Multi-tenant app not working for Copilot Agent Authenticate manually

Hi there, we built an agent inside Copilot Studio. We followed the instructions in "Configure user authentication with Microsoft Entra ID - Microsoft Copilot Studio | Microsoft Learn",
which works well when we use a single-tenant app (MSFT). However, in our scenario, we need to use a cross-tenant app since another resource is in the Torus domain. But when I switch to the cross-tenant app, I cannot log in; it gives me this message:
{
  "message": "Login failed",
  "statusCode": 401,
  "responseBody": "{\"error\":\"invalid_client\",\"error_description\":\"AADSTS70052: The identity must be a managed identity, a single tenant app, or a service account. Trace ID: c803564a-12f5-4d58-9f39-58dd3f2ffd00 Correlation ID: 60ddc952-1eb8-4aa3-8f23-0b47aef22db3 Timestamp: 2025-10-08 18:46:21Z\",\"error_codes\":[70052],\"timestamp\":\"2025-10-08 18:46:21Z\",\"trace_id\":\"c803564a-12f5-4d58-9f39-58dd3f2ffd00\",\"correlation_id\":\"60ddc952-1eb8-4aa3-8f23-0b47aef22db3\"}"
}
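
For triage of a failure like the one above: the Entra ID error is a second JSON document serialized inside responseBody, so it has to be decoded twice before the AADSTS code and the trace and correlation IDs can be logged or passed to support. This is an added example, not part of the original post; the function names and the sample payload (placeholder IDs) are constructed for illustration.

```python
import json
import re

# Entra ID puts its own code in error_description, e.g. "AADSTS70052: ...".
AADSTS_RE = re.compile(r"\bAADSTS(\d+)\b")

def parse_login_failure(raw: str) -> dict:
    """Unwrap a 'Login failed' payload and return the fields needed for triage."""
    outer = json.loads(raw)
    body = outer.get("responseBody")
    # responseBody is a second JSON document serialized as a string.
    try:
        inner = json.loads(body) if isinstance(body, str) else (body or {})
    except json.JSONDecodeError:
        inner = {"error_description": body}  # e.g. a proxy returned plain text
    if not isinstance(inner, dict):
        inner = {"error_description": str(inner)}
    desc = inner.get("error_description") or ""
    match = AADSTS_RE.search(desc)
    codes = inner.get("error_codes") or ([match.group(1)] if match else [])
    return {
        "status": outer.get("statusCode"),
        "oauth_error": inner.get("error"),
        "aadsts_codes": [int(c) for c in codes],
        # Keep the human-readable sentence, drop the "Trace ID: ..." tail.
        "summary": desc.split(" Trace ID:")[0].strip(),
        "trace_id": inner.get("trace_id"),
        "correlation_id": inner.get("correlation_id"),
        "timestamp": inner.get("timestamp"),
    }

def sample_failure() -> str:
    """Constructed payload in the same shape as the post; the IDs are placeholders."""
    tid, cid = "00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"
    inner = {
        "error": "invalid_client",
        "error_description": "AADSTS70052: The identity must be a managed identity, "
        "a single tenant app, or a service account. "
        f"Trace ID: {tid} Correlation ID: {cid} Timestamp: 2025-10-08 18:46:21Z",
        "error_codes": [70052], "timestamp": "2025-10-08 18:46:21Z",
        "trace_id": tid, "correlation_id": cid,
    }
    return json.dumps({"message": "Login failed", "statusCode": 401,
                       "responseBody": json.dumps(inner)})

if __name__ == "__main__":
    print(json.dumps(parse_login_failure(sample_failure()), indent=2))
```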

 
  • Michael E. Gernaey (Super User 2025 Season 2)
     
    Can I please ask a few questions.
     
    1. Technically (not a question) Agents aren't set up to do this, for several reasons but..

    a) in this instance those app registrations are only good for the one tenant (which is why it works on the one)
    b) I would need to understand how your actual multi-tenant configuration is set up (which is more an Azure situation, not Copilot), can still help, but will try
    c) what channels are you publishing this on? technically an anonymous open one shouldn't be a problem
    d) what authentication are you using?
    e) what Tools / connectors etc. are you using?

    2. Primarily you are usually going to need a master agent so that you can route to the child agents. Make sure to publish to a Channel that supports this, such as Teams or some internal Web app, or of course a completely Open one (as mentioned, an anonymous agent). The other issue is, do the people who will use it, and depending on your connector configurations (Agent flows / Power Automate), do users in different tenants have access to the data and/or authorization to the endpoints that the Agent will use regardless?

    Also this is Copilot Studio, NOT Copilot Studio lite, correct?

    3) Lastly, and maybe I should have put this first, make sure that your App Registration is set up for Multi-tenant; by default it will be single, which would make this fail. Make sure you have the proper Redirect URLs.
    Make sure to give the proper scopes: openid, profile and user.Read

    It's recommended to Expose an API, with a custom scope under Expose an API; add in admin and user consent for the scope.
    For identity types, make sure you enable Managed, Single Tenant App, Service accounts or client credentials with a client secret.

    I also use the Power CAT Copilot Studio Kit (well, all of the CAT stuff really lol, but specifically for Copilot as this can help you too).

    I believe #3 is really your issue, so I should have written it first, but brain dumps come as they come lol

    If these suggestions help resolve your issue, please consider marking the answer as such and also maybe a like.

    Thank you!
    Sincerely, Michael Gernaey
  • LC-15092120-0
    1. Technically (not a question) Agents aren't set up to do this, for several reasons but..

    a) in this instance those app registrations are only good for the one tenant (which is why it works on the one)
    b) I would need to understand how your actual multi-tenant configuration is set up (which is more an Azure situation, not Copilot), can still help, but will try
    We built a multi-tenant app; the home tenant is Torus while the target tenant is MSFT. In other words, we built the app in Torus and already provisioned it to MSFT.
    c) what channels are you publishing this on? technically an anonymous open one shouldn't be a problem
    We published it on the Teams channel.
    d) what authentication are you using?
    Authenticate manually. The service provider is: Microsoft Entra ID V2 with federated credentials.
    e) what Tools / connectors etc. are you using?
    HTTP request
    2. Primarily you are usually going to need a master agent so that you can route to the child agents. Make sure to publish to a Channel that supports this, such as Teams or some internal Web app, or of course a completely Open one (as mentioned, an anonymous agent). The other issue is, do the people who will use it, and depending on your connector configurations (Agent flows / Power Automate), do users in different tenants have access to the data and/or authorization to the endpoints that the Agent will use regardless?

    Also this is Copilot Studio, NOT Copilot Studio lite, correct?
    It is the Copilot Studio full version.
    3) Lastly, and maybe I should have put this first, make sure that your App Registration is set up for Multi-tenant; by default it will be single, which would make this fail. Make sure you have the proper Redirect URLs.
    Make sure to give the proper scopes: openid, profile and user.Read
    Yes, our app is registered as multi-agent and provisioned to MSFT. The redirect URL is the default on Copilot Studio: https://token.botframework.com/.auth/web/redirect
    It's recommended to Expose an API, with a custom scope under Expose an API; add in admin and user consent for the scope.
    Expose an API: this is for the service API we call, right? The service API already has my multi-tenant API added in
    Authorized client applications.
    For identity types, make sure you enable Managed, Single Tenant App, Service accounts or client credentials with a client secret.
    Where are identity types? And we are a multi-tenant app, not a single-tenant app?
    I also use the Power CAT Copilot Studio Kit (well, all of the CAT stuff really lol, but specifically for Copilot as this can help you too).
    I will try this. Thanks.
