azure direct-line-botframework power-platform msal microsoft-copilot

How to bypass login popup when using Copilot Studio with manual authentication in a custom web app?

I'm integrating a Microsoft Copilot Studio agent into my company's custom groupware web app (C#), and I want to avoid showing any Microsoft login popups or authentication prompts inside the chat.

My Goal

Use manual authentication (Authenticate manually) in Copilot Studio.
Avoid any login prompts (no popup, no OAuth card in Web Chat).
Users are already authenticated in our groupware, so their information (UPN, email, Azure Object ID) is available.
The chat should start immediately without asking the user to log in again.

What I’ve Tried

Followed the official Microsoft docs:
https://learn.microsoft.com/en-us/microsoft-copilot-studio/configure-sso?tabs=webApp
Sample code from GitHub:
https://github.com/microsoft/CopilotStudioSamples/tree/main/SSOSamples/SSOwithEntraID
YouTube guide:
https://www.youtube.com/watch?v=gvrYegvyzIk
Implemented MSAL and configured acquireTokenSilent() with the right scopes.
It works only after the user has manually signed in using MSAL popup or redirect.
I also tried intercepting the tokenExchange process and manually injecting a token acquired via the App-only client_credentials flow (Azure AD app with Graph API permissions).
Even then, Copilot shows the OAuth card again or fails with 502 Bad Gateway errors.

Problem

I already know who the user is — they’re logged into our app.
But unless they go through Microsoft login flow manually at least once, MSAL can't silently get a token.
Even if I call our backend API to get an App token and pass that into tokenExchange, Copilot rejects it.

My Questions

Is there any way to fully skip login prompts (MSAL popup or OAuth card) when using Copilot with manual authentication?
Can App-only tokens (client_credentials flow) be accepted by Copilot during tokenExchange?
If I already have UPN, Azure Object ID, etc., can I make Copilot trust that without Microsoft login?
Can SAML login or other external auth be linked with Copilot’s OAuth flow?
Is the only reliable option to force the user to manually authenticate once, so that silent MSAL login works afterward?

Any help or recommendations are greatly appreciated. 🙏
Let me know if you need code snippets from my exchangeTokenAsync() function or Web Chat configuration.

Solution

Note: To fully bypass login prompts in Microsoft Copilot Studio using manual authentication, you must pre-authenticate users in your app and securely pass a valid user-delegated access token (not an app-only token) to the token exchange endpoint.

Copilot requires a user context, so app-only tokens (client_credentials flow) won't work. Unfortunately, at least one user login via MSAL is required to enable silent token acquisition afterward.

Microsoft Copilot Studio bots require user-delegated access tokens to provide user-specific experiences (contextual history, personalization, etc.). These tokens cannot be obtained silently unless the user has:

Previously signed in interactively.
Granted consent for the requested scopes.

Even if you have the user’s UPN, Object ID, or session in your system, Microsoft’s identity platform requires a login consent from the user to issue a token on their behalf.

Note: Tokens from the client_credentials (app-only) flow will be rejected by Copilot’s tokenExchange because they don’t represent a user identity.

Sample : Send Token to Bot via tokenExchange Event:

const token = await getToken();

window.WebChat.renderWebChat({
  directLine: window.WebChat.createDirectLine({ token: '<Your Direct Line Token>' }),
  userID: '<user-id>',
  store: window.WebChat.createStore({}, ({ dispatch }) => next => action => {
    if (action.type === 'DIRECT_LINE/CONNECT_FULFILLED') {
      dispatch({
        type: 'WEB_CHAT/SEND_EVENT',
        payload: {
          name: 'tokenExchange',
          value: { token }
        }
      });
    }
    return next(action);
  })
}, document.getElementById('webchat'));

At least one login is required for Microsoft to issue a user-delegated token.
Once signed in, you can use acquireTokenSilent() to avoid repeated prompt.
Copilot Studio requires a user context — app tokens are not enough.