MCP Tool (Custom Connector) Connection getting stale around every hour

(2) Share

Report

Posted on by chadhap

We have an Azure App Service setup as an MCP server. We are trying to connect to the MCP Server as a Tool in Copilot Studio Agent using Entra OAuth2.0 Authentication. We have setup the Tool to use End User Authentication. The connection is working fine in Copilot Studio and on publishing to Teams and Copilot. The problem is the OAuth Connection keeps getting stale every hour. We have setup the Refresh Url to be the same as the Token URL but looks like the Refresh workflow is not working correctly. Here is the below error that keeps popping up every hour and the connection shows up as stale.

Categories:

Model context protocol

I have the same question (0)

All responses (3)

Answers (0)

chadhap 12 on at

Like (0)

Report
Copy link

Link copied!

Hi,

Sorry for the delayed response. We have not been able to resolve this issue still. We have been working with Microsoft Unified Support for the past couple of weeks without any luck too. We have added offline_access to the Scope and recreated connection. Also, we do not have any Conditional Access Policy that are setup for 1-hour reauth. The closest one we have is for every 8-hour reauth. I do not see any logs for the Copilot Studio account in Entra. If we look at my account as we are using OAuth Connection for my account for testing, I see the success ones where I reconnect the stale connection but I do not see any failed or interrupted sign-in logs.

Service Principal option works without connection becoming stale, but that does not serve our business purpose as we want to have the end-user authentication setup for this agent.

Was this reply helpful? Yes No
Suggested answer

Valantis 840 on at

Like (1)

Report
Copy link

Link copied!

Hi @chadhap , Just wanted to check in and see if everything is working now. If you still need any help, feel free to let me know.

Also, if the issue is resolved, it would be great if you could mark the answer as solved so others with the same question can find it easily.

Thanks and have a great day!

Was this reply helpful? Yes No
Suggested answer

Valantis 840 on at

Like (1)

Report
Copy link

Link copied!
Hi @chadhap,

Your Entra OAuth2 connection goes stale every hour because access tokens expire after 1 hour by default, and your tool probably isn't getting a refresh token.

Try this:

Add offline_access to your OAuth scopes (space-separated) and recreate the connection. Without this, Entra won't issue a refresh token.

Check Entra Conditional Access for Sign-in frequency policies. If there's a 1-hour reauth policy on the app or user, that's forcing the reauthentication.

Look at Entra sign-in and Conditional Access logs for Copilot Studio to see exactly what's blocking token refresh.

If you need zero reauth prompts, switch from end-user authentication to a service principal or app-only credential model. Copilot Studio will always prompt users when tokens expire with end-user auth.

Let me know if that worked out for you.

Was this reply helpful? Yes No