Running SAP Applications on the Microsoft Platform

Enhancing Copilot Studio Extensions for SAP by using Adaptive Cards and Principal Propagation

noopuravaishnav
Jul 22, 2024

The previous blog explored SAP connectivity from Copilot Studio and Power Platform. Let’s now look at an enhanced version of the scenario highlighted there.

Let’s say you are a salesperson who realizes that a material in a sales order is not available, and you want to help replace the unavailable item for the customer using a Copilot. You then try to do the following:

  1. You ask the Copilot to help look through all the materials in the SAP system and find the best replacement.
  2. You get a suitable replacement suggestion from Copilot and try to access material stock information for that material. However, as a salesperson, you are not able to access that information because you do not have the right authorization to do so in the SAP system.
  3. You message your colleague who does have the authorization to check material stock information for you. The colleague checks the stock information and informs you that the material is in stock.
  4. You then decide to update the sales order with the new material and remove the old material from the sales order.

Here is a video which demonstrates the scenario and how it has been enhanced from the previous blog. 

 

 

As you can see from the video, the scenario is possible and has been enhanced from the one in the previous blog with two additional Power Platform and Copilot Studio capabilities:

  • Adaptive cards
  • Authorization / Principal Propagation

 

Adaptive cards: 

Information returned by chatbots shouldn’t be limited to looking only as good as the UI of the platform you deploy the bot on. It is more interactive, and more personal to your brand, to choose how users interact with the bot you created. This is where adaptive cards are a game changer.

Adaptive cards in Copilot Studio allow you to add interactive snippets of content, such as text, graphics, and buttons, to enhance conversation experiences with Copilots. You can read more about them here.

Here are some examples in the above scenario where adaptive cards were used:

1) To display the adaptive card with information from the SAP system in a digestible and visually appealing format with the SAP logo to show the information is from the SAP system.

 

2) To create a form-like input while modifying the sales order to provide an easy way to get information from the user with the SAP logo to show the change will be made to the SAP system.

To create and modify adaptive cards in the Copilot Studio, you can add an adaptive card either to a question or the message as shown below.

 

 

You can then modify the code in JSON (as shown below) to make it look the way you want and add URLs for the images/logos you would like to show. You can also use the adaptive card designer to get a better idea of the elements you can make use of. The code for the adaptive cards used in the scenario is on the GitHub Repo.

 

 

 

 

Principal Propagation for Authorization: 

Principal propagation ensures that a user’s identity is securely passed from one system to another, allowing for proper authorization and access control. It plays a crucial role in maintaining security and seamless user experiences across different systems.

In this case, it ensures that an M365 user has the right access to the SAP system to access information without having to log in with their SAP credentials. Here is an outline of the steps to implement this:

 

  1. Set Up Microsoft Entra ID: Entra ID serves as the central identity provider for your applications. It manages user identities, authentication, and access control. When a user logs in, Entra ID validates their credentials and issues tokens (such as JWT) that represent their identity. 

  2. Configure Azure API Management (APIM): APIM acts as a gateway for APIs, managing their exposure, security, and policies. It handles requests from clients and routes them to the appropriate backend services. In APIM, you configure Entra ID authentication for your APIs. When a client makes a request, APIM validates the token with Entra ID to ensure the user’s identity. Additionally, APIM forwards requests to the backend system (e.g., SAP) based on the API configuration, including features like caching and rate limiting.

  3. Flow of Principal Propagation:

    1. User requests an APIM endpoint.
    2. APIM validates the user’s token with Entra ID.
    3. If valid, APIM extracts the user’s identity.
    4. APIM forwards the request to SAP with the user’s identity.
    5. SAP uses this identity for authorization. SAP accepts only tokens it issued itself, so we need to interact with its identity provider.
  4. Integrating with Power Platform: You can create a custom connector in Power Platform that calls the APIM API. This allows you to seamlessly incorporate principal propagation into your Power Automate flow. You can read more about creating custom connectors here.
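
The flow in step 3, modelled end to end as an added example (not code from the original post or the linked repo). It is a simplified stand-in: tokens are HMAC-signed `body.signature` strings rather than real Entra ID JWTs, and the keys, audience, user names and role table are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys. Real Entra ID tokens are asymmetrically signed JWTs;
# HMAC stands in here so the example runs offline.
ENTRA_KEY, SAP_KEY = b"entra-demo-key", b"sap-demo-key"
AUDIENCE = "api://sap-apim-demo"  # hypothetical app ID URI of the APIM API
# Constructed table: SAP authorizations held by each propagated user.
SAP_ROLES = {"sales@contoso.example": {"sales_order"},
             "stock@contoso.example": {"sales_order", "material_stock"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token: str, key: bytes, iss: str, aud: str) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all pass."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (claims.get("iss") != iss or claims.get("aud") != aud
            or claims.get("exp", 0) <= time.time()):
        raise PermissionError("wrong issuer or audience, or token expired")
    return claims

def entra_login(upn: str, aud: str = AUDIENCE) -> str:
    """Stand-in for Entra ID issuing a token for the signed-in M365 user."""
    return sign({"iss": "entra", "aud": aud, "upn": upn,
                 "exp": time.time() + 300}, ENTRA_KEY)

def apim_gateway(entra_token: str) -> str:
    """Steps 2-4: validate the token, extract the user, get a SAP-issued token."""
    user = verify(entra_token, ENTRA_KEY, "entra", AUDIENCE)["upn"]
    # Stand-in for the exchange with SAP's own token issuer.
    return sign({"iss": "sap", "aud": "sap-odata", "sub": user,
                 "exp": time.time() + 300}, SAP_KEY)

def sap_backend(token: str, needed_role: str) -> str:
    """Step 5: accept only SAP-issued tokens, then authorize the propagated user."""
    user = verify(token, SAP_KEY, "sap", "sap-odata")["sub"]
    return "allowed" if needed_role in SAP_ROLES.get(user, set()) else "forbidden"
```

Because the user's identity travels with the request, the salesperson and the colleague from the scenario get different answers from the same endpoint, and an Entra ID token presented directly to the backend is rejected.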

Here are resources that discuss Principal Propagation and the steps associated with its implementation in detail:

Principal propagation in a multi-cloud solution between Microsoft Azure and SAP, Part I: Building the foundation

Configure SAP Principal Propagation with AAD and SAP OAuth server

 

To learn more about how to implement this new version of the scenario visit the GitHub repo that has detailed instructions as well as Power Automate flows you can readily import to your environment. 

Updated Jul 23, 2024
Version 3.0