Connecting Microsoft Copilot Studio to an AWS Bedrock AgentCore Gateway
2026-05-26
Overview
Microsoft Copilot Studio supports the Model Context Protocol (MCP) to invoke external tools. AWS Bedrock AgentCore Gateway exposes MCP servers behind a JWT authentication layer. Connecting the two requires:
- A Cognito User Pool with an app client configured for the Authorization Code flow
- An AgentCore Gateway with a CUSTOM_JWT authorizer that accepts the Copilot Studio client
- A Gateway Target pointing to the MCP runtime
The resulting architecture:
Copilot Studio → (OAuth2 Authorization Code) → Cognito → JWT
↓
AgentCore Gateway (validates JWT) → MCP Runtime → Tool
Prerequisites
- An AgentCore Gateway with a target configured to an MCP runtime
- An Amazon Cognito User Pool with an active hosted UI domain
- Admin access to the Copilot Studio portal
Step 1 — Configure the Cognito app client
The app client must support the code (Authorization Code) flow with a client secret:
aws cognito-idp create-user-pool-client \
--region eu-west-1 \
--user-pool-id <USER_POOL_ID> \
--client-name "copilot-studio-mcp" \
--generate-secret \
--allowed-o-auth-flows code \
--allowed-o-auth-scopes openid email profile mcp/invoke \
--allowed-o-auth-flows-user-pool-client \
--supported-identity-providers COGNITO \
--callback-urls "https://placeholder.example.com"
The custom scope mcp/invoke must exist on a resource server in the User Pool. Create it if it doesn’t exist:
aws cognito-idp create-resource-server \
--region eu-west-1 \
--user-pool-id <USER_POOL_ID> \
--identifier mcp \
--name "MCP Server Access" \
--scopes '[{"ScopeName":"invoke","ScopeDescription":"Invoke MCP server tools"}]'
Step 2 — Authorize the client on the Gateway
The Gateway must accept the new app client’s client_id in its allowedClients list:
aws bedrock-agentcore-control update-gateway \
--region eu-west-1 \
--gateway-id <GATEWAY_ID> \
--name <GATEWAY_NAME> \
--role-arn <GATEWAY_ROLE_ARN> \
--authorizer-type CUSTOM_JWT \
--protocol-configuration '{
"mcp": {
"supportedVersions": ["2025-03-26"],
"streamingConfiguration": {"enableResponseStreaming": false}
}
}' \
--authorizer-configuration '{
"customJWTAuthorizer": {
"discoveryUrl": "https://cognito-idp.eu-west-1.amazonaws.com/<USER_POOL_ID>/.well-known/openid-configuration",
"allowedClients": ["<EXISTING_CLIENT_1>", "<COPILOT_CLIENT_ID>"],
"allowedScopes": ["mcp/invoke", "profile", "openid", "email"]
}
}'
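As an added illustration (not AWS code) of what the CUSTOM_JWT authorizer configured above enforces on every request, the following Python script models the checks offline: signature, issuer derived from the discoveryUrl, expiry, the token's client_id against allowedClients, and its granted scopes against allowedScopes. Real Cognito access tokens are RS256-signed and the Gateway verifies them against the JWKS referenced by the discovery document; the constructed HS256 key here stands in for that step so the script runs without network access. Reading allowedScopes as "any listed scope is sufficient" is an assumption of this example, as are the placeholder client ids.

```python
"""Offline model of the checks an AgentCore Gateway CUSTOM_JWT authorizer applies.

Added example, not AWS code. Real Cognito access tokens are RS256-signed and
verified against the JWKS behind the discoveryUrl; a constructed HS256 key is
used here as a stand-in so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Mirrors the update-gateway call above; <USER_POOL_ID> etc. are placeholders.
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/<USER_POOL_ID>"
AUTHORIZER = {
    "allowedClients": ["<EXISTING_CLIENT_1>", "<COPILOT_CLIENT_ID>"],
    "allowedScopes": ["mcp/invoke", "profile", "openid", "email"],
}
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # stand-in for the JWKS key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT with an HS256 signature (demo stand-in for RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def authorize(token: str, key: bytes = DEMO_KEY, now=None):
    """Return (allowed, reason) for a bearer token, in the order a gateway checks."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    # 1. The signature must verify before any claim is trusted.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "invalid signature"
    claims = json.loads(b64url_decode(payload_b64))
    # 2. The issuer must be the User Pool named by the discoveryUrl.
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    # 3. Expired tokens are rejected.
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # 4. The calling app client must be in allowedClients. Cognito access tokens
    #    carry the client in client_id; ID tokens carry it in aud.
    client = claims.get("client_id") or claims.get("aud")
    if client not in AUTHORIZER["allowedClients"]:
        return False, "client not in allowedClients (insufficient_scope)"
    # 5. At least one granted scope must appear in allowedScopes (assumed any-of).
    granted = set(claims.get("scope", "").split())
    if not granted & set(AUTHORIZER["allowedScopes"]):
        return False, "no allowed scope granted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed token shaped like a Cognito access token issued to the Copilot client.
    token = mint_token({
        "iss": ISSUER,
        "client_id": "<COPILOT_CLIENT_ID>",
        "token_use": "access",
        "scope": "openid email profile mcp/invoke",
        "exp": int(time.time()) + 3600,
    })
    print(authorize(token))
```

Tokens issued to an app client that is missing from allowedClients fail at step 4, which is the insufficient_scope case in the Troubleshooting table; the fix is the update-gateway call in Step 2, not a change on the Cognito side.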
Step 3 — Configure Copilot Studio
In Copilot Studio: Agent → Tools → Add a tool → Add a Model Context Protocol server.
Select Manual as the OAuth type and fill in:
| Field | Value |
|---|---|
| Client ID | The client_id created in Step 1 |
| Client secret | The client’s client_secret |
| Authorization URL | https://<DOMAIN>.auth.eu-west-1.amazoncognito.com/oauth2/authorize |
| Token URL | https://<DOMAIN>.auth.eu-west-1.amazoncognito.com/oauth2/token |
| Refresh URL | (same as Token URL) |
| Scopes | openid email profile mcp/invoke |
After clicking Create, Copilot Studio generates a Redirect URL.
Step 4 — Register the Redirect URL in Cognito
Add the Copilot Studio redirect URL to the client’s allowed callbacks:
aws cognito-idp update-user-pool-client \
--region eu-west-1 \
--user-pool-id <USER_POOL_ID> \
--client-id <COPILOT_CLIENT_ID> \
--callback-urls "https://global.consent.azure-apim.net/redirect/<YOUR_COPILOT_CALLBACK>" \
--supported-identity-providers COGNITO \
--allowed-o-auth-flows code \
--allowed-o-auth-scopes openid email profile mcp/invoke \
--allowed-o-auth-flows-user-pool-client
Step 5 — Test the connection
Back in Copilot Studio, click Next → Create a new connection and authenticate with a Cognito user. If everything is configured correctly, Copilot Studio obtains an access token and starts invoking MCP tools.
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| insufficient_scope | The client_id is not in the Gateway’s allowedClients | Add it via update-gateway (Step 2) |
| invalid_scope | The scope doesn’t exist on the resource server or isn’t enabled on the client | Verify the resource server and AllowedOAuthScopes |
| redirect_uri mismatch | The Copilot redirect URL is not in the client’s callbacks | Run Step 4 |
| unsupported_grant_type | The client doesn’t have the code flow enabled | Add code to AllowedOAuthFlows |
| Failed to fetch outbound oauth token | The target’s credential provider requests scopes invalid for client_credentials | Use only custom scopes (e.g. mcp/invoke), not OIDC scopes |
MCP protocol version
Copilot Studio currently supports MCP protocol version 2025-03-26. Make sure the Gateway is configured with this version in supportedVersions, otherwise the connection will fail silently.
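As an added example (not AWS or Microsoft code) covering the Troubleshooting table and the protocol-version note above, the following Python preflight check inspects the configuration on both sides before a user ever sees one of those errors. It takes the app client and resource server dicts in the shape `aws cognito-idp describe-user-pool-client` / `describe-resource-server` return (ClientId, AllowedOAuthFlows, AllowedOAuthScopes, CallbackURLs, Scopes) and a gateway dict assumed to mirror the JSON passed to update-gateway in Step 2; the list of scopes configured on the target's outbound credential provider is passed separately because its structure is not shown on this page. All sample data is constructed.

```python
"""Preflight check for the Copilot Studio -> Cognito -> AgentCore Gateway setup.

Added example, not AWS or Microsoft code. Each finding maps to one row of the
Troubleshooting table or to the MCP protocol-version requirement. The gateway
dict is assumed to mirror the update-gateway JSON; the sample data is constructed.
"""

REQUIRED_SCOPES = ["openid", "email", "profile", "mcp/invoke"]
COPILOT_MCP_VERSION = "2025-03-26"  # the version Copilot Studio currently speaks


def preflight(client, resource_servers, gateway, redirect_url, outbound_scopes=()):
    """Return a list of (error, fix) tuples; an empty list means the setup should work."""
    findings = []

    # unsupported_grant_type: Copilot Studio needs the Authorization Code flow.
    if "code" not in client.get("AllowedOAuthFlows", []) or not client.get(
        "AllowedOAuthFlowsUserPoolClient", False
    ):
        findings.append(("unsupported_grant_type",
                         "add code to AllowedOAuthFlows and enable AllowedOAuthFlowsUserPoolClient"))

    # invalid_scope: custom scopes must exist on a resource server and be enabled on the client.
    defined = {
        f"{rs['Identifier']}/{s['ScopeName']}"
        for rs in resource_servers
        for s in rs.get("Scopes", [])
    }
    enabled = set(client.get("AllowedOAuthScopes", []))
    for scope in REQUIRED_SCOPES:
        if "/" in scope and scope not in defined:
            findings.append(("invalid_scope", f"{scope} is not defined on any resource server"))
        if scope not in enabled:
            findings.append(("invalid_scope", f"{scope} is not in the client's AllowedOAuthScopes"))

    # redirect_uri mismatch: the URL Copilot Studio generated must be an allowed callback.
    if redirect_url not in client.get("CallbackURLs", []):
        findings.append(("redirect_uri mismatch", f"add {redirect_url} to CallbackURLs (Step 4)"))

    # insufficient_scope: the Gateway authorizer must accept this client and the custom scope.
    authz = gateway["authorizerConfiguration"]["customJWTAuthorizer"]
    if client["ClientId"] not in authz.get("allowedClients", []):
        findings.append(("insufficient_scope", "add the client_id to allowedClients (Step 2)"))
    if "mcp/invoke" not in authz.get("allowedScopes", []):
        findings.append(("insufficient_scope", "add mcp/invoke to allowedScopes (Step 2)"))

    # Failed to fetch outbound oauth token: client_credentials accepts custom scopes only.
    for scope in outbound_scopes:
        if "/" not in scope:
            findings.append(("Failed to fetch outbound oauth token",
                             f"remove OIDC scope {scope} from the target's credential provider"))

    # Silent failure: the Gateway must advertise the MCP version Copilot Studio uses.
    versions = gateway["protocolConfiguration"]["mcp"].get("supportedVersions", [])
    if COPILOT_MCP_VERSION not in versions:
        findings.append(("MCP protocol version", f"add {COPILOT_MCP_VERSION} to supportedVersions"))

    return findings


# Constructed sample: the client as Step 1 leaves it (Step 4 not yet run) and a gateway
# whose allowedClients does not yet list it (Step 2 not yet run).
REDIRECT = "https://global.consent.azure-apim.net/redirect/<YOUR_COPILOT_CALLBACK>"
SAMPLE_CLIENT = {
    "ClientId": "<COPILOT_CLIENT_ID>",
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthScopes": ["openid", "email", "profile", "mcp/invoke"],
    "CallbackURLs": ["https://placeholder.example.com"],
}
SAMPLE_RESOURCE_SERVERS = [{"Identifier": "mcp", "Scopes": [{"ScopeName": "invoke"}]}]
SAMPLE_GATEWAY = {
    "protocolConfiguration": {"mcp": {"supportedVersions": ["2025-03-26"]}},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "allowedClients": ["<EXISTING_CLIENT_1>"],
        "allowedScopes": ["mcp/invoke", "profile", "openid", "email"],
    }},
}


def fixed_sample():
    """The same constructed sample after Steps 2 and 4 have been applied."""
    client = dict(SAMPLE_CLIENT, CallbackURLs=[REDIRECT])
    gateway = {
        "protocolConfiguration": SAMPLE_GATEWAY["protocolConfiguration"],
        "authorizerConfiguration": {"customJWTAuthorizer": {
            "allowedClients": ["<EXISTING_CLIENT_1>", "<COPILOT_CLIENT_ID>"],
            "allowedScopes": ["mcp/invoke", "profile", "openid", "email"],
        }},
    }
    return client, gateway


if __name__ == "__main__":
    for error, fix in preflight(SAMPLE_CLIENT, SAMPLE_RESOURCE_SERVERS, SAMPLE_GATEWAY, REDIRECT):
        print(f"{error}: {fix}")
```

Run against the half-configured sample it reports the redirect_uri mismatch and the missing allowedClients entry; after fixed_sample() applies Steps 2 and 4 it returns no findings. To use it on a real deployment, feed it the responses of the describe/get calls named in the lead-in (for example via boto3) instead of the constructed dicts.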