With the rise of AI agents and extensibility through MCP (Model Context Protocol), exposing your APIs and tools to agents like Copilot Studio is becoming increasingly common. But the catch – without proper authentication, you’re opening the doors to your enterprise data.
In this post, we’ll walk through how to secure an MCP Server using Microsoft Entra ID and consume it from Copilot Studio using delegated permissions.
MCP servers allow AI agents to invoke tools and APIs in a standardized way. When integrated with platforms like Microsoft Copilot Studio, they unlock powerful automation scenarios.
However, MCP servers are essentially OAuth 2.0 resource servers, and every MCP client (like Copilot Studio) acts as an OAuth client.
Why Securing Your MCP Server is Important
Without proper authentication:
Anyone with access to the endpoint could invoke your tools
Sensitive operations such as internal APIs may be exposed
No identity context → no auditing or governance
Modern MCP implementations rely on OAuth-based authentication, ensuring:
Identity-aware requests
Scoped access tokens
Secure communication between client and server
In enterprise scenarios, Entra IDbecomes the natural choice.
Prerequisites
Before we begin, make sure you have:
Access to a Microsoft Entra ID tenant
Access to Microsoft Copilot Studio
Basic understanding of:
OAuth 2.0 / Delegated permissions
App registrations
MCP server up and running (use the repo above)
Architecture Overview
We will configure:
MCP Server → Protected resource (API)
Copilot Studio → Client application
Entra ID → Identity provider
Flow:
User signs in via Copilot Studio
Copilot gets delegated token
Token is sent to MCP Server
MCP Server validates and processes request
Step 1: Create App Registration for MCP Server (Resource API)
Go to Entra ID → App registrations → New registration
Configure:
Name: MCP-Server-App
Supported account types: Single Tenant
After creation:
Copy the Client Id, Tenant Id from the Overview section.
Expose an API
Go to Expose an API
Set Application ID URI (e.g., api://xxx-xxxx)
Add a scope:
Name: access_as_user
Who can consent: Admins + users
Configure Permissions
Add required Microsoft Graph delegated permissions (if needed) or remove it.
This app represents your secured MCP Server
Step 2: Configure MCP Server with Entra ID
In your MCP server, appsettings.json (from repo):
Configure:
Tenant ID
Client ID (MCP Server app)
Scopes
This allows the server to:
Validate incoming tokens
Optionally call APIs like Microsoft Graph
Many MCP implementations use OAuth flows such as on-behalf-of (OBO)/delegates permissions to call APIs using the user’s identity.
Step 3: Create App Registration for Copilot Studio (Client)
Create another app:
Name: Copilot-MCP-Client
Supported Account Types: Single tenant only
Configure:
API Permissions
Add permission:
My APIs → MCP-Server-App
Select: access_as_user (delegated)
Copy the Client Id, secret and the OAuth endpoints for adding the MCP server in Copilot studio interface.
Grant Admin Consent
This step is not Mandatory, if not provided an admin consent the user will asked for a consent with the permissions for the app while creating the connection to the MCP Server.
Step 4: Add MCP Server in Copilot Studio
Now comes the interesting part.
In Copilot Studio:
Go to Tools
Click + Add a tool > Model Context Protocol
Provide the details from the Copilot Studio Client app registration and MCP endpoint (e.g., /mcp or /)
Copilot Studio will:
Create a custom connector behind the scenes
On the next screen, you will get the link to the redirect url
Now go to the Copilot studio client app registration Authentication section under Manage blade
Add Redirect URI (important for Copilot Studio custom connector)
With this capability, custom connectors can access APIs without storing client secrets, significantly improving security and simplifying management.
In this article, we will explore how to configure Managed Identity authentication for a Power Platform custom connector. The approach works for any API secured with Microsoft Entra ID, and we will use Microsoft Graph as an example API.
Why Managed Identity?
Traditionally, Microsoft Entra Id protected APIs are accessed using:
Delegated user authentication
Service Principal or application user authentication
Both require secret management.
Managed Identity removes this requirement.
Key advantages include:
No client secrets to manage
Reduced security risks
Native trust with Microsoft Entra ID
This approach aligns with modern secretless authentication patterns widely used in Azure services.
Authentication Architecture
When using managed identity authentication with custom connectors, the authentication flow looks like this:
Power Apps / Power è Custom Connector (Managed Identity Authentication) è Microsoft Entra ID (Federated Credential Trust) è Target API (e.g., Microsoft Graph)
Instead of storing credentials, the connector uses federated identity trust to obtain access tokens from Microsoft Entra ID.
