When you try to use a Copilot Studio agent inside Microsoft Teams, you may see an error message that says Authentication Failed. The agent stops responding or refuses to start a conversation. This problem usually occurs because the agent’s built-in authentication settings do not match the Teams environment or because a required Microsoft Entra ID app registration is missing or misconfigured. This article explains why the error appears and provides step-by-step fixes to resolve the authentication failure.
Key Takeaways: Fix Copilot Studio Agent Authentication in Teams
- Copilot Studio > Agents > Authentication tab: Set the authentication method to Manual for Teams custom apps.
- Microsoft Entra ID > App registrations > Certificates & secrets: Create a client secret and copy the Application ID for the agent.
- Teams admin center > Manage apps > App permissions: Grant the agent permission to access Teams data and user identity.
Why Copilot Studio Agents Show Authentication Failed in Teams
The Authentication Failed error occurs when the Copilot Studio agent cannot verify the identity of the user or the service. In Teams, every agent runs as a custom app that must authenticate through Microsoft Entra ID (formerly Azure Active Directory). The agent sends a token request to Entra ID, but if the reply URL, client ID, or client secret does not match the app registration, Entra ID rejects the request and returns a 401 error.
There are three common root causes. First, the agent uses the default authentication settings that Copilot Studio generates automatically. These settings work for the Copilot Studio test pane but not for Teams. Second, the Microsoft Entra ID app registration lacks the required API permissions for Microsoft Graph or Teams. Third, the agent’s manifest file in Teams does not include the correct authentication URL, so Teams cannot send the token request to the right endpoint.
The Default Authentication Method Is Not Compatible with Teams
When you create a new agent in Copilot Studio, the platform sets authentication to Manual by default, but the configuration points to a Copilot Studio internal endpoint. Teams expects a custom app registration that you control. If you leave the default settings unchanged, the agent cannot authenticate because the token endpoint does not belong to your tenant.
Missing or Expired Client Secret
The agent uses a client secret to prove its identity to Entra ID. If you never created a secret, or if the secret expired, the authentication handshake fails. Copilot Studio does not warn you when a secret is about to expire. You must manage the secret lifecycle manually in the Azure portal.
Steps to Fix Authentication Failed in Teams
Follow these steps in order. Do not skip the app registration step even if you already have a registration for another agent. Each agent needs its own registration.
- Create a Microsoft Entra ID app registration for the agent
Sign in to the Azure portal with a Global Administrator or Application Administrator account. Go to Microsoft Entra ID > App registrations > New registration. Enter a name for the app, for example Contoso Sales Agent. Under Supported account types, select Accounts in this organizational directory only. Leave the Redirect URI empty. Click Register. Copy the Application Client ID value; you will need it later.
- Add a client secret
In the same app registration, go to Certificates & secrets > Client secrets > New client secret. Enter a description and set an expiration period of 180 days or 365 days. Click Add. Copy the secret value immediately. You cannot retrieve it after you leave this page.
- Configure API permissions for Microsoft Graph
In the app registration, go to API permissions > Add a permission. Select Microsoft Graph > Delegated permissions. Add the following permissions: openid, profile, email, User.Read, and Team.ReadBasic.All. Click Add permissions. Then click Grant admin consent for your tenant. Confirm the consent.
- Set the authentication method in Copilot Studio to Manual
Open Copilot Studio and go to Agents. Select the agent that shows the error. Click Settings in the top menu, then go to the Authentication tab. Under Authentication method, select Manual. Paste the Application Client ID from step 1 into the Client ID field. Paste the client secret from step 2 into the Client Secret field. Set the Redirect URL to: https://token.botframework.com/.auth/web/redirect. Click Save.
- Update the Teams app manifest
In Copilot Studio, go to the agent’s Channels tab. Select Microsoft Teams. Click Download manifest to get the manifest.json file. Open the file in a text editor. Find the webApplicationInfo section. Set the id value to the Application Client ID from step 1. Set the resource value to api://botid-{ApplicationClientID}, replacing {ApplicationClientID} with your actual client ID. Save the file.
- Upload the updated manifest to Teams
Go to the Teams admin center at admin.teams.microsoft.com. Select Teams apps > Manage apps > Upload. Choose the updated manifest.json file. Set permissions to Allow for all users or specific groups. Click Apply. Return to Copilot Studio and click Publish to redeploy the agent.
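A pre-upload check for the manifest update step, as an added example (not code from Copilot Studio or Microsoft): it confirms that webApplicationInfo carries the client ID from step 1 and the api://botid-{ApplicationClientID} resource with the placeholder actually replaced. The function name, the GUID, and both sample manifests are constructed for illustration.

```python
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
PREFIX = "api://botid-"

def check_web_application_info(manifest_text, client_id):
    """Return a list of problems; an empty list means the section matches."""
    if not GUID_RE.match(client_id):
        return [f"client ID {client_id!r} is not a GUID"]
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]
    info = manifest.get("webApplicationInfo") if isinstance(manifest, dict) else None
    if not isinstance(info, dict):
        return ["webApplicationInfo section is missing"]
    problems = []
    app_id, resource = info.get("id"), info.get("resource")
    for name, value in (("id", app_id), ("resource", resource)):
        if not isinstance(value, str) or not value:
            problems.append(f"webApplicationInfo.{name} is missing")
        elif value != value.strip():
            problems.append(f"webApplicationInfo.{name} has stray whitespace")
    if problems:
        return problems
    # GUIDs are case-insensitive, so compare them lowercased.
    if app_id.lower() != client_id.lower():
        problems.append("id does not match the app registration's client ID")
    if "{" in resource or "}" in resource:
        problems.append("resource still contains the {ApplicationClientID} placeholder")
    elif not resource.startswith(PREFIX) or resource[len(PREFIX):].lower() != client_id.lower():
        problems.append(f"resource should be {PREFIX}{client_id}")
    return problems

# Constructed sample data: the GUID and both manifests are made up.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
GOOD = json.dumps({"webApplicationInfo": {"id": CLIENT_ID, "resource": PREFIX + CLIENT_ID}})
BAD = json.dumps({"webApplicationInfo": {
    "id": "99999999-2222-3333-4444-555555555555",
    "resource": "api://botid-{ApplicationClientID}"}})

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_web_application_info(text, CLIENT_ID) or "OK")
```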
If Authentication Still Fails After the Main Fix
If the error persists after you complete the steps above, check the following specific scenarios.
Copilot Studio agent shows Authentication Failed only for external guest users
The agent uses the default tenant-level authentication, which does not support guest accounts. To fix this, in Copilot Studio > Agent > Settings > Authentication, change the Supported account types to Accounts in any organizational directory. Then update the app registration in Azure to allow external identities. This change requires you to reconfigure the client secret and redirect URL.
Agent works in the Copilot Studio test pane but fails in Teams
This indicates the authentication is correctly configured for the Copilot Studio internal endpoint but not for Teams. Verify that the Redirect URL in Copilot Studio exactly matches https://token.botframework.com/.auth/web/redirect. Also confirm that the manifest file includes the correct webApplicationInfo section. Re-download the manifest after saving changes in Copilot Studio.
Client secret expired after 90 days
If the secret expires, the agent cannot obtain a token. Create a new client secret in Azure portal as described in step 2. Then update the secret in Copilot Studio > Agent > Settings > Authentication. You do not need to re-upload the manifest. The agent will use the new secret on the next restart.
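Because Copilot Studio gives no expiry warning, a scheduled check on the app registration's secrets catches the problem before users see Authentication Failed. The following is an added example, not part of the original article: it classifies secrets by remaining lifetime and assumes the input has the shape of the passwordCredentials entries on a Microsoft Graph application object (displayName, endDateTime). The sample entries, names, and the 30-day warning window are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")

def parse_utc(value):
    """Parse an ISO 8601 UTC timestamp, ignoring fractional seconds."""
    match = TIME_RE.match(value)
    if not match:
        raise ValueError(f"unexpected timestamp: {value!r}")
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def classify_secrets(credentials, now, warn_days=30):
    """Return (status, name, days_left) tuples, soonest expiry first."""
    rows = []
    for cred in credentials:
        remaining = parse_utc(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append((status, cred.get("displayName") or "(unnamed)", remaining.days))
    return sorted(rows, key=lambda row: row[2])

# Constructed sample data; the evaluation time is fixed so the result is reproducible.
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"displayName": "ci-pipeline", "endDateTime": "2025-07-14T09:00:00Z"},
    {"displayName": "teams-agent-2024", "endDateTime": "2025-01-10T09:00:00Z"},
    {"displayName": "teams-agent-2025", "endDateTime": "2025-02-04T09:00:00.1234567Z"},
]

if __name__ == "__main__":
    for status, name, days_left in classify_secrets(SAMPLE, NOW):
        print(f"{status:9} {name:18} {days_left:5d} days")
```

The listing cannot tell which secret is pasted into Copilot Studio, so give each secret a description that names the agent and rotate based on that entry.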
Copilot Studio Default Authentication vs Manual Authentication for Teams
| Item | Default Authentication | Manual Authentication |
|---|---|---|
| Configuration effort | None (automatic setup) | Requires Azure app registration and secret |
| Works in Teams | No | Yes |
| Token endpoint | Copilot Studio internal | Your tenant’s Microsoft Entra ID |
| Client secret management | Not applicable | You create and rotate secrets |
| User identity support | Single identity | Supports guest users with extra config |
The table shows that manual authentication is required for any Copilot Studio agent that runs inside Teams. Default authentication only works in the Copilot Studio portal and in custom websites that use the Copilot Studio web widget.
After you complete the manual authentication setup, the agent will authenticate users through Microsoft Entra ID and show no errors. Test the agent by opening Teams, navigating to Apps, finding your agent, and starting a conversation. If you need to deploy the agent to multiple tenants, repeat the app registration and manifest upload for each tenant. Use a separate client secret for each environment to avoid cross-tenant authentication failures.