Microsoft Copilot Studio Connector

Connect Microsoft Copilot Studio agents to StrongDM-managed resources so that end users can interact with resources through Copilot, using their existing StrongDM identities and entitlements.

Overview

The Microsoft Copilot Studio connector allows your Copilot agents to securely interact with StrongDM-managed resources. End users can list their entitled resources and run commands against SSH servers and SQL databases directly from a Copilot agent, without embedding credentials or changing your existing StrongDM infrastructure.

When a user interacts with a Copilot agent that has the StrongDM connector, StrongDM authenticates the user via OAuth and enforces access based on their existing StrongDM entitlements. All commands run through StrongDM's control plane and are logged just like any other StrongDM-mediated access.

No database credentials, SSH keys, or secrets are exposed to Copilot at any point. Credential injection and command execution happen exclusively on your organization's StrongDM-managed nodes.

How It Works

The integration connects Microsoft Copilot Studio to StrongDM through the following flow:

  1. A StrongDM administrator creates a Microsoft Copilot Studio connection in the StrongDM Admin UI and receives OAuth credentials and several URLs.

  2. A Copilot developer creates a custom connector in Microsoft Copilot Studio and then adds the connector to their agent, using the StrongDM credentials and URLs.

  3. When an end user invokes a StrongDM tool through the Copilot agent, the user is redirected through an OAuth flow with StrongDM (if not already authenticated). StrongDM issues a short-lived access token scoped to that user.

  4. Copilot resource interactions on the user's behalf flow through StrongDM's control plane and the organization's StrongDM nodes, which route the traffic as they would normal user actions.

Prerequisites

StrongDM requirements

To set up the Microsoft Copilot Studio connector, you need the following in StrongDM:

  • Administrator permission level

  • At least one operational StrongDM node (gateway, relay, or proxy cluster) with access to the target resources

  • The resources you want to expose through Copilot must be configured in StrongDM.

  • Your organization must be on the US StrongDM control plane.

Microsoft requirements

On the Microsoft side, you need the following:

  • Microsoft Copilot Studio environment with permissions to create or edit agents

  • Ability to add custom connectors to a Copilot Studio agent

For detailed information about working with connectors in Microsoft Copilot Studio, see Microsoft's Copilot Studio documentation.

Limitations

Be aware of the following limitations during the Tech Preview:

  • US control plane only: The Microsoft Copilot Studio connector is available only for organizations on the US StrongDM control plane.

  • Rate limiting: The connector is rate-limited to prevent excessive requests.

  • Supported resource types: Only SSH servers and SQL databases (PostgreSQL, MySQL, and Microsoft SQL Server) are supported. Other resource types are not available through the connector.

  • No agent-specific entitlements: Access is enforced based on the end user's StrongDM entitlements only. Composite identity authorization (combining agent identity and user identity) is not supported in this release.

  • Microsoft Copilot Studio only: The connector works with Microsoft Copilot Studio agents. Other agentic platforms are not supported through this integration.

Supported Resources

During the Tech Preview, the connector supports the following StrongDM resource types:

  • SSH servers: Run shell commands against SSH resources to which the user has access.

  • SQL databases: Run SQL queries against supported database resources to which the user has access. Supported databases include PostgreSQL, MySQL, and Microsoft SQL Server.

End users can also list the resources to which they are entitled in StrongDM.

Set Up the StrongDM Connection

Follow these steps to create the Microsoft Copilot Studio connection in StrongDM.

  1. Log in to the StrongDM Admin UI.

  2. Go to Integrations and then under SaaS Agents, find Microsoft Copilot Studio and click Connect.

  3. Enter a Name for the connection (for example, "Copilot Production" or "Copilot Dev Team") and then click Connect.

  4. StrongDM generates a Client ID and Client Secret and shows those as well as an Authorize URL, Token URL, Refresh URL, and OpenAPI URL. Leave this tab open to copy these values when configuring the connector in Microsoft Copilot Studio, or store them securely.

Configure the Connector in Microsoft Copilot Studio

After you have the client ID, client secret, and URLs from StrongDM, add a custom connector to your Copilot Studio agent. At a high level, the steps are as follows:

  1. Open Microsoft Copilot Studio.

  2. Go to Tools, click New tool, choose Custom connector, and then choose Import an OpenAPI from URL from the dropdown.

  3. In the Import an OpenAPI from URL popup, enter a Connector name (such as "StrongDM"). For Paste in the URL for the Open API, paste the OpenAPI URL value from the StrongDM connector setup screen, and then click Import.

  4. The settings on the General tab can be adjusted as needed, such as the connector's icon or description.

  5. Open the Security tab and ensure the Authentication type is set to "OAuth 2.0". Fill in the Client ID, Client secret, Authorization URL, Token URL, and Refresh URL from the StrongDM connector setup screen. Leave Scope empty.

  6. The Definition tab includes information about the connector that is pulled in from the Open API specification. There should be three Tools available in the list on the left-hand side.

  7. The Code tab can be skipped.

  8. The Test tab requires the connector to exist before you can proceed, so click Create connector and wait for the connector to be created. You can then create a connection (which requires authenticating to link to your StrongDM account) and test it if desired. Creating a connection and testing here is optional; if you skip it, you are prompted to do so on first use later.

  9. Navigate to Agents in the sidebar, and click Create blank agent.

  10. In the agent's Tools tab, click Add a new tool, and then search for the name of the custom connector you just added. The tools available via that connector should appear as results. Select one, and choose Add and configure. Repeat for the other tools.

  11. Now that your agent has the custom connector's tools configured, chat with the agent and ask it what StrongDM resources are available to it. You can watch it use the List Available Resources tool to find them and respond. You may also test an interaction with a resource here.

For detailed steps on how to add and configure connectors in Copilot Studio, see Microsoft's documentation on custom connectors.
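
A pre-import check for steps 3, 5, and 6, as an added example that is not part of the StrongDM documentation: it audits an OpenAPI document for the three tools the Definition tab should list and confirms that any OAuth 2.0 endpoints it declares match the Authorize URL and Token URL shown in the StrongDM Admin UI. The URLs, paths, tool summaries other than List Available Resources, and the scheme name are constructed placeholders, and the OpenAPI 2.0 layout of the sample is an assumption.

```python
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}
URL_KEYS = ("authorizationUrl", "tokenUrl", "refreshUrl")

# Constructed values standing in for what the StrongDM Admin UI displays.
EXPECTED = {
    "authorizationUrl": "https://strongdm.example/oauth/authorize",
    "tokenUrl": "https://strongdm.example/oauth/token",
    "refreshUrl": "https://strongdm.example/oauth/refresh",
}
# Constructed OpenAPI 2.0 document; paths and scheme name are hypothetical.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "paths": {
        "/resources": {"get": {"summary": "List Available Resources"}},
        "/ssh/command": {"post": {"summary": "Run SSH command"}},
        "/sql/query": {"post": {"summary": "Run SQL query"}},
    },
    "securityDefinitions": {"sdm_oauth": {
        "type": "oauth2", "flow": "accessCode",
        "authorizationUrl": EXPECTED["authorizationUrl"],
        "tokenUrl": EXPECTED["tokenUrl"]}},
}

def oauth_endpoints(spec):
    """Collect OAuth 2.0 endpoint URLs from an OpenAPI 2.0 or 3.x document."""
    schemes = spec.get("securityDefinitions") or spec.get("components", {}).get("securitySchemes", {})
    found = {}
    for scheme in schemes.values():
        if scheme.get("type") != "oauth2":
            continue
        # 3.x nests the URLs under "flows"; 2.0 keeps them on the scheme itself.
        for flow in list(scheme.get("flows", {}).values()) or [scheme]:
            found.update({k: flow[k] for k in URL_KEYS if flow.get(k)})
    return found

def audit_spec(spec, expected=EXPECTED, expected_tools=3):
    """Return findings; an empty list means the spec matches the Admin UI values."""
    findings = []
    ops = [p for p, item in spec.get("paths", {}).items() for m in item if m.lower() in HTTP_METHODS]
    if len(ops) != expected_tools:
        findings.append(f"expected {expected_tools} operations, found {len(ops)}")
    declared = oauth_endpoints(spec)
    if not declared:
        findings.append("no oauth2 security scheme declared")
    for key, url in expected.items():
        if urlsplit(url).scheme != "https":
            findings.append(f"{key} from Admin UI is not https")
        if key in declared and declared[key] != url:
            findings.append(f"{key} in spec differs from Admin UI value")
    return findings
```

Run `audit_spec` on the parsed JSON fetched from the OpenAPI URL, with `expected` set to the values copied from the connection screen; any finding is a reason to stop before entering the Client Secret on the Security tab.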

End User Authentication

When an end user first interacts with a StrongDM tool through a Copilot agent, they are prompted to authenticate with StrongDM via an OAuth flow. The user must have an existing StrongDM account and must be entitled to the resources they are trying to access.

After authentication, StrongDM issues a short-lived access token. The user does not need to re-authenticate for subsequent requests until the token expires.

Access is enforced strictly based on the user's existing StrongDM entitlements. If a user does not have access to a resource in StrongDM, they cannot access it through Copilot.

Auditing and Logging

All commands executed through the Copilot connector are logged in StrongDM's existing audit surfaces, just as any other user interaction with a resource would be. When viewed in the StrongDM Admin UI, log entries created through the Copilot integration also indicate the integration associated with the entry.

Troubleshooting

User cannot authenticate through the Copilot agent

Verify that the user has an active StrongDM account and is able to log in to StrongDM directly. The OAuth flow requires a valid StrongDM user identity.

User cannot see or access a resource

Confirm that the user is entitled to the resource in StrongDM. Go to Access > Roles in the Admin UI and verify that the resource is attached to a role the user is a member of. The connector enforces the same entitlements as any other StrongDM access method.

Commands fail or time out

Check that the StrongDM node (gateway, relay, or proxy cluster) that has access to the target resource is online and healthy. You can verify node status in the Admin UI under Networking.

Additionally, during the Tech Preview, verify that the command Copilot ran uses the StrongDM resource ID rather than the resource name. During testing, Copilot sometimes mistakenly used the resource name. This is a known issue that will be corrected in the future.

Still encountering issues?

Contact your StrongDM Tech Preview team. When reaching out, provide the connection name, the resource name or ID, and any error messages displayed in the Copilot agent.