Step 1: Register an Application in Microsoft Entra ID
First, create an App Registration in Microsoft Entra ID.
Navigate to:
Azure Portal → Microsoft Entra ID → App registrations → New registration
Supported account types: Single tenant
After creating the app, note the following values:
Application (Client) ID
Tenant ID
Managed identity authentication currently supports single-tenant applications.
Step 2: Configure API Permissions
Add the required permissions depending on the API you are accessing.
Since we are using Microsoft Graph as an example, we have left it with the default delegated permission:
User.Read
Grant Admin Consent if required depending on the permissions you have added.
Step 3: Create a Custom Connector
Navigate to the Power Apps or Power Automate Maker Portal.
Create a new connector:
Custom Connectors → New Custom Connector → Create from Blank
Provide a connector name such as:
Managed Identity API Connector
In the General tab configure the API host.
Example for Microsoft Graph:
Host: graph.microsoft.com
Base URL: /
If you are connecting to another API, replace these values with that API’s endpoint.
Step 4: Configure Managed Identity Authentication
In the Security tab.
Authentication Type: OAuth 2.0
Identity Provider: Azure Active Directory
Provide:
Client ID → Application ID of your App Registration
You can define additional actions depending on the API endpoints you want to expose.
For other APIs, configure the corresponding endpoints.
Step 7: Create the Connection
Navigate to the Test tab and create a new connection.
Unlike service principal authentication, you do not need to provide client secrets.
Power Platform will automatically authenticate using the managed identity configuration.
Step 8: Use the Connector
The connector can now be used from:
Power Apps
Power Automate
Benefits of Managed Identity for Custom Connectors
Using managed identity authentication provides several advantages:
Improved Security
No client secrets or certificates are stored in Power Platform.
Reduced Operational Overhead
No secret rotation or credential management.
Current Limitations
This capability is currently in preview
Summary:
Managed Identity authentication for Power Platform custom connectors enables secure, secretless access to APIs. Although we used Microsoft Graph as the example, the same pattern can be applied to any API secured with Microsoft Entra ID.
This approach simplifies security management and provides a cleaner architecture for enterprise Power Platform integrations.
In this section of the blog series, we’ll walk through the steps to create a Microsoft Graph subscription for Teams presence updates based on the Custom connector created on the previous post and configure a Power Automate flow to receive and process these updates through Azure Event Hub.
Step 1: Creating a Microsoft Graph Subscription for Teams Presence
Using the custom connector built in Part 1 of this blog series, initiate the Microsoft Graph subscription by calling the Create Subscription action
When creating a Microsoft Graph subscription for Teams presence updates, make sure to update the following fields in your request payload:
notificationUrl URL where Microsoft Graph will send presence update notifications. This should point to your Azure Event Hub endpoint configured to receive events.
lifecycleNotificationUrl URL to handle lifecycle events such as validation and subscription expiration. This should point to an endpoint capable of processing these system-level callbacks (optional but recommended).
resource This defines the target of the subscription. Format: /communications/presences/{userId}
Replace {userId} with the Object ID (GUID) of the Azure AD user whose presence updates you want to track.
expirationDateTime Timestamp defining when the subscription expires.
For presence, the maximum allowed duration is 1 hour.
Use ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ
Tip: After the subscription is successfully created, make sure to note down the Subscription ID, as it is required to renew the presence subscription— which must be refreshed every hour. This renewal process can be automated using a scheduled Power Automate flow.
Step 2: Receiving Notifications via Azure Event Hub
Azure Event Hub serves as a high-throughput ingestion pipeline for Microsoft Graph notifications. After the subscription is created, presence change events are pushed into the specified Event Hub.
Each event includes metadata such as the subscription ID, resource details containing user information, and a timestamp—enabling you to respond effectively to presence status changes in real time.
As seen in the payload above, user availability or activity changes in Microsoft Teams are not directly visible—this data is encrypted. To access it, you’ll need to configure certificate-based encryption and decrypt the payload accordingly. We’ll cover this process in detail in the next blog post.
Step 3: Creating a Power Automate Flow to Process Presence Updates
Now that presence updates are routed into Azure Event Hub, we’ll use Power Automate to process these updates.
Steps to Configure:
Trigger:
Use the “When events are available in Event Hub” trigger (premium connector).
Create a New connection using the Authentication type Microsoft Entra ID Integrated
After the Connection is created, you would be able to select the Event hub from the dropdown to complete the trigger configuration.
Parse Event Data:
Use a Parse JSON action to extract userId, subscriptionId, and changeType from the incoming event schema.
