Custom Connector OAuth for Makers (Without the Headache) | elijah.ai
Makers, Microsoft-hosted: Part 1 of 5. Next: Copilot Studio MCP tools.

Custom Connector OAuth for Makers (Without the Headache)

Why this exists: Swagger and OpenAPI are the easy part. OAuth is where you lose a morning staring at errors you did not cause on purpose. This guide is the short version of what actually matters when you wire a custom connector in a normal Microsoft cloud tenant.

For you if: You build in Power Platform, you are not the person who owns Entra ID (still called Azure AD in a lot of docs), and you need the connector Test tab to go green before you touch Copilot Studio.

Scope: Microsoft-hosted only. No on-premises gateways or hybrid fairy tales.

The two lanes (pick one before you paste anything)

OAuth is just a structured way for your connector to get a token so your API trusts the call. For makers there are really two lanes.

  • Delegated (user context). A person signs in. The token represents them, so your API sees that person's identity and gets only the permissions they hold. Use this when the data or action should respect that person's permissions.
  • Client credentials (app-only). No person signs in at runtime. A service principal (an app identity in Microsoft Entra) swaps a client secret or certificate for a token. Use this for shared tools where the behavior should be the same for everyone, and only if the API was built to accept app tokens (it authorizes on app roles, not on a user's scopes).

If you are not sure, ask a plain question: “Should this behave like the signed-in user, or like one shared backend account?” That single answer saves you from rebuilding connections later.

What you are filling in on the Security tab

You will see different labels depending on OAuth type, but the ideas repeat.

Field | What it is (maker translation)
Identity provider | Usually Microsoft Entra if your API is protected with Microsoft login.
Client id | The app registration's Application (client) ID. Public, not secret. Think "username for the app."
Client secret (or cert) | The proof that your automation is allowed to act as that app. Treat it like a password: it has an expiry date and rotates on purpose.
Authorization URL / Token URL | Where the browser (or backend) goes to start OAuth and swap a code (or the secret) for a token. Copy them from Entra's endpoint docs for your cloud; the host differs between the public cloud and the sovereign clouds.
Resource URL or scope | Which API you want a token for and which permission on it (v1 endpoints take a resource URL, v2 endpoints take a scope). Wrong string, wrong audience in the token, unhappy API.
Redirect URL | Where Entra sends the user after login during connector testing. Power Platform generates it when you save the connector; register that exact value on the app registration, character for character.

If your stomach just tightened, good. Redirect mismatches and wrong scope lines are half the support tickets that are not actually “Power Platform is broken.”

A walk-through that always helps: Test tab first

  1. Create or update the connector in Power Apps maker portal.
  2. Set Security the way your team agreed (delegated or client credentials).
  3. Open Test, create a connection, sign in or paste app credentials depending on the lane.
  4. Call one simple operation with boring inputs. Prove 200 OK (or your API’s happy response) before you show up in Copilot Studio.

Why this order? Copilot Studio adds variables you do not need while you are still proving the pipe is not blocked.

When the Test tab laughs at you

Quick translations, no mysticism.

  • Redirect URI mismatch (AADSTS50011). The URL registered on the app in Entra is not the one the connector generated. Copy/paste beats typing; watch for trailing slashes and http versus https.
  • AADSTS7000215 (invalid client secret) and AADSTS7000222 (expired client secret). The secret was rotated or reached its expiry date. Not a mystery. Put the new secret value in the place your connector reads from, and note the new expiry date.
  • Admin consent required (AADSTS65001). You did nothing wrong. Someone with the right directory role has to grant the permission for the tenant.
  • 401 from your API after the token looks fine. Decode the token payload (jwt.ms or any offline decoder; use a test token, not a production one) and check two claims. First, aud must be your API, not Graph or some other resource, which is what a wrong Resource URL or scope produces. Second, delegated tokens carry permissions in scp while app-only tokens carry them in roles; if the API checks one and your token has the other, you get 401 or 403. That is when your API team and the app registration need ten minutes together.
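
What the two lanes and that last 401 case look like in code, as an added example (not code from the post, from Power Platform, or from Microsoft): it builds the app-only token request for the client credentials lane and then triages a token the way you would when the Test tab has one but the API still says 401. Everything specific is assumed: the tenant and client ids, the api://contoso-inventory app ID URI in EXPECTED_AUD, and the two sample tokens, which are constructed and unsigned (a real Entra token is signed) so the whole thing runs offline. The decoder deliberately skips signature verification; it is a maker's triage tool, not something an API may use to accept tokens.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Hypothetical values for this walk-through; none of them come from the post.
LOGIN_HOST = "login.microsoftonline.com"   # public cloud host; sovereign clouds use a different one
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# Entra mints aud as the API's app ID URI (v1 tokens) or its client id (v2 tokens); accept both.
EXPECTED_AUD = {"api://contoso-inventory", "22222222-2222-2222-2222-222222222222"}


def client_credentials_request(client_secret, scope, tenant_id=TENANT_ID,
                               client_id=CLIENT_ID, login_host=LOGIN_HOST):
    """Build the app-only token request (the client credentials lane).

    On the v2.0 endpoint an app-only request must ask for '<API>/.default';
    a bare permission name is refused before any token is issued. Returns
    (url, form_body) so any HTTP client can POST it; nothing is sent here.
    """
    if not scope.endswith("/.default"):
        raise ValueError(f"client credentials on v2.0 need '<app ID URI>/.default', got {scope!r}")
    url = f"https://{login_host}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # the secret travels in the body, never in the URL
        "scope": scope,
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token):
    """Return the JWT payload as a dict. No signature check: this is triage
    for a maker reading a token, never a way for an API to accept one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def triage(token, expected_aud=EXPECTED_AUD, now=None):
    """Explain why an API might answer 401 to a token that 'looks fine'."""
    now = time.time() if now is None else now
    claims = decode_payload(token)
    findings = []

    has_scp, has_roles = "scp" in claims, "roles" in claims
    if has_scp and has_roles:
        lane = "mixed"
    elif has_scp:
        lane = "delegated"   # user context: permissions in scp, the user in oid/upn
    elif has_roles or claims.get("idtyp") == "app":
        lane = "app-only"    # client credentials: permissions in roles, no user
    else:
        lane = "unknown"
        findings.append("no scp and no roles claim: the API has nothing to authorize against")

    aud = claims.get("aud")
    aud_ok = aud in expected_aud
    if not aud_ok:
        findings.append(f"aud {aud!r} is not this API: the token was minted for something else "
                        "(check Resource URL / scope on the Security tab)")

    if "exp" in claims and claims["exp"] < now:
        findings.append("token is expired: the connection needs to refresh or sign in again")

    permissions = claims.get("scp", "").split() + list(claims.get("roles", []))
    return {"lane": lane, "aud_ok": aud_ok, "permissions": permissions, "findings": findings}


def _constructed_token(payload):
    """Constructed, unsigned stand-in for a real Entra token (which is signed).
    It only exercises the decoding and claim checks above."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "constructed"])


FAR_FUTURE = 4102444800  # 2100-01-01, keeps the constructed samples from expiring
DELEGATED_OK = _constructed_token({"aud": "api://contoso-inventory", "scp": "Items.Read Items.Write",
                                   "upn": "maker@contoso.example", "exp": FAR_FUTURE})
APP_ONLY_WRONG_AUD = _constructed_token({"aud": "https://graph.microsoft.com", "roles": ["Items.Read.All"],
                                         "idtyp": "app", "exp": FAR_FUTURE})

if __name__ == "__main__":
    url, _ = client_credentials_request("<secret from your vault>", "api://contoso-inventory/.default")
    print("token endpoint:", url)
    for name, tok in [("delegated, right audience", DELEGATED_OK),
                      ("app-only, Graph audience", APP_ONLY_WRONG_AUD)]:
        print(name, "->", triage(tok, now=0))
```

The second sample is the classic shape of "token looks fine, API says 401": a perfectly valid app-only token whose aud is Microsoft Graph because the scope on the Security tab was typed for Graph instead of `api://contoso-inventory/.default`. Fixing the scope string, not the API, is the remedy.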

For a fuller “open the hood in order” list, jump to Part 5: Troubleshooting kit.

Secrets: what makers actually control

Do not park long-lived client secrets in canvas app formulas, copy-paste emails, screenshots, or the files you commit when you script connector uploads. Use the patterns your org already picked: connection objects, environment variables where available, Key Vault if your admins set that up for you. Write the secret's expiry date down somewhere the team will see it, because an expired secret is the most boring outage there is. If you are not sure where the secret should live, ask once and save ten incidents.

Delegated vs app-only (one table)

 | Delegated (user) | Client credentials (app)
Who shows up in audits | The signed-in user | The service principal
Runtime sign-in prompt | Usually yes, for the first connection | None; the connection holds the app credentials
Good when | Mail, files, or rows that belong to people | Shared lookup tables, system maintenance, "always the same" tools

Where this goes next

Once Test is green, you are ready to attach the same connector to Copilot Studio as a tool. That is Part 2. If your tool calls Dataverse, read Part 3 before you chase “the model is dumb” when the real story is security roles.
