Copilot Studio Replace Azure App Registration with User Based Authentication in HTTP Flow

Hi everyone,

I have created an agent in Copilot Studio, as shown in the image. I am using a flow as a tool in the agent, and the flow includes an HTTP action connector to perform CRUD operations on the Dynamics 365 F&O API. Both Copilot Studio and Dynamics 365 are in the same tenant.
Currently, the HTTP action uses a Client ID and App Registration (Azure AD) for authentication, allowing access to retrieve and manipulate data from Dynamics 365.
I would like to change this approach: instead of using the Azure App Registration for authentication, I want to use the logged-in user's credentials when they interact with the agent. My goal is to strengthen security, since many users in our organization have access to tenant resources (including Copilot Studio and flows). If someone has the API credentials, they could potentially use them outside the intended scope.
I would appreciate your suggestions and recommendations on how to implement user-based authentication for this scenario.

 
 
 
 
  • Suggested answer
    Valantis
     
    Good goal and Microsoft docs confirm this is achievable. Two approaches depending on how much you want to change.
     
    Approach 1 - Use the Dynamics 365 connector instead of HTTP (recommended)
     
    Instead of the HTTP action with AD OAuth app credentials, replace it with the built-in Dynamics 365 connector in Power Automate. The Dynamics 365 connector supports user-delegated connections. When the flow runs as a tool in a Copilot Studio agent that has user authentication enabled, the flow runs under the user's credentials, not the author's.
    From Microsoft docs: "In a supported authenticated agent, cloud flows can be configured to use user credentials when they're run as part of a generative orchestration plan or called from a topic."
     
    Steps:
    1. In Copilot Studio: Settings > Security > Authentication. Set to "Authenticate with Microsoft" (if Teams only) or "Authenticate manually" with Entra ID V2 and Require users to sign in enabled.
    2. In the flow: replace the HTTP action with Perform an unbound action or List rows / Create record from the Dataverse or Dynamics 365 connector.
    3. In the flow tool settings in Copilot Studio: set authentication to User authentication instead of Agent author authentication. Users will be prompted to consent to the connection on first use.

    Approach 2 - Keep HTTP action, pass user token from Copilot Studio

    If you must keep the HTTP action (for example to call F&O OData endpoints not covered by standard connectors):
    1. Enable user authentication in Copilot Studio as above.
    2. The User.AccessToken variable becomes available in your agent topics once the user is signed in.
    3. Pass User.AccessToken as an input parameter to the flow.
    4. In the HTTP action, change Authentication type to Raw and set the Authorization header to Bearer {the token input parameter}.
     
    This passes the signed-in user's delegated token directly to the D365 F&O API. The API call executes under that user's identity and D365 security roles apply.
     
    Note: the docs warn not to use User.AccessToken in flows you do not trust, and to scope it carefully. Token expiry also means the flow will fail on longer sessions unless re-auth is triggered.
     
    For Teams deployment specifically, set up SSO (single sign-on) so users are not prompted to sign in manually. The docs confirm Teams SSO with OBO flow means users sign in once and the token passes through without a separate consent prompt.
     
     

     

    Best regards,

    Valantis
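
An added example (not part of the answer above or of Microsoft's documentation): a pre-flight check on the token passed in Approach 2, rejecting tokens with the wrong audience, app-only tokens that lack `scp`, and tokens close to expiry before they are forwarded. The audience URL, the 300-second threshold and the sample claims are assumptions; the signature is not verified here, which remains the API's job.

```python
import base64
import json
import time

# Assumption: placeholder for your F&O environment URL (the audience the token must target).
EXPECTED_AUDIENCE = "https://fno.example.invalid"
MIN_REMAINING_SECONDS = 300  # assumption: refuse tokens that would expire mid-flow


def read_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (the API verifies it)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def preflight(token, now=None):
    """Return the reasons not to forward this token; an empty list means it passes."""
    now = time.time() if now is None else now
    try:
        claims = read_claims(token)
    except ValueError:  # also covers bad base64 and bad JSON
        return ["malformed token"]
    problems = []
    if str(claims.get("aud", "")).rstrip("/") != EXPECTED_AUDIENCE:
        problems.append("audience is not the F&O environment")
    if "scp" not in claims:  # delegated tokens carry scp; app-only tokens do not
        problems.append("no scp claim: not a delegated user token")
    if claims.get("exp", 0) - now < MIN_REMAINING_SECONDS:
        problems.append("expired or expiring soon")
    return problems


def make_sample(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    soon = time.time() + 60
    print(preflight(make_sample({"aud": EXPECTED_AUDIENCE, "scp": "sample.scope", "exp": soon})))
```

Logging the returned reasons (never the token itself) gives a record of why a call was refused, including the expiry failures on longer sessions mentioned in the note.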

     


  • Suggested answer
    11manish
    You cannot get user-level security with shared App Registration credentials.
     
    To fix this:
    • Move to OAuth delegated authentication (user-based) via Entra ID
    • Prefer Custom Connector or HTTP with Azure AD using user context
