Copilot Studio - Model Context Protocol

Custom MCP-Server - Problem with OAuth2.0 Grant-Type Authorization Flow

(3) Share

Report

Posted on by MM-27080827-0

Current Setup:

- Custom MCP-Server on Mulesoft Anypoint Platform

- HTTP-Streamable

- OAuth2.0 Grant-Type Authorization flow against Micrsosoft Azure EntraID

- Custom Connector-Config (see below)

- In Postman everything including OAuth-Dance works fine.

- OAuth-Dance in Copilot-Studio also seems to work in the first place and i See a connection with my username logged in.

- Custom Engine Agent and Declarative Agent M365 (both not working)

Error:

- in the Tools-Section of the Agent it does not show any Tools (the get Tools call never arrived at the MCP-Server)

- In the Log of the MCP-Server I see only one call including a Bearer-Token (initialize-call). After that no call is sending a Bearer-Token and therefore failing

Swagger of Custom MCP-Connector (created with UI instead of Swagger-code cause of credentials etc.)

///
swagger: '2.0'
info:
title: Mulesoft MCP
description: MCP Test Specification, YAML for streamable MCP support in Copilot Studio
version: 1.0.0
host: xxxxx
basePath: /
schemes:
- https
paths:
/mcp:
post:
summary: Mulesoft Test Car Management Server
x-ms-agentic-protocol: mcp-streamable-1.0
operationId: InvokeMCP
responses:
'200':
description: Success
security:
- oauth2:
- https://graph.microsoft.com/.default
securityDefinitions:
oauth2:
type: oauth2
flow: accessCode
tokenUrl: https://login.windows.net/common/oauth2/authorize
scopes:
https://graph.microsoft.com/.default: https://graph.microsoft.com/.default
authorizationUrl: https://login.microsoftonline.com/common/oauth2/authorize
security:
- oauth2:
- https://graph.microsoft.com/.default

///

I have the same question (3)

All responses (5)

Answers (0)

SS-29081442-0 7 on at

Like (0)

Report

Custom MCP-Server - Problem with OAuth2.0 Grant-Type Authorization Flow

The one i got working in below , May be it will help

Was this reply helpful? Yes No
CU08091809-0 2 on at

Like (0)

Report

Custom MCP-Server - Problem with OAuth2.0 Grant-Type Authorization Flow

I am running into the same issue. Using Postman I can get a bearer token from the oauth flow and call my mcp server. Integration with tools like cursor work. Though when I add the mcp server to the agent I cannot list any tools and agent chats return a meaningless error with a guid and a timestamp. Tools list is empty From the tool configuration page in the "Test" step, I can test the POST using a oauth connection and calling the tools/list command and that works.

Was this reply helpful? Yes No
KrishnaPaudel on at

Like (0)

Report

Custom MCP-Server - Problem with OAuth2.0 Grant-Type Authorization Flow

Running into exact same issue.

Additional observations:

1. Once custom connector is set up, testing it from the UI throws "502: bad gateway" error. But calling it using Postman or CURL works just fine.

2. Facing "No tools available." when the connector is added to Copilot agent.

3. While trying to chat, it asks for the consent (Allow/Cancel) and it hangs on clicking Allow. Activity Map shows "Waiting for user".

Was this reply helpful? Yes No
DD-18091934-0 11 on at

Like (0)

Report

Custom MCP-Server - Problem with OAuth2.0 Grant-Type Authorization Flow

We are running into this frustrating issue with our MCP Server being able to connect via OAuth but no tools are showing up. Our server successfully authenticates through OAuth and completes the MCP initialization handshake - we can see in the logs that Copilot Studio calls the initialize endpoint, receives our response with 6 available tools, and even sends the notifications/initialized message confirming everything worked. However, despite this apparently successful setup, Copilot Studio never discovers or shows any of our tools. What's puzzling is that according to the MCP specification, after initialization Copilot should call tools/list to discover available tools, but this never happens. We've tried embedding the tools directly in the initialize response as a workaround, ensured session continuity is working properly, and verified our OAuth scopes are all approved, but still no luck. The same server works fine with PowerApps when we send proper JSON-RPC requests. Has anyone else encountered this issue where Copilot Studio completes MCP initialization but doesn't actually discover the tools?

Are there any Copilot Studio-specific requirements or non-standard behaviors we should know about? Any guidance would be really appreciated since we're stuck at this point.

Was this reply helpful? Yes No
Suggested answer

DAnny3211 132 on at

Like (0)

Report
Custom MCP-Server - Problem with OAuth2.0 Grant-Type Authorization Flow

Hi, From what you've described, it seems the OAuth2.0 flow completes successfully during the initial handshake, but subsequent requests from Copilot Studio to your MCP server are missing the Bearer token. This breaks the expected behavior, especially for authenticated endpoints like `tools/list`. Here are a few things to check: 1. **Token Propagation**: Ensure that the token obtained during the OAuth "dance" is being stored and reused correctly by Copilot Studio. If the token is not persisted or refreshed, subsequent calls may be unauthenticated. 2. **Connector Configuration**: In your Swagger, the `securityDefinitions` and `security` sections appear correct, but double-check that: - The `tokenUrl` should be `https://login.microsoftonline.com/common/oauth2/token` (not `/authorize`). - The `authorizationUrl` is also correct, but ensure it matches the flow you're using (`accessCode` implies Authorization Code Flow). - The scope `https://graph.microsoft.com/.default` is valid and granted in Azure Entra ID. 3. **Copilot Studio Behavior**: According to [Microsoft's documentation](https://learn.microsoft.com/en-us/microsoft-copilot-studio/mcp-add-existing-server-to-agent) [1](https://learn.microsoft.com/en-us/microsoft-copilot-studio/mcp-add-existing-server-to-agent), Copilot Studio should automatically attach the Bearer token to all subsequent MCP calls after authentication. If this doesn’t happen, it may be due to: - A misconfigured redirect URI or token endpoint. - The token not being stored in the expected variable (`System.User.AccessToken`). - A known issue with token refresh or propagation, as discussed [here](https://community.powerplatform.com/forums/thread/details/?threadid=CDBF3AE9-167D-4548-A6EB-0C1C997801BD) [2](https://community.powerplatform.com/forums/thread/details/?threadid=CDBF3AE9-167D-4548-A6EB-0C1C997801BD). 4. **Testing**: Try using the MCP onboarding wizard in Copilot Studio instead of a manual connector setup. This often ensures proper token handling and tool discovery. 5. **Logging**: If possible, inspect the headers of the failing requests. If the `Authorization: Bearer` header is missing, Copilot Studio may not be correctly binding the token to the session. Please verify if this response was helpful. Thanks and best regards, Daniele *Note: This response was prepared with support from Copilot to ensure clarity and completeness.*

Was this reply helpful? Yes No