Enable Power Platform API Permissions for Copilot Studio Automation - Entra ID app registration

When automating Copilot Studio agents or building custom integrations, you need to grant your Entra ID app registration the proper Power Platform API permissions. However, the Power Platform API often doesn’t appear in the standard API permissions list in the Azure Portal. This guide shows you how to enable the Power Platform API service principal and add the CopilotStudio.Copilot.Invoke permission to your app registration.

Table of Contents

The Problem

While setting up automated testing for Copilot Studio agents using the Copilot Studio Kit (inspired by Matthew Devaney’s excellent video Copilot Studio Test Automation: STOP Testing Manually!!), I stumbled on a frustrating issue: the Power Platform API doesn’t appear in the list of available APIs when configuring Entra ID app registration permissions.

Power Platform API missing from API permissions list

This prevents you from adding the critical CopilotStudio.Copilot.Invoke permission needed to programmatically interact with Copilot Studio agents from your applications, test automation frameworks, or custom integrations.

Why Power Platform API is Missing

The Power Platform API is not automatically enabled in every Microsoft 365 tenant. Unlike commonly used APIs (Microsoft Graph, SharePoint, etc.), the Power Platform API’s service principal must be explicitly created in your tenant before it appears in the Azure Portal’s API permissions list.

Prerequisites

Before proceeding, ensure you have:

  • Tenant Administrator Role: Required to create service principals
  • Application Administrator Role: Needed to modify app registrations
  • Microsoft Graph PowerShell SDK: For executing the commands
  • Permissions: At minimum, Application.ReadWrite.All in Microsoft Graph
  • Entra ID App Registration: An existing app registration that needs Power Platform API access

Solution Overview

The solution involves three main steps:

  1. Enable the Power Platform API service principal in your tenant using Microsoft Graph PowerShell
  2. Add the API permissions to your Entra ID app registration
  3. Grant admin consent for the permissions

Step 1: Verify Power Platform API Status

Before creating the service principal, you can verify whether the Power Platform API is already available in your tenant using Microsoft Graph Explorer.

Using Graph Explorer

  1. Navigate to Graph Explorer
  2. Sign in with your tenant administrator account
  3. Grant consent for Application.ReadWrite.All permission
  4. Execute this query:
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '8578e004-a5c6-46e7-913e-12f58912df43'

Expected Results:

  • If empty: The Power Platform API service principal doesn’t exist yet
  • If returns data: The service principal already exists (you can skip to Step 3)

Checking Power Platform API availability in Graph Explorer

Understanding the App ID

The Power Platform API has a fixed application ID across all Microsoft tenants:

  • App ID: 8578e004-a5c6-46e7-913e-12f58912df43
  • Display Name: Power Platform API
  • Publisher: Microsoft Corporation

Step 2: Enable Power Platform API Service Principal

Now let’s create the service principal using PowerShell, which will make the Power Platform API available throughout your tenant.

PowerShell Script

#Install the Microsoft Graph PowerShell SDK module
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

# Connect to Microsoft Graph with Application.ReadWrite.All permission
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Create Service Principal for Power Platform API
New-MgServicePrincipal -AppId 8578e004-a5c6-46e7-913e-12f58912df43 -DisplayName "Power Platform API"

Script Breakdown

StepPurpose
Install-ModuleInstalls Microsoft Graph PowerShell SDK
Connect-MgGraphAuthenticates and requests necessary permissions
New-MgServicePrincipalCreates the Power Platform API service principal

Expected Output

DisplayName        Id                                   AppId                                SignInAudience      Servic
                                                                                                                 ePrinc
                                                                                                                 ipalTy
                                                                                                                 pe
-----------        --                                   -----                                --------------      ------
Power Platform API da21136a-683a-4a13-900d-f3c8941c4a0e 8578e004-a5c6-46e7-913e-12f58912df43 AzureADMultipleOrgs App...