You can get the payload which is in Base64 format by using the expression base64ToString(triggerOutputs()?[‘body/ContentData’])
Act on Status Change:
Act of the notification by making a another query to the presence endpoint or subscription to rich notications by using certificate which we will discuss in our next blog post
Note: Once the Power Automate flow is configured to receive events from the Event Hub, the Data Explorer in the Azure Portal will no longer display events, as the Event Hub allows only one active consumer per consumer group. There would be an Error message like: At least one receiver for the endpoint is created with epoch of ‘638819602939505217’, and so non-epoch receiver is not allowed.
What’s Next?
In the next part, we will explore how to receive rich presence notifications from Microsoft Teams users, including availability and activity details. Specifically, we will cover:
How to configure certificate-based encryption to enable rich notifications
How to retrieve availability information from the encrypted payload
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I publish them.
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I publish them.
In today’s data-driven world, businesses rely on integration between their data sources and analysis platforms to derive insights and make informed decisions. One such powerful combination is leveraging Snowflake, a leading cloud-based data warehousing platform, alongside Microsoft Power Platform. In this blog series, we’ll delve into the options of integrating Snowflake data sources into Power Platform, exploring both custom and out-of-the-box connector options. In Part 1, our focus will be on setting up and configuring Snowflake, followed by creating a custom connector that leverages Snowflake’s SQL REST API. This connector facilitates the connection between Snowflake and the Power Platform services such Power Apps and Power Automate.
Pre-requisites:
Snowflake account with Account Admin access: Snowflake offers a 30-day trial, granting full access to explore its capabilities. You can select either Azure/AWS/GCP
Entra ID access (Global Admin or Privileged Administrator Role) to create App registration and grant Admin consent: Ensure you have Entra ID access to enable the creation of App registrations and to grant Admin consent for necessary permissions.
Power Platform Administrator Role: To make adjustments to allow custom connector endpoints for Snowflake identifier URL, especially in cases where endpoints are blocked by the tenant scoped DLP policy.
Maker or System Administrator access in a Power Platform Environment: Access privileges should include Maker or System Administrator rights within your Power Platform environment to register custom connector.
Power Apps premium license: A Power Apps premium license is required to use a custom connectors in a Power Apps or a Cloud flow.
This blog post is divided into the following sections:
Creation of Entra ID Apps.
Setup Snowflake Environment.
Creation of a custom connector & DLP Policy Update.
Creation of Entra ID Apps:
There are two app registrations required to facilitate the API access through Microsoft Entra ID, where one would represent the Snowflake OAuth resource and the other would represent the OAuth client application which would be in this case the custom connector
Section 1 – Registering an Application in Microsoft Entra ID for Snowflake OAuth resource:
In the Entra ID portal, navigate to App registrations and click + New registration. Enter a name, such as Snowflake OAuth resource, and proceed by clicking the Register button, leaving all settings as default.
Under the Manage section in the side menu, select Expose an API. Set the Application ID URI with the default value and remember to copy this value for future use. This will be known as external_oauth_audience_list in the section Setup and configuration in Snowflake
Click on the Add a scope button to access the panel. The Snowflake Role Public is added as an OAuth scope for OAuth flows where the Snowflake OAuth client acts on behalf of a user from the custom connector. If there is a custom Snowflake role, it should be added as a scope instead of ‘Public’:
Enter a new Scope name as session:scope:PUBLIC
Set Admin consent display name to Account Admin
Provide Admin consent description as “Can Administer the Snowflake account”
Ensure the Enabled scope state is selected.
Complete the process by selecting the Add scope button to create the scope.
Section 2 – Registering an Application in Microsoft Entra ID for Snowflake OAuth client:
In the Entra ID portal, navigate to App registrations and click + New registration. Enter a name, such as Snowflake OAuth client, and proceed by clicking the Register button, leaving all settings as default.
Retrieve the Client ID, Tenant Id from the Overview section of the Entra ID app and generate a secret through the Certificates & secrets under the Manage blade. Once the secret is successfully created, copy its value for use in configuring the custom connector OAuth Authentication.
In the API permissions section under the Manage blade, click + Add a permission and search for Snowflake OAuth resource, the application created previously.
Select the Delegated permission session:scope:PUBLIC defined in the previous section as shown below, and grant Admin consent.
Everything is configured in Entra ID. Now, let’s move on to Snowflake to set up the necessary components for this integration to function.
Let’s head in to the Snowflake instance as an Account Admin. Here, you’ll create a
Create Database with sample data & grant roles
Set up security integration
Create a user in Snowflake synchronized with the Entra ID user
Log in to the Snowflake instance to copy the Identifier URL as shown below. This URL will be used in the custom connector to access the Snowflake REST API.
