Configure single sign-on with Microsoft Entra ID

Important

Power Virtual Agents capabilities and features are now part of Microsoft Copilot Studio following significant investments in generative AI and enhanced integrations across Microsoft Copilot.

Some articles and screenshots may refer to Power Virtual Agents while we update documentation and training content.

Microsoft Copilot Studio supports single sign-on (SSO). SSO allows copilots on your website to sign customers in if they're already signed in to the page or app where the copilot is deployed. For example, the copilot is hosted on the corporate intranet or in an app that the user is already signed in to.

Prerequisites

There are four main steps to configuring SSO for Microsoft Copilot Studio:

  1. Create an app registration in Microsoft Entra ID for your custom canvas.

  2. Define a custom scope for your copilot.

  3. Configure authentication in Microsoft Copilot Studio to enable SSO.

  4. Configure your custom canvas HTML code to enable SSO.

Important

SSO is currently not supported when a copilot has been either:

Supported channels

The following table details the channels that currently support SSO. You can suggest support for extra channels at the Microsoft Copilot Studio ideas forum.

Channel                               Supported
Azure Bot Service channels            Not supported
Custom Website                        Supported
Demo Website                          Not supported
Facebook                              Not supported
Microsoft Teams [1]                   Supported
Mobile App                            Not supported
Omnichannel for Customer Service [2]  Supported

[1] If you also have the Teams channel enabled, you need to follow the configuration instructions in the Configure SSO for Teams channel documentation. Failing to configure the Teams SSO settings as instructed on that page causes your users to always fail authentication when using the Teams channel.

[2] Only the live chat channel is supported. For more information, see Configure hand-off to Dynamics 365 Customer Service.

Create app registrations for your custom website

To enable SSO, you need to create two separate app registrations:

  • An authentication app registration, which enables Microsoft Entra ID user authentication for your copilot
  • A canvas app registration, which enables SSO for your custom web page

We don't recommend reusing the same app registration for both your copilot and your custom website, for security reasons: the canvas registration is a public client whose application ID is exposed in the web page, while the authentication registration holds the client secret that Copilot Studio uses. Keeping them separate means a compromised page cannot act with the copilot's own credentials.

  1. Follow the instructions in Configure user authentication with Microsoft Entra ID to create an authentication app registration.
  2. Follow the same instructions again to create a second app registration, which serves as your canvas app registration.
  3. Return to this article.

Configure your canvas app registration

  1. After you create your canvas app registration, go to Authentication, and then select Add a platform.

  2. Under Platform configurations, select Add a platform, and then select Web.

  3. Under Redirect URIs, enter the URL of the page that hosts your canvas; for example, https://contoso.com/index.html. Microsoft Entra ID only accepts https redirect URIs (localhost is the exception), and the value must match the page address exactly, because tokens are returned to that URI.

    Screenshot of the Configure Web page.

  4. In the Implicit grant and hybrid flows section, turn on both Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows). The sample canvas code in this article uses MSAL.js 1.x, which obtains tokens through the implicit flow, so both settings are required for it. If you build your canvas on MSAL.js 2.x instead, it uses the authorization code flow with PKCE (with the redirect URI registered under the Single-page application platform) and these options can stay off.

  5. Select Configure.

Find your copilot's token endpoint URL

  1. In Microsoft Copilot Studio, go to Settings, and then select Channels.

  2. Select Mobile app.

  3. Under Token Endpoint, select Copy.

    Screenshot of copying the token endpoint URL in Microsoft Copilot Studio.

Configure SSO in your web page

Use the code provided in the Microsoft Copilot Studio GitHub repo to create a web page for the redirect URL. Copy the code from the GitHub repo and modify it using the instructions below.

  1. Go to the Overview page in Azure portal and copy the Application (client) ID and Directory (tenant) ID from your canvas app registration.

    Screenshot of the App registration Overview page in Azure portal, with Overview, Application ID, and Directory ID highlighted.

  2. To configure the Microsoft Authentication Library (MSAL):

    • Assign clientId to your Application (client) ID.
    • Assign authority to https://login.microsoftonline.com/ and add your Directory (tenant) ID to the end.

    For example:

    // Values from the canvas app registration's Overview page go into the MSAL configuration.
    var clientApplication;
    (function () {
        var msalConfig = {
            auth: {
                clientId: '692e92c7-xxxx-4060-76d3-b381798f4d9c',
                authority: 'https://login.microsoftonline.com/7ef988bf-xxxx-51af-01ab-2d7fd011db47'
            }
        };
        // MSAL.js 1.x client; the sample later reads clientApplication.account.accountIdentifier
        clientApplication = new Msal.UserAgentApplication(msalConfig);
    })();
    
  3. Set the theURL variable to the token endpoint URL you copied earlier. For example:

    (async function main() {
        // Token endpoint copied from Settings > Channels > Mobile app
        var theURL = "https://1c0.0.environment.api.powerplatform.com/powervirtualagents/bots/5a099fd/directline/token?api-version=2022-03-01-preview";
    
  4. Edit the value of userId to include a custom prefix. For example:

    // Prefix the signed-in account's identifier so user IDs from this canvas are
    // distinguishable; Direct Line user IDs are capped at 64 characters. When no
    // account is signed in, fall back to a random ID so the conversation can still start.
    var userId = clientApplication.account?.accountIdentifier != null ?
            ("My-custom-prefix" + clientApplication.account.accountIdentifier).substr(0, 64)
            : (Math.random().toString() + Date.now().toString()).substr(0, 64);
    
  5. Save your changes.
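The glue logic that sits around those four edits, as an added example: this is my own code, not the sample from the Microsoft Copilot Studio GitHub repo, and it is written as pure functions so the decisions can be run and checked outside a browser. It assumes the Bot Framework conventions the sample relies on: the copilot asks for sign-in with an OAuthCard attachment (content type application/vnd.microsoft.card.oauth) carrying tokenExchangeResource.id, tokenExchangeResource.uri and connectionName, and the canvas answers with an invoke activity named signin/tokenExchange whose from.id is the user ID the Direct Line token was requested for. The function and parameter names (buildUserId, findTokenExchangeResource, isAllowedScope, buildTokenExchangeInvoke, handleIncomingActivity, ctx.acquireToken, ctx.allowedScopes) are this example's own, the allowed-scope check is a hardening step I added rather than something the sample does, and the OAuthCard activity at the bottom is constructed.

```javascript
// Added example (not the Microsoft sample): SSO glue for a custom canvas as
// testable pure functions. Names are the example's own; OAuthCard and
// signin/tokenExchange are Bot Framework conventions the sample relies on.

const OAUTH_CARD = 'application/vnd.microsoft.card.oauth';
const MAX_USER_ID_LENGTH = 64; // Direct Line user IDs are capped at 64 characters

// Step 4: stable, prefixed user ID for the signed-in MSAL account, falling back
// to a random ID (so the chat still starts) when nobody is signed in.
function buildUserId(account, prefix, randomFn = Math.random, nowFn = Date.now) {
  const raw = account && account.accountIdentifier != null
    ? prefix + account.accountIdentifier
    : randomFn().toString() + nowFn().toString();
  return raw.substring(0, MAX_USER_ID_LENGTH);
}

// Return the token-exchange details from a bot-authored OAuthCard, or null for
// any other activity (plain messages, typing indicators, events, user echoes).
function findTokenExchangeResource(activity) {
  if (!activity || !activity.from || activity.from.role !== 'bot') return null;
  const attachments = Array.isArray(activity.attachments) ? activity.attachments : [];
  for (const attachment of attachments) {
    const card = attachment && attachment.content;
    if (!card || attachment.contentType !== OAUTH_CARD) continue;
    const ter = card.tokenExchangeResource;
    if (ter && typeof ter.uri === 'string' && ter.uri.length > 0) {
      return { id: ter.id, uri: ter.uri, connectionName: card.connectionName };
    }
  }
  return null;
}

// Hardening added in this example: only acquire tokens for the custom scope you
// defined for your own copilot. The resource URI arrives inside bot-authored
// content, so the page should not hand MSAL an arbitrary scope from it.
function isAllowedScope(uri, allowedScopes) {
  return allowedScopes.includes(uri);
}

// The invoke that completes SSO. from.id must be the user ID the Direct Line
// token was requested for; a mismatch is rejected by the service.
function buildTokenExchangeInvoke(resource, token, userId, displayName) {
  return {
    type: 'invoke',
    name: 'signin/tokenExchange',
    value: { id: resource.id, connectionName: resource.connectionName, token: token },
    from: { id: userId, name: displayName, role: 'user' },
  };
}

// Decide what to do with one incoming activity. ctx.acquireToken(scopes) wraps
// your MSAL call (for example clientApplication.acquireTokenSilent({ scopes }))
// and is injected so this logic runs without MSAL or a browser.
async function handleIncomingActivity(activity, ctx) {
  const resource = findTokenExchangeResource(activity);
  if (!resource) return { action: 'pass' }; // not an OAuthCard; hand it to WebChat
  if (!isAllowedScope(resource.uri, ctx.allowedScopes)) {
    return { action: 'pass', reason: 'scope-not-allowed' }; // show the card instead
  }
  let result;
  try {
    result = await ctx.acquireToken([resource.uri]);
  } catch (err) {
    // acquireTokenSilent throws when user interaction is required; rendering the
    // OAuthCard lets the user sign in explicitly instead.
    return { action: 'pass', reason: 'interaction-required' };
  }
  if (!result || !result.accessToken) return { action: 'pass', reason: 'no-token' };
  return {
    action: 'exchange',
    invoke: buildTokenExchangeInvoke(resource, result.accessToken, ctx.userId, ctx.displayName),
  };
}

// Constructed sample of what the copilot sends when a topic requires sign-in.
// The connection name and scope URI are placeholders, not real values.
const sampleOAuthCardActivity = {
  type: 'message',
  from: { id: 'bot', role: 'bot' },
  attachments: [{
    contentType: OAUTH_CARD,
    content: {
      connectionName: 'ConstructedConnection',
      tokenExchangeResource: { id: 'exchange-1', uri: 'api://00000000-0000-0000-0000-000000000001/Test.Read' },
    },
  }],
};

// Run the decision logic with a fake MSAL that returns a token immediately.
function demo() {
  const ctx = {
    userId: buildUserId({ accountIdentifier: 'user-object-id' }, 'My-custom-prefix'),
    displayName: 'Sample User',
    allowedScopes: ['api://00000000-0000-0000-0000-000000000001/Test.Read'],
    acquireToken: async () => ({ accessToken: 'constructed-access-token' }),
  };
  return handleIncomingActivity(sampleOAuthCardActivity, ctx);
}
```

In a real page, wire handleIncomingActivity into the WebChat store middleware on DIRECT_LINE/INCOMING_ACTIVITY: when it returns action 'exchange', post the invoke through the DirectLine object and swallow the OAuthCard; on 'pass', call next(action) so WebChat renders the card and the user can sign in explicitly. Keep allowedScopes limited to the custom scope you defined for your copilot.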

Test your copilot using your web page

  1. Open your web page in your browser.

  2. Select Login.

    Screenshot of logging in using validation code

    Note

    If your browser blocks popups or you're using an incognito or private browsing window, you're prompted to log in. Otherwise, the login completes using a validation code.

    A new browser tab opens.

  3. Switch to the new tab and copy the validation code.

  4. Switch back to the tab with your copilot, and paste the validation code into the copilot conversation.