Understanding Copilot Studio Agents App Registration
When you create an Agent within Copilot Studio, a corresponding App registration is automatically generated. These app registrations are named after the Agent, suffixed with “(Microsoft Copilot Studio)”. You can view these app registrations in the Azure Portal under App registrations > All applications.
Agent Certificates and Federated Identity
Each app registration associated with a Copilot Studio Agent includes three certificates and two federated credentials as of January 2025. These components enable secure communication between agents and your data sources and services.
Certificates
The three certificates are identical across all app registrations linked to Copilot Studio Agents, with the latest expiry date being 24/09/2025. For more details on how these certificates are automatically updated or rotated, refer to App registration, certificates, and configuration values for Copilot Studio. It’s worth considering whether these certificates are necessary, given the presence of federated identities, which might eventually eliminate the need for certificates or client tokens. The future setup of these app registrations will tell.
Federated Identities
There are two federated identities:
- Multi-Tenant Federated Identity:
  - Issuer: https://login.microsoftonline.com/{tenantId}/v2.0
  - Subject Identifier: /eid1/c/pub/t/{tenantId}/a/m1WPnYRZpEaQKq1Cceg--g/{GUID}
  - This identity seems to cater to multi-tenant scenarios.
- Single-Tenant Federated Identity:
  - Default setting is single-tenant.
  - This identity is specific to the end user’s tenant.
The default setup is single-tenant.
Experimenting with App Registrations
I experimented by deleting the certificates within the app registration to observe any impact on the agent’s behaviour, and there were no immediate differences. Additionally, I successfully renamed the app registration to give it more meaning, e.g. adding dev to its name to indicate that its purpose is development.
Agent Lifecycle
Deleting an Agent
When an Agent is deleted, the corresponding app registration is also removed, ensuring no orphaned app registrations remain.
Renaming an Agent
However, when an Agent is renamed, the corresponding app registration is not automatically renamed. This might require manual updates to keep the names consistent.
Duplicate Agent
If I create another agent with the same name as a renamed agent, a duplicate app registration can be created unless the app registration names are updated manually.
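To audit the duplicate registrations and certificate expiry described above, here is an added example (not from the original post or from Microsoft) that checks an export of app registrations. It assumes the input is a list of Microsoft Graph application objects carrying displayName, appId and keyCredentials; the function names, finding labels and sample data are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

SUFFIX = "(Microsoft Copilot Studio)"  # naming suffix described in this post

# Constructed sample of Microsoft Graph application objects; every name, appId
# and date below is made up for illustration.
SAMPLE_APPS = json.loads("""[
 {"displayName": "HR Helper (Microsoft Copilot Studio)", "appId": "00000000-0000-0000-0000-000000000001",
  "keyCredentials": [{"endDateTime": "2025-09-24T00:00:00Z"}]},
 {"displayName": "HR Helper (Microsoft Copilot Studio)", "appId": "00000000-0000-0000-0000-000000000002",
  "keyCredentials": [{"endDateTime": "2025-09-24T00:00:00Z"}]},
 {"displayName": "Sales Bot dev (Microsoft Copilot Studio)", "appId": "00000000-0000-0000-0000-000000000003",
  "keyCredentials": []},
 {"displayName": "Payroll API", "appId": "00000000-0000-0000-0000-000000000004",
  "keyCredentials": [{"endDateTime": "2024-01-01T00:00:00Z"}]}
]""")

def parse_ts(value):
    # Graph timestamps end in "Z"; normalise so older Python versions parse them.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(apps, now, warn_days=30):
    """Return (kind, subject, detail) findings for Copilot Studio app registrations."""
    # Limitation: a registration renamed without the suffix is not matched here.
    agents = [a for a in apps if (a.get("displayName") or "").strip().endswith(SUFFIX)]
    by_name = defaultdict(list)
    for app in agents:
        by_name[app["displayName"].strip().casefold()].append(app["appId"])
    findings = [("duplicate-name", name, ", ".join(ids))
                for name, ids in by_name.items() if len(ids) > 1]
    for app in agents:
        certs = app.get("keyCredentials") or []
        if not certs:  # informational: the certificates have been removed
            findings.append(("no-certificates", app["appId"], app["displayName"]))
        for cert in certs:
            days_left = (parse_ts(cert["endDateTime"]) - now).days
            if days_left < 0:
                findings.append(("cert-expired", app["appId"], f"{-days_left} days ago"))
            elif days_left <= warn_days:
                findings.append(("cert-expiring", app["appId"], f"in {days_left} days"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_APPS, datetime.now(timezone.utc)):
        print(*finding, sep=" | ")
```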
Conclusion
App registrations within the tenant for those Copilot Studio Agents enable interactions with different data sources. From a governance perspective, if a company has naming conventions, it’s advisable to rename these app registrations to reflect their purpose. As Copilot Studio Agents are still evolving, the setup of these app registrations may change over time.
References
App registration, certificates, and configuration values for Copilot Studio.