We're working with a customer on a project that is a top priority for them. It involves deploying an MCP server on Container Apps and a chat interface. They're evaluating options for the interface, but we think a Copilot agent makes the most sense. I'm trying to use your Copilot Studio MCP lab as a POC and everything works as expected following the steps you provide, but the customer has a firm requirement for Entra auth on the container app and I'm struggling to get that working with the custom connector.
Thanks for sharing the details—this is a great use case.
Key Considerations
Container App Authentication
When you enable Entra auth on Container Apps, the app is protected by Azure AD. Any incoming request must include a valid Bearer token issued by Entra.
Custom Connector Authentication
The connector needs to acquire a token from Entra and attach it to requests. This usually involves:
Registering an App Registration in Entra.
Configuring the connector with OAuth 2.0 settings (Authorization URL, Token URL, Client ID, Secret, Scopes).
Ensuring the resource URI matches the Container App’s protected endpoint.
Copilot Studio Connector Behavior
Copilot Studio supports OAuth 2.0 for custom connectors, but the tricky part is aligning the connector’s token acquisition with the Container App’s expected audience.
Recommended Steps
1. App Registration
Create an App Registration in Entra for the Container App.
Note the Client ID, Tenant ID, and Client Secret.
Under Expose an API, set the Application ID URI (e.g., api://<your-app-id>).
Add required permissions (usually user.read or custom scopes).
2. Enable Authentication on Container App
In Azure Portal → Container App → Authentication, select Microsoft Entra ID.
Use the App Registration created above.
Ensure the redirect URI matches what Copilot Studio expects (usually https://global.consent.azure-apim.net/redirect for connectors).
Test the connector to ensure token acquisition works.
4. Validate Audience
The Container App will validate the audience claim in the token. Make sure the token’s aud matches the App ID URI you set in Expose an API.
Common Pitfalls
Mismatch in redirect URI → Connector won’t complete OAuth flow.
Wrong scope → Token doesn’t include required permissions.
Audience mismatch → Container App rejects token.
Let me know if you need help with any of the above.
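The audience and scope pitfalls listed in the reply can be checked by decoding the access token the connector obtained and comparing its claims with what the Container App expects. The following is an added example, not part of the original reply or of any Microsoft tooling: it decodes the token payload without verifying the signature (diagnostics only), and the App ID URI, the scope name `mcp.access`, and the sample tokens are constructed placeholders.

```python
import base64
import json

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str, allowed_audiences: set, required_scope: str) -> list:
    """Return the findings that would make the protected app reject this token."""
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & allowed_audiences:
        findings.append(f"audience mismatch: aud={aud!r}")
    scopes = claims.get("scp", "").split()  # delegated scopes are space-separated
    if required_scope not in scopes:
        findings.append(f"missing scope {required_scope!r}: scp={scopes}")
    return findings

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Entra token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed placeholders: substitute your own Application ID URI and scope.
APP_ID_URI = "api://00000000-0000-0000-0000-000000000000"
ALLOWED = {APP_ID_URI}  # assumption: every audience value your app accepts
REQUIRED_SCOPE = "mcp.access"  # hypothetical custom scope name

GOOD = make_sample_token({"aud": APP_ID_URI, "scp": "mcp.access"})
WRONG_AUD = make_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read"}
)

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("wrong audience", WRONG_AUD)):
        print(name, "->", diagnose(tok, ALLOWED, REQUIRED_SCOPE) or "ok")
```
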