Tag: Copilot Studio

Secure Your MCP Server with Service Principal Authentication for Copilot Studio

In my previous post, we explored how to secure an MCP Server using Microsoft Entra ID delegated permissions, where the user’s identity is passed through to the API.

Secure Your MCP Server with Entra ID Authentication for Copilot Studio

But what if your scenario does not require user context?

What if you want:

  • A centralized connection
  • No per-user sign-in prompts
  • A backend service-to-service integration

In this post, we’ll walk through how to secure an MCP Server using application permissions (service principal authentication) and integrate it with Copilot Studio.

Introduction

MCP Servers exposed to Copilot Studio can be secured using different OAuth patterns:

  • Delegated permissions → user context
  • Application permissions → app-only context

This post focuses on the application permission model, where:

  • Copilot Studio uses a service principal (client credentials flow)
  • MCP Server validates app tokens instead of user tokens
  • No user interaction is required at runtime

Why Use Application Permissions?

Delegated access is great when you need user context. But in many enterprise scenarios:

  • Background operations don’t need user identity
  • Shared tools should behave consistently
  • Managing per-user connections becomes overhead

With application permissions:

  • Authentication is centralized
  • No per-user connection creation
  • Better suited for automation and shared agents

Prerequisites

Before starting:

  • Access to Microsoft Entra ID
  • Access to Copilot Studio and Power Platform
  • MCP Server implementation (you can reuse the same repo)
  • Permissions to create app registrations and custom connectors

Architecture Overview

In this setup:

  • MCP Server → Protected API (App roles enabled)
  • Copilot Client → Service principal (client credentials flow)
  • Entra ID → Issues app-only tokens

Flow:

  1. Copilot (via connector) authenticates using service principal
  2. Entra ID issues app-only token
  3. Token is sent to MCP Server
  4. MCP Server validates role-based access

Step 1: Update MCP Server App Registration (Resource API)

Go to your existing MCP Server app registration created from the instructions in my other post.

Create App Roles

Navigate to App roles → Add new role:

  • Display name: Access MCP Server API
  • Allowed member types: Applications
  • Value: api.server.access
  • Description: Allows access to MCP Server as an application

This is the key difference from delegated setup.

Instead of scopes, we have defined app roles for applications. Copy the resource url from the api permissions. E.g: api//xxxxx-xxxx-xxxx-xxx

Step 2: Configure Copilot Client App (Service Principal)

Go to your second app registration (Copilot client).

Add Application Permission

  • API permissions → Add permission
  • My APIs → Select MCP Server app
  • Choose Application permission → api.server.access

Grant Admin Consent

This allows the client app to call MCP Server without a user

Copy the client id, client secret for entering in the security tab while creating the custom connector.

Step 3: Create Custom Connector in Power Platform

Unlike the delegated setup, this time we do not add MCP Server directly from Copilot Studio.

Instead:

  • Go to make.powerapps.com
  • Create a Custom Connector
  • Configure:
    • Security → OAuth 2.0
      1. Enable Service Principal support

This connector uses the service principal credentials. After the entering the above details, click create connector. After the connector is created, copy the redirect URL to enter it in the Copilot studio client app registration

Now we can add the action Invoke server as below

Update the connector. Now Toggle Swagger editor to add x-ms-agentic-protocol: mcp-streamable-1.0 as shown below

What It Does

Declares MCP Server Compatibility with Power Platform Agents

This extension tells Power Platform (and AI agents like Copilot) that your connector:

ComponentMeaning
x-ms-Microsoft-specific extension (not standard OpenAPI)
agentic-protocolIndicates the API supports agentic/AI agent operations
mcp-streamable-1.0Uses Model Context Protocol v1.0 with streaming support

What This Enables

  1. Agentic Discovery – Agents can discover available tools/operations
  2. Streaming Responses – Support for long-running async operations with streaming results
  3. Native MCP Integration – Direct compatibility with MCP clients and servers
  4. Agent Invocation – AI agents can invoke your MCP server endpoints intelligently

