Prisma AIRS
(For OAuth 2.0 and Microsoft Copilot Studio) Register Application on Microsoft Entra for AI Red Teaming
Register your application in Microsoft Entra ID and configure OAuth 2.0 or Microsoft Copilot Studio authentication so that AI Red Teaming can access and test protected resources.
Configure secure and automated authentication between AI Red Teaming and Microsoft Entra ID so that AI Red Teaming can access and test protected APIs or Microsoft Copilot Studio agents. By registering AI Red Teaming as a trusted application in Microsoft Entra ID, you obtain the required authentication credentials: the client ID, the tenant ID, and a client secret. The process grants the API permissions that allow AI Red Teaming to interact with target resources, and configures either the OAuth 2.0 client credentials flow or the Microsoft Copilot Studio integration.

With this configuration, AI Red Teaming can authenticate and automatically obtain access tokens to perform security testing against OAuth 2.0-protected APIs or Microsoft Copilot Studio agents in your Azure environment.

Use this workflow to register AI Red Teaming in Microsoft Entra ID.
1. Register an application in Microsoft Entra ID.
   - Log in to the Microsoft Entra admin center (entra.microsoft.com).
   - Navigate to Entra ID > App registrations > New registration.
   - Enter a name (for example, airt-red-teaming).
   - In Supported account types, select Accounts in this organizational directory only (single-tenant).
   - Configure the Redirect URI:
     - (For OAuth 2.0) Skip the Redirect URI because it is not needed for the client credentials flow.
     - (For Microsoft Copilot Studio) Select Web as the platform and add https://stratacloudmanager.paloaltonetworks.com/ai-security/red-teaming/targets/create as the URI. While adding a target, Authenticate with Microsoft opens the Microsoft login page. After you log in, the authorization code is redirected to the URI above. The refresh token is valid for 90 days from the time it is obtained.
   - Select Register.
   - Record the following from the Overview page:
     - Application (client) ID, for example, 00001111-aaaa-2222-bbbb-3333cccc4444
     - Directory (tenant) ID, for example, aaaabbbb-0000-cccc-1111-dddd2222eeee
2. Create a client secret.
   - In your app registration, navigate to Certificates & secrets > Client secrets > New client secret.
   - Add a description and an expiry.
   - Copy the secret Value immediately. The secret value is shown only once.
3. Add application API permissions.
   Delegated scopes (user.read, email, openid, profile, offline_access) with grant_type=refresh_token will not work with AI Red Teaming. You must use Application permissions with grant_type=client_credentials and scope=<api>/.default.
   - Go to API permissions > Add a permission.
   - Select the API your target uses (for example, Microsoft Graph or your own custom API):
     - Select APIs my organization uses.
     - Search for Power Platform API.
     - Add application API permissions.
   - Configure the appropriate permissions:
     - (For OAuth 2.0) Select Application permissions (not Delegated permissions) and select the required permissions.
     - (For Microsoft Copilot Studio) In the Delegated permissions list, select CopilotStudio, enable CopilotStudio.Copilots.Invoke, and then select Add permissions.
   - (Optional) Select Grant admin consent for <tenant>. This requires an administrator role.
4. (For OAuth 2.0 only) Verify the configuration with cURL.

```shell
curl -X POST \
  'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&scope=<SCOPE>'
```

   Replace the following values:
   - <TENANT_ID>: Directory (tenant) ID from Step 1.
   - <CLIENT_ID>: Application (client) ID from Step 1.
   - <CLIENT_SECRET>: Client secret value from Step 2.
   - <SCOPE>: API resource URI with the /.default suffix. The scope format depends on which API your target protects (for example, api://<CLIENT_ID>/.default or https://graph.microsoft.com/.default). Check the Expose an API blade of your Entra ID app for the correct Application ID URI.
   Expected response:

```json
{
  "token_type": "Bearer",
  "expires_in": 3599,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
}
```

5. (For OAuth 2.0 only) Configure the authentication in AI Red Teaming.
   Set the following on your target, replacing the placeholder values with your tenant ID, client ID, client secret, and scope:

```
auth_type: OAUTH2
auth_config: {
  "oauth2_token_url": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token",
  "oauth2_expiry_minutes": 60,
  "oauth2_headers": { "Content-Type": "application/x-www-form-urlencoded" },
  "oauth2_body_params": {
    "grant_type": "client_credentials",
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>",
    "scope": "<SCOPE>"
  },
  "oauth2_token_response_key": "access_token",
  "oauth2_inject_header": { "Authorization": "Bearer {TOKEN}" }
}
```
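The following Python module is an added example, not Prisma AIRS or Microsoft code, that shows what the auth_config fields in Step 5 drive at runtime: a client-credentials token request built from oauth2_token_url, oauth2_headers and oauth2_body_params, caching for oauth2_expiry_minutes (bounded by the server's expires_in), and injection of the token through the {TOKEN} placeholder in oauth2_inject_header. It also adds the check a practitioner would run after the cURL verification in Step 4, tied to the note in Step 3: the token's aud must match the resource named in the scope, and it must carry application permissions (the roles claim in an Entra v2.0 access token) rather than delegated scopes (the scp claim). Assumptions: the HTTP transport is injected so the demo runs offline against a constructed stub endpoint; TokenProvider, resource_from_scope, check_app_permissions and make_unsigned_jwt are names chosen here; all tenant, client, secret and role values are placeholders.

```python
"""Client-credentials token handling driven by an auth_config like the one above.

Added example, not Prisma AIRS or Microsoft code. Assumes an injectable HTTP
transport (the demo runs offline against a stub), placeholder config values, and
Entra v2.0 tokens with application permissions in `roles` and delegated scopes in `scp`.
"""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed config mirroring the page's auth_config fields (placeholder values).
AUTH_CONFIG = {
    "oauth2_token_url": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token",
    "oauth2_expiry_minutes": 60,
    "oauth2_headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "oauth2_body_params": {
        "grant_type": "client_credentials",
        "client_id": "<CLIENT_ID>",
        "client_secret": "<CLIENT_SECRET>",
        "scope": "api://<CLIENT_ID>/.default",
    },
    "oauth2_token_response_key": "access_token",
    "oauth2_inject_header": {"Authorization": "Bearer {TOKEN}"},
}


def http_post_form(url, headers, form):
    """Real transport: POST a form-encoded body and parse the JSON reply."""
    req = Request(url, data=urlencode(form).encode(), headers=headers, method="POST")
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


class TokenProvider:
    """Obtains a token per auth_config and caches it until it is about to expire."""

    def __init__(self, config, post=http_post_form, now=time.time):
        self.cfg, self.post, self.now = config, post, now
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token and self.now() < self._expires_at:
            return self._token
        body = self.post(self.cfg["oauth2_token_url"], self.cfg["oauth2_headers"],
                         self.cfg["oauth2_body_params"])
        self._token = body[self.cfg["oauth2_token_response_key"]]
        # Honour the shorter of the configured lifetime and the server's expires_in,
        # and refresh a minute early so no request carries an expired token.
        ttl = min(self.cfg["oauth2_expiry_minutes"] * 60, body.get("expires_in", 10**9))
        self._expires_at = self.now() + max(ttl - 60, 0)
        return self._token

    def headers(self):
        """Headers to inject into each target request, with {TOKEN} replaced."""
        return {k: v.replace("{TOKEN}", self.token())
                for k, v in self.cfg["oauth2_inject_header"].items()}


def resource_from_scope(scope):
    """'api://<id>/.default' -> 'api://<id>', the audience a custom API's token carries."""
    return scope[:-len("/.default")] if scope.endswith("/.default") else scope


def jwt_claims(token):
    """Decode the JWT payload for inspection only; this does not verify the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_app_permissions(token, expected_audiences):
    """Return (ok, reason); ok only for an application-permission token for the expected resource."""
    claims = jwt_claims(token)
    if claims.get("aud") not in expected_audiences:
        return False, f"audience {claims.get('aud')!r} is not one of {sorted(expected_audiences)}"
    if "scp" in claims:
        return False, "token carries delegated scopes (scp); grant Application permissions instead"
    if not claims.get("roles"):
        return False, "token has no roles; grant Application permissions and admin consent"
    return True, "application token with roles: " + ", ".join(claims["roles"])


def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT used only to exercise the checks offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Offline demo: a stub token endpoint standing in for login.microsoftonline.com.
    def stub_post(url, headers, form):
        aud = resource_from_scope(form["scope"])
        return {"token_type": "Bearer", "expires_in": 3599,
                "access_token": make_unsigned_jwt({"aud": aud, "roles": ["Target.Test"]})}

    provider = TokenProvider(AUTH_CONFIG, post=stub_post)
    print(provider.headers())
    expected = {resource_from_scope(AUTH_CONFIG["oauth2_body_params"]["scope"])}
    print(check_app_permissions(provider.token(), expected))
```

To run the check against a real token, paste the access_token from the cURL response into check_app_permissions with the set of audiences you expect. For a custom API that is the Application ID URI from the Expose an API blade; for first-party resources such as Microsoft Graph the aud may be the resource's application ID rather than its URI, which is why the function accepts a set. A token whose claims include scp but no roles is the delegated-permission case the note in Step 3 says will not work, and the reason string points at the fix.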