fd011db47'
            },
            // ... remaining msalConfig settings from the GitHub sample
        };
        // Create the MSAL client (MSAL.js v1 UserAgentApplication, as used by the sample)
        clientApplication = new Msal.UserAgentApplication(msalConfig);
    })();

  3. Set the theURL variable to the token endpoint URL you copied earlier. For example:

    (async function main() {
        // Token endpoint URL copied from Channels > Mobile app in Copilot Studio
        var theURL = "https://<token endpoint URL>";
        // ...

  4. Edit the value of userId to include a custom prefix. For example:

    var userId = clientApplication.account?.accountIdentifier != null ?
        ("My-custom-prefix" + clientApplication.account.accountIdentifier).substr(0, 64)
        : (Math.random().toString() + Date.now().toString()).substr(0, 64);

  5. Save your changes.

Test your agent using your web page

  1. Open your web page in your browser.

  2. Select Login.

    Screenshot of logging in using validation code

    Note

    If your browser blocks popups or you are using an incognito or private browsing window, you're prompted to log in. Otherwise, the login completes using a validation code.

    A new browser tab opens.

  3. Switch to the new tab and copy the validation code.

  4. Switch back to the tab with your agent, and paste the validation code into the agent conversation.