
Microsoft 365 Copilot Integration

Connect Microsoft 365 Copilot directly to TATER via Model Context Protocol (MCP). Combine Copilot's native Microsoft Graph context (Entra ID users, Conditional Access, Defender, Intune, Outlook, Teams, SharePoint) with TATER's compliance posture, risk register, change pipeline, and configuration documentation — all from one chat.

Why Copilot + TATER together

Copilot already has access to your tenant's live state through Microsoft Graph. TATER has the compliance posture: which controls are passing, which are accepted as risk, which are pending change-control approval, and your living configuration documentation. Connecting them lets Copilot answer questions neither tool can answer alone:

  • "Our MFA control is failing — show me which 47 users haven't registered MFA, and draft an Outlook email to them."
  • "Cross-check our Conditional Access policies against TATER's expected SCuBA baseline and surface any drift."
  • "I just changed the spam filter aggressiveness level. Document it as a versioned config doc in TATER, and post a summary to the security Teams channel."
  • "Generate the SOC 2 quarterly readiness summary, save it to SharePoint, and post the executive summary to Teams."

Three integration paths

There are three ways to connect Copilot to TATER. This guide covers two of them: a Copilot Studio agent (Path A, recommended for most customers: no-code, configured in the browser, broader UX surface but a shallower tool loop) and a declarative agent built with the Microsoft 365 Agents Toolkit (Path B, for teams that want source-controlled manifests and full custom branding). The third, Azure AI Foundry, is the most capable but needs more infrastructure and is not covered here; reach out if you need help with it.

Prerequisites

Requirement / How to check or get it

Microsoft 365 Copilot license
  $30 / user / month. Verify in M365 admin → Licenses: you should see Microsoft 365 Copilot as a SKU with seats assigned.

Tenant ID
  Find at Entra admin → Tenant overview. Format: GUID. You'll need it for the admin-consent URL below.

One-time admin consent for the TATER app
  The simplest path. A Global Administrator or Cloud Application Administrator pastes this URL into a browser once (replace {tenantId} with your tenant GUID), signs in, and clicks Accept:
  https://login.microsoftonline.com/{tenantId}/adminconsent?client_id=45afb90d-c5de-439d-8b09-8fbfed28b321
  That registers the TATER app as an enterprise application in your tenant and pre-grants the api://45afb90d-.../access scope. Afterwards you should see "TATER-SecurityCompliance" under Entra → Enterprise applications.

TATER OrgMembership for every Copilot user
  Each user who will invoke the plugin must already be a member of a TATER organization. Any role works for read tools; OrgAdmin or higher is needed for write tools (overrides, change requests, remediation triggers, config-doc upserts). Check at app.tatersecurity.com → Settings → Profile: your org name should appear in the topbar.

Choose your build path

  • Path A — Copilot Studio (recommended). No-code, no VS Code, no manifest packaging. Configure in your browser. Skip to Path A below.
  • Path B — Declarative agent (advanced, code-based). Requires the Microsoft 365 Agents Toolkit (formerly "Teams Toolkit") in VS Code, plus permission to upload custom apps in Integrated Apps. See Path B below.

Stuck on prereqs?

The most common blocker is the admin-consent step. If your IT admin won't paste the consent URL, an alternative is per-user consent: the first time each Copilot user invokes a TATER tool, Microsoft will prompt them with the standard OAuth consent dialog. That works for read-only tools but fails for write tools if your tenant restricts user consent (most do). Tenant-wide admin consent via the URL above is the cleanest path.

Power Platform redirect URIs already registered

The TATER app registration ships with all five Power Platform OAuth redirect URIs (global / us / emea / apac / india.consent.azure-apim.net/redirect) pre-registered — you do not need to add them yourself. If you previously hit AADSTS900971: No reply address provided during the OAuth dance, retry now — that error is fixed for new sign-ins.

Path A: Copilot Studio (recommended)

Copilot Studio gives you a custom Copilot agent without writing any manifest files. You'll connect it to TATER's MCP HTTP endpoint via Copilot Studio's connector UI, drop in our agent instructions, and publish the agent for your users.

  1. Open copilotstudio.microsoft.com and sign in. Click Create → Agent.
  2. Name the agent TATER Compliance Analyst. For the description, paste: "Continuous compliance, risk register, and configuration documentation for our M365 tenant. Inspect control status, remediate findings, capture evidence, and maintain living network documentation."
  3. For the agent's Instructions, copy the full contents of instructions.md and paste them in.
  4. Click Tools in the left rail, then Add a tool → Custom connector → New custom connector → Import an OpenAPI file. Upload copilot-studio-connector.yaml — this is the Swagger 2.0 variant required by Copilot Studio's import wizard. (We also publish the OpenAPI 3.0 spec as openapi.yaml for Postman / generic SDK use, but Copilot Studio rejects 3.0 specs.)
  5. In the connector wizard, fill in the OAuth fields. Most values are identical for every customer because TATER is a multi-tenant Entra app. Only Client secret (confidential-client setups) and, for sovereign clouds, Redirect URL vary by tenant:
    Host
      Value: api.tatersecurity.com
      Source: TATER's public API
    Authentication type
      Value: OAuth 2.0
      Source: Standard
    Identity provider
      Value: Azure Active Directory (or "Microsoft Entra ID" in newer UI)
      Source: Standard
    Client ID
      Value: 45afb90d-c5de-439d-8b09-8fbfed28b321
      Source: TATER app. Same for every customer; do not change.
    Client secret
      Value: Leave blank if your tenant accepts public-client OAuth. Otherwise see "Advanced: confidential client" below.
      Source: Your tenant (only if confidential-client)
    Authorization URL
      Value: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
      Source: Standard. /common works because TATER is multi-tenant. Substituting your tenant ID is the stricter choice: it stops accounts from other tenants signing in to the connector.
    Token URL
      Value: https://login.microsoftonline.com/common/oauth2/v2.0/token
      Source: Standard, same caveat as above.
    Resource URL (shown by v1.0 wizards only)
      Value: api://45afb90d-c5de-439d-8b09-8fbfed28b321
      Source: TATER app; this is the token's audience. Same prefix as Scope, without /access. v2.0 wizards derive it from Scope and don't show the field.
    Scope
      Value: api://45afb90d-c5de-439d-8b09-8fbfed28b321/access
      Source: TATER scope, the permission inside the resource. Same for every customer.
    Redirect URL
      Value: https://global.consent.azure-apim.net/redirect (Power Platform's centralized OAuth proxy; same for all non-sovereign customers)
      Source: Standard Power Platform endpoint. Copilot Studio confirms it after you save; regional variants such as us.consent.azure-apim.net/redirect apply to government/sovereign tenants.
  6. Save and test the connector. Copilot Studio will surface a "Sign in" link — click it, complete the OAuth dance with your TATER-member account, and you should see "Connected".
  7. Back in the agent, click Test in the upper-right and try: "What's the current TATER organization context?" — the agent should call get_org_context and report your org.
  8. Click Publish. Choose the channels you want (M365 Copilot Chat, Teams, web). Approve any tenant-admin consent prompts.
Advanced — confidential client (when your tenant requires it)

If your tenant rejects public-client OAuth (most enterprise tenants do), you register a small connector app in your own tenant — this app has its own Client ID + Client Secret, and a delegated permission grant to the TATER app (45afb90d-...). You then use your connector app's Client ID and Secret in the Copilot Studio wizard above instead of TATER's. Quick path:

  1. Entra admin → App registrations → New registration. Name it TATER Copilot Connector. Single-tenant.
  2. Certificates & secrets → New client secret. Copy the value — you'll paste it into the Copilot Studio connector wizard.
  3. API permissions → Add a permission → APIs my organization uses → search for TATER-SecurityCompliance → Delegated permissions → access. Grant admin consent.
  4. Authentication → Add platform → Web → redirect URI https://global.consent.azure-apim.net/redirect (Power Platform's standard custom-connector callback — same for all non-sovereign tenants). Add a regional variant too if your environment is in a sovereign cloud.
  5. Use this app's Client ID and secret in the Copilot Studio connector instead of TATER's Client ID directly.

Recommended manifest values (Entra ID → App registrations → your connector app → Manifest). The manifest editor accepts only strict JSON, so the notes that belong with these keys are given below rather than as comments:

{
  "isFallbackPublicClient": false,
  "web": {
    "redirectUris": [
      "https://global.consent.azure-apim.net/redirect"
    ]
  }
}
  • isFallbackPublicClient: false prevents accidental public-client fallback when a client secret isn't presented. Good practice for any confidential client.
  • requestedAccessTokenVersion lives on the resource app (TATER, already set to 2), not on your connector app. Leave it unset here.
  • Add a publicClient.redirectUris block with https://login.microsoftonline.com/common/oauth2/nativeclient only if you have a separate desktop or native client that needs to talk to TATER. Copilot Studio itself does not need it; it uses the web platform exclusively.
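The checks behind the manifest advice above, as an added example (not TATER's code or any Entra tooling): a small linter over an app-registration manifest in the Microsoft Graph format shown in the Manifest blade. It flags a public-client fallback, a multi-tenant sign-in audience, redirect URIs outside the Power Platform callbacks, an application (Role) permission on TATER instead of a delegated (Scope) one, and a requestedAccessTokenVersion set on the wrong app. Both manifests are constructed; the scope GUID is a placeholder, since the real one is only visible under TATER-SecurityCompliance → Delegated permissions.

```python
import json

TATER_CLIENT_ID = "45afb90d-c5de-439d-8b09-8fbfed28b321"
# The five Power Platform custom-connector callbacks named on this page.
POWER_PLATFORM_REDIRECTS = {
    f"https://{region}.consent.azure-apim.net/redirect"
    for region in ("global", "us", "emea", "apac", "india")
}


def lint_connector_manifest(manifest: dict) -> list:
    """Return findings for a connector-app manifest (Microsoft Graph manifest format).

    An empty list means the manifest matches the guidance on this page.
    """
    findings = []
    if manifest.get("isFallbackPublicClient") is not False:
        findings.append("isFallbackPublicClient should be false so a missing secret never "
                        "falls back to a public-client flow")
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience should be AzureADMyOrg: the connector app is single-tenant")
    web_uris = set(manifest.get("web", {}).get("redirectUris", []))
    if not web_uris & POWER_PLATFORM_REDIRECTS:
        findings.append("no Power Platform callback in web.redirectUris; the OAuth dance will "
                        "fail at the redirect step")
    for uri in sorted(web_uris - POWER_PLATFORM_REDIRECTS):
        findings.append(f"unexpected web redirect URI {uri}: authorization codes could be "
                        "delivered somewhere other than Power Platform")
    if manifest.get("publicClient", {}).get("redirectUris"):
        findings.append("publicClient.redirectUris is set, but Copilot Studio only uses the web "
                        "platform; remove it unless a separate native client needs it")
    if manifest.get("api", {}).get("requestedAccessTokenVersion") is not None:
        findings.append("api.requestedAccessTokenVersion is set on the connector; it belongs "
                        "on the resource app (TATER)")
    tater_grants = [r for r in manifest.get("requiredResourceAccess", [])
                    if r.get("resourceAppId") == TATER_CLIENT_ID]
    if not tater_grants:
        findings.append("no API permission on the TATER app; add the delegated 'access' scope "
                        "and grant admin consent")
    elif any(a.get("type") != "Scope"
             for r in tater_grants for a in r.get("resourceAccess", [])):
        findings.append("TATER permission must be delegated (type Scope), not application "
                        "(type Role), so every call is attributable to the signed-in user")
    return findings


# Placeholder for the 'access' scope's GUID (constructed; read the real one from the portal).
ACCESS_SCOPE_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed weak manifest: public-client fallback on, multi-tenant, a stray dev callback,
# and an application permission on TATER.
WEAK_MANIFEST = {
    "isFallbackPublicClient": True,
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": ["https://global.consent.azure-apim.net/redirect",
                             "http://localhost:3000/callback"]},
    "requiredResourceAccess": [{"resourceAppId": TATER_CLIENT_ID,
                                "resourceAccess": [{"id": ACCESS_SCOPE_ID, "type": "Role"}]}],
}

# Constructed hardened manifest that follows the page's recommendations.
HARDENED_MANIFEST = {
    "isFallbackPublicClient": False,
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": ["https://global.consent.azure-apim.net/redirect"]},
    "requiredResourceAccess": [{"resourceAppId": TATER_CLIENT_ID,
                                "resourceAccess": [{"id": ACCESS_SCOPE_ID, "type": "Scope"}]}],
}

if __name__ == "__main__":
    for name, manifest in ("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST):
        print(name, json.dumps(lint_connector_manifest(manifest), indent=2))
```

Run it against a manifest exported from the portal (Manifest → Download) by loading the JSON into `lint_connector_manifest`; an empty result is the state the steps above leave you in.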

Path B: Declarative agent (advanced, code-based)

For teams that want full custom branding, source-controlled manifests, or to bundle multiple agents in one Teams app package. Requires VS Code, the Microsoft 365 Agents Toolkit (formerly "Teams Toolkit"), and Integrated Apps permission to upload custom apps.

Step B-1: Download the manifest files

You need four files: declarative-agent.json, api-plugin.json, openapi.yaml (the OpenAPI 3.0 spec), and instructions.md (the same agent instructions Path A uses). The next step places them in the app package.

Step B-2: Package as a Teams app

  1. Install Microsoft 365 Agents Toolkit in VS Code (formerly "Teams Toolkit"; the marketplace listing was renamed, but the extension ID is unchanged).
  2. Run Teams: Create new app → Custom Engine Agent → Declarative Agent → Start with manifest.
  3. Point the toolkit at declarative-agent.json. It scaffolds a Teams app project.
  4. Drop api-plugin.json, openapi.yaml, and instructions.md into the project's appPackage/ directory.
  5. Run Teams: Provision & Package to produce a .zip.

Step B-3: Configure the OAuth connection

Same OAuth values as Path A's connector wizard, but configured via M365 admin center → Settings → Integrated apps → Connections. After save, copy the verification token and paste it into api-plugin.json under auth.verification_tokens.openai, then re-package.

Step B-4: Upload to your tenant

  1. M365 admin center → Integrated apps → Upload custom apps.
  2. Approve any tenant-wide permission consent.
  3. Assign to a pilot security group before tenant-wide rollout.
  4. Wait 2–4 hours. The agent appears in the Copilot agent picker.

"Upload custom apps" missing from Integrated apps?

Your tenant has the "Allow users to install Teams custom apps" setting disabled. Either enable it (M365 admin → Settings → Org settings → Microsoft Teams → Manage apps) or use Path A (Copilot Studio) instead, which doesn't require this permission.

Auth nuance — admin actions through Copilot

Single-identity OAuth limitation

Copilot's OAuth flow is single-identity per session. If the user signs into Copilot with a non-admin account, they will see "Access denied" when invoking write tools (override creation, change requests, remediation triggers). Two workarounds:

  1. Sign into Copilot with an admin TATER account for write actions (clunky but works today).
  2. Wait for the elevation-key feature, planned for a future release: the user stores their admin API key in TATER → Settings → Profile, and the MCP server auto-elevates when needed. The audit log will record both identities (e.g., jmiles@bletzer.com via jmiles-a@bletzer.com via Copilot). Note that a stored elevation key turns any session authenticated as that non-admin user into an admin session, so the non-admin account then needs admin-grade protection (MFA, Conditional Access).

For now, the safest pattern is to use Copilot for read/inspect/draft work and switch to the TATER web app or Claude Desktop (with an admin API key) for committing changes.

Test the integration

Open Microsoft 365 Copilot (Office.com or Teams) or Copilot Studio, select the TATER Compliance Analyst agent, and try:

  • "What's the current TATER organization context?" — should call get_org_context and report the org you're a member of.
  • "Show the most critical failing controls." — should call get_failing_controls with severity=Critical.
  • "Document the Conditional Access policy that blocks legacy auth." — should call Graph to read the policy, then call upsert_config_doc to persist a structured doc in TATER.

If the agent says it can't reach TATER or returns 401, double-check the OAuth connection: scope must be exactly api://45afb90d-c5de-439d-8b09-8fbfed28b321/access and the admin-consent URL must have been completed for your tenant.
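When a 401 does show up, the fastest check is to look at the claims in the access token the connector obtained (Copilot Studio's connector test page, or a browser devtools capture, will show it). The following is an added diagnostic, not TATER's code or any Microsoft tooling: it base64url-decodes a JWT payload without verifying the signature and reports the mismatches that explain most 401s against the Resource URL / Scope rows of the connector table above: an audience that is not the TATER app (v2.0 tokens carry the app GUID, v1.0 tokens the api:// URI, so both are accepted), a missing `access` scope, a token from another tenant, or an app-only token with no user. The two tokens are constructed and unsigned; the tenant GUID and user name are placeholders.

```python
import base64
import json

# Expected values from this page.
TATER_CLIENT_ID = "45afb90d-c5de-439d-8b09-8fbfed28b321"
TATER_SCOPE = "access"
# TATER's resource app has requestedAccessTokenVersion = 2, so a v2.0 token's aud is the
# app GUID; a v1.0 token's aud is the App ID URI. Accept either for diagnosis.
ACCEPTED_AUDIENCES = {TATER_CLIENT_ID, "api://" + TATER_CLIENT_ID}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    This is a troubleshooting aid for a token you already hold; the TATER API still
    validates signature, issuer and expiry on every request.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_tenant: str = "") -> list:
    """List the claim mismatches that typically explain a 401 from TATER."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in ACCEPTED_AUDIENCES:
        problems.append(f"aud={aud!r}: token was issued for another resource; the connector "
                        f"must request scope api://{TATER_CLIENT_ID}/{TATER_SCOPE}")
    scopes = set(str(claims.get("scp", "")).split())
    if TATER_SCOPE not in scopes:
        problems.append(f"scp={sorted(scopes)}: delegated scope '{TATER_SCOPE}' is missing")
    if expected_tenant and claims.get("tid") != expected_tenant:
        problems.append(f"tid={claims.get('tid')!r}: issued by another tenant; admin consent "
                        "must be completed in the tenant the user signs in from")
    if not (claims.get("preferred_username") or claims.get("upn")):
        problems.append("no user claim: looks like an app-only token, but TATER tools need "
                        "a delegated user token")
    return problems


def _constructed_jwt(payload: dict) -> str:
    """Build an UNSIGNED token for offline demonstration (constructed sample, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant GUID

# What the connector should produce once scope and consent are correct.
GOOD_TOKEN = _constructed_jwt({
    "aud": TATER_CLIENT_ID, "tid": SAMPLE_TENANT, "scp": "access",
    "preferred_username": "analyst@contoso.example", "ver": "2.0",
})
# A connector whose scope was left at a Graph default: wrong audience, wrong scope.
WRONG_RESOURCE_TOKEN = _constructed_jwt({
    "aud": "https://graph.microsoft.com", "tid": SAMPLE_TENANT, "scp": "User.Read",
    "preferred_username": "analyst@contoso.example", "ver": "2.0",
})

if __name__ == "__main__":
    for name, token in ("good", GOOD_TOKEN), ("wrong-resource", WRONG_RESOURCE_TOKEN):
        print(name, diagnose(token, SAMPLE_TENANT) or "OK")
```

Paste a real token in place of the constructed ones; pass your tenant GUID as `expected_tenant` to catch the case where a user signed in through /common from the wrong tenant.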

Audit attribution

Every TATER tool invoked through Copilot is recorded in the TATER audit log with:

  • The signed-in Copilot user's userEmail and userId
  • via: 'copilot' — so SuperAdmins can filter for Copilot-driven activity in Activity Log
  • The full tool name and arguments (sanitized for length, capped per CLAUDE.md audit-size limits)

This means every override, change request, remediation trigger, evidence comment, or config doc created through Copilot is fully attributable to a real human identity — same as actions taken in the TATER web app or via Claude Desktop. Copilot is treated as just another channel.

Safety guardrails

The shipped instructions.md requires Copilot to describe write actions and ask for confirmation before invoking any TATER tool that mutates compliance state. Destructive Microsoft Graph actions (deleting users, modifying tenant-wide settings) are explicitly forbidden — the agent is instructed to use TATER's create_change_request instead, so the change is registered in the change pipeline before being executed manually.

You can tighten or relax these guardrails by editing instructions.md and re-packaging the agent. We recommend keeping confirmation-before-write enabled in production tenants. Keep in mind that instructions.md is guidance to the model, not an enforcement boundary: the role check in TATER (OrgAdmin or higher for write tools, as listed under Prerequisites) is what actually stops an unauthorized write, and the audit log is what lets you see that it was attempted.
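The three server-side behaviours this page describes, role-gated writes ("Access denied" for a non-admin Copilot session under Auth nuance), attributable audit records with via, user identity and length-capped arguments (Audit attribution), and the review of Copilot-driven writes suggested under What's next, as one added example. This is illustrative code, not TATER's MCP server: the role ranking, the audit-size cap, the tool names create_override and trigger_remediation, and all callers are assumptions; get_org_context, get_failing_controls, create_change_request and upsert_config_doc are the tool names the page uses.

```python
import json
from dataclasses import dataclass

# Role ordering assumed from "OrgAdmin or higher"; Member stands for any non-admin org role.
ROLE_RANK = {"Member": 0, "OrgAdmin": 1, "SuperAdmin": 2}
# create_override and trigger_remediation are assumed names for the other write actions
# the page lists (overrides, remediation triggers).
READ_TOOLS = {"get_org_context", "get_failing_controls"}
WRITE_TOOLS = {"create_override", "create_change_request", "trigger_remediation",
               "upsert_config_doc"}
MAX_ARGS_CHARS = 120  # assumed audit-size cap for the recorded arguments


class AccessDenied(Exception):
    """Raised when the caller's org role is below what the tool requires."""


@dataclass(frozen=True)
class Caller:
    user_email: str
    user_id: str
    role: str
    via: str  # channel the call arrived on: "copilot", "web", "claude-desktop"


def required_role(tool: str) -> str:
    if tool in WRITE_TOOLS:
        return "OrgAdmin"
    if tool in READ_TOOLS:
        return "Member"
    raise ValueError(f"unknown tool {tool!r}")


def invoke(caller: Caller, tool: str, args: dict, audit: list) -> dict:
    """Authorize one tool call from the caller's real identity, record it, then allow or deny.

    The decision depends only on the identity behind the OAuth token and its org role,
    never on what the agent's instructions say; that is why the confirmation prompt in
    instructions.md is a courtesy to the user rather than the control.
    """
    needed = required_role(tool)
    allowed = ROLE_RANK[caller.role] >= ROLE_RANK[needed]
    rendered = json.dumps(args, sort_keys=True)
    if len(rendered) > MAX_ARGS_CHARS:
        rendered = rendered[:MAX_ARGS_CHARS] + "...[truncated]"
    record = {
        "userEmail": caller.user_email,
        "userId": caller.user_id,
        "via": caller.via,
        "tool": tool,
        "args": rendered,
        "outcome": "allowed" if allowed else "denied",
    }
    audit.append(record)  # denied attempts are recorded too, so escalation attempts are visible
    if not allowed:
        raise AccessDenied(f"{tool} requires {needed}; {caller.user_email} is {caller.role}")
    return record


def copilot_write_activity(audit: list) -> dict:
    """Per-user count of Copilot-driven write tools, allowed and denied: the first-weeks review."""
    summary = {}
    for rec in audit:
        if rec["via"] != "copilot" or rec["tool"] not in WRITE_TOOLS:
            continue
        per_user = summary.setdefault(rec["userEmail"], {"allowed": 0, "denied": 0})
        per_user[rec["outcome"]] += 1
    return summary


if __name__ == "__main__":
    log = []
    analyst = Caller("analyst@contoso.example", "u-100", "Member", "copilot")  # constructed
    admin = Caller("admin@contoso.example", "u-001", "OrgAdmin", "copilot")    # constructed
    invoke(analyst, "get_failing_controls", {"severity": "Critical"}, log)
    try:
        invoke(analyst, "create_change_request", {"title": "Block legacy auth"}, log)
    except AccessDenied as err:
        print("denied:", err)
    invoke(admin, "upsert_config_doc", {"title": "CA: block legacy auth", "body": "x" * 500}, log)
    print(json.dumps(copilot_write_activity(log), indent=2))
```

The denied record is the interesting one for the review: a Member repeatedly hitting write tools through Copilot usually means the agent is choosing tools the user cannot run, which is an instructions.md problem, or a user who needs an OrgAdmin grant.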

What's next

  1. Review the agent's daily activity in Activity Log filtered by via=copilot for the first 1–2 weeks — it surfaces patterns where the agent's tool selection or instruction handling could be improved.
  2. Customize instructions.md with your org-specific policies (preferred frameworks, escalation rules, naming conventions, etc.) and re-package.
  3. Add additional conversation_starters to the manifest for common workflows your team runs (quarterly reviews, audit prep, client onboarding).
  4. If you build a Copilot Studio agent for a different audience (e.g., a customer-facing agent that sees only public Trust Center data), reach out — we have a separate manifest for that.