Microsoft Copilot Studio supports the Model Context Protocol (MCP) to invoke external tools. AWS Bedrock AgentCore Gateway exposes MCP servers behind a JWT authentication layer. Connecting the two requires:

1. A Cognito User Pool with an app client configured for the Authorization Code flow
2. An AgentCore Gateway with a CUSTOM_JWT authorizer that accepts the Copilot Studio client
3. A Gateway Target pointing to the MCP runtime

The resulting architecture:

Copilot Studio → (OAuth2 Authorization Code) → Cognito → JWT
     ↓
AgentCore Gateway (validates JWT) → MCP Runtime → Tool

Prerequisites

• An AgentCore Gateway with a target configured to an MCP runtime
• An Amazon Cognito User Pool with an active hosted UI domain
• Admin access to the Copilot Studio portal

Step 1 — Configure the Cognito app client

The app client must support the code (Authorization Code) flow with a client secret:

aws cognito-idp create-user-pool-client \
  --region eu-west-1 \
  --user-pool-id <USER_POOL_ID> \
  --client-name "copilot-studio-mcp" \
  --generate-secret \
  --allowed-o-auth-flows code \
  --allowed-o-auth-scopes openid email profile mcp/invoke \
  --allowed-o-auth-flows-user-pool-client \
  --supported-identity-providers COGNITO \
  --callback-urls "https://placeholder.example.com"

The custom scope mcp/invoke must exist on a resource server in the User Pool. Create it if it doesn’t exist:

aws cognito-idp create-resource-server \
  --region eu-west-1 \
  --user-pool-id <USER_POOL_ID> \
  --identifier mcp \
  --name "MCP Server Access" \
  --scopes '[{"ScopeName":"invoke","ScopeDescription":"Invoke MCP server tools"}]'

Step 2 — Authorize the client on the Gateway

The Gateway must accept the new app client’s client_id in its allowedClients list:

aws bedrock-agentcore-control update-gateway \
  --region eu-west-1 \
  --gateway-id <GATEWAY_ID> \
  --name <GATEWAY_NAME> \
  --role-arn <GATEWAY_ROLE_ARN> \
  --authorizer-type CUSTOM_JWT \
  --protocol-configuration '{
    "mcp": {
      "supportedVersions": ["2025-03-26"],
      "streamingConfiguration": {"enableResponseStreaming": false}
    }
  }' \
  --authorizer-configuration '{
    "customJWTAuthorizer": {
      "discoveryUrl": "https://cognito-idp.eu-west-1.amazonaws.com/<USER_POOL_ID>/.well-known/openid-configuration",
      "allowedClients": ["<EXISTING_CLIENT_1>", "<COPILOT_CLIENT_ID>"],
      "allowedScopes": ["mcp/invoke", "profile", "openid", "email"]
    }
  }'

Step 3 — Configure Copilot Studio

In Copilot Studio: Agent → Tools → Add a tool → Add a Model Context Protocol server.

Select Manual as the OAuth type and fill in:

After clicking Create, Copilot Studio generates a Redirect URL.

Step 4 — Register the Redirect URL in Cognito

Add the Copilot Studio redirect URL to the client’s allowed callbacks:

aws cognito-idp update-user-pool-client \
  --region eu-west-1 \
  --user-pool-id <USER_POOL_ID> \
  --client-id <COPILOT_CLIENT_ID> \
  --callback-urls "https://global.consent.azure-apim.net/redirect/<YOUR_COPILOT_CALLBACK>" \
  --supported-identity-providers COGNITO \
  --allowed-o-auth-flows code \
  --allowed-o-auth-scopes openid email profile mcp/invoke \
  --allowed-o-auth-flows-user-pool-client

Step 5 — Test the connection

Back in Copilot Studio, click Next → Create a new connection and authenticate with a Cognito user. If everything is configured correctly, Copilot Studio obtains an access token and starts invoking MCP tools.

Troubleshooting

MCP protocol version

Copilot Studio currently supports MCP protocol version 2025-03-26. Make sure the Gateway is configured with this version in supportedVersions, otherwise the connection will fail silently.