
Tools using end-user credentials fail loop in Teams (new experience)


Hi all,

 

We are seeing what looks like a regression in Copilot Studio related to tools configured to use end-user credentials.

 

This started suddenly around 2 days ago and appears to be related to the Copilot Studio new experience. We have now reproduced it across multiple Power Platform environments, so it does not appear to be isolated to a single environment, solution, connection reference, or DLP policy.

 

Summary of the issue

 

When a Copilot Studio agent is published to Microsoft Teams and a tool is configured to use end-user credentials, the tool does not complete successfully after the user grants permission.

 

Instead, the connector/tool returns the same “connect/authorize” style message as the actual response payload. The agent then receives that message instead of the expected tool data.

 

This is not the agent re-triggering the consent prompt intentionally. From the agent side, it looks like the connector call itself returns the connection/authorization message instead of the expected connector response.

 

Example behavior from the agent side:

 

The connector keeps returning that same message as its actual response payload — it is not a consent prompt I am re-triggering; it is literally what the tool returns instead of profile data. Retrying gives the same result.

 

Scope

 

This appears to affect all tools configured to use end-user credentials, not just one specific connector.

 

We have reproduced or observed the pattern with tools such as:

 

  • Office 365 Users / Microsoft 365 Users

  • Office 365 Outlook / Microsoft 365 Outlook
     
  • Work IQ/MCP tools

  • Other connector tools configured with end-user credentials


The simplest reproduction is with Office 365 Users → Get my profile (V2).

 

Minimal reproduction

 

Create a very simple Copilot Studio agent in the new experience:

 

  1. Agent authentication: Authenticate with Microsoft

  2. Publish to Microsoft Teams

  3. Add a tool:

    • Connector: Office 365 Users

    • Operation: Get my profile (V2) / MyProfile_V2

    • Authentication: End-user credentials

  4. Publish the agent.

  5. Install/open it in a Teams 1:1 chat.

  6. Ask the agent to call the profile tool.

  7. User is asked to connect/authorize.

  8. User clicks Allow.

  9. Trigger the tool again.
 

Expected result

 

After the user grants permission, the tool should return the user profile data, for example:


  • display name

  • email

  • user principal name

  • id 

Actual result

 

The tool does not return profile data.

 

Instead, the agent receives the same connection/authorization message as the connector response payload, and the user is effectively stuck in a loop. Retrying does not resolve it.

 

Important observations

 

We have checked the following:


  • The agent uses Authenticate with Microsoft.

  • Testing is in Teams 1:1 chats only.

  • The issue is not related to Teams group chats or channel conversations.

  • The issue reproduces in multiple environments, including both multi-stage (dev/test/prod) and prod-only environments.

  • The issue occurs with a minimal test agent containing only one tool.

  • The connection reference exists in the solution.

  • The tool-to-connection-reference mapping appears correct.

  • The same issue occurs in unmanaged solutions and minimal test agents.

  • The issue is not specific to a complex agent, prompt instructions, SharePoint knowledge, Dataverse, or Power Automate flows.

  • The problem appears specifically when the tool is configured to use end-user credentials.

  • Tools using maker-provided credentials do not appear to follow the same failure pattern.

  • The issue started suddenly around the same time and appears correlated with the Copilot Studio new experience.
 

YAML pattern seen in the minimal repro

 

The relevant tool configuration looks like this:

 

kind: ConnectorTool
authMode: Invoker
connectorId: /providers/Microsoft.PowerApps/apis/shared_office365users
operationId: MyProfile_V2

 

authMode: Invoker

 

This appears to be the common factor. Any tool configured to run with the end user’s credentials seems to be affected.

 

Troubleshooting already attempted

 

We have tried the following without resolving the issue:


  • Republish agent

  • Test in fresh Teams 1:1 chat

  • Use start over

  • Remove/reinstall the Teams app

  • Test in multiple environments

  • Recreate a minimal test agent

  • Verify connection references are present

  • Verify the issue is not caused by Power Automate run-only user settings

  • Verify the issue is not specific to Office 365 Users alone
  
 

Is anyone else seeing this behavior in the Copilot Studio new experience, specifically for tools configured with end-user credentials?

 

It looks like the connector authorization result is not being persisted or recognized correctly in the Teams runtime, and the connector’s “connect/authorize” response is being returned to the agent as if it were the actual tool output.

 

This seems like a platform/runtime issue rather than an agent design issue, especially because it reproduces with a minimal agent and across multiple environments.

 

Any confirmation, workaround, or Microsoft guidance would be appreciated. In particular:

 

  • Is this a known regression in the new Copilot Studio experience?

  • Is there a current issue with authMode: Invoker tools in Teams?

  • Is there a recommended way to force-refresh or re-authorize end-user tool connections at the platform level?

  • Are end-user credential tools currently expected to work in Teams 1:1 chats with Authenticate with Microsoft?



Thanks.
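
To scope which tools in an agent depend on the `authMode: Invoker` setting that the post identifies as the common factor, the following added example (not part of the original post and not Microsoft tooling) scans tool definition text for connector tools that run with end-user credentials. It assumes each tool definition is flat `key: value` text using the four keys shown in the post; the file names, the `shared_example` connector and the placeholder `authMode` value are constructed.

```python
import re

# Only the four keys shown in the post are read; nothing else about the
# tool schema is assumed.
KEYS = ("kind", "authMode", "connectorId", "operationId")
LINE = re.compile(r"^\s*(%s)\s*:\s*(.*?)\s*$" % "|".join(KEYS))

def read_tool(text):
    """Collect the four keys from one tool definition (first occurrence wins)."""
    tool = {}
    for raw in text.splitlines():
        m = LINE.match(raw.split(" #", 1)[0])  # ignore trailing comments
        if m and m.group(1) not in tool:
            tool[m.group(1)] = m.group(2).strip("'\"")
    return tool

def end_user_tools(definitions):
    """List (file, connector, operation) for connector tools run as the invoking user."""
    hits = []
    for name, text in sorted(definitions.items()):
        t = read_tool(text)
        if t.get("kind") == "ConnectorTool" and t.get("authMode") == "Invoker":
            connector = t.get("connectorId", "").rsplit("/", 1)[-1]
            hits.append((name, connector, t.get("operationId", "")))
    return hits

# Constructed sample input: the first entry mirrors the post's repro tool; the
# other two are made up to show what is skipped.
SAMPLE = {
    "get_my_profile.yaml": (
        "kind: ConnectorTool\n"
        "authMode: Invoker\n"
        "connectorId: /providers/Microsoft.PowerApps/apis/shared_office365users\n"
        "operationId: MyProfile_V2\n"
    ),
    "other_mode.yaml": (
        "kind: ConnectorTool\n"
        "authMode: PLACEHOLDER_NOT_INVOKER  # constructed value, not a real setting\n"
        "connectorId: /providers/Microsoft.PowerApps/apis/shared_example\n"
        "operationId: ExampleOperation\n"
    ),
    "no_auth_mode.yaml": "kind: ConnectorTool\noperationId: ExampleOperation\n",
}

if __name__ == "__main__":
    for row in end_user_tools(SAMPLE):
        print("end-user credentials: %s  %s -> %s" % row)
```
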

  • Suggested answer
    Valantis
    1. Teams SSO not configured. Microsoft docs confirm: "Failing to configure the Teams SSO settings causes your users to always fail authentication when using the Teams channel."
    Even with Authenticate with Microsoft set, end-user credential tools in Teams require a separate SSO configuration. Check Settings > Security > Configure SSO for Teams and follow: https://learn.microsoft.com/en-us/microsoft-copilot-studio/configure-sso

    2. Admin policy change on Control maker credential options. A Microsoft Q&A from an employee confirms this exact sudden-break pattern: "Since this broke without any changes on your end, the most likely cause is that an admin recently updated the Control maker credential options policy in your environment or environment group."
    Check PPAC > your environment > Settings > Copilot Studio agents > Control maker credential options. If end-user credentials only is now enforced at the environment group level, that overrides individual environment settings and can cause the auth loop you're seeing.

    If neither of these is the cause, raise a support ticket referencing the exact start date (around July 3), authMode: Invoker, and the minimal repro agent details. Microsoft support can check if a platform-side change correlates with your timeline.
     
      Best regards,

    Valantis
  • Suggested answer
    11manish
    Given the reproducibility across environments, connectors, and minimal agents, the evidence strongly suggests a regression in the new Copilot Studio Teams runtime affecting tools configured with authMode: Invoker (end-user credentials). At present, there is no documented method to force-refresh the end-user authorization cache or rebind the connector from within Copilot Studio.

    Until Microsoft confirms and addresses the issue, this is best treated as a platform-level bug rather than an agent design or configuration problem.
