Microsoft 365 Copilot
Microsoft 365 Copilot is an AI-powered assistant that integrates with Microsoft 365 applications to enhance productivity and provide intelligent assistance. The Microsoft 365 Copilot connector enables integration with Microsoft 365 Copilot through external connections, allowing you to ingest external data sources to enhance Copilot's search and intelligent responses, making your organization's data accessible through Copilot's AI-powered interface.

Power end-to-end data operations for your Microsoft 365 Copilot API with Nexla. Our bi-directional Microsoft 365 Copilot connector is purpose-built for Microsoft 365 Copilot, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Microsoft 365 Copilot or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Microsoft 365 Copilot workflows fast, secure, and fully governed.
Features
Type: API
- Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
- Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
- API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
- Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
Prerequisites
Before creating a Microsoft 365 Copilot credential, you'll need to register an application in Azure Active Directory (Azure AD) and obtain OAuth 2.0 client credentials. Microsoft 365 Copilot uses Microsoft Graph API with OAuth 2.0 client credentials flow for authentication.
Azure Active Directory Setup
To obtain the required OAuth 2.0 credentials for Microsoft 365 Copilot:
-
Sign in to Azure Portal: Navigate to https://portal.azure.com/ and sign in with your Microsoft account. If you don't have an Azure account, you can create one by clicking Start free and following the registration process.
-
Access Azure Active Directory: In the Azure Portal, search for "Azure Active Directory" in the top search bar and select it from the results. Alternatively, navigate to Azure Active Directory from the Azure services menu.
-
Register a New Application: In the Azure Active Directory overview page, click App registrations in the left navigation menu, then click New registration.
-
Enter an application name (e.g., "Nexla Copilot Connector").
-
Select Accounts in this organizational directory only or the appropriate option based on your organization's requirements.
-
Leave the Redirect URI section empty for now, as client credentials flow doesn't require a redirect URI.
-
Click Register to create the application registration.
-
-
Note Application Details: After registration, you'll be taken to the application overview page. Copy and save the following values:
- Application (client) ID: This is your Client ID, which you'll need for authentication.
- Directory (tenant) ID: This is your Tenant ID, which identifies your Azure AD organization.
-
Create Client Secret:
-
In the application overview page, click Certificates & secrets in the left navigation menu.
-
Click New client secret under the Client secrets section.
-
Enter a description for the secret (e.g., "Nexla Copilot Integration").
-
Select an expiration period. For production use, consider using a longer expiration period and implementing a secret rotation process.
-
Click Add to create the client secret.
-
Important: Copy the Value of the client secret immediately. The secret value will not be shown again after you leave this page. Store it securely.
-
The Client ID, Tenant ID, and Client Secret are sensitive credentials that should be kept secure. Store them in a secure location, as you'll need them when creating the credential in Nexla. Never share these credentials publicly or commit them to version control systems.
-
Configure API Permissions:
-
In the application overview page, click API permissions in the left navigation menu under the Manage section.
-
Click Add a permission button to open the permission request panel.
-
In the Request API permissions panel, select Microsoft Graph from the list of available APIs. Microsoft Graph is the unified API endpoint for accessing Microsoft 365 services.
-
Select Application permissions (not Delegated permissions) since we're using OAuth 2.0 client credentials flow for server-to-server authentication. Application permissions allow the application to access resources on behalf of itself, rather than on behalf of a signed-in user.
-
In the search box, search for "External" to filter the permissions list. Select and add the following permissions:
ExternalConnection.ReadWrite.All- Grants full read and write access to all external connections in your organization. This permission is required for creating, updating, and managing external connections in Microsoft 365 Copilot.ExternalItem.ReadWrite.All- Grants full read and write access to all external items across all connections. This permission is required for ingesting, updating, and deleting items in external connections.
-
Click Add permissions at the bottom of the panel to add the selected permissions to your application.
-
Important: Click the Grant admin consent for [Your Organization] button next to the permissions you just added. This step requires Azure AD administrator privileges and grants consent for your application to use these permissions. Without admin consent, your application will not be able to access the Microsoft Graph External Connections API.
-
Admin consent is required for application permissions in Azure AD. If you don't have administrator privileges, you'll need to request an administrator to grant consent for the application permissions. Without admin consent, the application won't be able to access the Microsoft Graph API.
- Verify Permissions: After granting admin consent, verify that the permissions show a green checkmark with "Granted for [Your Organization]" status, indicating they've been granted consent. The status column should show "Granted" in green text. If you see "Not granted" or a warning icon, admin consent has not been successfully granted and you'll need to request an administrator to grant consent.
For complete information about Microsoft Graph API authentication and application registration, see the Microsoft Graph Authentication Documentation. For Microsoft 365 Copilot External Connections API details, see the Microsoft Graph External Connections API Documentation.
API Access Requirements
Microsoft 365 Copilot API access requires:
- Valid Azure AD Account: You must have an active Azure AD account with access to the Azure Portal
- Azure AD Application Registration: An application registered in Azure AD with the necessary permissions
- Client ID: The Application (client) ID from your Azure AD app registration
- Client Secret: A client secret value generated for your Azure AD application
- Tenant ID: The Directory (tenant) ID of your Azure AD organization
- Admin Consent: Application permissions must be granted admin consent by an Azure AD administrator
- Required Permissions:
ExternalConnection.ReadWrite.AllandExternalItem.ReadWrite.All(or equivalent permissions)
The Microsoft 365 Copilot API uses OAuth 2.0 client credentials flow for authentication, which is suitable for server-to-server authentication scenarios. Nexla handles the token acquisition and refresh automatically when you provide your client credentials.
