(For OAuth 2.0 and Microsoft Copilot Studio) Register Application on Microsoft Entra for AI Red Teaming

Table of Contents

Azure Entra ID and AI Red Teaming OAuth 2.0 Integration

(`For OAuth 2.0 and Microsoft Copilot Studio`) Register Application on Microsoft Entra for AI Red Teaming

Register your application in Microsoft Entra ID and configure OAuth 2.0 or Microsoft Copilot Studio authentication for AI Red Teaming to access and test protected resources.

Where Can I Use This?	What Do I Need?
Prisma AIRS (AI Red Teaming)	Prisma AIRS AI Red Teaming License Prisma AIRS AI Red Teaming Deployment Profile An Azure account with an active subscription Admin access to Microsoft Entra ID (to grant application permissions)

Configure secure and automated authentication between AI Red Teaming and Microsoft Entra ID to enable AI Red Teaming to access and test protected APIs or Microsoft Copilot Studio agents. By registering AI Red Teaming as a trusted application in Microsoft Entra ID, you can obtain the necessary authentication credentials including the client ID, tenant ID, and client secret. The process grants appropriate API permissions that allow AI Red Teaming to interact with target resources while configuring either the OAuth 2.0 client credentials flow or Microsoft Copilot Studio integration.

With this configuration, AI Red Teaming can authenticate and automatically obtain access tokens to perform security testing against OAuth 2.0-protected APIs or Microsoft Copilot Studio agents in your Azure environment.

Use this wokflow to register AI Red Teaming in Microsoft Entra ID.

Register an application in Microsoft Entra ID.
1. Log in to the Microsoft Entra admin center (entra.microsoft.com).
2. Navigate to Entra IDApp registrationsNew registration.
3. Enter a name (for example, airt-red-teaming).
4. In the Supported account types, select Accounts in this organizational directory only (single-tenant).
5. Configure Redirect URI.
  (For OAuth 2.0) Skip Redirect URI because it is not needed for client credentials.
  (For Microsoft Copilot Studio) Select platform as Web and add https://stratacloudmanager.paloaltonetworks.com/ai-security/red-teaming/targets/create as URI.
  
  While adding a target, Authenticate with Microsoft opens Microsoft login page. After you login, authorization code will be redirected to the above mentioned URI.
  The refresh token will be valid for 90 days from the time it is obtained.
6. Select Register.
7. Record the following from the Overview page:
  Application (client) ID—for example, 00001111-aaaa-2222-bbbb-3333cccc4444
  Directory (tenant) ID—for example, aaaabbbb-0000-cccc-1111-dddd2222eeee
Create a client secret.
1. In your app registration, navigate to Certificates & secretsClient secretsNew client secret.
2. Add a description and expiry.
3. Copy the secret Value immediately.
  
  The secret value is only shown once.
Add application API permissions.

Delegated scopes (user.read, email, openid, profile, offline_access) with grant_type=refresh_token will not work with AI Red Teaming. You must use Application permissions with grant_type=client_credentials and scope=<api>/.default.
1. Go to API permissionsAdd a permission.
2. Select the API your target uses (for example, Microsoft Graph or your own custom API).
  Select the APIs my organization uses.
  Search for Power Platform API.
  Add application API permissions.
3. Configure appropriate permissions.
  (For OAuth 2.0) Select Application permissions (not Delegated permissions) and select the required permissions.
  (For Microsoft Copilot Studio) In the Delegated permissions list, select CopilotStudio, enable the CopilotStudio.Copilots.Invoke, and then Add Permissions.
4. (Optional) Select Grant admin consent for <tenant>.
  
  This requires an administrator role.
(For OAuth 2.0 only) Verify the configuration with cURL.
```
curl -X POST \
                        'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token' \
                        -H 'Content-Type: application/x-www-form-urlencoded' \
                        -d 'grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&scope=<SCOPE>'
```
Replace the following values:
- <TENANT_ID>: Directory (tenant) ID from Step 1.
- <CLIENT_ID>: Application (client) ID from Step 1.
- <CLIENT_SECRET>: Client secret value from Step 2.
- <SCOPE>: API resource URI with /.default suffix. Scope format depends on what API your target protects (for example, api://<CLIENT_ID>/.default or https://graph.microsoft.com/.default). Check your Entra ID app's Expose an API blade for the correct Application ID URI.
Expected response:
{ "token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..." }

(For OAuth 2.0 only) Configure the authentication in the AI Red Teaming.

Set the following on your target, replacing the placeholder values with your specific tenant ID, client ID, client secret, and scope:

auth_type: OAUTH2
         auth_config: {
             "oauth2_token_url": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token",
             "oauth2_expiry_minutes": 60,
             "oauth2_headers": { 
               "Content-Type": "application/x-www-form-urlencoded" 
             },
             "oauth2_body_params": {
               "grant_type": "client_credentials",
               "client_id": "<CLIENT_ID>",
               "client_secret": "<CLIENT_SECRET>",
               "scope": "<SCOPE>"
              },
              "oauth2_token_response_key": "access_token",
              "oauth2_inject_header": { 
                "Authorization": "Bearer {TOKEN}" 
              }
            }

Networks Channels Management

Azure Entra ID and AI Red Teaming OAuth 2.0 Integration

Prisma AIRS Docs

(For OAuth 2.0 and Microsoft Copilot Studio) Register Application on Microsoft Entra for AI Red Teaming

Prisma AIRS Docs

(`For OAuth 2.0 and Microsoft Copilot Studio`) Register Application on Microsoft Entra for AI Red Teaming

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring