Skip to content

[BUG] Copilot Studio customer connector to Azure Remote MCP Failed #1462

New issue
New issue
Open
Open
[BUG] Copilot Studio customer connector to Azure Remote MCP Failed#1462
Labels
needs-triageWorkflow: This is a new issue that needs to be triaged to the appropriate team.
@SkyloveQiu

Description

@SkyloveQiu
SkyloveQiu
opened on Jan 9, 2026

Describe the bug

Dear Microsoft,
I have tried to deploy Azure Remote MCP and connection copilot studio to Remote MCP.
I constantly got 401 in customer connector test section.
Error in customer connector

{"TimeStamp":"2026-01-09T14:10:19.082788+00:00","Log":"Microsoft.AspNetCore.Hosting.Diagnostics[1]"}
{"TimeStamp":"2026-01-09T14:10:19.0834168+00:00","Log":"Request starting HTTP/1.1 GET http://azure-mcp-storage-server.braveisland-ab803502.westeurope.azurecontainerapps.io/ - - -"}
{"TimeStamp":"2026-01-09T14:10:19.0837165+00:00","Log":"Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]"}
{"TimeStamp":"2026-01-09T14:10:19.0837563+00:00","Log":"CORS policy execution successful."}
{"TimeStamp":"2026-01-09T14:10:19.2663481+00:00","Log":"Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]"}
{"TimeStamp":"2026-01-09T14:10:19.2663952+00:00","Log":"Microsoft.IdentityModel Version: 8.14.0.0. Date 01/09/2026 14:10:19. PII logging is OFF. See https://aka.ms/IdentityModel/PII for details."}
{"TimeStamp":"2026-01-09T14:10:19.266406+00:00","Log":"IDX10242: Security token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature."}
{"TimeStamp":"2026-01-09T14:10:19.2722096+00:00","Log":"Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]"}
{"TimeStamp":"2026-01-09T14:10:19.2722497+00:00","Log":"IDX10239: Lifetime of the token is valid."}
{"TimeStamp":"2026-01-09T14:10:19.2760156+00:00","Log":"Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]"}
{"TimeStamp":"2026-01-09T14:10:19.2760406+00:00","Log":"IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches"}
{"TimeStamp":"2026-01-09T14:10:19.2864327+00:00","Log":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]"}
{"TimeStamp":"2026-01-09T14:10:19.2864581+00:00","Log":"Failed to validate the token."}
{"TimeStamp":"2026-01-09T14:10:19.2864685+00:00","Log":"Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches"}
{"TimeStamp":"2026-01-09T14:10:19.2864763+00:00","Log":"at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable\u00601 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)"}
{"TimeStamp":"2026-01-09T14:10:19.2864843+00:00","Log":"at Microsoft.Identity.Web.Resource.RegisterValidAudience.ValidateAudience(IEnumerable\u00601 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)"}
{"TimeStamp":"2026-01-09T14:10:19.2864918+00:00","Log":"at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable\u00601 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)"}
{"TimeStamp":"2026-01-09T14:10:19.2865015+00:00","Log":"at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)"}
{"TimeStamp":"2026-01-09T14:10:19.2865098+00:00","Log":"at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)"}
{"TimeStamp":"2026-01-09T14:10:19.2906543+00:00","Log":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]"}
{"TimeStamp":"2026-01-09T14:10:19.2906746+00:00","Log":"Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches"}
{"TimeStamp":"2026-01-09T14:10:19.2916389+00:00","Log":"Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]"}
{"TimeStamp":"2026-01-09T14:10:19.2916628+00:00","Log":"Authorization failed. These requirements were not met:"}
{"TimeStamp":"2026-01-09T14:10:19.2916731+00:00","Log":"DenyAnonymousAuthorizationRequirement: Requires an authenticated user."}
{"TimeStamp":"2026-01-09T14:10:19.291683+00:00","Log":"ScopeOrAppPermissionAuthorizationRequirement:Scope/AppPermission= and \u0060scp\u0060 or \u0060http://schemas.microsoft.com/identity/claims/scope\u0060 is one of the following values: (Mcp.Tools.ReadWrite) or TokenValidationParameters.RoleClaimType is one of th following values: (Mcp.Tools.ReadWrite.All)"}
{"TimeStamp":"2026-01-09T14:10:19.2929826+00:00","Log":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]"}
{"TimeStamp":"2026-01-09T14:10:19.293004+00:00","Log":"AuthenticationScheme: Bearer was challenged."}
{"TimeStamp":"2026-01-09T14:10:19.2939525+00:00","Log":"Microsoft.AspNetCore.Hosting.Diagnostics[2]"}
{"TimeStamp":"2026-01-09T14:10:19.293971+00:00","Log":"Request finished HTTP/1.1 GET http://azure-mcp-storage-server.braveisland-ab803502.westeurope.azurecontainerapps.io/ - 401 0 - 211.1839ms"}
{"TimeStamp":"2026-01-09T14:10:19.353009+00:00","Log":"Microsoft.AspNetCore.Hosting.Diagnostics[1]"}
{"TimeStamp":"2026-01-09T14:10:19.353046+00:00","Log":"Request starting HTTP/1.1 GET http://azure-mcp-storage-server.braveisland-ab803502.westeurope.azurecontainerapps.io/ - - -"}
{"TimeStamp":"2026-01-09T14:10:19.3539174+00:00","Log":"Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]"}
{"TimeStamp":"2026-01-09T14:10:19.3539388+00:00","Log":"CORS policy execution successful."}
{"TimeStamp":"2026-01-09T14:10:19.3540343+00:00","Log":"Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]"}
{"TimeStamp":"2026-01-09T14:10:19.3540494+00:00","Log":"IDX10242: Security token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature."}
{"TimeStamp":"2026-01-09T14:10:19.3540762+00:00","Log":"Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]"}
{"TimeStamp":"2026-01-09T14:10:19.3540828+00:00","Log":"IDX10239: Lifetime of the token is valid."}
{"TimeStamp":"2026-01-09T14:10:19.3540935+00:00","Log":"Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]"}
{"TimeStamp":"2026-01-09T14:10:19.3541004+00:00","Log":"IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches"}
{"TimeStamp":"2026-01-09T14:10:19.3552654+00:00","Log":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]"}
{"TimeStamp":"2026-01-09T14:10:19.3552863+00:00","Log":"Failed to validate the token."}
{"TimeStamp":"2026-01-09T14:10:19.3552966+00:00","Log":"Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches"}
{"TimeStamp":"2026-01-09T14:10:19.3553045+00:00","Log":"at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable\u00601 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)"}
{"TimeStamp":"2026-01-09T14:10:19.3553131+00:00","Log":"at Microsoft.Identity.Web.Resource.RegisterValidAudience.ValidateAudience(IEnumerable\u00601 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)"}
{"TimeStamp":"2026-01-09T14:10:19.3553205+00:00","Log":"at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable\u00601 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)"}
{"TimeStamp":"2026-01-09T14:10:19.3553285+00:00","Log":"at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)"}
{"TimeStamp":"2026-01-09T14:10:19.3553362+00:00","Log":"at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)"}
{"TimeStamp":"2026-01-09T14:10:19.3553438+00:00","Log":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]"}
{"TimeStamp":"2026-01-09T14:10:19.3553514+00:00","Log":"Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. See https://aka.ms/identitymodel/app-context-switches"}
{"TimeStamp":"2026-01-09T14:10:19.3553592+00:00","Log":"Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]"}
{"TimeStamp":"2026-01-09T14:10:19.3554186+00:00","Log":"Authorization failed. These requirements were not met:"}
{"TimeStamp":"2026-01-09T14:10:19.3554331+00:00","Log":"DenyAnonymousAuthorizationRequirement: Requires an authenticated user."}
{"TimeStamp":"2026-01-09T14:10:19.355441+00:00","Log":"ScopeOrAppPermissionAuthorizationRequirement:Scope/AppPermission= and \u0060scp\u0060 or \u0060http://schemas.microsoft.com/identity/claims/scope\u0060 is one of the following values: (Mcp.Tools.ReadWrite) or TokenValidationParameters.RoleClaimType is one of th following values: (Mcp.Tools.ReadWrite.All)"}
{"TimeStamp":"2026-01-09T14:10:19.3554485+00:00","Log":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]"}
{"TimeStamp":"2026-01-09T14:10:19.3554561+00:00","Log":"AuthenticationScheme: Bearer was challenged."}
{"TimeStamp":"2026-01-09T14:10:19.3554638+00:00","Log":"Microsoft.AspNetCore.Hosting.Diagnostics[2]"}
{"TimeStamp":"2026-01-09T14:10:19.3554718+00:00","Log":"Request finished HTTP/1.1 GET http://azure-mcp-storage-server.braveisland-ab803502.westeurope.azurecontainerapps.io/ - 401 0 - 2.0316ms"}