Authenticate
Credentials required
OAuth2 client credentials (2-legged) authentication for Microsoft Graph External Connections API.
| Field | Required | Secret | Description |
|---|---|---|---|
| Client ID | Yes | No | The Application (Client) ID from your Azure AD app registration, used to authenticate your application with Microsoft Graph External Connections API. |
| Client Secret | Yes | Yes | The confidential client secret value generated for your Azure AD application, enabling secure authentication to the Microsoft Graph External Connections API. |
| Tenant ID | Yes | No | The Azure Active Directory tenant (directory) ID where your application is registered, identifying your organization's Microsoft 365 environment. |
| API Version | Yes | No | Microsoft Graph API version (e.g. v1.0 or beta). Allowed values: v1.0 (Stable); beta (Preview) |
| Base URL | Yes | No | Base URL for Microsoft Graph API. |
Create a credential in Nexla
- After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
New Credential Overlay – Microsoft 365 Copilot

-
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
-
Enter your Azure AD Application (client) ID in the Client ID field. This unique identifier authenticates your application with Microsoft Graph API. You can find this value in your Azure AD app registration overview page.
-
Enter your Azure AD client secret value in the Client Secret field. This confidential key is used to securely authenticate your application during API requests. The client secret is obtained from the Certificates & secrets section of your Azure AD app registration.
-
Enter your Azure AD Directory (tenant) ID in the Tenant ID field. This identifier specifies your Azure AD organization and is used to construct the token endpoint URL. You can find this value in your Azure AD app registration overview page.
-
Select the Microsoft Graph API version in the API Version field. Use
v1.0for stable, production-ready APIs, orbetafor preview features and the latest capabilities. The default value isv1.0. -
Confirm the Base URL field. The default value
https://graph.microsoft.comis the standard base URL for Microsoft Graph API requests and should be left unchanged unless directed otherwise.
The Client ID, Client Secret, and Tenant ID are sensitive information that should be kept secure. Nexla will store these credentials securely and use them only for API authentication purposes. Ensure your Azure AD application has the necessary permissions (ExternalConnection.ReadWrite.All and ExternalItem.ReadWrite.All) and that admin consent has been granted for these permissions.
- Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.
Use as a data source
The Microsoft 365 Copilot connector enables you to interact with the Microsoft Graph External Connections API to retrieve information about external connections, schemas, and items that have been ingested into Copilot — useful for monitoring external connection status, verifying ingested data, analyzing connection metadata, or auditing what data has been made available to Copilot users. To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Microsoft 365 Copilot connector tile, then select the credential that will be used to connect to the Microsoft 365 Copilot instance, and click Next; or, create a new Microsoft 365 Copilot credential for use in this flow.
Manual configuration
Microsoft 365 Copilot sources are configured entirely through the Advanced tab, since Microsoft 365 Copilot does not expose pre-built endpoint templates for data sources. Select the method that will be used for calls to the Microsoft 365 Copilot API from the Method pulldown menu, then enter the URL of the Microsoft Graph External Connections API endpoint from which this source will fetch data in the Set API URL field. Microsoft Graph API endpoints typically follow the pattern https://graph.microsoft.com/v1.0/external/connections (or /beta/... for preview features). Follow the instructions in Connect to Any API to configure date/time and lookup macros, path to data, metadata, and request headers.
Microsoft Graph API list responses wrap the returned records in a top-level value array, so the path to data for most endpoints is $.value[*]. The Authorization header (OAuth 2.0 Bearer token) is handled automatically by Nexla based on your credential configuration and does not need to be added as a request header.
Once all of the relevant settings have been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched, and click the Create button in the upper right corner of the screen to save and create the new Microsoft 365 Copilot data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.
Use as a destination
Click the + icon on the Nexset that will be sent to the Microsoft 365 Copilot destination, and select the Send to Destination option from the menu. Select the Microsoft 365 Copilot connector from the list of available destination connectors, then select the credential that will be used to connect to the Microsoft 365 Copilot organization, and click Next; or, create a new Microsoft 365 Copilot credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Microsoft 365 Copilot endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Manual configuration
Microsoft 365 Copilot destinations can also be manually configured to send data to any valid Microsoft Graph External Connections API endpoint. Using manual configuration, you can also configure Nexla to automatically send the response received from the Microsoft 365 Copilot API after each call to a new Nexla webhook data source. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, attribute exclusions, record batching, and response webhooks.
Microsoft Graph API endpoints typically follow the pattern https://graph.microsoft.com/v1.0/external/connections/{connectionId}/items/{itemId} (or /beta/... for preview features); for update/upsert operations, include the ID of the object to be updated at the end of the URL. Microsoft Graph API typically expects JSON for request bodies. The Authorization header (OAuth 2.0 Bearer token) is handled automatically by Nexla based on your credential configuration and does not need to be added as a request header.
Save & activate
Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To send the data to the configured Microsoft 365 Copilot external connection, open the destination resource menu, and select Activate.
The Nexset data will not be sent to the Microsoft 365 Copilot external connection until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.