web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro - Series II
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Copilot Studio / Configuring Manual Aut...
Copilot Studio
Answered

Configuring Manual Auth for retrieving Dataverse information in a public web agent scenario

(1) ShareShare
ReportReport
Posted on by RodrigoCardosoDaSilva 20

Hi everyone,

I am currently developing a Copilot Studio agent that will be deployed on a public website. The requirement is to allow anonymous users (unauthenticated) to interact with the bot. However, the agent needs to query and retrieve data from a Dataverse table to provide specific answers.

The Issue:
By default, when a bot is set to "No Authentication," it operates under the user's context (which is null in this case). To access Dataverse, I need the bot to authenticate as a specific identity - specifically, an Azure App Registration (Service Principal) - to fetch the data without prompting the end-user for any credentials.

Current Approach:
I am exploring the "Manual (for any channel)" authentication setting in Copilot Studio. I want to use the Client ID, Client Secret, and Token URL from my Azure App Registration to establish a Service-to-Service (S2S) connection.

Questions:

  1. Compatibility: Can I use the "Manual" authentication configuration to handle backend S2S calls while keeping the frontend experience completely anonymous for the web user?
  2. Configuration Details: In the "Manual" auth settings, what are the specific scopes required for Dataverse when using the Client Credentials flow?
  3. Application User: Beyond the Azure side, are there specific roles that must be assigned to the Application User in the Power Platform Environment to ensure the bot can successfully "impersonate" this service identity?
  4. Best Practices: Is it better to handle this via a Power Automate flow configured with a Service Principal connection, or is it possible to achieve this natively within Copilot Studio topics using the Dataverse knowledge source and the Manual Auth token?

Also, I want to avoid a scenario where the bot triggers a sign-in card for a public user. Any insights on the correct "App Registration + Copilot Studio Auth" handshake for this specific architecture would be very helpful!

If someone has achieved the proper configuration for this scenario, I'd ask to please share the steps or documentation.

Categories:
Bot extensibility
Publish & channel management
I have the same question (0)
  • Verified answer
    Sajeda_Sultana Profile Picture
    Sajeda_Sultana 168 on at
     
    In a public web agent scenario, I’d avoid Manual Auth and instead use the Dataverse Web API with a service principal (Application User) on the back end.
    Pattern I’ve used successfully:
    • Keep the web copilot public (no signin for end users).
    • Have the copilot call your own API (or Power Automate flow).
    • That API uses the Dataverse Web API with client credentials (service principal) and a restricted security role to read only the needed tables.
    I’ve solved a very similar requirement for showing Dataverse data in multiple mobile applications, and this pattern works well to keep users anonymous while still securely surfacing Dataverse data.
     
    ✅ If this helped solve your issue, please Accept as Solution so others can find it quickly.

    ❤️ If it didn’t fully solve it but was still useful, please click “Yes” on “Was this reply helpful?” or leave a Like :).

    🏷️ For follow-ups  @Sajeda_Sultana
  • Verified answer
    Vish WR Profile Picture
    Vish WR 3,476 on at
    Instead of using Copilot Studio's authentication settings, I would suggest having a cloud flow in Power Automate that connects to Dataverse. You have two solid options depending on your setup:
     
    Option 1: Standard Connection (Simpler) If you're okay using your own user account or a service account that already has access, use a regular Dataverse connection. It's straightforward – Power Automate handles the auth, and your bot just calls the flow. Your anonymous users never see anything on their end.
     
    Option 2: Service Principal Connection (More Secure) If you want proper S2S with your App Registration, set up the connection using your service principal credentials. Power Automate manages all the token stuff automatically – you don't have to think about it. This is probably the "right" way if you're worried about security and scalability.
      
    • Create a cloud flow in Power Automate
    • Add your Dataverse connector (pick standard or SPN based on what makes sense for you)
    • Build your query to get the data your bot needs
    • In Copilot Studio, just add an "Invoke Power Automate flow" action
    • Pass in whatever parameters your query needs, and grab the results
    • Use that data in your bot responses

    Reference : (not a promotion for  their blog or YouTube) purely sharing the reference 
    How to use a Service Principal in Power Automate for a Dataverse connection 
    https://community.dynamics.com/blogs/post/?postid=33a9437c-09c9-4ac8-ba56-2d8223f82adf
    How to Trigger a Power Automate Flow in Copilot Studio
     
     
     
      Vishnu WR
     
    Please  Does this answer your question if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider answering Yes to Was this reply helpful? or give it a Like 
     
     
     
  • Sajeda_Sultana Profile Picture
    Sajeda_Sultana 168 on at
     
    Just following up to check if everything is working now. Let me know if you still need any help - I’m happy to assist.

    If the issue has been resolved, please consider marking the answer as solved so it can help others with a similar question.

    Thanks, and have a great day!
  • RodrigoCardosoDaSilva Profile Picture
    RodrigoCardosoDaSilva 20 on at
    Hi @Sajeda_Sultana!

    Sorry for the delayed feedback. Yours and @Vish WR's solution worked really well in our scenario.
     
    We configured a service account to be used in a Power Automate Flow to retrieve information from the Dataverse table. We also configured specific RBAC for this service account in the Power Platform Admin Center in order to allow it to only access the specific Dataverse table we were considering. We found it really interesting that we could just define some input parameters to the flow that could be automatically filled by our agent during the conversation, after it gathers the necessary information to make the adequate query in Dataverse. Really great!
     
    Thanks for the support, mates!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro - Series II

Quick Links

Season of Sharing Community Challenge Launch!

Jump in, show your community spirit, and win prizes!

Kudos to our 2025 Community Spotlight Honorees

Expanding mentorship, skilling, and AI innovation

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Copilot Studio

#1
Valantis Profile Picture

Valantis 322

#2
Vish WR Profile Picture

Vish WR 240

#3
Romain The Low-Code Bearded Bear Profile Picture

Romain The Low-Code... 223 Super User 2026 Season 1

Last 30 days Overall leaderboard

Featured topics

Announcing the "Microsoft Copilot Studio ❤️ MCP" lab
Block PII/PCI in Copilot Studio agent user prompt

Product updates

Microsoft Power Platform Community release plans