If your Power Pages site serves customers, partners, or any outside audience, you probably want your Copilot Studio agent to know who it is talking to. Maybe the agent should greet people by name, pull up their orders, or only help signed-in users. To do any of that safely, the agent needs to confirm the person’s identity. Microsoft Entra External ID is built for exactly this. It handles sign-in for external users, and you can wire it up so your agent trusts that sign-in. In this guide I will walk you through how.
What Entra External ID Brings to the Table
Microsoft Entra External ID is the identity service made for people outside your organization, like customers and partners. It manages how those users sign up, sign in, and prove who they are. When your agent uses Entra External ID, it does not have to handle passwords or accounts itself. It simply trusts the sign-in that External ID already did and reads the identity from there.
This keeps things both safe and simple. Your users get a smooth login, and your agent gets a trusted answer to the question “who is this person?”
There Is No One-Click Option, and That Is Fine
The first thing to know is that there is no out-of-the-box button that links Copilot Studio to Entra External ID. You set it up manually. That sounds harder than it is. You are really just exchanging a few values between two systems so they can trust each other. Once you have done it once, it feels straightforward.
In Copilot Studio, you find these controls under your agent’s Settings, then Security, then Authentication. There you choose to authenticate manually, which opens up the fields you need to fill in.
Step One: Get the Redirect URL
When you open the manual authentication settings, the agent gives you a Redirect URL. Copy this and keep it handy. This address tells Entra External ID where to send users back after they sign in. You will paste it into your app registration in the next step. Think of it as the return address on an envelope, so the login knows where to deliver the result.
Step Two: Register the App in Entra External ID
Over in Entra External ID, you create an app registration. This is the record that represents your agent in the identity system. During setup, you paste in the Redirect URL you copied from Copilot Studio so the two sides line up.
Inside the app registration, you also add client credentials. You choose to add a new client secret, which is a private value that proves the agent is who it says it is. Copy this secret right away and store it somewhere safe, because you often cannot see it again later. While you are here, also note down the Application or client ID, the Directory or tenant ID, and your tenant name. You will need all of these back in Copilot Studio.
Step Three: Fill In the Values Back in Copilot Studio
Return to the manual authentication settings in your agent. Now you paste in the values you gathered: the client ID, the client secret, and the addresses that point to your Entra External ID tenant. These fields tell the agent how to reach the identity service and how to confirm a sign-in.
Take your time and copy each value carefully. A single wrong character here is the most common reason the connection fails. Once everything is in place and saved, the agent knows how to send users to sign in and how to read the result when they come back.
Step Four: Match It Up With Power Pages
Power Pages supports the full range of authentication options, so you want the site and the agent to agree. By default, an agent created from Power Pages uses a generic OAuth 2 setup tied to the site. When you move to Entra External ID, make sure your Power Pages site itself is also set up to use External ID for its users. When both the site and the agent lean on the same identity service, the sign-in flows through cleanly and the visitor only logs in once.
This match matters. If the site uses one identity service and the agent expects another, users hit confusing prompts. Keeping both on Entra External ID gives that smooth single sign-in feel.
Test With a Real External Account
Once it is all connected, test it the way a real customer would. Use an account from your Entra External ID setup, not your own internal admin account. Sign in on the site, open the agent, and confirm it recognizes you. Check that any feature that depends on identity, like greeting by name or pulling up records, actually works.
Then try it signed out to make sure the agent behaves the way you planned for people who have not logged in. Testing both states is the only way to be sure your setup is solid.
A Few Tips to Keep It Healthy
Store your client secret carefully and set a reminder for when it expires, because secrets do expire and a lapsed one will break sign-in overnight. Keep a short note of every value you copied and where it came from, so future you can troubleshoot fast. And review your settings whenever you change identity providers on the site, so the agent and the site never drift apart.
Wrapping Up
Adding Entra External ID to a Copilot Studio agent on Power Pages takes a handful of careful steps. You grab the Redirect URL, register an app in External ID, gather the client ID and secret, paste those values back into the agent, and make sure your site uses the same identity service. There is no single button for it, but the path is clear once you see it. Do it well and your agent will know exactly who it is helping, which opens the door to safer, more personal conversations for every external user.