Your Copilot Studio agent responds correctly in the Test Chat pane, but after you publish it, the live agent returns errors, wrong answers, or no response at all. This split behavior usually means the published version does not have the same permissions or data connections as the draft you tested locally. The agent’s runtime environment for published agents enforces stricter security boundaries, and your configuration may not have been fully transferred. This article explains the root cause of the discrepancy and provides step-by-step fixes to align your published agent with your test results.
Key Takeaways: Fixing Published Agent Failures in Copilot Studio
- Copilot Studio > Topics > Published agent authentication: The published agent uses a different identity than the test chat. You must configure authentication for the published endpoint.
- Copilot Studio > Data sources > Published agent data connections: Test chat may use your admin credentials to access data, but the published agent needs explicit data source permissions (Microsoft Graph, Dataverse, or custom connectors).
- Copilot Studio > Settings > Channels > Direct line or Teams: Each channel has separate configuration. A working test chat does not guarantee the channel’s settings are correct.
Why the Published Agent Fails While Test Chat Works
Copilot Studio agents run in two distinct execution contexts. The Test Chat pane uses your own Microsoft 365 identity and permissions. When you type a question, the agent executes under your account, which has full access to the data sources you configured — Microsoft Graph, SharePoint sites, Dataverse tables, or custom APIs. The published agent, however, runs under a system identity or an end-user identity depending on the channel. If you publish to Teams, the agent runs under the end user’s identity. If you publish to a custom website via Direct Line, the agent runs under an anonymous identity unless you set up token exchange.
The most common root cause is that the agent’s published authentication method is set to “No authentication” or “User authentication” without the correct Azure AD app registration. In Test Chat, the agent inherits your session. In production, it has no identity at all, so it cannot access any data source that requires permissions. Another frequent cause is that the data source connections — such as a SharePoint site or a Dataverse environment — were configured only for the test environment and not added to the published agent’s runtime scope.
A third cause is that the agent’s topics or generative AI settings differ between the draft and the published version. When you publish, Copilot Studio compiles the agent. If you made changes to topics, variables, or power automations after the last publish, those changes are missing from the live agent. The test chat always runs the latest draft, so it works. The published agent runs the last compiled snapshot, so it fails.
Steps to Align Published Agent with Test Chat Results
- Check the agent’s authentication settings
Open Copilot Studio. Select your agent. Go to Settings > Security > Authentication. If the dropdown shows “No authentication,” change it to “User authentication” or “Authenticate with Microsoft Entra ID” depending on your channel. For Teams agents, select “User authentication.” For custom websites, select “Authenticate with Microsoft Entra ID” and provide the client ID of an Azure AD app registration that you own. Save the change and republish. - Verify data source permissions for the published agent
Go to Settings > Data sources. Every data source listed here must grant access to the identity that the published agent uses. If you use “User authentication,” each end user needs at least read permission on the SharePoint site or Dataverse table. If you use “Authenticate with Microsoft Entra ID,” the Azure AD app registration must have delegated permissions for each data source. Test by opening the Azure portal, finding your app registration, and checking API permissions. - Publish the latest draft explicitly
In Copilot Studio, click the Publish button in the top toolbar. A dialog shows the last publish date. Click Publish again to confirm. Wait for the confirmation message “Published successfully.” Then test the live agent by opening the channel URL or the Teams app. Do not rely on the Test Chat pane alone — it always runs the draft, not the published version. - Test each channel separately
Go to Settings > Channels. Select the channel you are using — Teams, Direct Line, or a custom channel. Each channel has its own configuration panel. For Teams, ensure the agent is added to the correct Microsoft Teams app and that the app is installed in the target tenant. For Direct Line, regenerate the secret token if it expired. Test the published agent by sending a message through the actual channel, not the Test Chat pane. - Review topic triggers and conditions
Open Topics and select the topic that fails in production. Check the trigger phrases and conditions. If the topic uses variables that rely on user context, ensure the published agent can capture that context. For example, if a topic uses “User.DisplayName,” the agent needs the user’s identity. With “No authentication,” this variable is empty. Change the authentication method or remove the variable dependency. - Check Power Automate flows attached to the agent
If your agent calls a Power Automate flow, open the flow in Power Automate. Go to Settings > Run only user. If the flow runs under your account, it will fail for other users. Change the run-only user to the flow owner or use a connection reference that each user can authenticate. Republish the agent after updating the flow permissions.
If the Published Agent Still Has Issues After the Main Fix
Agent returns “I’m sorry, I can’t answer that” after publish
This generic response usually means the agent cannot find any topic or generative AI content that matches the user’s query. In Test Chat, the agent may fall back to your own Microsoft Graph data or generative answers that use your account’s permissions. After publish, those generative answer sources may be blocked. Go to Settings > Generative AI > Data sources. Ensure “Allow the AI to use its own general knowledge” is turned on if you want fallback answers. Also verify that the data sources listed under “Grounded data” are accessible by the published agent’s identity.
Agent fails with HTTP 401 or 403 errors in logs
Open the agent’s analytics in Copilot Studio. Go to Analytics > Session logs. Find a failed session and expand the error details. A 401 error means authentication failed. A 403 error means the identity lacks permissions. Return to the authentication settings and data source permissions. For a 401 error, regenerate the channel secret or token. For a 403 error, grant the Azure AD app registration or the end user the required permissions on the target resource.
Agent works in Test Chat but fails in Teams mobile app
Teams mobile and Teams desktop use different authentication flows. The mobile app may not support certain token grant types. In Azure AD, go to your app registration > Authentication. Under “Mobile and desktop applications,” add the Teams mobile redirect URI: https://login.microsoftonline.com/common/oauth2/nativeclient. Also enable “Allow public client flows.” Republish the agent and test again on the mobile device.
| Item | Test Chat | Published Agent |
|---|---|---|
| Authentication | Uses your signed-in Microsoft 365 identity | Uses channel-specific identity (none, user, or app) |
| Data source access | Uses your permissions automatically | Requires explicit permissions for the runtime identity |
| Topic version | Always runs the latest draft | Runs the last compiled snapshot |
| Power Automate runs | Uses your flow connection | Uses the flow owner or connection reference |
| Channel configuration | Not applicable | Must be configured per channel |
You can now diagnose and fix the gap between your Copilot Studio test chat and the published agent. Start by checking the authentication method and data source permissions. Then republish the latest draft explicitly. For persistent issues, examine the session logs for HTTP error codes and adjust the Azure AD app registration or channel settings accordingly. As an advanced step, configure a custom authentication token exchange for Direct Line channels to pass the end user’s identity securely.