PVA series – authentication in Power Virtual Agent

Today Microsoft has already released some of the features that were planned for release on 2nd of December 2019 in their “new” product, Power Virtual Agent. One of them is “Authentication”. In this post I will help you set up Azure Active Directory as an OAuth 2.0 authentication endpoint.

How does authentication in PVA work?

Once you put an authentication action in the conversation flow and the conversation reaches that point:

Authenticate action in conversation flow

It will display a card with a button to the user. Once clicked, the button generates an OTP that the user simply has to copy and paste into the chat window:

Authentication flow in Power Virtual Agent

Once the user successfully logs in, there are two variables that are used in the flow after that:

  1. IsLoggedIn – boolean variable, true if logged in (what a surprise :P)
  2. AuthToken – this is simply a bearer token generated for the user


To access authentication settings of your bot you have to navigate to the following URL:

Important! You can define only a single authentication endpoint per bot.

The page shows an empty form that is actually not very easy to fill in if you are not an expert in Azure AD 🙂

Power Virtual Agent authentication configuration

Luckily, the documentation is written quite well and helps us set values for these fields if we want to use AAD as the provider:

| Field name | Value |
|---|---|
| Connection name | Connection name |
| Service Provider | Power Virtual Agents only supports generic OAuth2 providers. |
| Client ID | Client ID of the Azure app (read further) |
| Client Secret | Client Secret of the Azure app (read further) |
| Scope List delimiter | Use: , |
| Authorization URL Template | oauth2/v2.0/authorize |
| Authorization URL Query String Template | ?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State} |
| Token URL Template | |
| Token URL Query String Template | Use: ? |
| Token Body Template | code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret} |
| Refresh URL Template | |
| Refresh URL Query String Template | Use: ? |
| Refresh Body Template | refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret} |
| Scopes | For the purpose of authentication it should be: openid |
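
The placeholders in the query string and body templates are easy to mistype when pasting them into the form. The following added example (not from the original post or from Microsoft) lints the three templates from the table for unknown or missing placeholders and renders a filled-in authorization query. The sample client ID, redirect URL and state are constructed values, and the percent-encoding done in `render` is an assumption about how values are substituted.

```python
import re
from urllib.parse import parse_qs, quote

# Templates copied verbatim from the table above.
AUTH_QUERY = ("?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}"
              "&scope={Scopes}&state={State}")
TOKEN_BODY = ("code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}"
              "&client_id={ClientId}&client_secret={ClientSecret}")
REFRESH_BODY = ("refresh_token={RefreshToken}&redirect_uri={RedirectUrl}"
                "&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}")

# Placeholder names that appear in the table; anything else is treated as a typo.
KNOWN = {"ClientId", "ClientSecret", "RedirectUrl", "Scopes", "State", "Code", "RefreshToken"}
# Placeholders each template needs (derived from the table rows above).
REQUIRED = {
    "auth_query": {"ClientId", "RedirectUrl", "Scopes", "State"},
    "token_body": {"Code", "RedirectUrl", "ClientId", "ClientSecret"},
    "refresh_body": {"RefreshToken", "RedirectUrl", "ClientId", "ClientSecret"},
}
PLACEHOLDER = re.compile(r"\{(\w+)\}")

def lint(template, required):
    """Return problems found in a pasted template: unknown or missing placeholders."""
    found = set(PLACEHOLDER.findall(template))
    problems = [f"unknown placeholder {{{p}}}" for p in sorted(found - KNOWN)]
    problems += [f"missing placeholder {{{p}}}" for p in sorted(required - found)]
    return problems

def render(template, values):
    """Fill placeholders, percent-encoding each value (assumed behaviour) so a
    value containing '&' or '=' cannot add or override a parameter."""
    return PLACEHOLDER.sub(lambda m: quote(str(values[m.group(1)]), safe=""), template)

# Constructed sample values, not real credentials or endpoints.
SAMPLE = {
    "ClientId": "00000000-0000-0000-0000-000000000000",
    "RedirectUrl": "https://redirect.example/callback",
    "Scopes": "openid",
    "State": "a&scope=other",
}

if __name__ == "__main__":
    for name, tpl in [("auth_query", AUTH_QUERY), ("token_body", TOKEN_BODY),
                      ("refresh_body", REFRESH_BODY)]:
        print(name, lint(tpl, REQUIRED[name]) or "ok")
    query = render(AUTH_QUERY, SAMPLE)
    print(query)
    print(parse_qs(query.lstrip("?")))
```

A placeholder with the wrong letter case, such as `{ClientID}`, is reported both as unknown and as a missing `{ClientId}`, which is the kind of mistake that otherwise only shows up as a failed sign-in.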

Azure app

Since the configuration requires the app’s client ID and secret key, as well as the scope name, you have to configure that app in AAD.

To do that, open the app registrations blade under the Azure AD blade. Next, create a “new registration”:

Next, define its name and choose the “Multitenant” option for the supported account types:

Once the app is registered, you must configure the redirect URL. To do that, do the following:

  1. Next go to the “Authentication” blade
  2. Click “Add a platform” button
  3. Type: “”
  4. Select “Access tokens” option
  5. Hit “Configure”.

Next, you also have to grant permissions for the app. To do that, do the following:

  1. Go to “API permissions” blade
  2. Click “Add a permission” button
  3. Choose “Microsoft Graph”
  4. Hit “Delegated permissions”
  5. Select “openid” option
  6. Hit “Add permissions” button

Finally, go to “Certificates & secrets” and generate a new secret key:

Then copy its value and paste it in the Power Virtual Agent configuration window. Finally, go to the “Overview” blade to copy the “Client ID” value:

That’s it! The Azure app is registered and configured. Copy its key and ID, and paste them into the Power Virtual Agent configuration screen.

I hope this post will help to save hours of searching and figuring out how to configure the authentication with AAD for PVA. Leave me a comment if you need any support!

Tomasz Poszytek

Hi, I am Tomasz. I am an expert in the field of process automation and building business solutions using Power Platform. I am a Microsoft MVP and Nintex vTE.

