Copilot Studio Connector Authentication Keeps Expiring: Fix

You set up a connector in Copilot Studio to pull data from Salesforce, SharePoint, or a custom API. The connection works for a few hours or days, then fails with an authentication error. This forces you to manually re-authenticate each time, which disrupts your copilot workflows and wastes time. The root cause is typically a mismatch between the connector’s token refresh settings and the policies enforced by the external service. This article explains why authentication tokens expire prematurely and provides the exact steps to fix the issue permanently.

Key Takeaways: Fixing Copilot Studio Connector Authentication

  • Connector authentication settings > Token lifetime: Increase the token lifetime in the external service to match Copilot Studio’s refresh interval.
  • OAuth 2.0 client credentials grant: Use this grant type instead of authorization code grant to reduce user-intervention requirements.
  • Service principal consent: Grant tenant-wide admin consent for the connector’s app registration to avoid per-user consent expiry.


Why Copilot Studio Connector Authentication Tokens Expire Early

When you create a connector in Copilot Studio, the platform uses OAuth 2.0 or API key authentication to access external services. The external service issues an access token with a predefined lifetime. If that lifetime is shorter than Copilot Studio’s idle timeout or refresh cadence, the token expires before the copilot needs it again.

Several factors cause early token expiry:

Default Token Lifetime Settings in External Services

Many SaaS platforms set short default token lifetimes for security. For example, Salesforce defaults to a 15-minute access token. Microsoft Entra ID defaults to 60 to 90 minutes depending on the tenant configuration. Copilot Studio does not automatically refresh tokens in the background. It reuses the stored token until the next user interaction. If the token expires during that idle period, the connector fails.

OAuth 2.0 Authorization Code Grant vs Client Credentials Grant

Copilot Studio connectors that use the authorization code grant require a user to sign in and consent. The refresh token obtained through this flow has a maximum lifetime set by the identity provider. Many providers set refresh token lifetimes to 24 hours or less. After that, the user must re-authenticate. The client credentials grant does not rely on user presence. It uses a service principal that can request new tokens automatically.
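
The sketch below is an added example, not code from Copilot Studio or from this article. It shows how a client credentials caller keeps working across an idle gap by requesting a fresh token instead of depending on a refresh token. The class name, the stub token endpoint, the client ID, secret and scope are all hypothetical placeholders.

```python
import time
import urllib.parse


class ClientCredentialsTokenSource:
    """Caches a client-credentials access token and renews it before expiry."""

    def __init__(self, post_form, client_id, client_secret, scope,
                 skew=60, clock=time.time):
        self._post_form = post_form  # callable(form_body: str) -> parsed JSON dict
        self._form = {"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope}
        self._skew, self._clock = skew, clock  # renew `skew` seconds early
        self._token, self._expires_at = None, 0.0
        self.requests_made = 0

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            reply = self._post_form(urllib.parse.urlencode(self._form))
            self.requests_made += 1
            if "access_token" not in reply:
                raise RuntimeError(f"token request failed: {reply.get('error')}")
            # No refresh token is involved: the client simply authenticates again.
            self._token = reply["access_token"]
            self._expires_at = now + int(reply.get("expires_in", 0))
        return self._token


def simulate_idle_gap(lifetime=3600, idle=8 * 3600):
    """Constructed demo against a stub token endpoint (no network access)."""
    fake_now, issued = [1_700_000_000.0], []

    def stub_endpoint(form_body):
        form = urllib.parse.parse_qs(form_body)
        if form.get("grant_type") != ["client_credentials"]:
            return {"error": "unsupported_grant_type"}
        issued.append(f"token-{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "Bearer",
                "expires_in": lifetime}

    source = ClientCredentialsTokenSource(
        stub_endpoint, "example-client-id", "placeholder-secret",
        "https://api.example.invalid/.default", clock=lambda: fake_now[0])
    first = source.get_token()
    fake_now[0] += 10          # prompt reuse is served from the cache
    cached = source.get_token()
    fake_now[0] += idle        # idle well past the access token lifetime
    return first, cached, source.get_token(), source.requests_made
```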

Conditional Access and Session Policies

If the external service or Microsoft Entra ID has Conditional Access policies, they can force re-authentication at intervals shorter than the token lifetime. For example, a sign-in frequency policy set to 1 hour will invalidate any token older than 60 minutes regardless of its original expiry.
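
Before changing any lifetime setting, it helps to measure what the identity provider actually issued. The following added example (not part of the original article) reads the `iat` and `exp` claims from a JWT-format access token and reports whether an idle gap outlasts the token itself or a sign-in frequency policy, following the model described above. The function names and the sample token are constructed for illustration, and opaque (non-JWT) tokens are reported as unknown.

```python
import base64
import json
from datetime import timedelta


def decode_jwt_claims(token):
    """Payload claims of a JWT, or None for an opaque (non-JWT) token."""
    # Signature is NOT verified: diagnostic use only, never a trust decision.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def expiry_report(token, idle_seconds, sign_in_frequency_seconds=None):
    """Say whether a stored token survives idle_seconds without use, and why not."""
    claims = decode_jwt_claims(token)
    if not claims or "iat" not in claims or "exp" not in claims:
        return {"status": "unknown", "cause": "no readable iat/exp claims"}
    lifetime = claims["exp"] - claims["iat"]
    # Per the article, a sign-in frequency policy caps usable token age.
    effective = min(lifetime, sign_in_frequency_seconds or lifetime)
    if idle_seconds < effective:
        status, cause = "valid", None
    elif effective < lifetime:
        status, cause = "expired", "sign-in frequency policy"
    else:
        status, cause = "expired", "access token lifetime"
    return {"status": status, "cause": cause,
            "issued_lifetime": str(timedelta(seconds=lifetime)),
            "effective_lifetime": str(timedelta(seconds=effective))}


def make_sample_jwt(iat, exp):
    """Constructed, unsigned sample token (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": iat, "exp": exp}), "unsigned"])


if __name__ == "__main__":
    sample = make_sample_jwt(1_700_000_000, 1_700_000_000 + 90 * 60)
    print(expiry_report(sample, idle_seconds=2 * 3600))
    print(expiry_report(sample, 75 * 60, sign_in_frequency_seconds=3600))
```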

Steps to Stop Connector Authentication from Expiring

Follow these steps in order. Each step addresses a specific cause of early expiry.

  1. Identify the connector and its authentication type
    Open Copilot Studio. Go to Settings > Connectors. Select the connector that keeps failing. Note the authentication method listed: OAuth 2.0, API Key, or Basic Auth. For OAuth 2.0, note whether it uses authorization code or client credentials.
  2. Increase the token lifetime in the external service
    Log into the external service’s admin console. Locate the security or API settings. Find the access token lifetime setting. Increase it to the maximum allowed. For Salesforce, set it to 24 hours. For Microsoft Entra ID, set it to 8 hours or the tenant maximum. Save the change.
  3. Switch to client credentials grant where supported
    If the connector uses authorization code grant, check if the external service supports OAuth 2.0 client credentials. In Copilot Studio, edit the connector. Under authentication, select OAuth 2.0 Client Credentials. Enter the client ID and client secret from the app registration. This eliminates the need for a refresh token and user consent.
  4. Grant tenant-wide admin consent for the app registration
    Open the Microsoft Entra admin center. Go to Identity > Applications > App registrations. Find the app registration created by Copilot Studio for the connector. Select API permissions. Click Grant admin consent for [tenant name]. Confirm the consent. This prevents per-user token expiry.
  5. Adjust Conditional Access policies
    In the Microsoft Entra admin center, go to Protection > Conditional Access. Find the policy that applies to the app registration. Set the sign-in frequency to Every time or remove the frequency requirement. Alternatively, create an exclusion for the connector’s app registration. Save the policy change.
  6. Test the connector after changes
    Return to Copilot Studio. Select the connector and click Test connection. Run a sample action that calls the external service. Verify that the connection succeeds. Wait 24 hours and test again. If the connection still works, the fix is complete.


If Copilot Studio Connector Authentication Still Expires

Some connectors require additional configuration beyond the standard steps. The following issues and solutions cover the most common remaining failure patterns.

Connector Returns 401 Unauthorized After 8 Hours

The Microsoft Entra ID default token lifetime is 60 to 90 minutes. If you set it to 8 hours but the connector still fails after 8 hours, the issue is the refresh token lifetime. In the external service, locate the refresh token timeout setting. Increase it to 90 days or the maximum allowed. For Microsoft Entra ID, use the Token lifetime policy blade to set both access token and refresh token lifetimes.

Copilot Studio Shows Token Expired After Idle Period

Copilot Studio does not automatically refresh tokens while the copilot is idle. To work around this, add a re-authentication trigger in your copilot flow. Create a topic that runs every hour. In that topic, add a Call an action step that uses the connector. This forces Copilot Studio to check the token and refresh it if needed. The action can be a simple read operation that returns no data.

Connector Uses API Key and It Expires

Some external services issue API keys with an expiration date. Log into the external service and generate a new API key that never expires. If the service does not support non-expiring keys, you must update the connector manually before the key expires. Set a calendar reminder to rotate the key every 30 or 90 days.

Copilot Studio Connector Authentication Types Compared

| Item | OAuth 2.0 Authorization Code | OAuth 2.0 Client Credentials | API Key |
| --- | --- | --- | --- |
| User interaction required | Yes, at initial setup and after token expiry | No | No |
| Token refresh mechanism | Refresh token with limited lifetime | Automatic client credential request | No refresh, key must be replaced |
| Best for | Services that require user context | Server-to-server scenarios | Simple APIs with static keys |
| Common expiry cause | Refresh token timeout or user consent revocation | Client secret rotation or policy override | Hard-coded expiration date in the key |

You can now configure Copilot Studio connectors so authentication does not expire unexpectedly. Start by increasing token lifetimes in the external service and switching to client credentials grant where possible. For connectors that must use authorization code, grant tenant-wide admin consent to remove per-user expiry. To prevent future failures, set a monthly calendar reminder to review the token lifetime policies of each connected service.
