Copilot Studio

Custom MCP in Copilot Studio: Published agent users unable to create OAuth connection

(0) Share

Report

Posted on by CU08050735-0

We are testing a custom MCP integration with Microsoft Copilot Studio.

As the maker, we are able to:

create the connection successfully
complete OAuth authentication
use the MCP tools inside Copilot Studio

However, after publishing the agent, end users are unable to create their own connection properly.

When the published agent prompts users to create or pick a connection, the dialog appears blank and no connection options are shown. As a result, end users cannot authenticate with their own account even though the agent is configured for end-user credentials.

Questions:

Are custom MCP servers officially supported for published Copilot Studio agents using end-user credentials?
Is the blank “Create or pick a connection” dialog a known issue?
Are there additional requirements for enabling end users to create their own OAuth connections for MCP servers?

Would appreciate any guidance on whether this scenario is currently supported or if there are recommended workarounds.

Categories:

Model context protocol

I have the same question (0)

All responses (3)

Answers (0)

Sort by

Suggested answer

Beyond The Platforms 219 on at

Like (0)

Report
Copy link

Link copied!

This behavior is expected and is due to a current platform limitation, not a misconfiguration.

Custom MCP Servers in Copilot Studio are still in preview. While OAuth authentication works correctly for makers during design and testing, end-user OAuth connections for Custom MCP Servers are not fully supported yet in published agents.

What happens in this scenario is:

- The maker can successfully create and use the OAuth connection.

- After publishing, Copilot Studio attempts to prompt end users to “Create or pick a connection”.

- Because end-user OAuth connections for Custom MCP Servers are not currently supported, the connection picker dialog appears empty and the user cannot authenticate.

This is not related to Dataverse permissions, environment roles, or missing configuration. Re-publishing the agent or changing security settings does not resolve the issue.

Recommended workarounds at this time:

- Use a maker-managed OAuth connection (application/service credentials) so the agent runs with a single shared connection.

- If per-user OAuth is required, expose the API via a Custom Connector instead of a Custom MCP Server, as Custom Connectors fully support end-user OAuth connections in published agents.

Microsoft has indicated that MCP support is evolving, and broader end-user authentication scenarios are expected in future updates, but today this is a known limitation of Custom MCP Servers.

Hope this helps!
Paolo

✅ Did this solve your issue? → Accept as Solution
👍 Partially helpful? → Click "Yes" on "Was this reply helpful?" or drop a Like!

Want more tips on Power Platform & AI? Follow me here:

🔗 LinkedIn: https://www.linkedin.com/in/paoloasnaghi/
▶️ YouTube: https://www.youtube.com/@BeyondThePlatforms
📸 Instagram: https://www.instagram.com/beyond_the_platforms/
🌐 Website: https://www.beyondtheplatforms.com/

Was this reply helpful? Yes No
Suggested answer

Sajeda_Sultana 166 on at

Like (0)

Report
Copy link

Link copied!

Hi @CU08050735-0,

This looks like a current limitation with Custom MCP in Copilot Studio.

Right now, makers can authenticate successfully during development, but published agents do not yet fully support end-user OAuth connection creation for custom MCP servers. That’s why the “Create or pick a connection” dialog appears blank for end users.

For the current setup, the recommended approach is to use a maker-owned connection or a service principal–based connection instead of end-user OAuth.

These Microsoft docs may help:

Create and manage connections in Copilot Studio: https://learn.microsoft.com/microsoft-copilot-studio/authoring-connections

(Explains agent-owned vs user-owned connections.)

App registration, agent identities, and authentication: https://learn.microsoft.com/microsoft-copilot-studio/requirements-certificates-configuration-values

(Covers Entra ID app registrations and service principal authentication for agents.)

✅ If this helped solve your issue, please Accept as Solution so others can find it quickly.

❤️ If it didn’t fully solve it but was still useful, please click “Yes” on “Was this reply helpful?” or leave a Like :).

🏷️ For follow-ups @Sajeda_Sultana

Was this reply helpful? Yes No
Nivedipa-MSFT Microsoft Employee on at

Like (0)

Report
Copy link

Link copied!
Hello CU08050735-0,
This is a known limitation. Custom MCP connectors with end-user OAuth in published Copilot Studio agents are still not fully polished yet, and a blank "Create or pick a connection" dialog usually means the connector isn't available to the end user in their environment.

Fix checklist

Share the custom connector with end users (Power Apps → Custom connectors → Share → Can use).

Package the agent and connector in the same Solution and deploy them to the consumer environment.

Confirm auth mode = "End user" on the MCP tool, then republish.

OAuth app registration:

Redirect URI https://global.consent.azure-apim.net/redirect

Multi-tenant if users are in another tenant

Admin consent granted if needed

Test it independently — have the user create the connection manually at Power Apps → Connections → + New. If that fails, the agent will too.

Check tenant consent policy (Power Platform admin center) — some tenants block third-party connector consent for end users.

Workaround

If it's blocked, switch the MCP tool to maker-provided credentials (single shared connection) — only if per-user identity isn't required.

If you found the information above helpful, I would appreciate it if you could share your feedback.
Your feedback is important to us. Please rate us:

🤩 Excellent 🙂 Good 😐 Average 🙁 Needs Improvement 😠 Poor

Was this reply helpful? Yes No