MCP Tool (Custom Connector) Connection getting stale around every hour

Posted by chadhap
We have an Azure App Service set up as an MCP server. We are trying to connect to the MCP server as a Tool in a Copilot Studio agent using Entra OAuth 2.0 authentication. We have set up the Tool to use End User Authentication. The connection works fine in Copilot Studio and on publishing to Teams and Copilot. The problem is that the OAuth connection keeps going stale every hour. We have set the Refresh URL to be the same as the Token URL, but it looks like the refresh workflow is not working correctly. Here is the error that keeps popping up every hour; the connection then shows up as stale.
  • Suggested answer
    Valantis

    Your Entra OAuth2 connection goes stale every hour because access tokens expire after 1 hour by default, and your tool probably isn't getting a refresh token.

     

    Try this:


    1. Add offline_access to your OAuth scopes (space-separated) and recreate the connection. Without this, Entra won't issue a refresh token.

    2. Check Entra Conditional Access for Sign-in frequency policies. If there's a 1-hour reauth policy on the app or user, that's forcing the reauthentication.

    3. Look at Entra sign-in and Conditional Access logs for Copilot Studio to see exactly what's blocking token refresh.

    4. If you need zero reauth prompts, switch from end-user authentication to a service principal or app-only credential model. Copilot Studio will always prompt users when tokens expire with end-user auth.

     

    Let me know if that worked out for you.
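The first point in the answer above (no offline_access, no refresh token) and the refresh step it depends on can be checked mechanically. The following is an added example, not code from the thread or from Copilot Studio: it builds the refresh_token grant for the Entra v2.0 token endpoint named in the thread, inspects a token response for the presence of a refresh token, and reads the expiry out of the access token. It runs offline against constructed sample responses and a constructed, unsigned sample JWT; the <tenant-id> and <client-id> placeholders are the thread's, not real values.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Endpoints exactly as given in the thread; <tenant-id> is a placeholder, not a real tenant.
TOKEN_URL = "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token"
REFRESH_URL = TOKEN_URL  # Entra v2.0 refreshes at the token endpoint


def ensure_offline_access(scope):
    """Return the space-separated scope string with offline_access present.
    Without it Entra issues no refresh_token, so the connection can only
    live as long as one access token (about an hour by default)."""
    scopes = scope.split()
    if "offline_access" not in scopes:
        scopes.append("offline_access")
    return " ".join(scopes)


def build_refresh_request(client_id, client_secret, refresh_token, scope):
    """Form fields for the refresh_token grant (RFC 6749 section 6) at the v2.0 token endpoint.
    Entra expects the scope on refresh as well; pass the same list used at authorization."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": ensure_offline_access(scope),
    }


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT. No signature check: diagnostics only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(access_token, now=None):
    """How long the access token is still usable, from its exp claim."""
    now = time.time() if now is None else now
    return int(decode_jwt_payload(access_token)["exp"] - now)


def analyze_token_response(body):
    """Classify a token-endpoint JSON response body.
    'problem' is None only when the response carries a refresh token."""
    resp = json.loads(body)
    if "error" in resp:
        return {"ok": False, "has_refresh_token": False,
                "problem": "%s: %s" % (resp["error"], resp.get("error_description", ""))}
    has_rt = "refresh_token" in resp
    problem = None if has_rt else "no refresh_token in response: offline_access not requested or not consented"
    return {"ok": True, "has_refresh_token": has_rt, "problem": problem}


# --- constructed sample data (not captured from a real tenant) ---
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

SAMPLE_EXP = 1_700_003_600
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "api://<client-id>", "scp": "access_as_user",
             "iat": SAMPLE_EXP - 3600, "exp": SAMPLE_EXP}),
    "constructed-signature",
])
GOOD_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                            "access_token": SAMPLE_ACCESS_TOKEN,
                            "refresh_token": "constructed-refresh-token"})
NO_REFRESH_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                                  "access_token": SAMPLE_ACCESS_TOKEN})
# invalid_grant is the error the thread reports; the description here is made up.
INVALID_GRANT_RESPONSE = json.dumps({"error": "invalid_grant",
                                     "error_description": "constructed: refresh token rejected"})

if __name__ == "__main__":
    fields = build_refresh_request("<client-id>", "<secret>", "constructed-refresh-token",
                                   "api://<client-id>/access_as_user")
    print("POST", REFRESH_URL)
    print(urlencode(fields))
    for name, body in [("good", GOOD_RESPONSE), ("no refresh", NO_REFRESH_RESPONSE),
                       ("invalid_grant", INVALID_GRANT_RESPONSE)]:
        print(name, analyze_token_response(body))
    print("access token valid for", seconds_until_expiry(SAMPLE_ACCESS_TOKEN, SAMPLE_EXP - 900), "s")
```

Run the refresh request body against the real token endpoint with a captured refresh token and feed the response to analyze_token_response: an invalid_grant answer means the refresh token itself was rejected (revoked, expired, or issued to a different client), while a success without refresh_token means the scope list lost offline_access somewhere between the connector and Entra.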

  • Suggested answer
    Valantis

    Hi @chadhap , Just wanted to check in and see if everything is working now. If you still need any help, feel free to let me know.

    Also, if the issue is resolved, it would be great if you could mark the answer as solved so others with the same question can find it easily.

     

    Thanks and have a great day!

  • chadhap
    Hi,
     
    Sorry for the delayed response. We have not been able to resolve this issue yet. We have been working with Microsoft Unified Support for the past couple of weeks without any luck either. We have added offline_access to the scope and recreated the connection. Also, we do not have any Conditional Access policies set up for 1-hour reauth; the closest one we have is an 8-hour reauth. I do not see any logs for the Copilot Studio account in Entra. If we look at my account, as we are using the OAuth connection for my account for testing, I see the successful sign-ins where I reconnect the stale connection, but I do not see any failed or interrupted sign-in logs.
     
    The service principal option works without the connection becoming stale, but that does not serve our business purpose, as we want to have end-user authentication set up for this agent.
     
  • jDeveloper

    Hi,

     

    Just checking in to see if there is any update on this issue. We are experiencing the same behavior with MCP tools in Copilot Studio using OAuth 2.0 end‑user authentication: the connection works initially but becomes stale after the access token expires, even with offline_access configured and no restrictive Conditional Access policies in place.

     

    Is this a known product issue, and is there any recommended workaround or roadmap for proper refresh token handling for MCP tools?

     

    Thanks!

  • AE-26020945-0
    Is it possible to make this a high-priority case?
    We have exactly the same issue as described above.
    Has anyone found a solution for this?
  • CU24031433-0
    Hello, we have currently hit the same roadblock. Did you manage to solve it in any way? 
  • SW-27031042-0
    Just stumbled on the same issue too. This is a showstopper before being able to publish an agent to the business. The process for "re-connecting" is anything but intuitive in M365 Copilot.
  • CU17041014-0
    We're experiencing the exact same problem. Here's our setup in detail:

    Architecture:
      - Copilot Studio agent using Claude Sonnet 4.6 as the reasoning model
      - Two MCP servers deployed as Azure Container Apps (one for profile generation, one for PowerPoint rendering + SharePoint write)
      - The PowerPoint renderer MCP uses OAuth 2.0 (Manual configuration) with On-Behalf-Of (OBO) flow to write files to SharePoint via Microsoft Graph API

    OAuth configuration in Copilot Studio (MCP tool):
      - Authentication: OAuth 2.0, Manual
      - Client ID: <our app registration client ID>
      - Client Secret: <valid secret>
      - Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
      - Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
      - Refresh URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token (same as Token URL, as per Microsoft docs)
      - Scopes: api://<client-id>/access_as_user offline_access

    Azure AD App Registration:
      - Custom scope exposed: api://<client-id>/access_as_user
      - Delegated permissions: Sites.ReadWrite.All, User.Read
      - Application permissions: Sites.Read.All, Sites.ReadWrite.All
      - Admin consent granted for all
      - Redirect URI from Copilot Studio is registered under Authentication → Web

    What works:
      - Initial OAuth connection succeeds — user is prompted to sign in, consent is granted
      - The MCP server receives the user's token in the Authorization header
      - OBO token exchange succeeds and files are written to SharePoint with per-user permissions
      - Everything works correctly for the first ~60 minutes

    What breaks after ~1 hour:
      - The connection shows as "stale" in Copilot Studio
      - The MCP tool calls fail with token refresh errors
      - Users must manually re-authenticate by going back to the tool configuration and creating a new connection
      - Error observed: OAuth 2 access token refresh failed: invalid_grant

    What we've verified:
      - offline_access is included in the scopes (this should trigger issuance of a refresh token)
      - The Refresh URL is correctly set to the /oauth2/v2.0/token endpoint
      - The app registration is configured as a confidential client (not public)
      - The client secret is valid and not expired

    Our conclusion:
    It appears Copilot Studio is either not storing the refresh token returned by Azure AD, or not invoking the refresh flow when the access token expires. The 1-hour expiry aligns exactly with the default Azure AD access token lifetime, confirming the refresh is simply not happening.

    Any guidance would be appreciated.
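The OBO step in the setup above is the part the MCP server owns, and it is worth separating from the connection problem: the server should reject a bad or expired bearer token up front rather than let the on-behalf-of exchange fail later. The following is an added example, not the poster's code: it makes the claim checks an MCP server would apply to the token Copilot Studio sends (audience, issuer, expiry, delegated scope) and then prepares the on-behalf-of grant for Microsoft Graph using the scope names from the post. Signature verification against the tenant's JWKS is assumed to happen before these checks and is not shown; the issuer format, placeholder identifiers and sample tokens are assumptions and constructed data.

```python
import base64
import json
import time

# Identifiers as named in the post; all are placeholders. The v2.0 issuer format is assumed.
EXPECTED_AUDIENCE = "api://<client-id>"          # the MCP API's identifier URI
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
REQUIRED_SCOPE = "access_as_user"
GRAPH_SCOPE = "https://graph.microsoft.com/Sites.ReadWrite.All"
TOKEN_URL = "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token"


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT (no signature check here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_incoming_token(token, now=None):
    """Claim checks the MCP server should make before an OBO exchange.
    Returns (ok, reason). Assumes the signature was already verified against
    the tenant's JWKS; these checks alone do not authenticate anything."""
    now = time.time() if now is None else now
    claims = decode_jwt_payload(token)
    if claims.get("aud") != EXPECTED_AUDIENCE:
        # A Graph token or a token for another API must not be accepted here.
        return False, "audience %r is not this API" % claims.get("aud")
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "unexpected issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired; caller must refresh, not retry"
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        return False, "missing delegated scope %s" % REQUIRED_SCOPE
    return True, None


def build_obo_request(client_id, client_secret, user_assertion):
    """Form fields for the on-behalf-of grant at the v2.0 token endpoint.
    The user's token is the assertion; the token returned is for Graph."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": GRAPH_SCOPE,
        "requested_token_use": "on_behalf_of",
    }


def handle_tool_call(token, client_id, client_secret, now=None):
    """Per-call path in the MCP server: validate, then prepare the OBO exchange.
    Returns ('obo', form_fields) or ('reject', reason)."""
    ok, reason = check_incoming_token(token, now)
    if not ok:
        return "reject", reason
    return "obo", build_obo_request(client_id, client_secret, token)


# --- constructed sample tokens (no real signature) ---
def _make_token(claims):
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

NOW = 1_700_000_000
BASE = {"aud": EXPECTED_AUDIENCE, "iss": EXPECTED_ISSUER, "scp": "access_as_user",
        "exp": NOW + 3000, "oid": "00000000-0000-0000-0000-000000000000"}
VALID_TOKEN = _make_token(BASE)
EXPIRED_TOKEN = _make_token({**BASE, "exp": NOW - 1})
GRAPH_AUDIENCE_TOKEN = _make_token({**BASE, "aud": "https://graph.microsoft.com"})
NO_SCOPE_TOKEN = _make_token({**BASE, "scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in [("valid", VALID_TOKEN), ("expired", EXPIRED_TOKEN),
                      ("graph audience", GRAPH_AUDIENCE_TOKEN), ("no scope", NO_SCOPE_TOKEN)]:
        action, detail = handle_tool_call(tok, "<client-id>", "<secret>", NOW)
        print(name, "->", action, detail if action == "reject" else "POST " + TOKEN_URL)
```

The expired branch matters for the thread's symptom: once the user's access token has lapsed, nothing the MCP server does with OBO can recover it, so the server should return an authentication error that makes the caller refresh rather than retrying the exchange.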
  • Suggested answer
    CU24031433-0
    Hey everyone, I come with a solution. Maybe not for everyone, but it certainly worked for us.
     
    A little context first: when registering an MCP server in Copilot Studio, the onboarding wizard creates a Power Platform custom connector in the background. This is what the agent uses to communicate with your MCP.
     
    This connector has the settings you set up during onboarding, like the URL of the MCP, auth details, etc. The issue? By default, this connector cannot use managed identity. You're basically forced to reauth every hour, because the agent does not have access to your MS account and cannot use it for its functionality. That's where the manual reauth comes in.
     
    How to fix that? The custom connector literally has a setting for whether to use managed identity. By default, it is false... You have to change it to true. Second thing: your Entra auth application for the MCP server needs two things, and offline_access is one of them. The second one: in Expose an API, you need to create a scope to allow other applications access to this one. Under allowed apps, add the app "fe053c5f-3692-4f14-aef2-ee34fc081cae" as an allowed app. It is a first-party MS app for Power Platform Connections. With this setup, the managed identity from Copilot Studio or Teams is finally being used, no more reauths.
     
    Have fun!
  • Suggested answer
    chadhap
    Using the managed identity approach, I am seeing that the connection does not become stale in the Copilot app for the published agent. We are still seeing the stale connection in Copilot Studio, though.
     
    The one thing we have implemented to make the token refresh work is that we introduced a client app registration. The token refresh was not working from the Power Platform custom connector because the MCP app registration was trying to call itself. We created a new app registration in Azure as a dummy client for the MCP App Service. We are then using the client app registration in the MCP Tool as the Client ID. We had to give the offline_access and user_impersonation permissions to the MCP App Service. We also added the client app as having permission to run the MCP App Service. Here are the app permissions given for the client app registration.
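Both of the last two posts come down to the same Entra configuration: the MCP API's app registration exposes a delegated scope and pre-authorizes a separate client (the Power Platform connections app ID given two posts up, or the dedicated client app registration described just above) to obtain it. The following is an added example, not code from either poster: it audits an app registration manifest for that configuration. It assumes the manifest shape used by the Entra portal's manifest editor (identifierUris, api.oauth2PermissionScopes, api.preAuthorizedApplications with delegatedPermissionIds, or permissionIds in the older format); the manifests and GUIDs below are constructed, and the only real identifier is the app ID quoted in the thread.

```python
import json

# App ID the thread names as the first-party Power Platform connections app.
POWER_PLATFORM_CONNECTIONS_APP_ID = "fe053c5f-3692-4f14-aef2-ee34fc081cae"
SCOPE_VALUE = "access_as_user"


def find_scope(manifest, value):
    """Locate an exposed delegated scope under api.oauth2PermissionScopes
    (the manifest shape assumed here) and return it, or None."""
    for scope in manifest.get("api", {}).get("oauth2PermissionScopes", []):
        if scope.get("value") == value:
            return scope
    return None


def preauthorized_scope_ids(manifest, app_id):
    """Scope ids a client app is pre-authorized for. Accepts both the
    delegatedPermissionIds key and the older permissionIds key."""
    for entry in manifest.get("api", {}).get("preAuthorizedApplications", []):
        if entry.get("appId") == app_id:
            return set(entry.get("delegatedPermissionIds") or entry.get("permissionIds") or [])
    return set()


def audit_mcp_api_registration(manifest, client_app_id, scope_value=SCOPE_VALUE):
    """Return a list of problems; an empty list means the given client app is
    pre-authorized for the exposed scope on this API."""
    problems = []
    if not any(uri.startswith("api://") for uri in manifest.get("identifierUris", [])):
        problems.append("no api:// identifier URI exposed")
    scope = find_scope(manifest, scope_value)
    if scope is None:
        problems.append("scope %s not exposed under Expose an API" % scope_value)
        return problems
    if not scope.get("isEnabled", True):
        problems.append("scope %s is disabled" % scope_value)
    if scope["id"] not in preauthorized_scope_ids(manifest, client_app_id):
        problems.append("app %s is not pre-authorized for scope %s" % (client_app_id, scope_value))
    return problems


# --- constructed manifests; the scope GUID and client ID are placeholders ---
SCOPE_ID = "11111111-1111-1111-1111-111111111111"
MCP_APP_ID = "<client-id>"
GOOD_MANIFEST = {
    "appId": MCP_APP_ID,
    "identifierUris": ["api://" + MCP_APP_ID],
    "api": {
        "oauth2PermissionScopes": [
            {"id": SCOPE_ID, "value": SCOPE_VALUE, "type": "User", "isEnabled": True},
        ],
        "preAuthorizedApplications": [
            {"appId": POWER_PLATFORM_CONNECTIONS_APP_ID, "delegatedPermissionIds": [SCOPE_ID]},
        ],
    },
}
# Same registration with the pre-authorization removed.
NOT_PREAUTHORIZED = json.loads(json.dumps(GOOD_MANIFEST))
NOT_PREAUTHORIZED["api"]["preAuthorizedApplications"] = []

if __name__ == "__main__":
    for name, manifest in [("good", GOOD_MANIFEST), ("missing pre-auth", NOT_PREAUTHORIZED)]:
        print(name, audit_mcp_api_registration(manifest, POWER_PLATFORM_CONNECTIONS_APP_ID) or "OK")
```

To check the dedicated-client variant from the post above, call audit_mcp_api_registration with that client app registration's application ID instead of the Power Platform one; the manifest can be exported from the Entra portal and loaded with json.load.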