How to run Copilot Studio agent with only Index Data Reader access to Azure AI Search knowledge?

My intention is to limit my Copilot Studio agent to only have read access to my Azure AI Search indexes. All the examples I find online regarding adding Azure AI Search as a knowledge source in a Copilot Studio agent speak to using the "Access Key" authentication type (giving it the endpoint URL and the Admin Key) but my understanding is the Admin Key has full admin privileges to the AI Search resource. I want the agent to run with only index data reader access.
 
What is the proper way to connect my agent to my Azure AI Search resource that will only give it "Search Index Data Reader" access?
  • I turned on Entra Agent Identity within the Power Platform Admin Center.
  • I then created an agent in Copilot Studio.
  • I confirmed under my agent's Settings > Advanced > Metadata area I can see it has an "Entra Agent ID" value.
  • I then granted the agent identity the "Search Index Data Reader" role within my Azure AI Search resource.
  • To add Azure AI Search as a Knowledge option for my Copilot Studio agent, what authentication option do I then use that isn't the Admin Key option? And can you provide links to articles on how to set up/complete that authentication configuration?
Thank you
  • Suggested answer
    NP-Tharaka prabhu

    Hi,

    Based on my experience implementing similar architectures, the most effective approach is to use an HTTP request to Azure Cognitive Search to retrieve the top relevant results from your indexed knowledge sources. I’ve used Azure Blob Storage as the data store, and Azure Search consistently returns the most relevant matches.

    Once you get those high‑confidence results, you can handle them in two ways:

    Option 1: Feed results directly into Copilot Studio

    Pass the Azure Search results into a Generative Answers node in Copilot Studio.

    This ensures the LLM only uses the retrieved snippets, rather than scanning the full knowledge base. This greatly reduces hallucinations and keeps answers accurate and grounded.

    Option 2: Use a custom LLM endpoint in Azure AI Foundry

    Alternatively, you can forward the Azure Search output to another HTTP action that calls your LLM deployed in Azure AI Foundry.

    The LLM then refines the result and returns a clean, contextual answer back to Copilot Studio.
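
Added example, not part of the original thread or any poster's code: the HTTP-request route described in the answer above, built with a Microsoft Entra bearer token instead of an admin key, plus a claim check worth running on the token when a call is denied. It assumes role-based access is enabled on the search service and that the calling principal holds Search Index Data Reader; the service name, index name, object ID and API version are constructed placeholders.

```python
import base64, json, time, urllib.request

SEARCH_AUDIENCE = "https://search.azure.com"  # audience of Entra tokens for Azure AI Search
API_VERSION = "2024-07-01"  # assumption: use the REST API version your service supports

def jwt_claims(token):
    """Decode (without verifying) a JWT payload so its claims can be inspected."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(token, expected_oid, now=None):
    """List reasons the token would fail before any role assignment is evaluated."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if str(claims.get("aud", "")).rstrip("/") != SEARCH_AUDIENCE:
        problems.append(f"aud is {claims.get('aud')!r}, expected {SEARCH_AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    if claims.get("oid") != expected_oid:
        problems.append("oid is not the principal that holds the role assignment")
    return problems

def build_query(service, index, text, token, top=5):
    """Build (not send) a document query that carries a bearer token and no api-key."""
    url = (f"https://{service}.search.windows.net/indexes/{index}"
           f"/docs/search?api-version={API_VERSION}")
    body = json.dumps({"search": text, "top": top}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def make_sample_token(claims):
    """Constructed, unsigned token for this offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    oid = "00000000-0000-0000-0000-000000000001"  # constructed object ID
    token = make_sample_token({"aud": SEARCH_AUDIENCE, "exp": time.time() + 600, "oid": oid})
    print(preflight(token, oid) or "token claims look right")
    req = build_query("contoso-search", "kb-index", "reset password", token)
    print(req.get_method(), req.full_url, sorted(req.headers))
```

The request targets only the document query endpoint of one index, which is the operation Search Index Data Reader covers; passing the built request to `urllib.request.urlopen` sends it.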

  • KP-13021921-0
    Thank you for taking the time to respond. My question was primarily about how to give the native agent Knowledge connection just Index Data Reader access for Azure AI Search, instead of giving it the Admin key. We would prefer to keep the connection between the Copilot Studio agent and Azure AI Search using the built in Knowledge feature.
  • Suggested answer
    Sayali (Microsoft Employee)
    Hello,

    Today, Copilot Studio does NOT support using an Entra Agent Identity (managed identity / RBAC) when Azure AI Search is added as a built‑in Knowledge source.
    There is currently no authentication option in the Copilot Studio UI that lets you use Search Index Data Reader instead of an Admin/Query key for Azure AI Search knowledge.

  • KP-13021921-0
    Hi Sayali, thank you for the response. Are there any options for being able to connect Copilot Studio agents to Azure AI Search with only "Search Index Data Reader" access?

    As another approach, I created an Entra Application and connected using the "Service Principal (Microsoft Entra Id Application)" authentication type. It did connect (showed a green light) but it always gave me an Access Denied error when it tried to list the indexes, even though I had granted the index data reader access to the Entra application.

    Please let me know if there are any options that work.
  • Suggested answer
    Sayali (Microsoft Employee)
    Hello,

    No. Today there is no supported way to connect a Copilot Studio agent to Azure AI Search using only Search Index Data Reader while still using the native Knowledge connector.

    If you stay with Copilot Studio → Knowledge → Azure AI Search, you must use key‑based authentication (Admin key or Query key). RBAC‑only access is not supported for the native Knowledge experience.

    This is a current platform limitation, not a misconfiguration on your side.

  • KP-13021921-0
    Thank you for the follow up Sayali. Are you able to provide some details on when the other Azure AI Search knowledge "Authentication Type" options should be used and what access/permissions must be granted for them to work?
     
    Client Certificate Auth
    Service Principal (Microsoft Entra ID application)
    Microsoft Entra Id Integrated
  • Suggested answer
    Sayali (Microsoft Employee)
    Hello,
    When connecting Azure AI Search to Microsoft Copilot Studio or other RAG-based agents, the authentication type determines how the agent is authorized to query the search index. Client Certificate authentication is the most restrictive and is typically used only in highly regulated environments requiring mutual TLS, but it is complex and uncommon in standard deployments. Service Principal (Microsoft Entra ID app) authentication is the recommended and most widely used approach for production agents because it enables secure, least-privilege, non-interactive access with proper RBAC roles such as Search Index Data Reader.
    Microsoft Entra ID Integrated (user-delegated) authentication is designed for per-user security trimming, where results must reflect the signed-in user’s permissions, but it requires properly configured ACLs in the index. In most Copilot Studio scenarios, Service Principal authentication is the default and best practice unless per-user visibility control is explicitly required.

     
  • KP-13021921-0
    Thank you for the details Sayali. You said the Service Principal (Microsoft Entra ID app) authentication is the recommended and most widely used approach for production agents. I noted in a previous comment the below:

    "As another approach, I created an Entra Application and connected using the "Service Principal (Microsoft Entra Id Application)" authentication type. It did connect (showed a green light) but it always gave me an Access Denied error when it tried to list the indexes, even though I had granted the index data reader access to the Entra application."

    Can you provide any suggestions on how to troubleshoot this Access Denied error when using the "Service Principal (Microsoft Entra Id Application)" authentication type and Search Index Data Reader has already been granted to the Entra app?
