
Securing Your Copilot Studio Agent for Authenticated Web Access

Deploy your custom Copilot Studio agent on a public website while ensuring only authorized Microsoft 365 users can start a conversation — with single sign-on baked in.

Narmer Abader
@narmer · Published June 3, 2026

When you build a Copilot Studio agent intended for internal use, you usually want only authenticated users from your organization to be able to chat with it. Publishing the agent on a public website without any protection would expose its capabilities to anyone who stumbles on the page. Fortunately, you can add Microsoft Authentication to the agent and pair it with an Azure App Registration to enforce access control. The best part: if your users are already signed in to Microsoft 365, they won’t be asked for credentials again — single sign-on (SSO) works out of the box.

This article walks you through a complete example: an internal "Employee FAQ Copilot" that draws knowledge from SharePoint PDF documents. You will set up authentication, register an application in Azure, configure the official Copilot Studio web chat client, test it locally, and finally host it on Azure Blob Storage with static website support. Along the way, you’ll learn common pitfalls and how to avoid them.

Example Scenario: Employee FAQ Copilot

Your company wants to publish an agent that answers questions about internal policies, benefits, and IT guidelines. The agent is built in Copilot Studio and uses a SharePoint library containing PDF files (policy documents, FAQ sheets, etc.) as its knowledge source. Access must be restricted to employees who have been shared the agent in Copilot Studio. If an employee is already authenticated with Microsoft 365 (e.g., they are logged into Outlook or Teams), the web chat should not ask them for a password again.

We will use the following custom identifiers for our resources:

Resource                              Example Value
App Registration name                 Employee-FAQ-Auth
Copilot Studio agent (Schema name)    employeeFaqAgent_abc123
Environment ID                        00000000-0000-0000-0000-000000000000
Azure AD tenant ID                    contoso.onmicrosoft.com (GUID)
Client (application) ID               11111111-1111-1111-1111-111111111111

Yours will differ, but the structure stays the same.

Step 1: Create or Select Your Agent in Copilot Studio

Open Copilot Studio and either create a new agent or pick an existing one. For the Employee FAQ Copilot:

  • Give it a name like Employee FAQ.
  • Add a SharePoint knowledge source that points to a document library with your PDF files.
  • Turn off Use general knowledge under the Generative AI settings so the agent answers only from your content.
  • Test the agent inside Copilot Studio to confirm it returns correct answers.

Step 2: Enable Microsoft Authentication for the Agent

Go to the Settings page of your agent and open the Authentication tab. Select Authenticate with Microsoft (the middle option). This tells Copilot Studio to use the caller’s Microsoft 365 identity when the agent is invoked from a custom website.

Save the change and publish the agent.

Step 3: Register an Application in Azure

The web chat client needs an Azure App Registration to acquire tokens and call the agent on behalf of the signed-in user.

  1. Go to portal.azure.com and open App registrations.
  2. Click New registration.
    • Name: Employee-FAQ-Auth (or any meaningful name)
    • Supported account types: Accounts in this organizational directory only (single tenant)
    • Redirect URI: leave blank for now.
  3. Click Register.

After deployment, note the Application (client) ID and Directory (tenant) ID from the Overview page. You will need them later.

Step 4: Grant the App Permission to Invoke Copilot Studio Agents

The app registration must have the CopilotStudio.Copilots.Invoke delegated permission.

  1. In the app registration, go to API permissions → Add a permission.
  2. Under APIs my organization uses, search for Power Platform API. If it doesn’t appear, ask your tenant admin to run a PowerShell script to enable the API (see Microsoft Learn guidance).
  3. Choose Delegated permissions, then check CopilotStudio.Copilots.Invoke.
  4. Click Add permissions.
  5. Click Grant admin consent for your tenant (requires a Global Administrator or Privileged Role Administrator).

Now your app has the right to invoke any Copilot Studio agent on behalf of a signed-in user.

Step 5: Add a Redirect URI for Local Testing

Go to the Authentication blade of your app registration. Under Platform configurations, click Add a platform → Single-page application (SPA).

  • Redirect URI: http://localhost:5500 (the default Live Server address)
  • Check both Access tokens and ID tokens under Implicit grant and hybrid flows.

Click Configure. Later you will add a second URI for production hosting.

Step 6: Download and Configure the Web Chat Client

Microsoft provides a sample web chat client on the Agents GitHub repository. The Node.js version works well for static hosting.

  1. Download the contents of the web folder (or clone the repo).
  2. Place the files in a local folder and rename settings.template.js to settings.js.
  3. Open settings.js in a code editor.

You need to fill in four values:

  • appClientId – from the app registration "Application (client) ID"
  • tenantId – from the app registration "Directory (tenant) ID"
  • environmentId – from Copilot Studio: go to your agent's Settings → Advanced → Metadata and copy the Environment ID
  • agentIdentifier – from the same metadata page, copy the Schema name (often called agentIdentifier or schemaName)

Your settings.js should look something like this (with your real GUIDs):

settings.js (relevant lines):

  export const settings = {
    appClientId: '11111111-1111-1111-1111-111111111111',
    tenantId: '22222222-2222-2222-2222-222222222222',
    environmentId: '33333333-3333-3333-3333-333333333333',
    agentIdentifier: 'employeeFaqAgent_abc123',
    // ... remaining properties unchanged
  };

Do not change any other properties in the file (they control the chat interface, styling, etc.).

Step 7: Test Locally with Live Server

Install the Live Server extension in Visual Studio Code. Right-click index.html and choose Open with Live Server. A browser opens at http://127.0.0.1:5500. You may see an error about redirect URI mismatch — that’s expected because the address is 127.0.0.1, not localhost.

Change the URL to http://localhost:5500 (the exact value you registered). You should now see the chat widget. If you are already signed into M365, the agent will load without any login prompt. If not, it will ask you to sign in.

Send a test query to verify the agent responds correctly and only for users who have been shared the agent in Copilot Studio.

Important

To allow other users to chat, you must share the agent with them in Copilot Studio. Go to the Publish page, click Share, and add their Microsoft 365 accounts. Users not on the list will see an error when they try to connect.

Step 8: Host on Azure Blob Storage with Static Website

For a production-like demo (not a full production deployment), you can host the web chat client on Azure Blob Storage with static website enabled.

  1. Create an Azure Storage account (standard performance, locally redundant storage).
  2. In the storage account, go to Static website and enable it.
    • Index document name: index.html
    • Error document path: 404.html
    • Copy the Primary endpoint URL (e.g., https://mystorage.z5.web.core.windows.net).
  3. Confirm that a container named $web exists (it is created automatically when you enable the static website).
  4. Upload all files from your local web chat folder into the $web container. Ensure index.html is at the root.

After uploading, navigate to the primary endpoint. The chat UI will appear, but authentication will fail because the redirect URI doesn’t match yet.

Step 9: Add the Production Redirect URI in Azure

Go back to your app registration in Azure → Authentication. Under the SPA platform, add a second redirect URI: the full URL of your static website (e.g., https://mystorage.z5.web.core.windows.net). Save.

Now test again. If you visit the endpoint and you are signed into M365, the agent should load without prompting for credentials. Users who are not shared will see an error.

Security Consideration

Blob Storage with static website enabled makes the entire $web content publicly readable. If you need stricter security (e.g., only authenticated users can even load the page), use Azure Static Web Apps or Azure App Service with built-in authentication. Blob Storage is shown here only for simplicity. For a production scenario, work with your security team to choose the right hosting approach.

Common Mistakes and Troubleshooting

Authentication error "AADSTS50011: The reply URL specified in the request does not match..."
This means the redirect URI in your app registration doesn’t match the exact URL from which the web chat is served. Check that:

  • The protocol (http vs https) and port are correct.
  • The trailing slash is not included (unless you added it).
  • You have added both local and production URLs if testing from different origins.
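The checklist above can be turned into a small pre-flight check. The JavaScript below is an added example, not part of Microsoft's sample web chat client; the registered URIs are the constructed values used in this tutorial, and it assumes the client sends the page's origin (plus any path, with or without a trailing slash) as the redirect URI, which Entra ID compares exactly, with only scheme and host being case-insensitive.

```javascript
// Added example, not part of the Microsoft sample client. Reproduces Entra ID's
// exact-match rule for SPA redirect URIs so a mismatch can be explained before
// the AADSTS50011 error appears. The registered URIs are the constructed values
// from this tutorial (local Live Server and the Blob static website endpoint).
const REGISTERED_REDIRECT_URIS = [
  'http://localhost:5500',
  'https://mystorage.z5.web.core.windows.net',
];

// Break a URI into the parts Entra ID compares. Default ports are made explicit
// so "https://host" and "https://host:443" are treated as the same origin, and
// the raw string is consulted to tell "host" apart from "host/" (trailing slash).
function parts(uri) {
  const u = new URL(uri);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return {
    scheme: u.protocol.replace(':', ''),
    host: u.hostname.toLowerCase(),
    port,
    path: u.pathname === '/' && !uri.endsWith('/') ? '' : u.pathname,
  };
}

// Compare the redirect URI the client will send against every registered one.
// Returns { ok: true, matched } on an exact match; otherwise the closest
// registered URI and the fields that differ, mirroring the checklist above.
function diagnoseRedirectUri(requested, registered = REGISTERED_REDIRECT_URIS) {
  const want = parts(requested);
  let best = { ok: false, closest: null, mismatches: ['no redirect URIs registered'] };
  for (const reg of registered) {
    const have = parts(reg);
    const mismatches = [];
    if (want.scheme !== have.scheme) mismatches.push(`scheme: ${want.scheme} vs ${have.scheme}`);
    if (want.host !== have.host) mismatches.push(`host: ${want.host} vs ${have.host}`);
    if (want.port !== have.port) mismatches.push(`port: ${want.port} vs ${have.port}`);
    if (want.path !== have.path) mismatches.push(`path/trailing slash: '${want.path}' vs '${have.path}'`);
    if (mismatches.length === 0) return { ok: true, matched: reg, mismatches: [] };
    if (best.closest === null || mismatches.length < best.mismatches.length) {
      best = { ok: false, closest: reg, mismatches };
    }
  }
  return best;
}

// Usage: the Live Server case from Step 7, where the browser opened 127.0.0.1
// instead of the registered localhost address.
console.log(diagnoseRedirectUri('http://127.0.0.1:5500'));
// -> { ok: false, closest: 'http://localhost:5500', mismatches: [ 'host: 127.0.0.1 vs localhost' ] }
```

Run it with node, or paste it into the browser console on the page that fails, passing `window.location.origin + window.location.pathname` as the requested URI.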

Agent does not respond and shows "Unauthorized" or "Access denied"
The user has not been shared the agent in Copilot Studio. Add their account under Publish → Share. Also verify that admin consent has been granted for the CopilotStudio.Copilots.Invoke permission.

Single sign-on doesn’t work; users are always prompted to sign in
SSO works when the user’s session is in the same browser context where they already authenticated with Microsoft 365 (e.g., logged into Office.com). In incognito mode or after clearing cookies, a prompt is normal.

Power Platform API not found in Azure
Your tenant may not have the API enabled. Run the PowerShell script documented in the Microsoft Learn article or contact your admin.
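The two causes of an "Unauthorized" response (missing consent for the delegated permission, or the agent not being shared with the user) can be told apart by looking at the access token the client obtained. The JavaScript below is an added example, not part of Microsoft's sample client: it decodes the token's claims and checks that the `scp` claim contains CopilotStudio.Copilots.Invoke and that `tid` is the expected tenant (the constructed tenant ID from this tutorial). It only inspects claims and does not verify the signature, which is the resource API's job; if the scope and tenant are right and the agent still refuses, the remaining cause is that the agent has not been shared with that user.

```javascript
// Added example, not part of the Microsoft sample client. Decodes an Entra ID
// access token's claims to separate a consent problem (scope missing from scp)
// from a sharing problem (token fine, agent still says unauthorized).
// Constructed values from this tutorial; replace with your own tenant ID.
const EXPECTED_TENANT_ID = '22222222-2222-2222-2222-222222222222';
const REQUIRED_SCOPE = 'CopilotStudio.Copilots.Invoke';

// JWT segments are base64url (RFC 4648 §5) without padding; convert to plain
// base64, restore padding, then decode as UTF-8 text.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Inspect the claims a client-side diagnostic can reason about. This is NOT
// signature validation: a forged token would pass here and be rejected by the
// Power Platform API, so use it only to explain why a real token was rejected.
function inspectAccessToken(jwt, now = Math.floor(Date.now() / 1000)) {
  const segments = jwt.split('.');
  if (segments.length !== 3) return { ok: false, problems: ['not a three-part JWT'], claims: null };
  const claims = JSON.parse(base64UrlDecode(segments[1]));
  const problems = [];
  // Delegated permissions appear space-separated in the v2 "scp" claim.
  const scopes = (claims.scp || '').split(' ').filter(Boolean);
  if (!scopes.includes(REQUIRED_SCOPE)) {
    problems.push(`missing delegated scope ${REQUIRED_SCOPE} (check the permission and admin consent)`);
  }
  if (claims.tid !== EXPECTED_TENANT_ID) {
    problems.push(`token issued for tenant ${claims.tid}, expected ${EXPECTED_TENANT_ID}`);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('token expired');
  return { ok: problems.length === 0, problems, claims };
}

// Build an unsigned sample token so the check can be exercised offline.
// Constructed for illustration; real tokens are signed by Entra ID.
function makeSampleToken(claims) {
  const header = { alg: 'none', typ: 'JWT' };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Usage: a token where consent was granted for a different permission.
const sample = makeSampleToken({
  scp: 'User.Read',
  tid: EXPECTED_TENANT_ID,
  upn: 'alice@contoso.onmicrosoft.com',
  exp: 2000000000,
});
console.log(inspectAccessToken(sample, 1900000000).problems);
// -> [ 'missing delegated scope CopilotStudio.Copilots.Invoke (check the permission and admin consent)' ]
```

In the browser, the token to inspect is the one MSAL returns for the Power Platform scope; paste it as the `jwt` argument. Never paste a live token anywhere other than your own console.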

Final Recommendation

Using Microsoft Authentication with Copilot Studio is the most straightforward way to gate access to your custom agent on a website. The combination of Azure App Registration, delegated permissions, and the official web chat client gives you a solution that works out of the box with SSO.

For any serious deployment, avoid relying on simple Blob Storage with static website. Instead, use Azure Static Web Apps or Azure App Service with Easy Auth to secure the page itself and gain better control over custom domains, SSL, and CI/CD. The configuration steps for the authentication part remain the same.

Take the time to test thoroughly with a shared user account and a non-shared account to confirm that the gate is working exactly as expected.
