Not
Bu sayfaya erişim yetkilendirme gerektiriyor. Oturum açmayı veya dizinleri değiştirmeyi deneyebilirsiniz.
Bu sayfaya erişim yetkilendirme gerektiriyor. Dizinleri değiştirmeyi deneyebilirsiniz.
Agents in Microsoft 365 Copilot connect to backend services through plugins. A plugin can wrap a Model Context Protocol (MCP) server or an API described by an OpenAPI document. To let a plugin access a protected MCP server or API, you configure an authentication scheme so Microsoft 365 Copilot can obtain and send the right credentials on behalf of the signed-in user.
This documentation set uses MCP plugins (also called MCP servers or MCP actions) as the default walkthrough. The same configuration steps apply to API plugins built from an OpenAPI document, except where noted in each article.
Supported authentication schemes
Choose the authentication scheme that matches how your MCP server or API protects its endpoints:
| Authentication scheme | MCP plugins | API plugins | Article |
|---|---|---|---|
| Microsoft Entra single sign-on (SSO) | Supported | Supported | Configure Microsoft Entra SSO authentication |
| Dynamic client registration (DCR) | Supported | Not supported | Configure dynamic client registration |
| OAuth 2.0 authorization code flow | Supported | Supported | Configure OAuth 2.0 authentication |
| API key | Not supported | Supported | Configure API key authentication |
| No authentication (anonymous) | Supported | Supported | Configure no authentication (anonymous) |
How plugin authentication works
Each scheme relies on an authentication configuration (auth config) - a record stored in the Microsoft Enterprise token store that holds the credentials or client details needed to authenticate to your MCP server or API. You create the auth config in one of three ways:
- Microsoft 365 Agents Toolkit creates the auth config and updates your plugin manifest automatically as you build the agent.
- The declarative agent developer skill (MCP plugins only) creates the auth config and updates the manifest for you from natural-language instructions.
- The Microsoft Teams developer portal lets you create the auth config manually, or manage one that Agents Toolkit or the skill created.
Your plugin manifest references the auth config by its ID in the runtime authentication object. At runtime, Microsoft 365 Copilot uses the auth config to obtain a token or API key from the token store and includes it when the plugin calls your MCP server or API.
Follow the article for your chosen authentication scheme to configure that specific type.
- Configure Microsoft Entra SSO authentication
- Configure dynamic client registration
- Configure OAuth 2.0 authentication
- Configure API key authentication
- Configure anonymous authentication
Note
For Cowork MCP plugins, follow the same authentication configuration model described in these articles. If your OAuth provider uses the Microsoft identity platform and the plugin needs automatic token refresh, include offline_access in the Scope field with any API-specific delegated scopes.