Copilot Studio Agent Cannot Be Added to Website: Fix

You built a Copilot Studio agent and want to embed it on your company website, but the agent refuses to load or the embed code produces an error. This problem usually occurs because the website domain is not authorized in the Copilot Studio publishing settings, or because the agent requires authentication that the website cannot provide. This article explains the exact cause of the failure and provides a step-by-step fix to get your agent running on your site.

You will learn how to check domain authorization, adjust authentication settings, and verify that the embed snippet is correctly configured. No coding skills are required, but you need access to the Copilot Studio admin portal and your website’s HTML source.

Key Takeaways: Fixing a Copilot Studio Agent That Won’t Load on Your Website

  • Copilot Studio > Settings > Security > Data loss prevention > Allowed domains: Add your website domain to the allowed list to prevent the agent from being blocked.
  • Copilot Studio > Settings > Channels > Web > Authentication: Set authentication to “No authentication” or configure a valid OAuth provider for your site.
  • Website HTML embed code: Ensure the <script> tag points to the correct agent ID and is placed before the closing </body> tag.

Why Your Copilot Studio Agent Fails to Load on a Website

When you publish a Copilot Studio agent, the platform generates an embed snippet that includes a unique agent ID and a connection to Microsoft’s Bot Framework. The agent must be able to verify that the requesting website is permitted to host it. If the website domain is not explicitly listed in the agent’s security settings, the Bot Framework rejects the request and the agent does not load.

A second common cause is authentication mismatch. Copilot Studio agents can require user sign-in via Azure AD, Microsoft Entra ID, or a custom OAuth provider. If your website does not pass the required authentication tokens, the agent displays a login error or remains blank. For public-facing websites that do not enforce user login, the agent must be configured to allow anonymous access.

A third cause is a corrupted or outdated embed snippet. If you copied the script tag before republishing the agent after a settings change, the snippet may contain an old agent ID or a broken endpoint URL. Refreshing the snippet from the Copilot Studio publishing page resolves this.

Steps to Add Your Copilot Studio Agent to a Website

Follow these steps in order. Each step addresses one of the three root causes described above.

  1. Add your website domain to the allowed domains list
    Open Copilot Studio and go to Settings > Security > Data loss prevention. Under Allowed domains, click Add domain. Enter your full website domain, for example www.yourcompany.com. Include localhost if you are testing locally. Click Save.
  2. Set the agent authentication mode for anonymous access
    In Copilot Studio, select your agent and go to Settings > Channels > Web. Under Authentication, choose No authentication if your website does not require user login. If your site uses Azure AD, select Azure AD (Microsoft Entra ID) and register your website as a valid redirect URI. Click Save.
  3. Republish the agent to generate a fresh embed snippet
    Go to Publish in the left navigation pane. Click Publish again to force a full republish. Wait for the confirmation message. This step applies all security and authentication changes to the live agent.
  4. Copy the updated embed code
    After republishing, click Publish > Channels > Web. Click Copy next to the embed snippet. The snippet looks like this: <script src="https://copilotstudio.microsoft.com/agents/abc123/embed.js"></script>. Do not modify the script tag manually.
  5. Insert the embed code into your website HTML
    Open your website’s HTML file or content management system template. Paste the script tag just before the closing </body> tag. Do not place it inside the <head> section. Save and publish the page.
  6. Test the agent on the live website
    Open your website in a private browser window or a browser where you are not logged into any Microsoft account. Confirm that the agent icon appears and that you can start a conversation. If the agent does not load, open the browser’s developer console (F12) and check for JavaScript errors or HTTP 403 responses.
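A small lint for the embed placement and agent ID that steps 4 and 5 describe, added here as an example that is not from the original article or from Microsoft. It assumes the URL shape of the sample snippet in step 4; the checkEmbed function, the sample pages and the agent IDs abc123 and old999 are constructed for illustration.

```javascript
// Host and path shape are assumptions taken from the sample snippet in step 4.
const EMBED_HOST = "copilotstudio.microsoft.com";
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Return a list of problems with the agent embed in a page's HTML source.
// expectedAgentId is the ID in the snippet most recently copied after republishing.
function checkEmbed(html, expectedAgentId) {
  const problems = [];
  const headEnd = html.search(/<\/head\s*>/i);
  const bodyEnd = html.search(/<\/body\s*>/i);
  const embeds = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    let url;
    try {
      url = new URL(m[1]);
    } catch {
      continue; // relative src, so not the agent embed
    }
    if (url.hostname !== EMBED_HOST) continue;
    const idMatch = url.pathname.match(/^\/agents\/([^/]+)\/embed\.js$/);
    embeds.push({ id: idMatch ? idMatch[1] : null, at: m.index, scheme: url.protocol });
  }
  if (embeds.length === 0) problems.push("no embed script found");
  if (embeds.length > 1) problems.push("embed script appears more than once");
  for (const e of embeds) {
    if (e.scheme !== "https:") problems.push("embed script is not loaded over https");
    if (e.id === null) problems.push("embed URL does not have the expected path");
    else if (e.id !== expectedAgentId) problems.push(`agent ID ${e.id} does not match ${expectedAgentId}`);
    if (headEnd !== -1 && e.at < headEnd) problems.push("embed script is inside <head>");
    if (bodyEnd !== -1 && e.at > bodyEnd) problems.push("embed script is after </body>");
  }
  return problems;
}

// Constructed sample pages; the agent IDs are placeholders.
const GOOD_PAGE = `<html><head><title>Home</title></head><body><h1>Welcome</h1>
<script src="https://copilotstudio.microsoft.com/agents/abc123/embed.js"></script>
</body></html>`;
const STALE_PAGE = `<html><head><title>Home</title>
<script src="https://copilotstudio.microsoft.com/agents/old999/embed.js"></script>
</head><body><h1>Welcome</h1></body></html>`;

console.log(checkEmbed(GOOD_PAGE, "abc123"));
console.log(checkEmbed(STALE_PAGE, "abc123"));
```

The pattern match is a lint over the page source, not an HTML parser, so a script tag inside an HTML comment is still counted.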

If the Agent Still Has Issues After the Main Fix

Agent loads but shows a blank chat window

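This indicates that the agent is reaching your website but failing to initialize. The most common reason is a Content Security Policy (CSP) on your website that blocks the Bot Framework endpoint. Add the following directives to the Content-Security-Policy that your website sends in its HTTP response headers or <meta> tag. If the policy already defines one of these directives, add the origin to the existing directive instead of repeating it, because browsers ignore a repeated directive within the same policy: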

script-src 'self' https://copilotstudio.microsoft.com; frame-src 'self' https://copilotstudio.microsoft.com; connect-src 'self' https://copilotstudio.microsoft.com

After updating the CSP, clear your browser cache and reload the page.
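To see which directive of an existing policy blocks the agent, the following added example (not part of the original article, and not Microsoft code) parses a CSP string and applies the standard fallback to default-src. The origin comes from the directives above; the sample policies are constructed, and the check assumes your site's own origin differs from the agent's, so 'self' never matches.

```javascript
// Origin and directive names come from the CSP line in the article.
const AGENT_ORIGIN = "https://copilotstudio.microsoft.com";
// A fetch type falls back along its chain when its own directive is absent.
const FALLBACK = {
  "script-src": ["script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
};

// Parse one policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// True when one source expression admits the origin (paths are not evaluated).
function sourceAllows(source, origin) {
  const { hostname } = new URL(origin);
  const src = source.toLowerCase();
  if (src === "*" || src === "https:" || src === "http:") return true;
  const m = src.match(/^(?:https?:\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/);
  // No match: keywords such as 'self' and 'none', nonces, hashes, other schemes.
  if (!m || (m[3] && m[3] !== "*" && m[3] !== "443")) return false;
  return m[1] ? hostname.endsWith("." + m[2]) : hostname === m[2];
}

// Needed directives whose governing source list blocks the origin (none governing = unrestricted).
function blockedDirectives(policy, origin = AGENT_ORIGIN) {
  const csp = parseCsp(policy);
  const blocked = [];
  for (const [needed, chain] of Object.entries(FALLBACK)) {
    const governing = chain.find((d) => csp.has(d));
    if (governing && !csp.get(governing).some((s) => sourceAllows(s, origin))) {
      blocked.push(`${needed} (governed by ${governing})`);
    }
  }
  return blocked;
}

// Constructed sample policies for a site that did not yet allow the agent.
const BEFORE = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; img-src 'self' data:";
const ALLOW = `'self' ${AGENT_ORIGIN}`;
const APPENDED = `${BEFORE}; script-src ${ALLOW}; frame-src ${ALLOW}; connect-src ${ALLOW}`;
const MERGED = `default-src 'self'; script-src 'self' 'nonce-r4nd0m' ${AGENT_ORIGIN}; frame-src ${ALLOW}; connect-src ${ALLOW}`;
console.log([BEFORE, APPENDED, MERGED].map((p) => blockedDirectives(p)));
```

APPENDED shows the failure mode of pasting the directives onto the end of a policy that already has script-src: the second script-src is ignored and scripts stay blocked, while MERGED passes.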

Agent requires sign-in even though authentication is set to none

This happens when the agent uses a topic or skill that calls a Microsoft Graph API or a custom connector that requires user context. Review your agent’s topics. If any topic uses a Power Automate flow that calls Microsoft Graph with the user’s identity, either remove that flow or configure the flow to use a service account. Alternatively, set the agent authentication to Azure AD and ensure your website passes the correct tokens.

Embed code returns a 404 error

A 404 error means the agent ID in the embed snippet is invalid or the agent was deleted. Go back to Copilot Studio and confirm that the agent still exists. If you renamed the agent, the ID remains the same. If you deleted the agent, create a new one and publish it. Copy the fresh embed snippet.

| Item | Copilot Studio Agent (Anonymous) | Copilot Studio Agent (Authenticated) |
|---|---|---|
| Authentication | No authentication required | Azure AD, Microsoft Entra ID, or custom OAuth |
| Best for | Public websites without user login | Internal portals or customer portals with login |
| Domain restriction | Must be added to allowed domains list | Must be added to allowed domains list and registered as redirect URI |
| Embed snippet | Standard script tag | Script tag with token endpoint parameter |
| User data access | No user context | Can access user’s Microsoft Graph data |

Now you can add your Copilot Studio agent to any website by controlling domain permissions, authentication mode, and the embed snippet. Start with the allowed domains step because it is the most common blocker. After the agent loads, test a conversation that uses a topic with a connector to confirm end-to-end functionality. As a final check, use the browser developer tools to monitor network requests and verify that all calls go to copilotstudio.microsoft.com without errors.
