Share via


Configure user authentication for actions

When creating a Copilot Studio action for an authenticated Copilot Studio project, you can enable user authentication, or supply a set of credentials for the agent to use on behalf of the user.

  • Select Agent author authentication if access to the service associated with the action is implicit, or for low-risk use cases. For example, use this authentication setting to find the phone number for the support team for a given postal code. Another use case could be using a weather API to get the current forecast.
  • Select User authentication if you must restrict data access to specific groups or individuals in the user community. For example, use this authentication setting if the agent is meant to retrieve data that only the user has access to, or to perform work on their behalf.

Creating connections

Users are prompted when they visit any dialog that uses a user action to sign in to the experience. They're prompted as soon as the conversation begins, and they authenticate with the agent.

When users review the connections page, they can see the connection they need to configure for the action to complete a given dialog, and other connections your actions might require in the entire experience.

Completing the connection and returning to the conversation with the agent allows your customers to "retry" the action. It then completes with the customer's data access.

Data access and permission management

Copilot Studio doesn't store any credentials. Agents prompt users for their credentials whenever access tokens expire or are revoked on the service side. Additionally, users can manually access the connection page and refresh or revoke permissions once they're done talking to your agent.

Supported channels

The following table details the channels that currently support user authentication for actions.

Channel Supported
Azure Bot Service channels Not supported
Custom Website Supported
Demo Website Not supported
Facebook Not supported
Microsoft Teams1 Supported
Mobile App Not supported
Omnichannel for Customer Service2 Supported
SharePoint1 Supported

1 If you also have the Teams channel enabled, you need to follow the configuration instructions on the Configure single sign-on with Microsoft Entra ID for agents in Teams documentation. Failing to configure the Teams single sign-on (SSO) settings as instructed on that page causes your users to always fail authentication when using the Teams channel.

2 Only the live chat channel is supported. For more information, see Configure handoff to Dynamics 365 Customer Service.