You have an out-of-the-box Copilot Studio bot working and reading SharePoint, but embedding it in SharePoint gives you an ugly authentication popup. You have gone through the instructions for SSO in SharePoint with SPFx, but after two days of pulling your hair out you just can’t get it working? No worries, I will explain the instructions “Deploy a Microsoft Copilot Studio copilot as a SharePoint component with single sign-on (SSO) enabled” (GHI instructions).
There are three app registrations, and only two of them need to be configured:
- BOT APP REG = Automatically created app registration for Copilot Studio bot, when bot is created in Copilot Studio.
- ENTRA ID APP REG = Manually created app registration for changing bot authentication for other channels than Teams (created in step 1 in the instructions mentioned above).
- CUSTOM CANVAS APP REG = Manually created app registration for getting SSO in the bot (created in step 2 in the instructions mentioned above).
Step 1 – Configure Microsoft Entra ID authentication for your copilot
Create ENTRA ID APP REG
- Use the instructions “Configure user authentication with Microsoft Entra ID” and follow them up to the “Configure manual authentication” step. The special points for individual steps of those instructions are listed here in items 2 and 3.
- In the step “Configure API permissions”, add the extra scopes for SharePoint and OneDrive mentioned in the GHI instructions.
- In the step “Define a custom scope for your copilot”, set the scope name to entraidappreg so that you have a URL to point the SPFx solution at in the last step (api://{guid}/entraidappreg).
Set Copilot Studio bot authentication to manual
Client ID = Get from ENTRA ID APP REG
Client Secret = Get from ENTRA ID APP REG
Token exchange url = Get scope from ENTRA ID APP REG, looks like api://{guid}/entraidappreg
Tenant Id = get from Azure Entra Id or from app registrations overview page
Scopes = App scopes that you added to ENTRA ID APP REG
As the GHI instructions and the Microsoft instructions state, test your Copilot Studio bot now. It should work the same way it worked before you set the authentication to manual.
Step 2 – Register your SharePoint site as a custom canvas
Create CUSTOM CANVAS APP REG

- Create another app registration and leave the redirect URL empty during creation.
- In the step “Add the redirect URL”, select Single-page application instead of Web and set your SharePoint URL without the trailing slash /.
- Create another redirect URL that ends with a slash /.
- Go to API Permissions and follow step 3 of the GHI instructions, “The canvas app registration..”, to add a permission to your ENTRA ID APP REG: select the app registration and then check the box for nnn-entraidappreg. (Ignore the SPO.Read scope in the picture in the GHI instructions. It misleadingly suggests that you should add a SharePoint permission here, but it is only the blog creator’s name for the ENTRA ID APP REG scope.)
- Click Grant admin consent for ORGANISATION.
Protip – which I could not get working
You could also add a wildcard redirect URL as a third one, but it needs to be done with the manifest editor. This way the bot works in every SharePoint site in your tenant. This was a tip from a colleague but I could not get this working.

Step 3 – Download and configure the SharePoint SPFx component
Follow the GHI instructions; here are the values to put in the SPFx component. Some of these were not clear to me and I needed to test many times before I got the SSO working.

| Property | Value |
|---|---|
| botURL | The token endpoint; go to Channels -> Mobile App. Looks like: https://{123456789…}.50.environment.api.powerplatform.com/powervirtualagents/botsbyschema/crbf3_botname/directline/token?api-version=2022-03-01-preview |
| customScope | The scope for ENTRA ID APP REG, looks like api://{guid}/entraidappreg |
| clientID | CUSTOM CANVAS APP REG Client Id |
| authority | https://login.microsoftonline.com/mytenant.onmicrosoft.com (make sure the host is “microsoftonline” while the tenant part is “onmicrosoft”) |
| greet | false |
| buttonLabel | Start bot NNN |
| botName | NNN |
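
A pre-packaging check for the values in the table above, added here as an example; it is not part of the GHI sample or of Microsoft's code. The function names, the checks and all sample values are assumptions, and it assumes the scope uses the default Application ID URI, so the GUID in customScope is the ENTRA ID APP REG client ID.

```javascript
// Added example. Property names come from the table above; the checks and
// any values passed in are assumptions, not the sample's own code.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

function validateBotConfig(cfg) {
  const problems = [];
  // customScope is the ENTRA ID APP REG scope: api://{guid}/scopename
  const scope = /^api:\/\/([^/]+)\/([^/\s]+)$/.exec(cfg.customScope || "");
  if (!scope || !GUID.test(scope[1])) {
    problems.push("customScope: expected api://{guid}/scopename");
  }
  // clientID is the CUSTOM CANVAS APP REG. Assumption: default Application ID
  // URI, so the scope GUID is the ENTRA ID APP REG client ID and must differ.
  if (!GUID.test(cfg.clientID || "")) {
    problems.push("clientID: not a GUID");
  } else if (scope && scope[1].toLowerCase() === cfg.clientID.toLowerCase()) {
    problems.push("clientID: same GUID as customScope, expected the CUSTOM CANVAS APP REG");
  }
  // authority: the host is "microsoftonline", the tenant segment is "onmicrosoft"
  const auth = parseUrl(cfg.authority);
  const tenant = auth ? auth.pathname.replace(/^\/+|\/+$/g, "") : "";
  if (!auth || auth.protocol !== "https:" || auth.hostname !== "login.microsoftonline.com") {
    problems.push("authority: host must be https://login.microsoftonline.com");
  } else if (!tenant || tenant.includes("/") || /microsoftonline\.com$/i.test(tenant)) {
    problems.push("authority: path must be one tenant segment such as mytenant.onmicrosoft.com");
  }
  // botURL is the token endpoint from Channels -> Mobile App
  const bot = parseUrl(cfg.botURL);
  if (!bot || bot.protocol !== "https:" || !bot.pathname.endsWith("/directline/token")) {
    problems.push("botURL: expected an https URL ending in /directline/token");
  } else if (!bot.searchParams.get("api-version")) {
    problems.push("botURL: api-version query parameter is missing");
  }
  return problems;
}

// Step 2 registers the site URL twice: without and with the trailing slash.
function missingRedirectUris(siteUrl, registered) {
  const base = siteUrl.replace(/\/+$/, "");
  return [base, base + "/"].filter((uri) => !registered.includes(uri));
}
```

An empty array from `validateBotConfig` means none of the mix-ups above were detected; it does not prove that the app registrations themselves are configured correctly.
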
After this you need to create the SPFx package; please see the next post.