Create a SQL Worksheet as shown below and execute the following script to set up the Snowflake environment by creating a warehouse, database, and table named ‘rockers_table’. Sample data is inserted into the table, and permissions are granted to the ‘public’ role for accessing and updating the table:
-- Switch to the 'accountadmin' role
use role accountadmin;
-- Create the HOL_WH warehouse with size 'X-SMALL'
CREATE OR REPLACE WAREHOUSE HOL_WH WITH WAREHOUSE_SIZE='X-SMALL';
-- Create the HOL_DB database
CREATE OR REPLACE DATABASE HOL_DB;
-- Grant usage on the warehouse HOL_WH to the role 'public'
GRANT USAGE ON WAREHOUSE hol_wh TO ROLE public;
-- Grant usage on the database HOL_DB to the role 'public'
grant usage on database hol_db to role public;
-- Grant usage on the schema HOL_DB.PUBLIC to the role 'public'
grant usage on schema hol_db.public to role public;
use role accountadmin;
-- Switch to the HOL_DB database
use database HOL_DB;
use warehouse HOL_WH;
-- Create the 'rockers_table' table
CREATE TABLE rockers_table (
id INT,
name VARCHAR(50),
age INT
);
-- Insert data into the 'rockers_table' table
INSERT INTO rockers_table (id, name, age)
VALUES (1, 'Jimi Hendrix', 27),
(2, 'Janis Joplin', 27),
(3, 'Elvis Presley', 42),
(4, 'Freddie Mercury', 45),
(5, 'Whitney Houston', 48),
(6, 'Michael Jackson', 50),
(10, 'John Lennon', 40);
-- Grant select and update permissions on the 'rockers_table' table to the role 'public'
grant select, update on table hol_db.public.rockers_table to role public;
Set up security integration:
Let’s proceed to create the Security integration, which is a Snowflake object that establishes an interface between Snowflake and Entra ID. This integration is a prerequisite for enabling Entra OAuth authentication in the custom connector. Execute the following script:
Replace the tenantid in ‘external_oauth_issuer’ and ‘external_oauth_jws_keys_url’, and the Application ID URI in ‘external_oauth_audience_list’. These values should be copied from sections 1 and 2 of the Entra ID app creation process written above.
Create a user in Snowflake synchronized with the Entra ID user:
We’ll create a user in Snowflake that mirrors the Entra ID user upn as created in the security integration. In the User & Roles section under Admin, click + User. The login name should be the UPN (User Principal Name) from Entra ID/AD. Once the required details are entered, proceed to click on Create User.
Creation of a custom connector & DLP Policy Update:
The custom connector serves as a wrapper around the Snowflake REST API, facilitating communication between Power Apps or Power Automate and the API. To create this connector, navigate to Custom connectors in the Power Apps/Power Automate maker portal, then click on + New custom connector and select Create from blank. Enter the connector name, and on the subsequent screen, enter the Snowflake Identifier URL in the Host field and some description about the connector.
Now click Security on the right bottom corner or from the Tab to enter the Entra ID application information copied from the App registration Snowflake OAuth Client for the OAuth 2.0 authentication type. Under the section OAuth 2.0
Change the Identity provider to Azure Active Directory
Enter the Client id & Client secret copied from the Section 2 of the Entra ID app registration Snowflake OAuth Client
Enter the Resource URL as api://applicationIDURI copied from the Section 1 of the Entra ID app registration Snowflake OAuth Resource
Enter the Scope as session:scope:PUBLIC based on the permissions you have added. Leave a space between each permission if there are multiple permissions
The connector is now prepared to add actions based on the Snowflake REST API endpoints. Snowflake’s REST API offers functionalities such as submitting SQL statements, checking execution statuses, cancelling executions, and fetching query results concurrently. This blog post will primarily concentrate on integrating with the API to submit SQL statements. For more guidelines, it’s recommended to look at the Snowflake REST API documentation for best practices.
Let’s proceed to add an action for submitting a SQL statement. Navigate to Definitions and select + New action. Once you’ve filled in the Summary, Description, and Operation ID (e.g., GETSFData), click on + Import from sample under the Request section, and input the following details:
{
"statement": "select name, age from rockers_table;",
"timeout": 60,
"database": "HOL_DB",
"schema": "PUBLIC",
"warehouse": "HOL_WH",
"role": "PUBLIC"
}
Click Import & Update connector then proceed to click the Test tab and create a New connection. In the event of encountering DLP error message indicating that connection creation has been blocked by Data Loss Prevention (DLP) policy. Add the Snowflake Identifier URL as a connector pattern allowed in the Business/Non Business category of the DLP policy.
