Copilot Studio: Manual Auth in 2026
Microsoft Copilot Studio
13 May 2026 02:24


by HubSite 365 on Andrew Hess - MySPQuestions

Currently I am sharing my knowledge with the Power Platform, with PowerApps and Power Automate. With over 8 years of experience, I have been learning SharePoint and SharePoint Online.

Copilot Studio manual auth guide on federated credentials, client secrets and SharePoint tips by a Microsoft expert

Key insights

  • Source & overview: This video by Andrew Hess (MySPQuestions) walks through manual authentication in Copilot Studio.
    It focuses on practical steps, common mistakes, and quick fixes for production agents.
  • Initial settings & quick tips: Turn off Ungrounded and Web when they cause noisy or unsafe results.
    Check Work IQ and agent grounding before you test authentication flows.
  • Federated credentials: Use Federated Credentials to avoid storing long-lived secrets in code.
    Store certificates in Azure Key Vault and enable the x5c claim for certificate validation.
  • Client secret flow: Configure a Client Secret in Azure Entra ID for app-level access when needed.
    Verify the Client ID and correct Redirect URI to prevent authentication failures.
  • Permissions & scopes: Grant the right API Permissions and choose between Delegated Permissions (act as a user) and Application Permissions (app-only).
    Set precise Scopes to limit access and avoid over-permissioning.
  • Troubleshooting & final steps: If AI returns wrong data, try Delete Knowledge and add content back to refresh models.
    Use Configure Client Secret and ensure Require users to sign in is enabled before publishing your agent.

In a recent YouTube tutorial, Andrew Hess - MySPQuestions walks viewers through practical steps for setting up Manual Authentication in Copilot Studio and highlights common pitfalls to avoid. The video offers a hands-on look at both Federated Credentials and Client Secret flows, while also flagging configuration mistakes that often break integrations. Consequently, administrators and developers can use the session as a troubleshooting checklist and as a roadmap for more secure deployments.


Overview of the Video and Key Segments

The video begins with basic configuration advice before moving into deeper technical details across a series of short chapters. For instance, the presenter recommends turning off certain experimental features such as ungrounded or web agent settings early in the process to reduce surface area for problems. Additionally, the tutorial segments include focused discussions on Work IQ, federated credentials, client IDs, redirect URIs, and permission scopes, which together form the bulk of the operational checklist.


Andrew also emphasizes a practical order of operations that helps teams find and fix issues faster, and he uses real examples to illustrate where things commonly go wrong. In particular, he points out how having two different SharePoint environments or a mismatched client ID causes authentication failures that are easy to overlook. Therefore, following his sequence can save hours during setup and reduce back-and-forth with support teams.


Federated Credentials versus Client Secret: Tradeoffs

The tutorial contrasts the modern approach of Federated Credentials with the traditional Client Secret model, and it explains the tradeoffs clearly. On one hand, federated credentials reduce the risk of long-lived secrets by relying on certificate-based trust and often integrate with Key Vault for secure storage, which strengthens overall security posture. On the other hand, this method introduces operational complexity such as certificate lifecycle management and additional configuration steps in both the identity provider and Copilot Studio.


Conversely, configuring a Client Secret is typically simpler and familiar to many developers, but it raises security concerns because secrets can be leaked or mishandled. For organizations that prioritize simplicity and speed, client secrets may be acceptable for low-risk agents, whereas security-conscious teams should favor federated flows despite the higher maintenance burden. Thus, the choice often comes down to weighing security against operational overhead and team expertise.


Common Configuration Pitfalls and Debugging Tips

Throughout the video, the author calls out several practical issues that teams usually encounter, such as specifying the wrong client ID or misconfiguring the redirect URI. These mistakes often manifest as authentication errors that appear unrelated at first, which makes systematic verification of app registration fields essential. Furthermore, Andrew shows how to review API permissions carefully and differentiate between delegated and application permissions to ensure the agent has the correct scope.


He also covers less obvious pitfalls like having two SharePoint instances that provide similar-looking endpoints, which can lead to accidental cross-tenant requests and failed authorizations. When problems arise, the presenter recommends deleting the knowledge source and re-adding it after fixing permissions or scope definitions to clear cached states. In sum, methodical testing and reset steps help reveal hidden configuration mismatches.
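As an added example (not code from the video or from Microsoft), the following Python pre-flight check compares the values entered in Copilot Studio against a constructed excerpt of an Entra app registration manifest and flags the mismatches this section and the permissions bullet above describe: a wrong client ID, a redirect URI that differs only by a trailing slash, application permissions granted to a delegated agent, and a SharePoint knowledge source that lives in a second tenant. All GUIDs, hosts and the AGENT values are constructed; only the manifest field names (appId, replyUrlsWithType, requiredResourceAccess, Scope/Role) follow the Entra manifest format.

```python
import json
import uuid
from urllib.parse import urlsplit

# Constructed excerpt of an Entra app registration manifest (placeholder GUIDs).
# In requiredResourceAccess, type "Scope" = delegated, "Role" = application.
MANIFEST = json.loads("""{
  "appId": "11111111-2222-3333-4444-555555555555",
  "replyUrlsWithType": [{"url": "https://token.botframework.com/.auth/web/redirect", "type": "Web"}],
  "requiredResourceAccess": [{"resourceAppId": "bbbbbbbb-0000-0000-0000-000000000000",
    "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
                       {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}]}]
}""")

# Constructed values as typed into the Copilot Studio manual-auth dialog and knowledge source.
AGENT = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "redirect_uri": "https://token.botframework.com/.auth/web/redirect/",
    "delegated": True,  # agent requires users to sign in and acts as the user
    "tenant_host": "contoso.sharepoint.com",
    "knowledge_url": "https://contoso-dev.sharepoint.com/sites/HR",
}


def validate(agent, manifest):
    """Return a list of findings; an empty list means the values line up."""
    findings = []
    try:
        same_id = uuid.UUID(agent["client_id"]) == uuid.UUID(manifest["appId"])
    except ValueError:
        same_id = False
    if not same_id:
        findings.append("client ID does not match the app registration appId")
    # Entra matches redirect URIs exactly: a trailing slash or case change fails.
    registered = {r["url"] for r in manifest["replyUrlsWithType"]}
    if agent["redirect_uri"] not in registered:
        want = agent["redirect_uri"].rstrip("/").lower()
        near = [u for u in registered if u.rstrip("/").lower() == want]
        hint = f" (near match: {near[0]})" if near else ""
        findings.append("redirect URI is not registered exactly" + hint)
    if agent["delegated"]:
        roles = [a for r in manifest["requiredResourceAccess"]
                 for a in r["resourceAccess"] if a["type"] == "Role"]
        if roles:
            findings.append(f"{len(roles)} application (Role) permission(s) on a delegated agent")
    host = urlsplit(agent["knowledge_url"]).hostname or ""
    if host != agent["tenant_host"]:
        findings.append(f"knowledge source host {host} is outside tenant {agent['tenant_host']}")
    return findings
```

Run `validate(AGENT, MANIFEST)` before publishing; each finding names the field to correct in either Copilot Studio or the app registration.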


Security, User Experience, and Organizational Challenges

Security and user experience often pull in opposite directions, and the video highlights this tension with concrete examples. Requiring users to sign in enforces authenticated access and accurate delegated permission checks, yet it also adds friction for end users who expect fast, seamless interactions. Consequently, teams must balance how often agents require reauthentication against acceptable risk and operational convenience.


Beyond user friction, organizations face challenges in policy enforcement, certificate rotation, and maintaining documentation to support complex federated setups. Transitioning to federated approaches usually demands closer coordination between security, identity, and platform teams, and that coordination introduces cost and time tradeoffs. Nevertheless, the long-term reduction in secret sprawl and potential breaches often justifies the initial investment.


Practical Takeaways and Recommendations

Ultimately, the video serves as both a configuration guide and a practical troubleshooting resource for teams working with Copilot Studio in 2026. Viewers should verify key settings such as client IDs, redirect URIs, and permission scopes early, and consider whether delegated or application permissions best fit each agent’s use case. Moreover, teams that prioritize security should plan for the additional overhead of Federated Credentials and certificate management.


For administrators aiming to reduce future incidents, Andrew’s step-by-step approach provides a reliable checklist: simplify settings where possible, validate identity provider entries against app registrations, and treat permission assignments as an ongoing governance task. In this way, the video delivers useful guidance that balances security, usability, and maintainability for organizations adopting manual authentication in Copilot Studio.



Keywords

Manual Authentication 2026, Copilot Studio authentication, Federated identity Copilot Studio, Client secret rotation, Azure AD manual auth, OAuth 2.0 client credentials 2026, Secure token management Copilot, Client secret best practices