The api on Azure is granted.
The response header is
{
"content-length": "0",
"date": "Fri, 09 Jan 2026 15:45:23 GMT",
"www-authenticate": "Bearer realm="azure-mcp-storage-server.braveisland-ab803502.westeurope.azurecontainerapps.io", resource_metadata="http://azure-mcp-storage-server.braveisland-ab803502.westeurope.azurecontainerapps.io/.well-known/oauth-protected-resource\", Bearer error="invalid_token", error_description="The audience '(null)' is invalid"",
"x-ms-apihub-cached-response": "true",
"x-ms-apihub-obo": "false",
"x-ms-au-caller-id": "2774560a-59a5-454f-9161-30dabeb89529",
"x-ms-au-creator-id": "2774560a-59a5-454f-9161-30dabeb89529",
"x-ms-dlp-ef": "-|-/-|-|-",
"x-ms-dlp-gu": "-|-",
"x-ms-dlp-re": "-|-",
"x-ms-environment-id": "0533837e-008c-ec99-be78-0910314c124c",
"x-ms-mip-sl": "-|-|-|-",
"x-ms-tenant-id": "f8be18a6-f648-4a47-be73-86d6c5c6604d"
}

Could you look into this issue please?
Thank you so much

Expected behavior

The expect behavior is connect to Copilot Studio properly

Actual behavior

does not connect to Azure Remote MCP

Reproduction Steps

https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/how-to/deploy-remote-mcp-server-copilot-studio

Environment

N/A

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-triageWorkflow: This is a new issue that needs to be triaged to the appropriate team.

    Type

    No type

    Projects

    Azure MCP Server

    Status

    Untriaged

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions