When your Copilot Studio bot fails to authenticate the SharePoint connector, it cannot read or write data from SharePoint lists, libraries, or sites. This typically happens because the bot's authentication configuration does not match the permissions required by the SharePoint resource. In this article, you will learn why the authentication fails and how to fix it by adjusting the connector settings, verifying the Microsoft Entra ID app registration, and assigning the correct API permissions.
Key Takeaways: Fixing SharePoint Connector Authentication in Copilot Studio
- Copilot Studio > Topics > Connectors > SharePoint > Edit authentication: Select the correct authentication type — OAuth 2.0 with Microsoft Entra ID.
- Microsoft Entra ID > App registrations > API permissions > Add a permission > SharePoint: Grant delegated permissions such as Sites.Read.All or Sites.ReadWrite.All.
- Copilot Studio > Publish > Channels > SharePoint: Ensure the bot is published to the SharePoint site where the connector runs.
Why the SharePoint Connector Authentication Fails in Copilot Studio
The SharePoint connector in Copilot Studio requires a valid OAuth 2.0 token that proves the bot has permission to access the target SharePoint site, list, or library. The authentication failure occurs when the Microsoft Entra ID app registration for the bot lacks the correct delegated permissions for SharePoint. Another common cause is that the bot is not published to the SharePoint site where the connector is configured, so the token request is rejected because the audience claim in the token does not match the resource URL.
The connector uses the Microsoft Graph API or SharePoint REST API to read and write data. Both APIs require specific permission scopes. If the app registration has only Application permissions but the connector uses delegated authentication, the token will be invalid. Similarly, if the admin has not granted consent for the permissions, the token request will return an unauthorized error.
The Role of the SharePoint Site URL in Authentication
The SharePoint connector in Copilot Studio requires the exact site URL where the data resides. If the URL is wrong — for example, using the root site URL instead of a subsite — the token will be issued for the wrong resource and authentication will fail. The bot must be published to the same SharePoint site or at least a site that is in the same tenant and has access to the target data.
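The token checks described above (audience versus site URL, delegated versus application permissions, expiry) can be run against a captured access token with the diagnostic below. It is an added example, not code from Copilot Studio or any Microsoft tooling. The function names, the sample tokens, and the assumption that the `aud` claim is in URL form are illustrative, and the payload is decoded without signature verification, so it is for troubleshooting only.

```python
import base64
import json
import time
from urllib.parse import urlsplit

def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

def decode_claims(token):
    """Decode the payload segment only. No signature check: diagnostics, not authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token, site_url, need_write=False, now=None):
    """Return a list of findings explaining why SharePoint would reject this token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    # Assumption: aud is in URL form; only hosts are compared, so the site path is ignored.
    aud = str(claims.get("aud", ""))
    aud_host = urlsplit(aud).hostname or aud
    if aud_host != urlsplit(site_url).hostname:
        findings.append(f"audience mismatch: token is for {aud_host}")
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    scopes = set(str(claims.get("scp", "")).split())   # delegated permissions
    roles = set(claims.get("roles", []))                # application permissions
    accepted = {"Sites.ReadWrite.All"} if need_write else {"Sites.Read.All", "Sites.ReadWrite.All"}
    if not scopes and roles:
        findings.append("app-only token: roles present but no delegated scp claim")
    elif not scopes & accepted:
        findings.append(f"missing delegated scope: need one of {sorted(accepted)}")
    return findings

# Constructed sample tokens (tenant name from the article's example URL; values are not real).
SITE = "https://contoso.sharepoint.com/sites/ProjectAlpha"
NOW = 1_700_000_000
GOOD = make_unsigned_token({"aud": "https://contoso.sharepoint.com", "exp": NOW + 3600, "scp": "Sites.Read.All"})
WRONG_AUD = make_unsigned_token({"aud": "https://graph.microsoft.com", "exp": NOW + 3600, "scp": "Sites.Read.All"})
APP_ONLY = make_unsigned_token({"aud": "https://contoso.sharepoint.com", "exp": NOW - 60, "roles": ["Sites.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("wrong_aud", WRONG_AUD), ("app_only", APP_ONLY)]:
        print(name, diagnose(tok, SITE, now=NOW) or "no findings")
```

An empty findings list means the claims line up with the connector configuration; any remaining failure then points at site-level permissions rather than the token itself.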
Steps to Fix the SharePoint Connector Authentication
Follow these steps in order. After each step, test the connector by sending a message that triggers a data call to SharePoint.
- Open the connector authentication settings in Copilot Studio
  Sign in to Copilot Studio. Go to Topics and select the topic that uses the SharePoint connector. Click Connectors, then select the SharePoint connector. Click Edit authentication. Verify that the authentication type is set to OAuth 2.0 with Microsoft Entra ID. If it is set to None or Basic, change it to OAuth 2.0.
- Verify the SharePoint site URL in the connector
  In the same connector settings, check the Site URL field. It must match the exact URL of the SharePoint site containing the list or library you want to access. For example: https://contoso.sharepoint.com/sites/ProjectAlpha. If you need to access data from a subsite, use the subsite URL, not the root site URL.
- Check the Microsoft Entra ID app registration for the bot
  Go to the Microsoft Entra admin center. Under Identity > Applications > App registrations, find the app registration associated with your Copilot Studio bot. The app name is usually the same as the bot name. Click the app name to open its settings.
- Add SharePoint delegated permissions to the app registration
  In the app registration, go to API permissions. Click Add a permission. Select SharePoint. Choose Delegated permissions. Select at least Sites.Read.All for read access or Sites.ReadWrite.All for read and write access. Click Add permissions. Then click Grant admin consent for the tenant. A green check mark should appear next to each permission.
- Publish the bot to the SharePoint site
  In Copilot Studio, go to Publish > Channels. Select SharePoint. Choose the specific SharePoint site where the connector runs. Click Publish. Wait for the publishing to complete. This step ensures the bot can authenticate to that site.
- Test the connector with a simple data query
  In Copilot Studio, open the topic that uses the SharePoint connector. Send a test message such as "Show me the latest items from the Projects list." If the bot returns data, authentication is fixed. If you still see an error, proceed to the next section.
If Copilot Studio Bot Still Cannot Authenticate After the Main Fix
The connector returns a 401 Unauthorized error
A 401 error means the token is missing or invalid. Open the Microsoft Entra app registration and go to Certificates & secrets. Ensure a valid client secret exists and has not expired. If the secret expired, create a new one and update the connector authentication in Copilot Studio with the new secret. Also, confirm that the redirect URI in the app registration matches the Copilot Studio connector callback URL. The callback URL is visible in the connector authentication settings under Redirect URI.
The connector returns a 403 Forbidden error
A 403 error means the token is valid but the user or bot does not have permission to access the specific SharePoint item. Go to the SharePoint site and verify that the bot's service account — usually the same account that created the bot — has at least Read access to the target list or library. If the connector uses delegated authentication, the token is issued for the signed-in user. That user must have permission to the SharePoint data. If the connector uses application authentication, the app itself must have site-level permissions granted via an app permission policy in SharePoint.
The connector works in test but fails in production
This happens when the bot is published to a different SharePoint site than the one used during testing. Go to Publish > Channels > SharePoint and confirm that the site URL matches the site URL in the connector settings. If the bot is embedded in a Teams app, the Teams app manifest must also include the correct SharePoint site domain in the validDomains array.
Copilot Studio SharePoint Connector: Authentication Types Compared
| Item | OAuth 2.0 with Microsoft Entra ID | Basic Authentication |
|---|---|---|
| Description | Uses token-based authentication with delegated or application permissions | Uses username and password directly in the connector |
| Security | High — tokens expire and can be revoked individually | Low — credentials are stored in plaintext and cannot be scoped |
| Supported by SharePoint Online | Yes | No — Microsoft disabled basic auth for SharePoint Online in 2022 |
| Required setup | Microsoft Entra app registration with delegated permissions and admin consent | None — but fails for SharePoint Online tenants |
Always use OAuth 2.0 with Microsoft Entra ID for SharePoint connectors in Copilot Studio. Basic authentication no longer works with SharePoint Online and will cause authentication failures.
You can now fix SharePoint connector authentication errors by adjusting the OAuth settings in Copilot Studio, adding the correct delegated permissions in Microsoft Entra ID, and publishing the bot to the target SharePoint site. Next, consider enabling audit logging in SharePoint to track all bot data access requests. As an advanced tip, use application permissions instead of delegated permissions if the bot must run without a signed-in user — this requires adding the app to the SharePoint site's Site Permissions via the SharePoint admin center.