Bug Report: Cannot connect to Copilot Studio Agent using SDK sample

[Cobra86]

Bug Report: Cannot connect to Copilot Studio Agent using SDK sample

Language / Version

• Language: C# (.NET 8.0)
• Package Version: Microsoft.Identity.Client 4.63.1
• SDK Use: Agents SDK — Copilot Studio Client Sample

---

Agent Hosting Details

• Hosting: Local development (on-prem)
• Deployment Target: N/A (running console client sample)
• Azure Bot Services: No
• Client Type: Console Client (from GitHub sample)
• .NET Runtime: .NET 8.0

---

Describe the Bug

When attempting to connect the Copilot Studio Client to an agent environment using the provided SDK sample, authentication fails with AADSTS7000218 (“client_assertion or client_secret missing”) followed by a subsequent 403 Forbidden when calling StartConversationAsync.

I’ve tested both:

• User Login (AD) — using MSAL interactive login
• Service-to-Service (S2S) — using App registration and secret

Both methods fail to authenticate or authorise the request to the Copilot Studio environment.

---

Error Details

Exception 1 – Authentication

Microsoft.Identity.Client.MsalServiceException:
A configuration issue is preventing authentication.
Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

Exception 2 – Agent Connection

System.Net.Http.HttpRequestException:
Error sending request: Forbidden.

---

Config Used

"CopilotStudioClientSettings": {
  "DirectConnectUrl": "",
  "EnvironmentId": "[REDACTED]",
  "SchemaName": "[REDACTED]",
  "TenantId": "[REDACTED]",
  "AppClientId": "[REDACTED]",
  "AppClientSecret": "[REDACTED]"
}

---

To Reproduce

1. Clone the repo:

   git clone https://github.com/microsoft/Agents
   cd samples/dotnet/copilotstudio-client

2. Update appsettings.json with environment and Azure AD details.

3. Attempt to run the console client and connect using:

   • User interactive login, or
   • App registration + Client Secret (S2S).

4. Observe the authentication failure followed by a 403 Forbidden error when the app calls:

   await foreach (Activity act in copilotClient.StartConversationAsync(...))

---

Expected Behaviour

The SDK should successfully:

• Authenticate using either user login or app registration (S2S).
• Establish a connection to the Copilot Studio hosted agent.
• Begin streaming messages from the Copilot Agent into the console client.

---

Screenshots

1. Authentication error (AADSTS7000218)

2. Forbidden error (403) during StartConversationAsync

---

Additional Context

• The same app registration credentials successfully authenticate against Microsoft Graph, so the Azure AD configuration is valid.
• The issue seems specific to the Copilot Studio Client SDK flow.
• It’s unclear if the SDK sample requires a specific redirect URI, App Role Assignment, or API permission scope setup that differs from documented guidance.

[sarahcritchley]

Thanks for the issue @Cobra86 could you confirm your app has the PowerPlatform API permissions?

[Cobra86]

Thanks for the issue @Cobra86 could you confirm your app has the PowerPlatform API permissions?

Hi Sarah,

Thanks for your quick response. Yes, I can confirm

[stevkan]

@Cobra86 - I am attempting a repro of your issue and will let you know what I find. In the meantime, I noticed that your 'CopilotStudioClientSettings' is missing the UseS2SConnection property. Can you add that back in and test, again, with the client secret value (not secret id) generated in the Certificates & secrets section of your agent's app registration?

[stevkan]

@Cobra86 - I am able to repro the issue. We will begin looking into what the cause might be. I also ran into an issue related to using the client secret (i.e., useS2SConnection: true) but I am curious to see what your experience is, first.

[Cobra86]

@Cobra86 - I am able to repro the issue. We will begin looking into what the cause might be. I also ran into an issue related to using the client secret (i.e., useS2SConnection: true) but I am curious to see what your experience is, first.

Thank you very much. I tried it and same issue.

[rajeeshmenoth]

I’ve also tried the same approach and encountered a similar exception. I'm also getting a 'Forbidden' error, but it's not related to MSAL. When useS2SConnection: true is set, the service principal call successfully generates a token. However, the issue arises when sending agent conversation data, which fails - refer the below screenshot.

Console:

One area I'm not sure about is the API permissions: we've configured them in the App Registration under a different tenant (Eg R&D-related tenant), while the Copilot schema and environment ID are in the production tenant. Could this tenant mismatch be causing authentication issues ( Forbidden ) ? Are there any updates available?

[sarahcritchley]

Update: We are working on reviewing and fixing this

[Cobra86]

@sarahcritchley Thank you very much for the update. Do you happen to have an ETA for this fix?

[sarahcritchley]

No ETA yet, working on getting you one @Cobra86!

[tracyboehrer]

I am unable to repro the issue with interactive login. It is important to note that only these settings are needed:

  "CopilotStudioAgent": {
    "EnvironmentId": "", // Environment ID of environment with the CopilotStudio App.
    "SchemaName": "", // Schema Name of the Copilot to use
    "TenantId": "", // Tenant ID of the App Registration used to login,  this should be in the same tenant as the Copilot.
    "AppClientId": "" // App ID of the App Registration used to login,  this should be in the same tenant as the Copilot.
  }

Also important that the "AppClientId" is the ClientId of the app registration that was created. Not the MCS app client id.

[Cobra86]

I am unable to repro the issue with interactive login. It is important to note that only these settings are needed:

"CopilotStudioAgent": {
"EnvironmentId": "", // Environment ID of environment with the CopilotStudio App.
"SchemaName": "", // Schema Name of the Copilot to use
"TenantId": "", // Tenant ID of the App Registration used to login, this should be in the same tenant as the Copilot.
"AppClientId": "" // App ID of the App Registration used to login, this should be in the same tenant as the Copilot.
}
Also important that the "AppClientId" is the ClientId of the app registration that was created. Not the MCS app client id.

I'm using the correct values and i can confirm it's not MCS app client id.

I can login fine

then get this error

[Cobra86]

@sarahcritchley Apologies, any new updates?