Power Platform API service principal created via PowerShell

Step 3: Add API Permissions to Your App

After creating the service principal, the Power Platform API will now appear in the Azure Portal’s API permissions list.

Via Azure Portal

  1. Navigate to Azure Portal
  2. Go to Azure Active Directory > App registrations
  3. Select your app registration
  4. Click API permissions in the left menu
  5. Click + Add a permission
  6. Select APIs my organization uses
  7. Search for “Power Platform API”
  8. Select Power Platform API from the results

Power Platform API now available in the API permissions list

  1. Choose Application permissions
  2. Expand CopilotStudio section
  3. Check CopilotStudio.Copilot.Invoke
  4. Click Add permissions

Adding Power Platform API permissions to Entra ID app

Permission Details

PermissionTypeDescription
CopilotStudio.Copilot.InvokeApplicationAllows the app to invoke Copilot Studio agents programmatically

Scope: This is an application permission (not delegated), meaning it works without a signed-in user context—ideal for automated scenarios, background services, and test automation.

Application permissions require administrator consent before they can be used.

  1. In the API permissions blade of your app registration
  2. Click Grant admin consent for [Your Tenant]
  3. Confirm by clicking Yes in the dialog
  4. Verify that the Status column shows a green checkmark with “Granted for [Your Tenant]”

Granting admin consent to Power Platform API permissions

Alternative: Manual Manifest Configuration

If the Power Platform API still doesn’t appear in the UI, you can add the permission directly via the app manifest.

App Manifest Method

  1. In your app registration, go to Manifest in the left menu
  2. Locate the requiredResourceAccess array
  3. Add the following configuration:
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "8578e004-a5c6-46e7-913e-12f58912df43",
      "resourceAccess": [
        {
          "id": "38c13204-7d79-4d83-bdbb-b770e28400df",
          "type": "Role"
        }
      ]
    }
  ]
}
  1. Click Save
  2. You’ll still need to grant admin consent (Step 4)

Key IDs to Remember

ComponentGUID
Power Platform API (resourceAppId)8578e004-a5c6-46e7-913e-12f58912df43
CopilotStudio.Copilot.Invoke (permission ID)38c13204-7d79-4d83-bdbb-b770e28400df

Type: "Role" indicates this is an application permission (as opposed to "Scope" for delegated permissions)

Verification

After completing all steps, verify your configuration:

Check 1: API Permissions Blade

In your app registration’s API permissions section, you should see:

Power Platform API listed under “Configured permissions”
CopilotStudio.Copilot.Invoke permission
Type: Application
Status: “Granted for [Your Tenant]” with a green checkmark

Check 2: Test Connection

Create a simple test script to verify the permission works:

# Get access token for your app
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"

$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    scope         = "https://api.powerplatform.com/.default"
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
$accessToken = $response.access_token

Write-Host "✓ Access token obtained successfully!" -ForegroundColor Green
Write-Host "Token expires in: $($response.expires_in) seconds" -ForegroundColor Cyan

# Decode token to verify scopes (optional)
$tokenParts = $accessToken.Split('.')
$tokenPayload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenParts[1]))
$tokenJson = $tokenPayload | ConvertFrom-Json

Write-Host "`nToken roles/scopes:" -ForegroundColor Cyan
$tokenJson.roles

Expected output should include CopilotStudio.Copilot.Invoke in the roles.

Test Access

Conclusion

Enabling the Power Platform API for Copilot Studio integration is a straightforward process once you understand that the service principal needs to be explicitly created in your tenant. By following this guide, you’ve:

✅ Created the Power Platform API service principal in your tenant
✅ Added CopilotStudio.Copilot.Invoke permission to your app registration
✅ Granted admin consent for the permission
✅ Verified your configuration
✅ Learned how to troubleshoot common issues

This one-time setup unlocks powerful automation scenarios, from test automation frameworks to custom integrations and serverless architectures that interact with Copilot Studio agents programmatically.

References