Step 4: Create Connection Using Service Principal

After updating the connector:

  • Create a new connection from the Test Tab in custom connector creation interface
  • Provide the below from your Copilot studio client app registration:
    • Client ID
    • Client Secret
    • Tenant ID

This creates a shared connection

Key difference:

  • No user login prompt
  • Connection is tied to service principal, not individuals

Step 5: Add MCP Server to Copilot Studio

Now go to Copilot Studio:

  • Open your agent
  • Add Tool → Browse existing MCP Servers
  • Select your MCP connector and the connection as below

Important configuration in Copilot studio after the tool/MCP server is added:

  • Credentials to use: Maker provided
  • Save

This ensures:

  • The agent always uses the same connection
  • No per-user authentication required

Step 6: Test the MCP Agent

Now test your agent:

  • Invoke MCP tool
  • Verify response

You should see:

  • No login prompts
  • Consistent responses
  • Backend authentication working

Delegated vs Application Permissions

FeatureDelegatedApplication
IdentityUserApp
Token TypeUser tokenApp token
ConsentUser/AdminAdmin only
ConnectionPer userShared
Use CaseUser-specific dataBackground/shared APIs

Summary

In this post, we covered:

  • Securing MCP Server using application permissions
  • Creating app roles for application access
  • Assigning application permissions to client app
  • Creating custom connector in Power Platform
  • Using service principal connection
  • Adding MCP server to Copilot Studio via existing connector
  • Configuring maker-provided authentication

Why This Matters

Using application permissions is critical when:

  • You want centralized authentication
  • Your MCP tools don’t require user context
  • You want to avoid connection sprawl
  • You need consistent behavior across all users

This model is especially useful for:

  • Enterprise APIs
  • Shared automation tools
  • Backend integrations

Final Thoughts

Both delegated and application permission models have their place.

  • Use delegated when user identity matters
  • Use application permissions when it doesn’t

By implementing service principal authentication for your MCP Server, you enable:

  • Scalable architecture
  • Simplified connection management
  • Secure, app-driven integrations with Copilot Studio

Secure Your MCP Server with Entra ID Authentication for Copilot Studio

With the rise of AI agents and extensibility through MCP (Model Context Protocol), exposing your APIs and tools to agents like Copilot Studio is becoming increasingly common. But the catch – without proper authentication, you’re opening the doors to your enterprise data.

In this post, we’ll walk through how to secure an MCP Server using Microsoft Entra ID and consume it from Copilot Studio using delegated permissions.

We’ll be using this sample repo as a reference implementation: MCP-Server-Entra-Id-Auth

Introduction

MCP servers allow AI agents to invoke tools and APIs in a standardized way. When integrated with platforms like Microsoft Copilot Studio, they unlock powerful automation scenarios.

However, MCP servers are essentially OAuth 2.0 resource servers, and every MCP client (like Copilot Studio) acts as an OAuth client.

Why Securing Your MCP Server is Important

Without proper authentication:

  • Anyone with access to the endpoint could invoke your tools
  • Sensitive operations such as internal APIs may be exposed
  • No identity context → no auditing or governance

Modern MCP implementations rely on OAuth-based authentication, ensuring:

  • Identity-aware requests
  • Scoped access tokens
  • Secure communication between client and server

In enterprise scenarios, Entra IDbecomes the natural choice.

