Copilot Studio Chatbot + Internal Website (Graph Connector) — Authentication Setup Help Needed

(0) Share

Report

Posted on by Community member

Hi Microsoft Community,

I’m working on embedding a Copilot Studio chatbot on our internal WordPress-based website, and the chatbot is configured to use a Graph connector as the only knowledge source, which points to same internal site behind a firewall (not using SharePoint).

We want the chatbot to run securely and seamlessly inside the internal website, without prompting users to log in if possible.

Authentication Methods Tried:

1. No Authentication

Issue: Error when testing in Copilot Studio and also when embedding on our site
Error Message: Authentication is not configured for this bot Error Code: AuthenticationNotConfigured

2. Authentication with Microsoft

Works perfectly on the Copilot Studio test panel
Issue: When embedding using Direct Line on our internal website (using the official JS method), we get:
Error code: IntegratedAuthenticationNotSupportedInChannel
Token Endpoint for Direct Line is disappeared on this method

3. Authentication Manually

Issue: Requires user sign-in manually.
Since our internal site is already protected behind a firewall, is there a way to bypass login or use single sign-on silently?

I just want the chatbot to:

Be embedded in our internal website
Use knowledge from a Graph connector to an internal site
Work without requiring users to sign in, since both the chatbot and knowledge source are internal

What is the recommended authentication method for this setup (internal site + graph connector)?

Categories:

General topics

I have the same question (0)

All responses (3)

Answers (0)

Suggested answer

SwatiSTW 807 Super User 2026 Season 1 on at

Like (1)

Report
Copy link

Link copied!

You want to embed a Copilot chatbot on your internal WordPress site that uses a Graph connector to the same internal site, and you need it to work without asking users to log in.

Follow these steps:

1. In Copilot Studio, set the authentication method to Authenticate manually in the bot settings.

2. In Azure AD, create two app registrations — one for the chatbot and one for the WordPress frontend — and configure them for single sign-on.

3. In the chatbot app registration, add the redirect URI https://token.botframework.com/.auth/web/redirect and configure the required credentials.

4. Grant delegated Microsoft Graph API permissions like profile, openid, and ExternalItem.Read.All for the Graph connector.

5. In the WordPress frontend, use MSAL (Microsoft Authentication Library) to silently acquire an access token for logged-in users (after their first login).

6. Embed the chatbot using Direct Line JS, and after the chat connects, send the acquired token to the bot using a tokenExchange event:

const userToken = await msalInstance.acquireTokenSilent({ scopes: ['openid', 'profile'] });
window.WebChat.renderWebChat({
directLine: window.WebChat.createDirectLine({ token: botToken }),
store: window.WebChat.createStore({}, ({ dispatch }) => next => action => {
if (action.type === 'DIRECT_LINE/CONNECT_FULFILLED') {
dispatch({
type: 'WEB_CHAT/SEND_EVENT',
payload: { name: 'tokenExchange', value: { token: userToken } }
});
}
return next(action);
})
}, document.getElementById('webchat'));

7. This configuration allows the chatbot to work behind the firewall with silent SSO and use the Graph connector without requiring users to log in again.

Was this reply helpful? Yes No
Suggested answer

Community member 11 on at

Like (0)

Report
Copy link

Link copied!

Hi @SwatiSTW,

Thank you very much for the detailed answer.

Because everything is already protected internally, we're hoping to let users interact with the chatbot without needing to log in at all. From your steps, it sounds like even with "Authenticate manually" + MSAL, users still have to sign in at least once, which doesn’t work for us. Please advise if I understand incorrectly.

Is there any supported way to use Copilot with a Graph connector without requiring end-user authentication, assuming the environment is already secured and internal?

Appreciate any alternatives if available — just trying to avoid unnecessary sign-in prompts for internal users who are already on a protected network and make all user experience smoothly. :)

Thanks again! :)

Was this reply helpful? Yes No
Community member 11 on at

Like (0)

Report
Copy link

Link copied!

Hi @SwatiSTW and Microsoft Community,

Just checking in to see if there's been any update or guidance on this?

To recap:
We’re embedding a Copilot Studio chatbot on an internal WordPress site, using a Graph Connector that indexes the same internal content. The environment is entirely protected behind a firewall, and we’re trying to avoid requiring users to log in to interact with the chatbot, since they are already within a secure internal network.

From previous replies, even the “Authenticate manually” method with MSAL seems to prompt users to log in at least once, which we’re hoping to avoid.

Is there any supported or documented way to run a Copilot chatbot in such a setup without any user sign-in at all, leveraging the internal protection and app-level authentication (client secret) set on the Graph Connector?

Any insight or confirmation would be greatly appreciated — we’re nearing the end of our Copilot Studio trial and would like to validate this scenario before proceeding further.

Thanks again!

Was this reply helpful? Yes No