web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
You're Invited to Keeping It Real with the Power Platform
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Copilot Studio / Direct‑to‑Engine block...
Copilot Studio
Suggested Answer

Direct‑to‑Engine blocked by tenant permissions – alternatives and PME option

(1) ShareShare
ReportReport
Posted on by RaghuBose Microsoft Employee
I need to use Direct‑to‑Engine (Agents SDK / Power Platform API) for backend integration. This requires acquiring an Entra ID token with the scope: CopilotStudio.Copilots.Invoke.

Our Copilot Studio environment is hosted in the CORP tenant. Admin consent for CopilotStudio.Copilots.Invoke is not allowed in CORP.

What are the recommended alternatives when Direct‑to‑Engine is blocked due to tenant‑level permission restrictions?

Is it recommended to create or migrate the MCS environment into the PME tenant?

Are there any known limitations, governance constraints, or licensing requirements when creating Copilot Studio environments in PME?
​​​​​​​
Categories:
General topics
I have the same question (0)
  • Suggested answer
    Valantis Profile Picture
    Valantis 4,793 on at
     
    When admin consent for CopilotStudio.Copilots.Invoke is blocked at the tenant level, there are confirmed alternatives for backend integration.

    Alternative 1: Direct Line channel (no CopilotStudio.Copilots.Invoke required)
    Instead of the Agents SDK / Direct-to-Engine approach, use the Direct Line channel. You get a Direct Line secret from Copilot Studio (Channels > Direct Line), then call the Bot Framework Direct Line REST API from your backend using that secret. No Entra admin consent is required for the backend-to-agent communication. The tradeoff is that you lose the user identity propagation that the Agents SDK provides — messages come in under the Direct Line bot identity rather than the end user's identity.

    Alternative 2: Iframe embed (for portal scenarios)
    If the use case allows rendering the agent in a browser context, the iframe embed approach doesn't require CopilotStudio.Copilots.Invoke at all. The token exchange for authentication happens on the client side.
    Alternative 3: Power Automate intermediary
    For server-side integrations, a Power Automate flow can invoke agent flows or run topics via the Copilot Studio API without requiring the user-delegated CopilotStudio.Copilots.Invoke scope.
    On the PME tenant question — can you clarify what PME refers to in your context? The answer on whether creating a Copilot Studio environment in a PME tenant is advisable depends on what governance, licensing, and data residency constraints apply there. Once you clarify I can give a direct answer on that part.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
You're Invited to Keeping It Real with the Power Platform

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the March Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Copilot Studio

#1
Valantis Profile Picture

Valantis 704

#2
Vish WR Profile Picture

Vish WR 249

#3
Haque Profile Picture

Haque 244

Last 30 days Overall leaderboard

Featured topics

Announcing the "Microsoft Copilot Studio ❤️ MCP" lab
Block PII/PCI in Copilot Studio agent user prompt

Product updates

Microsoft Power Platform Community release plans