emma_s
Databricks Employee

So I think I see the issue now: Shared agents in Copilot Studio (Teams/M365) using pre-configured connections (either OAuth or service principal) do not successfully flow user identity to downstream resources for users other than the creator; only the agent owner or users who manually create their own connections can interact with the agent as intended. This is due to how the identity/authentication delegation works in Microsoft Power Platform and Copilot Studio.

This is why it works when they set up the connection themselves but not when they try to use the one you created. The workaround, other than setting it up themselves, would be to set it up using a service principal instead. This means the service principal's permissions would be used by all users.
SPs are machine-to-machine identities that are not associated with any specific end user. When you share an agent configured to use an SP, all users interact with the Databricks backend as the SP—not as themselves. This means user-level governance, auditing, or personalized data access cannot be enforced beyond what the SP has been granted.

But bear in mind that if you take this approach, you won't be using the individual users' permissions on the Genie, so granular access control won't apply. It will be based on the service principal's permissions.