@adilei According to https://learn.microsoft.com/en-us/microsoft-copilot-studio/advanced-end-user-authentication?tabs=web... you should supply User.AccessToken. I'm using the REST API, and it is a bit unclear how to do it. I guess the bearer token in the header still is reserved for the directLineSecret? Should I supply it in a body? If so what key should I use? Also, is there any documentation for this? I'm making a native iOS app, and most documentation seems to be about web.
Are you wanting to set up single sign on? Using which IDP?
SSO, yes. IDP = identity provider? I'm already using the GraphAPI in my app for other stuff. Then I used the MSAL library for iOS to log in. And from that I have an access token.
Okay, great, so make sure you have configured authentication for your copilot:
Configure user authentication - Microsoft Copilot Studio | Microsoft Learn
If you are using MSAL, I'm guessing you also have an app registration for your client, but check the steps here anyway:
Configure single sign-on with Microsoft Entra ID - Microsoft Copilot Studio | Microsoft Learn
The docs aren't clear about it, but you will have to create a custom scope for your copilot app registration, and grant permissions on that scope for your client app registration.
Once you have both app registrations set up, you can use a pattern similar to the one implemented here:
CopilotStudioSamples/BuildYourOwnCanvasSamples/3.single-sign-on/index.html at master · microsoft/CopilotStudioSamples (github.com)
Basically: 1. intercept a sign-in request via directline, 2. respond with the token
I have done the necessary stuff above. I even found the link you are referring to about responding with the token. But I don't understand how to translate that to a REST API. It says:
    exchangeTokenAsync(resourceUri).then(function (token) {
      if (token) {
        directLine.postActivity({
          type: 'invoke',
          name: 'signin/tokenExchange',
          value: {
            id: activity.attachments[0].content.tokenExchangeResource.id,
            connectionName: activity.attachments[0].content.connectionName,
            token
          },
          "from": {
            id: userId,
            name: clientApplication.account.name,
            role: "user"
          }
As I asked before:
"I'm using the REST API, and it is a bit unclear how to do it. I guess the bearer token in the header still is reserved for the directLineSecret? Should I supply it in a body? If so what key should I use?"
I can't figure out the answer to that from the code above.
Are you asking how to post an 'invoke' activity over directline?
Yes. Over the REST API. As a POST, I guess.
Two options: (1) send an invoke activity: https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-direct-line-3-0-api-reference?view=azure-bot-service-4.0#send-an-activity
https://github.com/Microsoft/botframework-sdk/blob/main/specs/botframework-activity/botframework-activity.md#invoke-activity
Or (2) post the token to the sasUrl endpoint (which will probably be easier).
Here's how to extract the sasUrl endpoint:
    const activityMiddleware = () => next => (...args) => {
      if (args[0].activity.attachments?.[0]?.contentType === 'application/vnd.microsoft.card.oauth') {
        var postEndpoint = args[0].activity.attachments?.[0].content.tokenPostResource.sasUrl;
        // Perform an HTTP POST to postEndpoint with the body of:
        // {
        //   "token": <client_token>
        // }
        // `success` stands for the outcome of that POST.
        if (success) return false;
        else return next(...args);
      } else {
        return next(...args);
      }
    };
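The two options from the answer above, written out as plain HTTP request descriptions that any client (including a native one) can send. This is an added example, not code from the thread or from Microsoft's samples; the function names and all sample values are assumptions, and it treats `expiry` in the sasUrl as a Unix timestamp in seconds.

```javascript
const OAUTH_CARD = 'application/vnd.microsoft.card.oauth';
const DIRECT_LINE = 'https://directline.botframework.com/v3/directline';

// Return the content of the first OAuth card in a GET .../activities response.
function findOAuthCard(activitySet) {
  for (const activity of activitySet.activities ?? []) {
    const card = (activity.attachments ?? []).find(a => a.contentType === OAUTH_CARD);
    if (card) return card.content;
  }
  return null;
}

// Option 2: user token in the JSON body. The sasUrl is used verbatim because
// its query string carries the signature (hmac) and the expiry.
function buildSasPost(card, userToken, nowSeconds) {
  const sasUrl = card.tokenPostResource.sasUrl;
  const expiry = new URL(sasUrl).searchParams.get('expiry');
  return {
    method: 'POST', url: sasUrl,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token: userToken }),
    // Assumption: `expiry` is a Unix timestamp in seconds.
    expired: expiry !== null && Number(expiry) <= nowSeconds,
  };
}

// Option 1: Direct Line secret or token in the header, user token in the activity.
function buildTokenExchangeInvoke(card, conversationId, directLineToken, userToken, userId) {
  return {
    method: 'POST',
    url: `${DIRECT_LINE}/conversations/${encodeURIComponent(conversationId)}/activities`,
    headers: { Authorization: `Bearer ${directLineToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({
      type: 'invoke', name: 'signin/tokenExchange',
      value: { id: card.tokenExchangeResource.id, connectionName: card.connectionName, token: userToken },
      from: { id: userId, role: 'user' },
    }),
  };
}

// Constructed sample of an activities response; every value is a placeholder.
const sampleActivitySet = { activities: [{ type: 'message', attachments: [{
  contentType: OAUTH_CARD,
  content: {
    connectionName: 'example-connection',
    tokenExchangeResource: { id: 'example-exchange-id' },
    tokenPostResource: { sasUrl: 'https://token.botframework.com/api/sas/postToken?expiry=1714583537&id=key2&state=EXAMPLE&hmac=EXAMPLE' },
  },
}] }] };
console.log(buildSasPost(findOAuthCard(sampleActivitySet), '<user-access-token>', Math.floor(Date.now() / 1000)));
```

Because the sasUrl embeds a signature, it should be kept out of logs and analytics in the same way as the tokens themselves.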
The sasUrl I've seen in the JSON response from a GET of
https://directline.botframework.com/v3/directline/conversations/<conversationid>/activities
as
https://token.botframework.com/api/sas/postToken?expiry=1714583537&id=key2&state=<id>&hmac
I'll try to use that and add the body as above.
I'll get back with the result later.
Yep, that's the one. Just make sure your client app registration has the scopes you need to access Graph API, because in this pattern, Copilot Studio won't validate or process the token - just uses it.
I could extract the sasUrl.
But when I make a POST using the sasUrl, I get a 401.
I tried without header fields.
I tried with both conversationId and accessToken as Bearer.
What could be the reason for a 401?