When you try to sign in to Microsoft Copilot, you may see an error message about a WS-Federation sign-in failure. This error prevents Copilot from connecting to your Microsoft 365 tenant and blocks all Copilot features. The failure typically occurs because of a misconfigured identity provider, an expired federation certificate, or an incorrect domain federation setting in Microsoft Entra ID. This article explains the root cause of the WS-Federation sign-in failure and provides step-by-step instructions to resolve it.
Key Takeaways: Copilot WS-Federation Sign-In Failure
- Microsoft Entra admin center > Identity > External Identities > All identity providers: Review and update the WS-Federation metadata URL for your federated domain.
- PowerShell command Set-MsolDomainFederationSettings -SupportMultipleDomain: Ensures the federation settings include the correct signing certificate for WS-Federation.
- Microsoft Entra admin center > Connect > Domain names: Verify that the federated domain status is “Active” and not “Inactive” or “Pending.”
Why Copilot WS-Federation Sign-In Fails
WS-Federation is a protocol that allows Copilot to authenticate users by relying on an external identity provider such as Active Directory Federation Services. When the identity provider sends a WS-Federation response, Copilot validates the token using the signing certificate that Microsoft Entra ID has stored for that federated domain. If the certificate on the identity provider does not match the certificate in Microsoft Entra ID, or if the WS-Federation metadata endpoint is unreachable, the authentication attempt fails.
Common triggers for this failure include:
- An expired or renewed federation certificate that was not updated in Microsoft Entra ID.
- A change to the WS-Federation endpoint URL on the identity provider without updating the metadata URL in Microsoft Entra ID.
- A misconfigured relying party trust on the identity provider that does not include the Microsoft 365 service principal.
Steps to Diagnose and Fix the WS-Federation Sign-In Failure
Follow these steps in order. After each step, test the Copilot sign-in to see if the error is resolved.
Step 1: Verify the Federated Domain Status in Microsoft Entra ID
- Sign in to the Microsoft Entra admin center. Go to https://entra.microsoft.com and sign in with a Global Administrator account.
- Navigate to Domain names. Select Identity > Settings > Domain names.
- Check the federated domain. Find the domain that is set to Federated. The status must show Active. If it shows Inactive or Pending, the domain cannot be used for authentication. Select the domain and choose Activate if available.
Step 2: Update the WS-Federation Metadata URL
- Open the federated domain settings. In the Domain names list, select the federated domain, then select Federation settings.
- Review the WS-Federation metadata URL. The Passive sign-on endpoint and Issuer URI must match the values configured on your identity provider. For example, for AD FS the passive sign-on endpoint is usually https://sts.contoso.com/adfs/ls/.
- Update the metadata URL if incorrect. Select Edit, correct the URL, and select Save.
Step 3: Refresh the Federation Certificate Using PowerShell
- Install the Microsoft Graph PowerShell module. Open Windows PowerShell as an administrator and run Install-Module Microsoft.Graph -Scope CurrentUser.
- Connect to Microsoft Graph. Run Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Organization.Read.All" and sign in with a Global Administrator account.
- Get the current federation settings. Run Get-MgDomainFederationConfiguration -DomainId "contoso.com" (replace contoso.com with your federated domain) and note the Id of the configuration it returns; you need it in the next step.
- Update the signing certificate. Run Update-MgDomainFederationConfiguration -DomainId "contoso.com" -InternalDomainFederationId "<federation-configuration-id>" -SigningCertificate "<base64-encoded-certificate>", replacing the placeholders with the Id from the previous step and the identity provider's current public token-signing certificate. The -SigningCertificate parameter takes the base64-encoded certificate itself, not just its thumbprint. Obtain the new certificate from your identity provider.
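The following script is an added example (it is not from the original article or from Microsoft) that automates Step 3 as a practitioner would actually run it: it fetches the federation configuration for the domain, decodes the certificate Microsoft Entra ID currently holds, compares its thumbprint and expiry with the token-signing certificate exported from the identity provider, and only pushes the new certificate when the two differ and -Apply is given. The domain name, the .cer path, and the use of a single federation configuration per domain are assumptions; the Microsoft.Graph cmdlets and the SigningCertificate, IssuerUri, PassiveSignInUri and Id properties are the ones the module exposes.

```powershell
# Added example, not the article's own code. Compare the token-signing certificate that
# Microsoft Entra ID stores for a federated domain with the certificate exported from the
# identity provider, and update Entra ID only when they differ.
# Assumptions: Microsoft.Graph module installed; an account with Domain.ReadWrite.All;
# the IdP's public token-signing certificate exported (no private key) to a .cer file.
# contoso.com and C:\temp\adfs-token-signing.cer are placeholders.
param(
    [string]$DomainId    = "contoso.com",
    [string]$NewCertPath = "C:\temp\adfs-token-signing.cer",
    [switch]$Apply       # dry run unless specified
)

Connect-MgGraph -Scopes "Domain.ReadWrite.All" -NoWelcome

# A federated domain normally has exactly one federation configuration (assumption).
$config = @(Get-MgDomainFederationConfiguration -DomainId $DomainId) | Select-Object -First 1
if (-not $config) { throw "Domain '$DomainId' has no federation configuration. Is it federated?" }

# SigningCertificate is stored as a base64 string; decode it so it can be inspected.
$x509      = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$entraCert = $x509::new([Convert]::FromBase64String($config.SigningCertificate))
$idpCert   = $x509::new($NewCertPath)   # .cer files in DER or base64 form both load

"Federation config Id : $($config.Id)"
"Issuer URI           : $($config.IssuerUri)"
"Passive sign-in URI  : $($config.PassiveSignInUri)"
"Entra signing cert   : $($entraCert.Thumbprint) (expires $($entraCert.NotAfter))"
"IdP signing cert     : $($idpCert.Thumbprint) (expires $($idpCert.NotAfter))"

if ($entraCert.NotAfter -lt (Get-Date)) {
    Write-Warning "The certificate stored in Entra ID has already expired; WS-Federation sign-ins will fail until it is replaced."
}
if ($idpCert.NotAfter -lt (Get-Date)) {
    throw "The exported IdP certificate is itself expired; renew it on the identity provider first (Step 4)."
}

if ($entraCert.Thumbprint -eq $idpCert.Thumbprint) {
    "Certificates match; no update needed."
    return
}

if (-not $Apply) {
    Write-Warning "Thumbprints differ. Re-run with -Apply to store the IdP certificate in Entra ID."
    return
}

# PATCH only the signing certificate; the other federation settings are left untouched.
Update-MgDomainFederationConfiguration -DomainId $DomainId `
    -InternalDomainFederationId $config.Id `
    -SigningCertificate ([Convert]::ToBase64String($idpCert.RawData))
"Signing certificate for $DomainId updated to thumbprint $($idpCert.Thumbprint)."
```

Run it once without -Apply to see both certificates side by side; the dry run makes it safe to use as a routine check, and the thumbprint comparison is the same one Microsoft Entra ID effectively performs when it validates a WS-Federation token against the stored certificate.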
Step 4: Verify the Relying Party Trust on the Identity Provider
- Open the AD FS management console. On your AD FS server, open AD FS Management.
- Locate the Microsoft 365 relying party trust. Expand Relying Party Trusts and look for an entry named Microsoft Office 365 Identity Platform or similar.
- Check the WS-Federation endpoint. Right-click the trust and select Properties. On the Endpoints tab, verify that the WS-Federation endpoint URL matches the passive sign-on endpoint in Microsoft Entra ID.
- Update the token signing certificate. On the Signature tab, ensure the certificate is valid and not expired. If it has expired, renew the certificate on the AD FS server and then repeat Step 3 to update Microsoft Entra ID.
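As an added example (not from the original article or from Microsoft), this script gathers on the AD FS server the same facts Step 4 asks you to check by hand in the console: the federation service identifier that AD FS places in every WS-Federation response (which must equal the Issuer URI in Microsoft Entra ID exactly, the usual cause of the sign-in loop described later), the Microsoft 365 relying party trust and its state, the passive sign-in endpoint the farm publishes, and the primary token-signing certificate, which it exports as a public .cer file for use in Step 3. The expected endpoint and issuer values, the relying party name, and the export path are placeholders; the ADFS cmdlets and properties used are the ones the AD FS module provides.

```powershell
# Added example, not the article's own code. Run on an AD FS server.
# Assumptions: the ADFS PowerShell module is present (it ships with the role); the two
# "Expected" values are copied from the domain's Federation settings in the Entra admin
# center and are placeholders here.
param(
    [string]$ExpectedPassiveEndpoint = "https://sts.contoso.com/adfs/ls/",            # placeholder
    [string]$ExpectedIssuerUri       = "http://sts.contoso.com/adfs/services/trust",  # placeholder
    [string]$RelyingPartyName        = "Microsoft Office 365 Identity Platform",
    [string]$ExportPath              = "C:\temp\adfs-token-signing.cer"
)

Import-Module ADFS
$problems = @()
$props    = Get-AdfsProperties

# 1. Federation service identifier = issuer of every WS-Federation response.
#    Compare case-sensitively and without trimming: a trailing slash difference is a mismatch.
$issuer = [string]$props.Identifier
"AD FS issuer            : $issuer"
if ($issuer -cne $ExpectedIssuerUri) {
    $problems += "Issuer mismatch: AD FS '$issuer' vs Entra ID '$ExpectedIssuerUri' (check trailing slash and case)"
}

# 2. Passive sign-in endpoint published by this farm (/adfs/ls/).
$passive = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '/adfs/ls*' } | Select-Object -First 1
$passiveUrl = [string]$passive.FullUrl
"Passive endpoint        : $passiveUrl (enabled: $($passive.Enabled))"
if (-not $passive -or -not $passive.Enabled) { $problems += "Passive endpoint /adfs/ls is missing or disabled" }
elseif ($passiveUrl -ne $ExpectedPassiveEndpoint) { $problems += "Passive endpoint '$passiveUrl' differs from Entra ID value '$ExpectedPassiveEndpoint'" }

# 3. Relying party trust for Microsoft 365.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) {
    $problems += "No relying party trust named '$RelyingPartyName'"
} else {
    "RP trust               : $($rp.Name) (enabled: $($rp.Enabled))"
    "RP WS-Fed endpoint     : $($rp.WSFedEndpoint)"
    if (-not $rp.Enabled) { $problems += "Relying party trust '$RelyingPartyName' is disabled" }
}

# 4. Primary token-signing certificate: expiry check and public export for Step 3.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate
"Token-signing cert      : $($cert.Thumbprint) (expires $($cert.NotAfter))"
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "Primary token-signing certificate expired on $($cert.NotAfter); renew it before updating Entra ID"
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Primary token-signing certificate expires within 30 days ($($cert.NotAfter))"
}
if ($props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is on: AD FS will replace this certificate on its own, and Entra ID must be updated each time it does."
}
# Export the public certificate only (no private key) for the Entra ID update.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($ExportPath, $der)
"Public certificate exported to $ExportPath"

if ($problems) { "`nPROBLEMS FOUND:"; $problems | ForEach-Object { " - $_" } } else { "`nNo configuration problems detected." }
```

Copy the exported .cer to the workstation where you run Step 3; the issuer and endpoint lines printed here are the values to compare, character for character, with the Issuer URI and Passive sign-on endpoint shown under Federation settings in the Microsoft Entra admin center.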
If Copilot Still Fails After the Main Fix
Copilot Returns Error 500 After WS-Federation Success
If WS-Federation completes but Copilot shows a 500 error, the issue may be a stale session or a misconfigured conditional access policy. Clear browser cookies and sign in again. If the error persists, check the conditional access policies in Microsoft Entra ID for any requirement that blocks Copilot, such as device compliance. Exclude the Copilot app from the policy temporarily to test.
WS-Federation Failure Only on Mobile Devices
If the failure occurs only on iOS or Android, the identity provider may not support WS-Federation passive sign-in from mobile user agents. Check the identity provider logs for rejected requests. As a workaround, configure the Microsoft Authenticator app to handle authentication instead of WS-Federation.
Copilot Sign-In Loops Without Error
A sign-in loop indicates that the WS-Federation response is not being accepted by Microsoft Entra ID. The most common cause is a mismatch in the Issuer URI. Compare the issuer value in the WS-Federation response with the Issuer URI in Microsoft Entra ID. They must match exactly, including trailing slashes.
Copilot Pro vs Copilot for Microsoft 365: Key Differences for WS-Federation
| Item | Copilot Pro | Copilot for Microsoft 365 |
|---|---|---|
| Authentication method | Personal Microsoft account or Microsoft Entra ID | Microsoft Entra ID with WS-Federation or SAML |
| WS-Federation support | Not required for personal accounts | Required for federated domains |
| Admin control | No tenant-level federation settings | Full control via Microsoft Entra admin center |
| Certificate update process | Not applicable | PowerShell or Microsoft Entra admin center |
If your organization uses a federated domain with WS-Federation, you must configure Copilot for Microsoft 365 correctly. Copilot Pro does not use WS-Federation and will not trigger this error.
You can now diagnose and fix the WS-Federation sign-in failure by checking the domain status, updating the metadata URL, refreshing the signing certificate, and verifying the relying party trust on your identity provider. Test the Copilot sign-in after each step to isolate the exact cause. For ongoing monitoring, set up a certificate expiry alert in Microsoft Entra ID to avoid future failures.