Power Platform Community Forum Thread Details

I'm trying to connect Copilot Studio to a custom MCP Server hosted on Azure Functions using Dynamic OAuth mode. The DCR (Dynamic Client Registration) endpoints I implemented work perfectly when tested from command line, but Copilot Studio gets a 403 Forbidden error. I've exhausted my troubleshooting options and need help identifying what's different about Copilot Studio's requests.

Setup Summary:
Constraints (org policy):

❌ No client secrets allowed
❌ Cannot use "Allow requests from any application" in Easy Auth
❌ API keys not supported

What I configured:

Component	Configuration
App Registration	Single-tenant, exposed scopes, redirect URI from Copilot Studio added
Easy Auth	Microsoft provider, allowedApplications with Power Platform client IDs
Excluded Paths	/.well-known/, /register, /register/
IP Restrictions	CopilotActions, PowerPlatformInfra, PowerPlatformPlex, AzureConnectors service tags allowed
Custom DCR Endpoints	Implemented RFC 7591/8414/9728 since Entra ID doesn't support DCR natively

Copilot Studio Settings:

Auth Type: OAuth 2.0 → Dynamic
Authorization/Token URLs pointing to Entra ID

The Problem:
Error: GetDynamicClientRegistrationResultAsync failed. Status Code: Forbidden

What works (tested via curl/PowerShell):

✅ GET /.well-known/oauth-protected-resource → 200 OK
✅ GET /.well-known/oauth-authorization-server → 200 OK
✅ POST /register → 201 Created (returns client_id/secret)

What fails:

Copilot Studio gets 403 when attempting the same DCR flow.

Questions:

What client IDs / source IPs does Copilot Studio use for DCR requests in Dynamic OAuth mode?
Are there additional service tags needed beyond CopilotActions, PowerPlatformInfra, PowerPlatformPlex?
Does Copilot Studio send headers that might bypass Easy Auth's excluded paths?
Has anyone successfully used Dynamic OAuth with Azure Functions + IP restrictions + Easy Auth allowedApplications?

Any insights appreciated!

Categories:

Model context protocol

Autonomous agents