Prerequisites

Before we begin, make sure you have:

  • Access to a Microsoft Entra ID tenant
  • Access to Microsoft Copilot Studio
  • Basic understanding of:
    • OAuth 2.0 / Delegated permissions
    • App registrations
  • MCP server up and running (use the repo above)

Architecture Overview

We will configure:

  • MCP Server → Protected resource (API)
  • Copilot Studio → Client application
  • Entra ID → Identity provider

Flow:

  1. User signs in via Copilot Studio
  2. Copilot gets delegated token
  3. Token is sent to MCP Server
  4. MCP Server validates and processes request

Step 1: Create App Registration for MCP Server (Resource API)

Go to Entra ID → App registrations → New registration

Configure:

  • Name: MCP-Server-App
  • Supported account types: Single Tenant

    After creation:

    1. Copy the Client Id, Tenant Id from the Overview section.

    Expose an API

    1. Go to Expose an API
    2. Set Application ID URI (e.g., api://xxx-xxxx)
    3. Add a scope:
      • Name: access_as_user
      • Who can consent: Admins + users

      Configure Permissions

      • Add required Microsoft Graph delegated permissions (if needed) or remove it.

      This app represents your secured MCP Server

      Step 2: Configure MCP Server with Entra ID

      In your MCP server, appsettings.json (from repo):

      Configure:

      • Tenant ID
      • Client ID (MCP Server app)
      • Scopes

      This allows the server to:

      • Validate incoming tokens
      • Optionally call APIs like Microsoft Graph

      Many MCP implementations use OAuth flows such as on-behalf-of (OBO)/delegates permissions to call APIs using the user’s identity.

      Step 3: Create App Registration for Copilot Studio (Client)

      Create another app:

      • Name: Copilot-MCP-Client
      • Supported Account Types: Single tenant only

      Configure:

      API Permissions

      Add permission:

      • My APIs → MCP-Server-App
      • Select: access_as_user (delegated)

          Copy the Client Id, secret and the OAuth endpoints for adding the MCP server in Copilot studio interface.

          Grant Admin Consent

          This step is not Mandatory, if not provided an admin consent the user will asked for a consent with the permissions for the app while creating the connection to the MCP Server.

          Step 4: Add MCP Server in Copilot Studio

          Now comes the interesting part.

          In Copilot Studio:

          1. Go to Tools
          2. Click + Add a tool > Model Context Protocol
          3. Provide the details from the Copilot Studio Client app registration and MCP endpoint (e.g., /mcp or /)

          Copilot Studio will:

          • Create a custom connector behind the scenes

          On the next screen, you will get the link to the redirect url

          Now go to the Copilot studio client app registration Authentication section under Manage blade

          • Add Redirect URI (important for Copilot Studio custom connector)
            • Example:

          https://global.consent.azure-apim.net/redirect/xxxx

          Step 5: Create the Connection

          Once the MCP server is added:

          1. Create new connection
          2. Copilot Studio prompts for authentication
          3. Sign in using Entra ID
          4. Consent to permissions

          This creates a connection instance tied to the user

          Now every MCP call:

          • Uses delegated access
          • Runs under the signed-in user context

          Step 6: Test in Copilot Agent

          • Add MCP tool to your agent
          • Invoke a tool (e.g., get users, groups, etc.) with a prompt
          • Verify:
            • Authentication prompt
            • Successful execution
            • User-context data

          Delegated Permissions – Why It Matters

          This setup uses delegated permissions, meaning:

          • The MCP server acts on behalf of the user
          • Access is limited to what the user is allowed to do
          • No over-permissioning (unlike app-only access)

          This is critical for:

          • Enterprise governance
          • Least privilege access
          • Auditability

          Summary:

          In this post, we covered:

          • Why MCP servers must be secured
          • How OAuth + Entra ID fits into MCP architecture
          • Creating two app registrations:
            • MCP Server (resource)
            • Copilot Studio (client)
          • Adding MCP server in Copilot Studio
          • Automatic custom connector creation
          • Using delegated permissions for secure access

          Final Thoughts

          As MCP adoption grows, security is not optional – it’s a design requirement.

          By integrating Microsoft Entra ID with your MCP server:

          • You get enterprise-grade authentication
          • Seamless integration with Copilot Studio
          • Identity-aware AI agents

          And most importantly, you stay in control of your data.