Copilot Studio
MCP Tool (Custom Connector) Connection getting stale around every hour

We have an Azure App Service set up as an MCP server. We are trying to connect to the MCP Server as a Tool in a Copilot Studio Agent using Entra OAuth 2.0 Authentication. We have set up the Tool to use End User Authentication. The connection is working fine in Copilot Studio and on publishing to Teams and Copilot. The problem is that the OAuth Connection keeps getting stale every hour. We have set up the Refresh URL to be the same as the Token URL, but it looks like the Refresh workflow is not working correctly. Here is the error that keeps popping up every hour, after which the connection shows up as stale.

  • Suggested answer from Valantis

    Your Entra OAuth2 connection goes stale every hour because access tokens expire after 1 hour by default, and your tool probably isn't getting a refresh token.

    Try this:

    1. Add offline_access to your OAuth scopes (space-separated) and recreate the connection. Without this, Entra won't issue a refresh token.

    2. Check Entra Conditional Access for Sign-in frequency policies. If there's a 1-hour reauth policy on the app or user, that's forcing the reauthentication.

    3. Look at Entra sign-in and Conditional Access logs for Copilot Studio to see exactly what's blocking token refresh.

    4. If you need zero reauth prompts, switch from end-user authentication to a service principal or app-only credential model. Copilot Studio will always prompt users when tokens expire with end-user auth.


    Let me know if that worked out for you.

  • Suggested answer from Valantis

    Hi @chadhap , Just wanted to check in and see if everything is working now. If you still need any help, feel free to let me know.

    Also, if the issue is resolved, it would be great if you could mark the answer as solved so others with the same question can find it easily.


    Thanks and have a great day!

  • chadhap
    Hi,

    Sorry for the delayed response. We have not been able to resolve this issue still. We have been working with Microsoft Unified Support for the past couple of weeks without any luck too. We have added offline_access to the Scope and recreated the connection. Also, we do not have any Conditional Access Policies set up for 1-hour reauth. The closest one we have is for every 8-hour reauth. I do not see any logs for the Copilot Studio account in Entra. If we look at my account, as we are using the OAuth Connection for my account for testing, I see the successful ones where I reconnect the stale connection, but I do not see any failed or interrupted sign-in logs.

    The Service Principal option works without the connection becoming stale, but that does not serve our business purpose, as we want to have the end-user authentication setup for this agent.

  • jDeveloper
    Hi,

    Just checking in to see if there is any update on this issue. We are experiencing the same behavior with MCP tools in Copilot Studio using OAuth 2.0 end-user authentication: the connection works initially but becomes stale after the access token expires, even with offline_access configured and no restrictive Conditional Access policies in place.

    Is this a known product issue, and is there any recommended workaround or roadmap for proper refresh token handling for MCP tools?

    Thanks!

  • AE-26020945-0
    Is it possible to make this a high prio case?
    We have exactly the same issue as described above.
    Has anyone found a solution for this?
  • CU24031433-0
    Hello, we have currently hit the same roadblock. Did you manage to solve it in any way?
  • SW-27031042-0
    Just stumbled on the same issue too. This is a showstopper before being able to publish an agent to the business. The process for "re-connecting" is anything but intuitive in M365 Copilot.
  • CU17041014-0 (Microsoft Employee)
    We're experiencing the exact same problem. Here's our setup in detail:

    Architecture:
      - Copilot Studio agent using Claude Sonnet 4.6 as the reasoning model
      - Two MCP servers deployed as Azure Container Apps (one for profile generation, one for PowerPoint rendering + SharePoint write)
      - The PowerPoint renderer MCP uses OAuth 2.0 (Manual configuration) with On-Behalf-Of (OBO) flow to write files to SharePoint via Microsoft Graph API

    OAuth configuration in Copilot Studio (MCP tool):
      - Authentication: OAuth 2.0, Manual
      - Client ID: <our app registration client ID>
      - Client Secret: <valid secret>
      - Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
      - Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
      - Refresh URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token (same as Token URL, as per Microsoft docs)
      - Scopes: api://<client-id>/access_as_user offline_access

    Azure AD App Registration:
      - Custom scope exposed: api://<client-id>/access_as_user
      - Delegated permissions: Sites.ReadWrite.All, User.Read
      - Application permissions: Sites.Read.All, Sites.ReadWrite.All
      - Admin consent granted for all
      - Redirect URI from Copilot Studio is registered under Authentication → Web

    What works:
      - Initial OAuth connection succeeds — user is prompted to sign in, consent is granted
      - The MCP server receives the user's token in the Authorization header
      - OBO token exchange succeeds and files are written to SharePoint with per-user permissions
      - Everything works correctly for the first ~60 minutes

    What breaks after ~1 hour:
      - The connection shows as "stale" in Copilot Studio
      - The MCP tool calls fail with token refresh errors
      - Users must manually re-authenticate by going back to the tool configuration and creating a new connection
      - Error observed: OAuth 2 access token refresh failed: invalid_grant

    What we've verified:
      - offline_access is included in the scopes (this should trigger issuance of a refresh token)
      - The Refresh URL is correctly set to the /oauth2/v2.0/token endpoint
      - The app registration is configured as a confidential client (not public)
      - The client secret is valid and not expired

    Our conclusion:
    It appears Copilot Studio is either not storing the refresh token returned by Azure AD, or not invoking the refresh flow when the access token expires. The 1-hour expiry aligns exactly with the default Azure AD access token lifetime, confirming the refresh is simply not happening.

    Any guidance would be appreciated.
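An added diagnostic, not code from the thread or from Microsoft, that replays the refresh_token grant the Refresh URL above is expected to perform and classifies the token-endpoint response; it covers Valantis's point 1 (no refresh token is issued without offline_access) and the invalid_grant error reported in this post, so a tool owner can tell the two apart outside Copilot Studio. TOKEN_URL keeps the thread's <tenant-id> placeholder, the HINTS wording is my own, and the responses in demo() are constructed, not captured from Entra.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholder tenant as in the thread; substitute your tenant id before a live run.
TOKEN_URL = "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token"
HINTS = {  # what each outcome usually means for a Copilot Studio end-user connection
    "invalid_grant": "refresh token rejected (expired, revoked, or a sign-in frequency policy)",
    "no_refresh_token": "no refresh_token returned: offline_access missing or not consented",
}

def token_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT signature verification (diagnostic use only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def classify(resp: dict, now=None) -> dict:
    """Reduce a v2.0 token-endpoint JSON body to a verdict a tool owner can act on."""
    now = time.time() if now is None else now
    if "error" in resp:
        return {"ok": False, "error": resp["error"], "hint": HINTS.get(resp["error"], "")}
    exp = token_claims(resp["access_token"]).get("exp", now + resp.get("expires_in", 0))
    has_rt = "refresh_token" in resp
    return {"ok": True, "has_refresh_token": has_rt, "seconds_left": int(exp - now),
            "hint": "" if has_rt else HINTS["no_refresh_token"]}

def refresh_live(client_id: str, client_secret: str, refresh_token: str, scope: str) -> dict:
    """Replay the refresh_token grant the Refresh URL is expected to POST, then classify it."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret, "grant_type": "refresh_token",
        "refresh_token": refresh_token, "scope": scope}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as r:
            return classify(json.load(r))
    except urllib.error.HTTPError as e:  # Entra returns 400 with a JSON error body
        return classify(json.load(e))

def demo(now: float = 1_700_000_000.0):
    """Constructed sample responses (not captured from Entra) run through classify()."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    jwt = ".".join([b64({"alg": "none"}), b64({"exp": now + 3600}), ""])  # unsigned, test-only
    good = classify({"access_token": jwt, "refresh_token": "rt-sample", "expires_in": 3599}, now)
    no_rt = classify({"access_token": jwt, "expires_in": 3599}, now)
    bad = classify({"error": "invalid_grant", "error_description": "(constructed)"}, now)
    return good, no_rt, bad
```

If refresh_live() succeeds with has_refresh_token True while the Copilot Studio connection still goes stale, the refresh token is being issued and accepted, which points at the tool not storing or using it rather than at the Entra configuration.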
