PingOne Advanced Identity Cloud

Microsoft Copilot Studio

The Microsoft Copilot Studio application automatically discovers the AI agents you have hosted in Microsoft Copilot Studio. Once discovered, the platform gives you complete visibility into their core components:

  • Capabilities: Associated tools and knowledge bases.

  • Security and access: Execution credentials and IAM-based identity bindings.

The application combines identity creation and governance using separate reconciliation processes. A reconciliation on the Account provisioner object type creates and updates agent identities, and a reconciliation on the Agent Tool provisioner object type updates agent tools and entitlements.

Prerequisites in Advanced Identity Cloud

Before using the Microsoft Copilot Studio application, ensure you’ve taken these actions:

  • Purchased the Agent Governance add-on capability for Advanced Identity Cloud.

  • Modified the user managed object with a custom_iga_identity_type property in the Alpha realm. Learn more in Create the identity type.

  • Obtained the Microsoft Copilot Studio connector JAR file. This isn’t available to download from Backstage yet, but is available from your Ping Identity representative.

Prerequisites in Microsoft Copilot Studio

Before you can use the application, you must register an application with Azure. You need a Microsoft Azure subscription to complete this procedure:

  1. Sign on to the Azure portal as an administrative user.

  2. Select App registrations under Azure services.

  3. On the Register an application page, enter a name for the application, for example FR-Connector.

  4. Select the supported account types and enter a Redirect URI. The redirect URI is the Advanced Identity Cloud URI that Azure should redirect to after successful authentication, using the format https://<tenant-env-fqdn>/login/admin.

  5. On the new registration page, make a note of the Application (client) ID and the Directory (tenant) ID. You’ll need these to configure the connector.

  6. Generate a client secret:

    1. Select Certificates & secrets > New client secret.

    2. Enter a description, select an expiration date, and click Add.

    3. Copy the client secret value.

  7. Set the API permissions:

    • Dynamics CRM: mcp.tools, user_impersonation

    • Microsoft Graph: user.read

    • PowerApps Service: user

  8. Navigate to the Power Platform admin center.

  9. Navigate to Environments and select your environment.

  10. Select Settings > Application Users.

  11. Add the application you created and grant it the System Administrator role.

Register the application

  1. In the Advanced Identity Cloud admin console, go to Applications, and click Browse App Catalog.

  2. In the Browse App Catalog modal, select an application, and click Next.

  3. Review the Application Integration information, and click Next.

  4. In the Application Details window, specify the name, description, application owners, and logo for the application.

  5. Leave the Authoritative checkbox unselected.

  6. Click Create Application.

Configure the provisioner

  1. In the Advanced Identity Cloud admin console, go to Applications.

  2. Click the application you just registered to open the application details page.

  3. Click the Provisioning tab, then compare the message displayed with these options:

    • You haven’t set up provisioning yet
      This message indicates that Advanced Identity Cloud has found a connector server with a compatible connector installed, but you haven’t set up provisioning yet. In this case, click Set up Provisioning to set up provisioning for the application.

    • No Connector Servers available
      This message indicates that Advanced Identity Cloud either can’t find a connector server to use for provisioning or that it can find a connector server but it doesn’t have a compatible connector installed for this application.

      • If you haven’t set up a connector server:

        1. Register a remote server

        2. (Optional) Reset the client secret

        3. Download a remote server

        4. Add the Microsoft Copilot Studio connector JAR file to the remote server’s connectors folder.

        5. Configure the remote server

        6. Refresh the Microsoft Copilot Studio application page in your browser, then begin step 3 again.

      • If you’ve already set up a connector server:

        1. Add the Microsoft Copilot Studio connector JAR file to the remote server’s connectors folder, then restart the connector server.

        2. Refresh the Microsoft Copilot Studio application page in your browser, then begin step 3 again.

  4. In the Connect to Microsoft Copilot Studio modal, enter the following information:

    • Tenant ID: Enter your Copilot Studio tenant GUID. For example, enter c9fe364e-8947-4045-8d4d-e281f1edd60e.

    • Environment URL: Enter your Copilot Studio environment URL. The expected format is https://<org-name>.crm<region-number>.dynamics.com.

    • Client ID: Enter the OAuth 2.0 client GUID. For example, 2d7b3e1c-4f8a-41a9-bc2e-0e9f57a34d12.

    • Client Secret: Enter the OAuth 2.0 client secret.

    • Scan Offline Inventory: Select this checkbox to extract and audit the background Access Control Lists (ACLs) for your agents. This allows the application to map out sharing permissions and visibility rules, helping you flag agents that have been over-shared with broad security groups or the entire organization.

    • Inventory URL: Enter your Copilot Studio inventory URL. This is the target webhook or Dataverse endpoint URL used to retrieve your enterprise Copilot Studio inventory data. The integration queries this location to pull the underlying metadata schemas for your discovered agents.

    • Include unpublished Agents: Select this checkbox to expand the discovery scope to include draft, inactive, or pre-production agents. This ensures complete visibility into your entire AI footprint, allowing you to catch security misconfigurations or hardcoded credentials before an agent is published to a live channel.

  5. (Optional) Click Show advanced settings to set any of the following options:

    Application specific settings:

    • Exclude Unmodified: Select this option to synchronize only the modified properties on a target resource.

    Pool configuration:

    • Max idle and active container instances: The maximum number of idle and active container instances. The default value is 10.

    • Max Idle Connector Instances: The maximum number of idle connector instances. The default value is 10.

    • Set Timeout Period: Select to enable a timeout period for the connection. After enabling, configure the following:

      • Timeout period (ms): The timeout period in milliseconds.

    • Set Minimum Idle Time: Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure the following:

      • Min idle time (ms): The minimum idle time in milliseconds.

    • Min Idle Instances: The minimum number of idle connector instances.

    Result Handler configuration:

    • Enable for connectors with the attribute normalizer interface: Enables the attribute normalizer interface for supported connectors.

    • Enable local filtering/search features: Enables local filtering and search capabilities.

    • Enable case insensitive filter: Configures filters to ignore case sensitivity.

    • Enable configuration of search attributes; disable for local connectors: Enables search attribute configuration. Disable this option for local connectors.

    1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.

      Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.

    2. In the Operation Rate Limits area, select the operations to enforce rate limits on.

      You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.

      For each selected operation, configure the following fields:

      • Request Limit: Requests allowed over time.

      • Request Period: Limit resets after this time (ms).

      • Request Timeout: Time before exception thrown (ms).

  6. Click Connect.

  7. Verify that the status shows Connected.
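As an added example (not part of this page or of the connector itself), a Python pre-flight check for the values entered in the Connect to Microsoft Copilot Studio modal: it validates the Tenant ID and Client ID GUIDs and the Environment URL format described in step 4, assembles the client-credentials token request for the Azure app registration, and produces a log-safe copy of the settings with the secret removed. The Microsoft identity platform token endpoint, the Dataverse `/.default` scope, the function names and the org name `contoso` are assumptions, not taken from the page.

```python
import re
from urllib.parse import urlencode

# Field formats from the Connect to Microsoft Copilot Studio modal: Tenant ID and
# Client ID are GUIDs; Environment URL is https://<org-name>.crm<region-number>
# .dynamics.com with no path or trailing slash (a common copy-paste mistake).
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
ENV_URL_RE = re.compile(r"^https://[a-z0-9][a-z0-9-]*\.crm[0-9]*\.dynamics\.com$", re.I)

# Constructed sample: the two GUIDs are the page's own examples; the org name
# "contoso" and the secret are placeholders.
SAMPLE = {
    "tenant_id": "c9fe364e-8947-4045-8d4d-e281f1edd60e",
    "environment_url": "https://contoso.crm4.dynamics.com",
    "client_id": "2d7b3e1c-4f8a-41a9-bc2e-0e9f57a34d12",
    "client_secret": "placeholder-secret",
}

def validate_connector_settings(settings):
    """Return the list of problems with the form values (empty list means OK)."""
    problems = []
    for field in ("tenant_id", "client_id"):
        if not GUID_RE.match(settings.get(field, "")):
            problems.append(f"{field} must be a GUID")
    if not ENV_URL_RE.match(settings.get("environment_url", "")):
        problems.append("environment_url must match "
                        "https://<org-name>.crm<region-number>.dynamics.com")
    if not settings.get("client_secret"):
        problems.append("client_secret is empty")
    return problems

def token_request(settings):
    """Assemble the client-credentials token request for the Azure app.
    Assumed, not stated on the page: the Microsoft identity platform v2.0 token
    endpoint and the Dataverse '<environment_url>/.default' scope."""
    endpoint = (f"https://login.microsoftonline.com/{settings['tenant_id']}"
                "/oauth2/v2.0/token")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": settings["client_id"],
        "client_secret": settings["client_secret"],
        "scope": settings["environment_url"] + "/.default",
    })
    return endpoint, body

def redacted(settings):
    """Copy of the settings that is safe to log: the client secret is never echoed."""
    return {k: "<redacted>" if k == "client_secret" else v for k, v in settings.items()}
```

Run `validate_connector_settings` on the values before clicking Connect; an empty list means the formats are right, and `token_request` gives the exact request to try with a REST client if the status does not reach Connected.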

Configure provisioning and reconciliation resources

To configure provisioning and reconciliation resources, follow the instructions in Onboard AI agents in the Agent Governance documentation.