MitID Copilot Studio integration in 30 minutes: this is a step-by-step walkthrough of wiring Microsoft Copilot Studio to MitID via the Idura broker, including the userinfo call needed to surface the user’s name, birthdate, and pseudonym in the conversation.
Let's explore
Credit
This post follows the structure of Artur Bagrancev‘s LinkedIn article Building a Danish customer-facing AI agent with MitID via Idura and Copilot Studio. Artur identified Idura as a free to try MitID broker, documented the callback URL, and figured out the OAuth template strings Copilot Studio’s Generic OAuth 2 form expects. Read his post first.
What this post adds:
- The HTTP Request to
oauth2/userinfo(documented in Step 5 -> 7). Without it,User.DisplayNameand UUID is empty after login. - The 14-field response schema and which claim to use as the ERP lookup key.
MitID Copilot Studio Architecture
User → Copilot Studio (anonymous topics) → general FAQ repliesUser → Copilot Studio ("Vis min faktura" topic) → Authenticate node → Idura broker (OIDC) → MitID pre-prod (pp.mitid.com) → MitID simulator (browser) ← access token (JWT) → HTTP Request to {idura}/oauth2/userinfo with Bearer token → render name, fødselsdato, UUID in chat
The MitID Copilot Studio integration is plain OIDC: Copilot Studio speaks OIDC to Idura, and Idura handles the MitID certificates and broker plumbing. To swap Idura for Signicat, Nets eID, or IN Groupe, change the URLs. Idura support alot of different eID’s
The finished topic:
What you need for MitID Copilot Studio
- Microsoft 365 tenant with Copilot Studio licensed.
- An email address for the Idura signup.
- Browser access to
https://pp.mitid.comfor creating a MitID test user.
You do not need a production MitID broker agreement, your real MitID, or a backend API. The userinfo endpoint returns enough for a demo.
Step 1 — Idura broker
Sign up at the Idura dashboard, pick a tenant subdomain (your OIDC domain becomes {subdomain}.idura.broker), then:
- Applications → Add login application.
- Technology: Other → “Microsoft Copilot Studio”.
- Callback URL:
https://token.botframework.com/.auth/web/redirect(fixed; the bot framework receives the OAuth redirect here regardless of IdP). - Inside the app: eID methods → Danish MitID on, OpenID Connect → OAuth2 Code Flow on.
- Generate Client Secret. Copy it now — it is only shown once.
Record: Client ID, Client Secret, Domain (e.g. jenskfinance-demo.test.idura.broker).
Open https://{domain}/.well-known/openid-configuration and copy the authorization_endpoint and token_endpoint values. Typos here are the most common cause of 404s during the OAuth flow.
Step 2 — Create the agent
In Copilot Studio:
- Create → New agent.
- Name: MitID Demo – Danish Customer Agent.
- Instructions:
Du er en venlig kundeserviceassistent for et dansk teleselskab.Svar kort og hjælpsomt på dansk. For generelle spørgsmål om priser,abonnementer og åbningstider, svar uden at bede om login. Når brugeren<br>beder om personlige data (faktura, forbrug, kontooplysninger), skaldet tilhørende emne udløse MitID-login.
The agent’s Overview tab has Publish, the Test pane, and links to Knowledge, Tools, Topics, Settings:
Step 3 — Configure Generic OAuth 2
Settings → Security → Authentication → Authenticate manually.
| Field | Value |
|---|---|
| Service provider | Generic OAuth 2 |
| Client ID / Secret | from Step 1 |
| Scope list delimiter | space |
| Authorization URL | authorization_endpoint from discovery |
| Authorization URL query string template | ?response_type=code&client_id={ClientId}&redirect_uri={RedirectUrl}&scope={Scopes}&acr_values=urn:grn:authn:dk:mitid:low&state={State} |
| Token URL | token_endpoint from discovery |
| Token body template | grant_type=authorization_code&client_id={ClientId}&client_secret={ClientSecret}&code={Code}&redirect_uri={RedirectUrl} |
| Refresh body template | grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}&refresh_token={RefreshToken} |
| Scopes | openid profile |
The completed form:
Two things to get right:
acr_values=urn:grn:authn:dk:mitid:low. Uselowduring dev. Usesubstantialfor production (required by Danish law for regulated personal/financial data) orhighfor high-sensitivity data.- Require users to sign in: OFF. Enables the hybrid pattern: anonymous by default, MitID only when needed.
Publish the agent. Authentication settings do not take effect until publish.
Step 4 — The authenticated topic
Add a topic Vis min faktura with trigger phrases vis min faktura, min regning, hvad skylder jeg.
