Copilot Studio Published Bot Shows Authentication Failed: Fix

When you publish a bot built in Copilot Studio and users see an Authentication Failed error, the bot cannot connect to its required data sources or services. This problem typically occurs because the authentication configuration in the bot or its connected channels is incorrect or missing. Common causes include misconfigured OAuth 2.0 settings, expired or invalid app registrations in Microsoft Entra ID (formerly Azure Active Directory), or incorrect redirect URIs. This article explains the root cause of the authentication failure and provides step-by-step fixes to resolve it.

Key Takeaways: Fixing Copilot Studio Bot Authentication Failed Error

  • Copilot Studio > Settings > Security > Authentication: Configure the correct authentication provider and ensure the bot uses the same app registration as the one in Microsoft Entra ID.
  • Microsoft Entra ID > App registrations > Your app > Authentication > Redirect URIs: Add the correct redirect URI for your bot channel, typically https://token.botframework.com/.auth/web/redirect.
  • Copilot Studio > Publish > Channels > Configure: Verify that the settings for each channel, such as Teams or Direct Line, have the same authentication credentials as the bot’s main configuration.


Why Copilot Studio Published Bot Shows Authentication Failed

The Authentication Failed error in a published Copilot Studio bot occurs when the bot’s authentication token cannot be validated by the connected service. This is most often caused by a mismatch between the bot’s authentication configuration in Copilot Studio and the app registration in Microsoft Entra ID. When users interact with the bot through a channel such as Microsoft Teams or a custom website, the bot sends authentication requests to the identity provider. If the redirect URI, client ID, client secret, or scopes are incorrect, the identity provider rejects the request and returns an authentication failure.

Another common cause is that the bot’s app registration in Microsoft Entra ID has expired secrets or is missing the required API permissions. For example, if the bot needs to access Microsoft Graph to read user profiles or calendar data, the app registration must have the correct delegated permissions and admin consent must be granted. Without proper permissions, the authentication flow fails.

Steps to Fix Authentication Failed Error in Copilot Studio Bot

Follow these steps in order to resolve the authentication failure. Complete each step before moving to the next.

  1. Open your bot in Copilot Studio
    Sign in to Copilot Studio at copilotstudio.microsoft.com. Select your bot from the list of available bots. If you have multiple bots, ensure you select the one that shows the authentication error.
  2. Navigate to the authentication settings
    In the left navigation menu, click Settings. Under the Security section, click Authentication. This page shows the current authentication provider and configuration for your bot.
  3. Verify the authentication provider
    Ensure the Authentication provider dropdown is set to Azure Active Directory or the correct provider for your scenario. If you are using a custom OAuth 2.0 provider, select Generic OAuth 2.0. Do not select No authentication unless your bot does not require any user identity.
  4. Check the app registration details
    Copy the Client ID shown in Copilot Studio. Open a new browser tab and go to the Microsoft Entra ID admin center at entra.microsoft.com. Navigate to Applications > App registrations. Find the app registration that matches the Client ID you copied. If the app registration does not exist, create a new one by clicking New registration and entering a name for your bot.
  5. Update the redirect URI
    In the app registration, click Authentication on the left menu. Under Redirect URIs, click Add URI. Enter the following URI exactly: https://token.botframework.com/.auth/web/redirect. Click Save. This URI is required for the bot framework to complete the authentication flow.
  6. Generate a new client secret
    In the app registration, click Certificates & secrets. Under Client secrets, click New client secret. Enter a description and set an expiration period. Click Add. Copy the secret value immediately because it will not be shown again. Go back to Copilot Studio and paste the secret into the Client secret field in the authentication settings. Click Save in Copilot Studio.
  7. Configure API permissions
    In the app registration, click API permissions. Click Add a permission. Select Microsoft Graph. Choose Delegated permissions and select the scopes your bot needs, such as User.Read or Calendars.Read. Click Add permissions. If required, click Grant admin consent for [your tenant] and confirm.
  8. Republish the bot
    Return to Copilot Studio. Click Publish in the top menu. Click Publish again to confirm. Wait for the publishing process to complete. This updates the bot’s authentication configuration in all channels.
  9. Test the bot
    Open the bot in the channel where the error occurred. For example, open Microsoft Teams and start a chat with your bot. Send a message that triggers authentication. If the authentication fails again, check the bot’s logs by going to Copilot Studio > Analytics > Sessions and look for error details.
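
The checks from steps 4 to 7 can also be run against an exported copy of the app registration. The following is an added example, not part of the original article or any Microsoft tooling: it assumes the registration is available as a Microsoft Graph application object (the JSON shape that `az ad app show --id <client-id>` returns), and the sample object and finding names are constructed for illustration.

```python
from datetime import datetime, timezone

BOT_REDIRECT = "https://token.botframework.com/.auth/web/redirect"  # URI from step 5
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

# Constructed sample in the shape of a Graph application object; all values are placeholders.
SAMPLE_APP = {
    "appId": "11111111-2222-3333-4444-555555555555",
    # Trailing slash: looks right at a glance, but is not the URI the article gives
    "web": {"redirectUris": ["https://token.botframework.com/.auth/web/redirect/"]},
    "passwordCredentials": [
        {"displayName": "bot-secret-old", "endDateTime": "2024-01-15T00:00:00Z"}
    ],
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID,
         # "Role" is an application permission; delegated permissions have type "Scope"
         "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000001", "type": "Role"}]}
    ],
}


def parse_ts(value):
    # Graph timestamps are UTC; drop fractional seconds and the "Z" suffix before parsing
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_app_registration(app, client_id, now=None):
    """Return a list of findings; an empty list means the checked settings are consistent."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Step 4: the registration must be the one whose Client ID Copilot Studio shows
    if app.get("appId", "").lower() != client_id.lower():
        findings.append("client-id-mismatch")
    # Step 5: the redirect URI must be present exactly as written
    if BOT_REDIRECT not in (app.get("web") or {}).get("redirectUris", []):
        findings.append("redirect-uri-missing")
    # Step 6: at least one client secret must still be within its validity period
    secrets = app.get("passwordCredentials", [])
    if not any(parse_ts(s["endDateTime"]) > now for s in secrets):
        findings.append("no-valid-client-secret")
    # Step 7: at least one delegated Microsoft Graph permission must be requested
    delegated = [a for r in app.get("requiredResourceAccess", [])
                 if r["resourceAppId"] == GRAPH_APP_ID
                 for a in r["resourceAccess"] if a["type"] == "Scope"]
    if not delegated:
        findings.append("no-delegated-graph-permissions")
    return findings
```

Whether admin consent has been granted is not stored on the application object, so that part of step 7 still has to be confirmed in the portal.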


If Authentication Still Fails After the Main Fix

If the error persists after completing the steps above, check these additional configuration areas.

Bot channel settings have mismatched credentials

Each channel where your bot is published may have its own authentication settings. In Copilot Studio, click Settings > Channels. Select the channel that shows the error, such as Microsoft Teams or Direct Line. Verify that the Client ID and Client secret match the values in the app registration. If they differ, update them and republish the bot.

Token expiration or caching issues

If the authentication worked previously but stopped, the client secret may have expired. Check the expiration date of the secret in the app registration. Generate a new secret if needed. Also, users may need to clear their browser cache or sign out and sign in again to obtain a fresh token. For Teams, users can sign out of Teams and sign back in.

Custom domain or tenant restrictions

If your tenant requires conditional access policies or has IP restrictions, the bot’s authentication requests may be blocked. Work with your Microsoft 365 admin to ensure the bot’s app registration is allowed through any conditional access policies. The admin can add the app registration to an exception list or modify the policy to allow the bot’s redirect URI.

Copilot Studio Bot Authentication Options Comparison

| Item | Azure AD Authentication | Generic OAuth 2.0 |
| --- | --- | --- |
| Description | Uses Microsoft Entra ID for identity and token validation | Uses any OAuth 2.0 provider such as Google or GitHub |
| Redirect URI required | https://token.botframework.com/.auth/web/redirect | Must match the provider’s allowed redirect URI |
| Token type | Azure AD access token | Provider-specific access token |
| User sign-in experience | Uses Microsoft account or work/school account | Uses the external provider’s login page |
| Admin consent required | Yes, for tenant-wide permissions | No, unless the provider requires it |
| Best for | Bots that access Microsoft 365 data or run inside Microsoft Teams | Bots that connect to third-party services |

Now you can resolve the Authentication Failed error in your Copilot Studio published bot by verifying the app registration, updating the redirect URI, and regenerating the client secret. After republishing, test the bot in each channel to confirm the fix. If the problem continues, review the channel-specific settings and check for conditional access policies in your tenant.
