Authentication
The application ships with authentication disabled by default (Authentication:Enabled = false) so it runs out of the box locally without any Azure dependency.
When deployed for team use, enable Microsoft Entra ID (Azure AD) OpenID Connect authentication to protect all pages and API endpoints with role-based access control.
| Mode | When to Use |
|---|---|
| Disabled (default) | Local development, single-user, air-gapped |
| Entra ID OIDC | Team deployments, production, enterprise |
Three roles are defined as Entra ID App Roles:
| Role | Access Level |
|---|---|
| Admin | Full access — agents, settings, delete operations |
| Tester | Create/run test suites, upload documents, view results |
| Viewer | Read-only access to dashboards and results |
See RBAC and Roles for the full permission matrix.
When authentication is disabled, a DevelopmentAuthHandler automatically signs every request in as Admin — no login, no Entra ID, no tokens. This is suitable only for local development.
When Entra ID authentication is enabled:
- Unauthenticated requests to the Web UI are redirected to the Microsoft login page
- The user signs in with their organizational account (supports MFA, Conditional Access)
- Entra ID returns an ID token with App Role claims
- ASP.NET Core creates a cookie-based session
- App Role claims (Admin, Tester, Viewer) control what the user can see and do
- API requests use OAuth 2.0 Bearer tokens; the CLI can use the Device Code or Client Credentials flow
Set the following before starting the application:

PowerShell (local dev):

```powershell
$env:AUTHENTICATION__ENABLED = "true"
$env:AZUREAD__TENANTID = "<Directory (tenant) ID>"
$env:AZUREAD__CLIENTID = "<Application (client) ID>"
$env:AZUREAD__CLIENTSECRET = "<Client secret value>"
dotnet run --project CopilotStudioTestRunner.WebUI
```

dotnet user-secrets (recommended for local dev):

```shell
cd CopilotStudioTestRunner.WebUI
dotnet user-secrets set "Authentication:Enabled" "true"
dotnet user-secrets set "AzureAd:TenantId" "<tenant-id>"
dotnet user-secrets set "AzureAd:ClientId" "<client-id>"
dotnet user-secrets set "AzureAd:ClientSecret" "<client-secret>"
```

Docker:

```shell
docker run -d \
  -e AUTHENTICATION__ENABLED=true \
  -e AZUREAD__TENANTID=<tenant-id> \
  -e AZUREAD__CLIENTID=<client-id> \
  -e AZUREAD__CLIENTSECRET=<client-secret> \
  copilot-test-runner:latest
```

See Entra ID Setup for the complete step-by-step guide.
After creating the App Registration and defining the three App Roles, assign your users:
- Entra admin center → Identity → Applications → Enterprise applications → CopilotStudioTestRunner
- Users and groups → Add user/group
- Select the user and the appropriate role (Admin, Tester, or Viewer)
- Click Assign
| Setting | Value |
|---|---|
| Cookie HttpOnly | true |
| Cookie Secure | true (HTTPS only) |
| Cookie SameSite | Lax |
| Session timeout | 60 minutes (sliding expiration, configurable) |
| Token refresh | Automatic (MSAL handles refresh tokens) |

| Endpoint | Authentication |
|---|---|
| /health | Always anonymous — required for container health probes |
| /signin-oidc | Handled by OIDC middleware |
| /signout-oidc | Sign-out endpoint |
| All other routes | Require authentication when enabled |
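The following is an added example, not the project's own code, showing how the behaviour described on this page (the DevelopmentAuthHandler used when authentication is disabled, Entra ID OIDC with App Role policies when it is enabled, the session-cookie settings from the table above, and the anonymous /health endpoint) fits together in a minimal ASP.NET Core Program.cs. It assumes .NET 8 with the Microsoft.Identity.Web package, the Authentication:Enabled and AzureAd:* configuration keys documented above, and a hypothetical Authentication:SessionTimeoutMinutes key; the /api/* routes are illustrative only.

```csharp
// Added example (not CopilotStudioTestRunner's own code). Assumes .NET 8 + Microsoft.Identity.Web.
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
bool authEnabled = builder.Configuration.GetValue<bool>("Authentication:Enabled");

if (authEnabled)
{
    // Entra ID OpenID Connect. Microsoft.Identity.Web reads AzureAd:TenantId / ClientId /
    // ClientSecret (the AZUREAD__* environment variables map to the same keys) and wires up
    // the cookie scheme plus the /signin-oidc callback and /signout-oidc remote sign-out path.
    builder.Services
        .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

    // Session cookie settings from the table above. SessionTimeoutMinutes is a hypothetical key.
    int timeoutMinutes = builder.Configuration.GetValue<int?>("Authentication:SessionTimeoutMinutes") ?? 60;
    builder.Services.Configure<CookieAuthenticationOptions>(
        CookieAuthenticationDefaults.AuthenticationScheme, cookie =>
        {
            cookie.Cookie.HttpOnly = true;                          // not readable from page script
            cookie.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
            cookie.Cookie.SameSite = SameSiteMode.Lax;              // Lax still allows the OIDC redirect back
            cookie.ExpireTimeSpan = TimeSpan.FromMinutes(timeoutMinutes);
            cookie.SlidingExpiration = true;
        });
}
else
{
    // Authentication disabled: every request is signed in as Admin. Local development only.
    builder.Services
        .AddAuthentication(DevelopmentAuthHandler.SchemeName)
        .AddScheme<AuthenticationSchemeOptions, DevelopmentAuthHandler>(DevelopmentAuthHandler.SchemeName, _ => { });
}

builder.Services.AddAuthorization(options =>
{
    // Deny by default: every endpoint requires an authenticated user unless it opts out.
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    // Microsoft.Identity.Web maps the Entra ID "roles" claim to the role claim type, so
    // RequireRole matches the App Roles assigned in the Entra admin center.
    options.AddPolicy("AdminOnly", p => p.RequireRole("Admin"));
    options.AddPolicy("CanRunTests", p => p.RequireRole("Admin", "Tester"));
    options.AddPolicy("CanView", p => p.RequireRole("Admin", "Tester", "Viewer"));
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// /health stays anonymous so container health probes work without a token.
app.MapGet("/health", () => Results.Ok("healthy")).AllowAnonymous();

// Hypothetical routes showing the three access levels from the role table.
app.MapGet("/api/results", () => Results.Ok()).RequireAuthorization("CanView");
app.MapPost("/api/suites/{id}/run", (string id) => Results.Accepted()).RequireAuthorization("CanRunTests");
app.MapDelete("/api/suites/{id}", (string id) => Results.NoContent()).RequireAuthorization("AdminOnly");

app.Run();

// Development-only scheme: issues an Admin principal for every request, with no token involved.
public sealed class DevelopmentAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "Development";

    public DevelopmentAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "local-dev"),
            new Claim(ClaimTypes.Role, "Admin"),
        }, SchemeName);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), SchemeName);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

The FallbackPolicy is what makes "all other routes require authentication" hold without annotating every page or endpoint; only /health opts out explicitly. In the disabled mode the same policies still run, but they are always satisfied because the development handler hands every request an Admin identity, which is why that mode belongs only on a developer's machine.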
- Entra ID Setup — step-by-step app registration guide
- RBAC and Roles — full permission matrix
- Configuration Reference — all auth configuration keys
- Deployment — production deployment with authentication