Six nodes:
- Message — “Et øjeblik — du skal lige logge ind med MitID.”
- Authenticate node. Exposes
User.IsLoggedIn,User.AccessToken,User.DisplayName,User.Id. - Condition on
User.IsLoggedIn = true: Success branch → HTTP Request (Step 5). Failure branch → Message “Beklager, jeg kunne ikke logge dig ind med MitID.” - Message with the personalized response.
Step 5 — Call userinfo for the claims
The access token authenticates the user but does not populate the claim variables. User.DisplayName is typically empty. To get name, birthdate, and the MitID pseudonym (UUID), call the broker’s userinfo endpoint.
5a. HTTP Request node
- URL:
https://{domain}/oauth2/userinfo(e.g.https://jenskfinance-demo.test.idura.broker/oauth2/userinfo) - Method:
GET - Save response as:
Var1
5b. Headers — Power Fx Authorization
Headers and body → Edit. The Authorization value is a Power Fx expression, not a string literal:
| Header | Value | Notes |
|---|---|---|
Authorization | "Bearer " & System.User.AccessToken | Power Fx. The quotes around "Bearer " and the trailing space are required. |
Accept | application/json | Plain string. |
Body: No content. Timeout: 30000 ms. Error handling: Raise an error.
"Bearer " & System.User.AccessToken
5c. Response schema
Set Response data type to Record, then Edit schema and add the fields the userinfo endpoint returns:
| Field | Type | What it is |
|---|---|---|
name | String | Full name from MitID |
birthdate | String | YYYY-MM-DD |
dateofbirth | String | Duplicate of birthdate |
uuid | String | MitID person-pseudonym. ERP lookup key. |
sub | String | OIDC subject (per-application) |
cprNumberIdentifier | String | Empty unless you request the cpr scope |
country | String | DK |
identityscheme | String | mitid |
authenticationtype | String | Matches acr_values |
nameidentifier | String | Internal broker name id |
aud | String | Client ID (audience) |
iss | String | Idura issuer URL |
iat | Number | Issued-at (unix seconds) |
exp | Number | Expiry (unix seconds) |
Topic.Var1.name, Topic.Var1.birthdate, Topic.Var1.uuid are now available downstream.
Step 6 — Personalize the message
Final message node. Use the Insert variable menubar button. Typing {Topic.Var1.X} literally does not convert to chips (the editor is Draft.js).
Velkommen [Var1.name]Fødselsdato: [Var1.birthdate]MitID UUID: [Var1.uuid]Din seneste faktura (demo): 349,00 kr. forfalden 1. juni 2026. Status: Ubetalt.
Use one variation with Enter for line breaks. Shift+Enter creates a new variation (alternative phrasing), not a new line.
Save and publish.
Step 7 — Test
Create a MitID test user at https://pp.mitid.com (real MitID does not work against pre-prod) and pair it with the browser-based authenticator simulator. In the Test pane:
Hvornår har I åbent?→ FAQ answer, no login.vis min faktura→ pre-auth message + sign-in card → Login.- MitID login → enter test user → approve in simulator → validation code in chat.
The agent renders:
Velkommen Abelina Jørgensen
Fødselsdato: 1971-12-31
MitID UUID: 611f75de-e60d-4e52-87a0-3997d26c3350
Din seneste faktura (demo): 349,00 kr. forfalden 1. juni 2026. Status: Ubetalt.
Round-trip: about 20 seconds once the simulator is paired.
Which MitID Copilot Studio claim is the ERP lookup key?
uuid.
| Claim | Use as ERP lookup key? | Why |
|---|---|---|
uuid | Yes | MitID person-pseudonym. Stable across logins, unique per person, available without the cpr scope. Persist in your customer master. |
sub | No | Stable per broker-application. Rotates if you re-register the broker app. Session identifier only. |
cprNumberIdentifier | No | Empty unless you request the cpr scope, which needs a separate Danish CPR agreement. |
name, birthdate | No | Display only. Not unique. |
First login: look up uuid. If missing, run onboarding. Subsequent logins: direct lookup.
Production checklist for MitID Copilot Studio
- Sign a broker production agreement (Idura, Signicat, Nets eID, IN Groupe).
- Switch
acr_valuesto:substantial(or:highfor highly sensitive data). - Real backend that validates JWTs against the broker’s JWKS and maps
uuidto your internal customer ID. - Audit log every MitID-gated call.
- Privacy notice and consent text shown before the sign-in card.
- Remove all
:lowflows and pre-prod identities.
