Copilot Studio Agent Cannot Use Dataverse Table: Fix

You built a Copilot Studio agent to query or update a Dataverse table, but the agent responds with an error or returns no data. This usually happens because the agent lacks the correct security role or the Dataverse table is not properly configured for public access. The Copilot Studio agent uses the maker’s credentials at design time but runs under a service principal or anonymous user at runtime, which requires explicit permissions on the table. This article explains the three most common causes and provides step-by-step fixes for each.

Key Takeaways: Dataverse Table Access for Copilot Studio Agents

  • Power Platform admin center > Environments > Security > Roles: Assign the Basic User security role and a custom role with read or write privileges on the target table to the Copilot Studio application user.
  • Dataverse table properties > Advanced options: Enable the “Allow anonymous usage” setting to grant runtime access without a named user session.
  • Copilot Studio topic > Dataverse connector: Verify the connection references the correct environment and table logical name, and retest after saving the topic.


Why the Copilot Studio Agent Cannot Access the Dataverse Table

When you add a Dataverse connector action to a Copilot Studio topic, the agent attempts to read or write data from a specific table. At design time, the agent uses your user account and your security role permissions. At runtime, however, the agent runs under a different identity. For agents published to a website or Microsoft Teams, the runtime identity is an application user automatically created in the target environment. For authenticated users, the runtime identity is the signed-in user.

The application user is created with the Basic User role by default. This role allows the user to read environment data but does not grant access to custom tables. If the Dataverse table is a custom table or has restricted access, the agent fails with errors like “Access denied,” “Object not found,” or “The record does not exist.” The fix involves granting the correct security role to the application user and, in some cases, enabling anonymous usage on the table itself.

Common Error Messages

The exact error text varies by scenario. The most frequent messages are:

  • “Access denied to the table ‘table_name’”
  • “The record does not exist or you do not have permission to view it”
  • “Object reference not set to an instance of an object”
  • “Unable to connect to Dataverse. Check your connection settings.”

All these errors point to the same root cause: the runtime identity lacks the necessary privileges on the Dataverse table.

Steps to Grant the Copilot Studio Agent Access to a Dataverse Table

Method 1: Assign a Security Role to the Copilot Studio Application User

  1. Open the Power Platform admin center
    Go to admin.powerplatform.microsoft.com. Sign in with a Global admin or Power Platform admin account.
  2. Select the target environment
    In the left navigation, click Environments. Find the environment where your Copilot Studio agent is published. Click the environment name to open its details.
  3. Navigate to Security settings
    In the environment details pane, click Settings. Under the Users + permissions section, click Users.
  4. Locate the application user
    On the Users page, switch the view from Enabled Users to Application Users. Look for a user with the name “Copilot Studio” or “Microsoft Copilot Studio.” The application user ID matches the Copilot Studio agent’s service principal ID.
  5. Edit the user’s roles
    Select the application user and click Manage roles. In the role selection dialog, check the box for Basic User if it is not already selected. Then check the box for a custom security role that grants read, write, or both permissions on the target Dataverse table. If no such role exists, you must create one first.
  6. Save the changes
    Click Save. The application user now has the required privileges. Retest the agent in Copilot Studio.

Method 2: Create a Custom Security Role for the Table

  1. Open the Power Platform admin center
    Navigate to the same environment as in Method 1.
  2. Go to Security roles
    Click Settings > Users + permissions > Security roles.
  3. Create a new role
    Click New role. Give the role a descriptive name, for example “Copilot Agent – Table Read.”
  4. Configure table-level permissions
    In the role editor, switch to the Custom Entities tab. Find your target Dataverse table in the list. For each privilege (Read, Write, Create, Delete, Append, Append To, Assign, Share), select the appropriate access level. For most agents, Read is sufficient for query operations. Write is required for create or update actions.
  5. Save the role
    Click Save and Close. Then assign this role to the Copilot Studio application user using Method 1 steps 4 through 6.
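
To confirm that the roles assigned in Methods 1 and 2 grant what the agent needs and nothing more, the following added example (not part of the original article) audits the application user's privileges on one table. It assumes you have already retrieved the user's effective privileges with the Dataverse Web API `RetrieveUserPrivileges` function and parsed the JSON; the `NEEDED` mapping, function names, and sample data are constructed for illustration, and privilege names are assumed to follow the `prv<Verb><table>` pattern.

```python
"""Audit what a Copilot Studio application user can do on one Dataverse table."""

# The eight table privileges offered in the security role editor.
VERBS = ("Read", "Write", "Create", "Delete", "Append", "AppendTo", "Assign", "Share")

# Assumption: minimum privileges per agent action, following the article
# (Read for query operations, Write for update actions, Create for new rows).
NEEDED = {"query": {"Read"}, "update": {"Read", "Write"}, "create": {"Create"}}


def table_privileges(role_privileges, table):
    """Map verb -> access depth for the privileges that target `table`.

    `role_privileges` is the RolePrivileges list from a RetrieveUserPrivileges
    response. Matching is case-insensitive because the casing of the table
    part of a privilege name is an assumption here.
    """
    found = {}
    for priv in role_privileges:
        name = priv["PrivilegeName"].lower()
        for verb in VERBS:
            if name == f"prv{verb}{table}".lower():
                found[verb] = priv["Depth"]
    return found


def audit(role_privileges, table, actions):
    """Return (missing, excess) privilege verbs for the agent's actions."""
    granted = set(table_privileges(role_privileges, table))
    required = set().union(*(NEEDED[a] for a in actions))
    return sorted(required - granted), sorted(granted - required)


# Constructed sample shaped like a RolePrivileges array (IDs omitted).
SAMPLE = [
    {"PrivilegeName": "prvReadcr977_incidentreport", "Depth": "Global"},
    {"PrivilegeName": "prvDeletecr977_incidentreport", "Depth": "Global"},
    {"PrivilegeName": "prvReadAccount", "Depth": "Basic"},
]

if __name__ == "__main__":
    for actions in (["query"], ["query", "update"]):
        missing, excess = audit(SAMPLE, "cr977_incidentreport", actions)
        print(actions, "missing:", missing, "excess:", excess)
```

A non-empty `missing` list explains an access error at runtime; a non-empty `excess` list means the custom role grants more than the agent's actions require and can be trimmed.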

Method 3: Enable Anonymous Usage on the Dataverse Table

If your agent is published to an anonymous website and the table must be accessible without any user authentication, you must enable anonymous usage on the table.

  1. Open Power Apps maker portal
    Go to make.powerapps.com and select the correct environment.
  2. Open Dataverse tables
    In the left navigation, expand Dataverse and click Tables.
  3. Select your table
    Find the table the agent needs to access. Click the table name to open its properties.
  4. Enable anonymous usage
    In the table properties pane, click Advanced options. Scroll to the Access section. Set Allow anonymous usage to Yes. This setting allows the table to be read by unauthenticated callers, including the Copilot Studio agent runtime.
  5. Save the table
    Click Save. The change takes effect immediately. Retest the agent.


If the Agent Still Cannot Access the Dataverse Table

The agent uses an incorrect table logical name

Open the topic in Copilot Studio that contains the Dataverse connector action. Click the action node to inspect its properties. Verify that the Table field contains the logical name of the table, not the display name. The logical name is usually all lowercase with no spaces, for example cr977_incidentreport. If the name is wrong, select the correct table from the dropdown or type the logical name manually.

The agent connects to the wrong environment

Each Dataverse connector action includes a Connection reference. This reference points to a specific environment. If you published the agent to environment A but the connection reference points to environment B, the table will not be found. Open the connection reference in Copilot Studio and confirm the environment matches the one where the table exists.

Permissions were updated but the agent still fails

Security role changes in Dataverse can take up to 15 minutes to propagate. Wait 15 minutes, then restart the Copilot Studio agent by closing the test chat and opening a new one. If the issue persists, remove the application user from the environment and let Copilot Studio recreate it. To remove the user, go to Power Platform admin center > Environments > your environment > Settings > Users > Application Users, select the Copilot Studio application user, and click Delete. Republish the agent to trigger recreation of the application user.

| Item | Anonymous Website Agent | Authenticated Teams Agent |
| --- | --- | --- |
| Runtime identity | Application user (service principal) | Signed-in user (Microsoft Entra ID account) |
| Required permission | Basic User role + custom role OR Enable anonymous usage on table | User’s own Dataverse security role |
| Anonymous usage setting | Must be set to Yes on the table | Not required |
| Role assignment | Assign role to application user in Power Platform admin center | Assign role to each user through standard Dataverse security role management |

This article covered the three main fixes for a Copilot Studio agent that cannot use a Dataverse table: assigning a security role to the application user, creating a custom role with table-specific permissions, and enabling anonymous usage on the table. After applying the correct fix, open your agent in Copilot Studio and run a test query against the table to confirm the issue is resolved. As an advanced tip, use the Dataverse connector’s “List records” action with a filter to verify that the agent can both connect and filter data correctly.
