Skip to content

Add Support for CopilotStudio Agent-to-Agent Connector for AgentsSDK to populate UserAuthorization #219

New issue
New issue
Open
Open
Add Support for CopilotStudio Agent-to-Agent Connector for AgentsSDK to populate UserAuthorization#219
Labels
TriageNew issue, yet to be triaged
@MattB-msft

Description

@MattB-msft
MattB-msft
opened on Jul 19, 2025

Copilot Studio is adding a feature that allows users to integrate with an AgentsSDK hosted agent via the Agent-to-Agent feature announced at Microsoft Build 2025.

This feature uses the PowerPlatform Connector system to facilitate this connectivity and supports the Expect Replies and Streaming deliverymode patterns to communicate with the published Agent Endpoint ( by default /api/messages ). Communications from CopilotStudio using the Agent-to-Agent Connector will contain an http header “connector=true” that will identify it as originating from the connector system.
When operating in support of a PowerPlatform Connector, it is not necessary to register or configure an Azure Bot Service registration. This creates a critical challenge with the UserAuthorization feature of the AgentsSDK.

By default,
The User Authorization Subsystem is setup to work with Azure Bot Service’s Token Endpoint to support managing user authorization, with the expectation that the Token Service will provide the necessary infrastructure and links to manage authentication flows. Tokens produced from this system will always be On-Behalf-Of tokens for a given user.

In the case of the Agent Operating with the Agent-to-Agent Connector, An agent is contacted by the PowerPlatform Connectors system using either the requesting user’s identity or a service principle. This identity(token) will surface in the incoming request bearer token. The token on this request can be either a On-Behalf-Of token or a Service Principal depending on how the connector is configured. When in this state the incoming token must be made available on the UserAuthorization GetTurnTokenAsync method.
Behavior when processing a “connector” originated request:

Example header indicating that this is a connectors request:

x-ms-agentsdk-caller=Connector

Modifications:
UserAuthorization.DefaultHandlerName : this will return the name “PowerPlatformConnector”
UserAuthorization.GetTurnTokenAsync : this will return the current bearer token from the incoming request
UserAuthroziation.ExchangeTurnTokenAsync : this will operate normally.

Metadata

Metadata

Assignees

No one assigned

    Labels

    TriageNew issue, yet to be triaged

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions