Unanswered

Configuring Manual Auth for retrieving Dataverse information in a public web agent scenario

(1) Share

Report

Posted on by RodrigoCardosoDaSilva

Hi everyone,

I am currently developing a Copilot Studio agent that will be deployed on a public website. The requirement is to allow anonymous users (unauthenticated) to interact with the bot. However, the agent needs to query and retrieve data from a Dataverse table to provide specific answers.

The Issue:
By default, when a bot is set to "No Authentication," it operates under the user's context (which is null in this case). To access Dataverse, I need the bot to authenticate as a specific identity - specifically, an Azure App Registration (Service Principal) - to fetch the data without prompting the end-user for any credentials.

Current Approach:
I am exploring the "Manual (for any channel)" authentication setting in Copilot Studio. I want to use the Client ID, Client Secret, and Token URL from my Azure App Registration to establish a Service-to-Service (S2S) connection.

Questions:

Compatibility: Can I use the "Manual" authentication configuration to handle backend S2S calls while keeping the frontend experience completely anonymous for the web user?
Configuration Details: In the "Manual" auth settings, what are the specific scopes required for Dataverse when using the Client Credentials flow?
Application User: Beyond the Azure side, are there specific roles that must be assigned to the Application User in the Power Platform Environment to ensure the bot can successfully "impersonate" this service identity?
Best Practices: Is it better to handle this via a Power Automate flow configured with a Service Principal connection, or is it possible to achieve this natively within Copilot Studio topics using the Dataverse knowledge source and the Manual Auth token?

Also, I want to avoid a scenario where the bot triggers a sign-in card for a public user. Any insights on the correct "App Registration + Copilot Studio Auth" handshake for this specific architecture would be very helpful!

If someone has achieved the proper configuration for this scenario, I'd ask to please share the steps or documentation.

Categories:

Bot extensibility

Publish & channel management

I have the same question (0)

All responses (2)

Answers (0)

Sort by

Sajeda_Sultana 79 on at

Like (1)

Report
Copy link

Link copied!
Hi @RodrigoCardosoDaSilva,

In a public web agent scenario, I’d avoid Manual Auth and instead use the Dataverse Web API with a service principal (Application User) on the back end.
Pattern I’ve used successfully:

Keep the web copilot public (no sign‑in for end users).

Have the copilot call your own API (or Power Automate flow).

That API uses the Dataverse Web API with client credentials (service principal) and a restricted security role to read only the needed tables.

I’ve solved a very similar requirement for showing Dataverse data in multiple mobile applications, and this pattern works well to keep users anonymous while still securely surfacing Dataverse data.

✅ If this helped solve your issue, please Accept as Solution so others can find it quickly.

❤️ If it didn’t fully solve it but was still useful, please click “Yes” on “Was this reply helpful?” or leave a Like :).

🏷️ For follow-ups @Sajeda_Sultana

Was this reply helpful? Yes No
Vish WR 1,021 on at

Like (0)

Report
Copy link

Link copied!
Instead of using Copilot Studio's authentication settings, I would suggest having a cloud flow in Power Automate that connects to Dataverse. You have two solid options depending on your setup:

Option 1: Standard Connection (Simpler) If you're okay using your own user account or a service account that already has access, use a regular Dataverse connection. It's straightforward – Power Automate handles the auth, and your bot just calls the flow. Your anonymous users never see anything on their end.

Option 2: Service Principal Connection (More Secure) If you want proper S2S with your App Registration, set up the connection using your service principal credentials. Power Automate manages all the token stuff automatically – you don't have to think about it. This is probably the "right" way if you're worried about security and scalability.

Create a cloud flow in Power Automate

Add your Dataverse connector (pick standard or SPN based on what makes sense for you)

Build your query to get the data your bot needs

In Copilot Studio, just add an "Invoke Power Automate flow" action

Pass in whatever parameters your query needs, and grab the results

Use that data in your bot responses

Reference : (not a promotion for their blog or YouTube) purely sharing the reference

How to use a Service Principal in Power Automate for a Dataverse connection

https://community.dynamics.com/blogs/post/?postid=33a9437c-09c9-4ac8-ba56-2d8223f82adf

How to Trigger a Power Automate Flow in Copilot Studio

https://www.youtube.com/watch?v=H-E2kpd5L3M

https://community.powerplatform.com/forums/thread/details/?threadid=2f2ea7af-e722-f111-8341-0022482aa60e

Vishnu WR

LinkedIn - My Tech Space

Please ✅ Does this answer your question if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider answering Yes to Was this reply helpful? or give it a Like ♥

Was this reply helpful? Yes No