VOILA, everything is set up. You can now test the action to execute a SQL statement to retrieve data from the rockers_table as shown below:
The request body for updating an existing item is
{
"statement": "UPDATE rockers_table SET Name = 'Mohamed Ashiq' WHERE ID = '1';",
"timeout": 60,
"database": "HOL_DB",
"schema": "PUBLIC",
"warehouse": "HOL_WH",
"role": "PUBLIC"
}
Summary:
In the next part of the blog series, we’ll explore how to manipulate the response from the connector action. This involves adding C# code in the custom connector to facilitate the display in Power Apps gallery control without using a Power Automate flow. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do look at my other blogposts.
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I publish them.
Capabilities like text-to-speech (TTS) and audio playback can take your applications to new heights of user engagement and accessibility. In this blog post, we’ll look at integrating text-to-speech and audio playback functionalities into Power Apps using Power Automate and Azure Speech Services. Whether you’re looking to provide dynamic narration, streamline communication, or enhance accessibility, this post will walk you through the steps to integrate TTS capabilities into your Power Apps projects.
Prerequisites:
Before you begin, ensure that you have the following prerequisites in place:
Maker role in Power Platform environment
Premium License – HTTP Connector
Azure Subscription Access
Azure Speech services – Text to speech
Creating Speech Services in Azure for Text to Speech:
Azure provides Speech Services that enable developers to integrate advanced speech capabilities into their applications, including Text to Speech (TTS). With Azure Speech Services, you can convert text into speech in various languages and voices.
Step 1: Create the resource Speech services in the Azure Portal
Step 2: Copy the Key from the Keys and Endpoint section within the Resource Management blade. This Key is used for authentication when making requests to the Speech service APIs, enabling text-to-speech conversion in the Power Automate flow through the HTTP connector.
Step 3: Go to the Speech Studio to choose a voice from the gallery provided in Text to Speech section. Alternatively, you can create a custom voice using your own audio recordings. The Speech Studio can also be accessed from the Overview section of the Speech service in the Azure portal.
Power Automate Flow to convert the text to speech:
The Power Automate serves as a tool in orchestrating the integration between Power Apps and Azure Speech Services, enabling communication between the components. Create an Instant Power Automate flow with the trigger “PowerApps (V2)” either from the Power Automate portal or directly from the Power Apps maker interface. Add a text input varTextInput as shown below to send the text from the Power Apps
The next step involves converting the text to speech/audio utilizing the Text to Speech REST API through the HTTP connector action. Add the HTTP action with request details as below
Method: POST
URI: Depending on the region where you’ve created the Azure Speech resource, select the corresponding Rest API endpoint from the list in the Microsoft documentation. For instance, if the Speech Service resource is created in West Europe, the URL will be:
In the request body, add the varTextInput included to the Power Apps trigger. I have added the voice en-US-JennyNeural, you can select it from the voice gallery as discussed above.
Next, add a Compose action to convert the audio generated from the HTTP action into base64 format. This will serve as the text output passed in the Respond to a PowerApp or flow action, as shown below:
Let’s develop the app for the text narration feature, where users can input text to be converted into audio using the Power Automate flow created earlier. On the Canvas, add a Text Input control for entering the desired text, an Audio control to play the audio generated from the Azure text-to-speech service, and a button to trigger the Power Automate flow. Make sure the flow is added to the Power Apps. Add the following code to the OnSelect property of the button
// Reset the Audio1 control to its default state, clearing any previous audio. Reset(Audio1);
// Run the TexttoSpeechFlow Power Automate flow, passing the text from TextInput1 as input. // Store the result (converted audio) in the varconvertedAudio variable. Set(varconvertedAudio, TexttoSpeechFlow.Run(TextInput1.Text));
// Set the playAudioContent variable to false, ensuring that any previous audio playback is stopped. Set(playAudioContent, false);
// Set the playAudioContent variable to true, triggering playback of the newly converted audio. Set(playAudioContent, true);
The variable playAudioContent will be used in Audio control Star property to play the audio automatically
The Media property of the Audio control should have the following formula, depending on the output variable added in the ‘Respond to PowerApps or flow’ action of the Power Automate flow
The x-wav is the format of the generated audio from the Text to Speech REST API in the Power Automate flow which can be validated from the output of the HTTP action HTTP-TexttoSpeech
You are now ready to test your app.
Summary:
By combining the power of Power Automate and Azure Speech Services developers can quickly integrate text-to-speech and audio playback functionalities into their Power Apps. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do look at my other blogposts.
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I publish them.
Mohamed Ashiq Faleel 