This repository offers a baseline architecture for integrating Copilot Studio and Power Platform with Azure AI resources. The solution is designed with a strong focus on enterprise readiness and network security.
Copilot Studio with Azure AI Search

- Seamless integration of Copilot Studio with Azure AI resources.
- Enterprise-grade network configuration for secure and scalable deployments.
- Observability tools for monitoring and troubleshooting.
- Secure authentication mechanisms aligned with enterprise standards.
- Modular Terraform code structure for easy customization and reuse.
- Support for remote state management using Azure Storage.
- Automated resource tagging for better organization and cost tracking.
- Validation of input variables to ensure robust deployments.
- Pre-configured backend setup for remote state storage.
- Documentation and examples for quick onboarding and usage.
 
This enterprise-ready architecture demonstrates how to securely connect Copilot Studio with Azure AI Search through a private virtual network infrastructure. The solution focuses on data security, network isolation, and compliance with enterprise governance policies.
Power Platform Integration:
- Copilot Studio Bot: Central conversational AI interface that processes user queries
- AI Search Connector: Secure connector that enables Copilot Studio to query Azure AI Search while respecting enterprise data boundaries

Azure Infrastructure:
- Virtual Network (VNet): Provides network isolation and secure communication channels
- Private Endpoints: Ensure that Azure AI Search and Storage Account traffic remains within the corporate network perimeter
- Azure AI Search Service: Indexes and searches enterprise data with built-in AI capabilities
- Storage Account: Stores indexed documents and search artifacts securely

Enterprise Security & Governance:
- Network Injection Policy: Enforces that Power Platform resources communicate through designated virtual networks
- Private Network Access: All data flows through private endpoints, eliminating exposure to the public internet
 
This architecture ensures that sensitive enterprise data never traverses public networks while enabling powerful AI-driven search capabilities through Copilot Studio. The network injection policy guarantees that Power Platform connectors respect corporate network boundaries, providing an additional layer of security for regulated industries.
IMPORTANT: In order to deploy and run this example, you'll need:
- Azure subscription. If you're new to Azure, get an Azure account for free and you'll get some free Azure credits to get started. See the guide to deploying with the free trial.
- Microsoft Entra ID App Registration. To run the example you will have to create an App Registration and give it permissions inside Azure. Detailed configuration instructions are available in the App Registration Setup Guide.
- Power Platform. If you are new to Power Platform and Copilot Studio, you can get a 30-day trial for free.
- Power Platform settings. To enable the required Copilot functionality, configure the following settings in your Power Platform tenant administration portal:
  - Copilot in Power Apps: Enable this setting to allow AI-powered assistance within Power Apps development
  - Publish Copilots with AI features: Allow Copilot authors to publish from Copilot Studio when AI features are enabled
- Power Platform licenses. The designated user must have the following Power Platform licenses assigned:
  - Microsoft Power Apps
  - Power Automate
  - Copilot Studio

  To simplify license management, you can use an Azure subscription with a Billing Policy instead of assigning licenses directly. Configure this by setting the following flag:

  ```shell
  azd env set USE_BILLING_POLICY "true"
  ```

  Note: After creating the Billing Policy, navigate to the Power Platform Admin Center and ensure that the Copilot Studio product is selected. This is a known issue that will be addressed in future updates.
The following user configuration is required to interact with the Azure and Power Platform resources deployed by this solution:

Required Roles:
- Contributor or Owner role on the Azure subscription for managing Azure resources
- Power Platform System Administrator or appropriate environment-specific roles for managing Power Platform connections and Copilot Studio resources

Access Permissions: Upon deployment, the configured user will be granted:
- Owner/Contributor access to the created Azure resources
- Administrative permissions for Power Platform connections
- Full access to the deployed Copilot Studio bot

Note: While the Power Platform Administrator role provides comprehensive access, users with environment-specific administrative roles may also be sufficient, depending on your organization's security requirements.
You have a few options for setting up this project. The easiest way to get started is GitHub Codespaces, since it will set up all the tools for you, but you can also set it up locally if desired.

You can run this repo virtually by using GitHub Codespaces, which will open a web-based VS Code in your browser. Once the codespace opens (this may take several minutes), open a terminal window.

A related option is VS Code Dev Containers, which will open the project in your local VS Code using the Dev Containers extension:
- Start Docker Desktop (install it if not already installed)
- In the VS Code window that opens, once the project files show up (this may take several minutes), open a terminal window.
- Install the required tools:
  - Azure CLI - Required for managing Azure resources and authentication
  - Azure Developer CLI - Platform-specific installers available via package managers or direct download
  - PowerShell 7 - Required for non-Windows systems; Windows users may use the built-in PowerShell
  - .NET 8.0 SDK - Includes the .NET CLI, runtime, and development tools
  - Terraform - HashiCorp official distribution via package manager or binary
  - TFLint - Optional but recommended for infrastructure validation
  - PAC CLI - Microsoft Power Platform developer tooling
  - Gitleaks - Pre-commit hook integration recommended
  - Python 3.9, 3.10, or 3.11
    - Important: Python and the pip package manager must be in the PATH on Windows for the setup scripts to work.
    - Important: Ensure you can run `python --version` from the console. On Ubuntu, you might need to run `sudo apt install python-is-python3` to link `python` to `python3`.
- Create a new folder and switch to it in the terminal.
- Run this command to download the project code:

  ```shell
  azd init -t https://github.com/Azure-Samples/Copilot-Studio-with-Azure-AI-Search
  ```

  Note that this command will initialize a git repository, so you do not need to clone this repository. It will also create a new folder, named after the environment name you entered at the command prompts, inside the `.azure` folder, and set it as the default environment for any calls to `azd` going forward.
The steps below will provision Azure and Power Platform resources and deploy the Copilot Studio bot.

- Log in to your Azure account and configure azd to use Azure CLI authentication:

  ```shell
  az login --service-principal --username <SP_CLIENT_ID> --password <SP_SECRET> --tenant <TENANT_ID>
  azd config set auth.useAzCliAuth "true"
  ```

- Log in to Power Platform:

  ```shell
  pac auth create --name az-cli-auth --applicationId <SP_CLIENT_ID> --clientSecret <SP_SECRET> --tenant <TENANT_ID> --accept-cleartext-caching
  ```

  Note: the `pac auth create` command may return a warning about being unable to connect to a Dataverse organization. This is expected and will not impact the deployment.

- Set your interactive testing user:

  ```shell
  azd env set RESOURCE_SHARE_USER '["entraid_user_object_id"]'
  ```

  Set this value to the Microsoft Entra ID object ID of the primary administrator or developer who will manage and modify the deployed solution resources in the future. This user will be granted administrative access to the Power Platform resources (such as bot ownership and environment management) and will have visibility into the Azure resources provisioned by this deployment. Replace `entraid_user_object_id` with the actual object ID of the intended admin or developer.

- Deploy your infrastructure:

  ```shell
  azd up
  ```

  This will provision all the resources, including building a search index based on the .pdf files found in the `data` folder.
  - You will be prompted to select a location. One of the resources is an Azure OpenAI resource, which is currently available in a limited number of regions. `East US` may be the best option for you. Check the OpenAI model availability table.
  - In Codespaces environments, ensure that the postCreateCommand in devcontainer.json has completed (including PAC CLI installation) before running `azd up`, to avoid PAC-related errors.
  - If you encounter a 403 Unauthorized error when initializing the Terraform backend, verify that the storage account's network access settings allow traffic from your IP address. You may need to allow-list your IP or temporarily enable public access, depending on your organization's policy.
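The deployment steps above, as an added pre-flight script that is not part of the sample repository: it checks that the required tools are installed, that the Python version is in the supported 3.9 to 3.11 range, and that the `RESOURCE_SHARE_USER` and `USE_BILLING_POLICY` values have the expected shape before `azd up` is run. It assumes `azd env get-value` is available to read environment values back.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the deployment steps (added example, not part of the sample).
# Assumes `azd env get-value <NAME>` prints a value previously set with `azd env set`.
set -u
# Tools the local setup section lists as required (TFLint and Gitleaks are optional).
REQUIRED_TOOLS="az azd pwsh dotnet terraform pac python"
# Entra ID object IDs are GUIDs; RESOURCE_SHARE_USER must be a JSON array of them.
GUID='[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

# Return 0 when every named tool (default: REQUIRED_TOOLS) is on PATH, else list the missing ones.
check_tools() {
  local tools="${*:-$REQUIRED_TOOLS}" missing=""
  for t in $tools; do
    command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
  done
  [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

# Accept a version string such as "3.10.4"; only the 3.9, 3.10 and 3.11 series are supported.
python_version_supported() {
  case "$1" in
    3.9|3.9.*|3.10|3.10.*|3.11|3.11.*) return 0 ;;
    *) return 1 ;;
  esac
}

# A bare object ID (not wrapped in a JSON array) is a common mistake and is rejected here.
valid_share_user() {
  printf '%s' "$1" | grep -Eq "^\[\"$GUID\"(, *\"$GUID\")*]\$"
}

# USE_BILLING_POLICY is optional, but when set it must be exactly "true" or "false".
valid_billing_flag() {
  case "$1" in
    ""|true|false) return 0 ;;
    *) return 1 ;;
  esac
}

# Run all checks against the live environment; a non-zero exit means do not run `azd up` yet.
preflight() {
  local rc=0
  check_tools || rc=1
  python_version_supported "$(python --version 2>&1 | awk '{print $2}')" \
    || { echo "unsupported Python version; use 3.9, 3.10 or 3.11" >&2; rc=1; }
  valid_share_user "$(azd env get-value RESOURCE_SHARE_USER 2>/dev/null)" \
    || { echo "RESOURCE_SHARE_USER must be a JSON array of Entra ID object IDs" >&2; rc=1; }
  valid_billing_flag "$(azd env get-value USE_BILLING_POLICY 2>/dev/null)" \
    || { echo "USE_BILLING_POLICY must be \"true\" or \"false\" when set" >&2; rc=1; }
  return $rc
}
```

Source the file and call `preflight` from the project folder after the `azd env set` steps; each failed check prints the prerequisite that still needs attention.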
 
 
- Go to the Copilot Studio webpage
- In the top right corner, select the environment with a name starting with `Copilot Studio + Azure AI`
- Open the `AI Search Connection Example` agent.
To clean up all the resources created by this sample:
- Run `azd down`
- When asked if you are sure you want to continue, enter `yes`

All the Azure and Power Platform resources will be deleted.

Note: Azure OpenAI resources are soft-deleted by default and remain in a "recently deleted" state for 48 hours. If you need to redeploy with the same resource names before the retention period expires, you can manually purge the soft-deleted resource using:

```shell
az cognitiveservices account purge --location <region> --resource-group <rg-name> --name <openai-name>
```

In CI/CD workflows, this purge step is automated to prevent deployment conflicts.
See the Security Considerations guide for a concise overview of baseline controls, mitigated risks, and recommended hardening steps for production.
This guide provides three options for deploying this template: Basic (dev/test), Zone-redundant (single-region production), and Regional failover ready (manual cross-region recovery). The Infrastructure Resilience Considerations guide provides prescriptive guidance on identity, networking, resiliency, scaling, and cost trade-offs. The template defaults to Basic, which leaves you in full control of, and responsible for, choosing the cost, sizing, and resilience of your production environments.
For organizations requiring deployment through CI/CD pipelines, this solution supports secure GitHub self-hosted runners and includes a turnkey bootstrap that provisions private Terraform remote state and a runner in Azure. The configuration emphasizes private networking (private endpoints, no public IP) and least‑privilege access for enterprise environments.
For step‑by‑step setup—including OIDC authentication, running the bootstrap workflow, capturing backend outputs, and targeting jobs to the runner—see the CI/CD guide.
Refer to the Testing Guide for end-to-end instructions covering Copilot Studio agent functional tests and optional Azure AI Search integration tests. It explains required environment variables, two execution paths (auto-populated after azd up or manual configuration), and commands for validating search connectivity, index population, and bot responses before production hardening.
If your organization needs to deploy into existing virtual networks and enforce corporate routing, egress, and inspection controls, this template supports bring‑your‑own networking. You can wire services to your VNet/subnets, use private endpoints and private DNS, and keep public exposure disabled while meeting enterprise policies.
For supported topologies, prerequisites, and step‑by‑step wiring (subnet requirements, private endpoints for Azure AI Search and Storage, DNS zones, NAT/firewall egress), see the Bring Your Own Networking guide.
If you need to deploy into a pre-created or centrally managed Azure resource group (to align with enterprise naming, policy, or billing), the template can target an existing resource group rather than creating a new one. This is especially useful when developers don’t have subscription-level permissions—allowing deployments to proceed with resource group–scoped access.
For prerequisites and configuration flags, see the Custom Resource Group guide.
- Power Platform environment basics
- Copilot Studio getting started
- Azure AI Search resources
- Azure Developer CLI Hooks
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described below. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
The `partner_id` configuration in `infra/providers.tf` enables anonymous telemetry that helps us justify ongoing investment in maintaining and improving this template. Keeping this enabled supports the project and future feature development. To opt out of this telemetry, simply remove `partner_id`. When enabled, the `partner_id` is appended to the User-Agent on requests made by the configured Terraform providers.
Microsoft encourages customers to review its Responsible AI Standard when developing AI-enabled systems to ensure ethical, safe, and inclusive AI practices. Learn more at https://www.microsoft.com/en-us/ai/responsible-ai.
This is a sample built to demonstrate the capabilities of modern Generative AI apps and how they can be built in Azure. For help with deploying this sample, please post in GitHub Issues.