Chatbot on WhatsApp and Telegram with Microsoft Copilot Studio (2025): an end-to-end guide to design, data, actions, publishing, security, and operations

What Copilot Studio is and how it fits WhatsApp and Telegram

Copilot Studio is Microsoft’s platform for building enterprise conversational agents with low code and governance. It enables:

• Answering grounded in connected, controlled sources (URLs, SharePoint/OneDrive, files, knowledge bases), citing content and avoiding speculative replies.
• Acting by connecting to APIs or flows to execute processes (tickets, bookings, status queries) with logging and traceability.
• Publishing to multiple channels, including WhatsApp and Telegram, each with its own policies and limits.

Channels and official requirements (WhatsApp/Telegram)

WhatsApp (via Azure Communication Services)

The WhatsApp channel in Copilot Studio uses Azure Communication Services (ACS) to connect the agent to the WhatsApp Business account and the configured number. It lets you initiate conversations using approved templates and reply freely within the 24-hour service window when the user messages first.

• 24-hour window: free-form replies are allowed as long as fewer than 24 hours have elapsed since the user’s last message. Outside that window, templates are required.
• Templates (HSM): required to initiate proactive conversations or re-open an expired thread. Common categories: utility/service (notifications), authentication (OTP), and marketing.
• Costs: Meta bills per “conversation” (24-hour window) and ACS per message. Plan for volume and mix (user-initiated vs. business-initiated).

Telegram (Telegram channel in Azure Bot Service)

The Telegram channel is configured by creating a bot with BotFather and pasting the token into the Azure Bot Service channel. The bot communicates through the Bot API (HTTPS) using webhooks or long polling.

• HTTPS/TLS webhooks (valid certificates and public domains).
• Typical rate limits: ~30 messages/s to different chats; ~1 message/s to the same chat; ~20/min to groups. Implement backoff and queues.
• Security: bots don’t use “secret chats” (E2E); traffic runs over HTTPS/TLS. Avoid sensitive data or apply strong minimization.

Chatbot design: objectives, intents, tone, and experience

WhatsApp and Telegram rely on micro-interactions: short questions and quick actions. Prioritize clarity, short steps, and replies with precise links. A practical sequence:

1. Define objectives with metrics (ticket reduction, conversion, response time).
2. Select high-impact intents (top-10 questions + 3 key flows: order, appointment, support).
3. Conversational UX: concise replies, buttons/lists supported by the channel, handoff to a human with context transfer.
4. Policies: data requested, languages, per-channel limits, retention, and consent.
5. KPIs: resolution rate, CTA clicks, p95 latency, cost per conversation/message.

Detailed agent creation in Copilot Studio

The process is broken down into: agent, knowledge, topics (intents), system messages, variables, actions, testing, and publishing. The clearer the agent “contract,” the more stable it will be in production.

1. New agent: clear name (Assistant-Customers), language (es-ES), environment (dev). Describe its exact scope (what it does and does not do).
2. Knowledge: create collections by domain (Shipping, Returns, Legal, Catalog) with URLs/SharePoint/OneDrive/PDF/DOCX/MD. Enable generative answers with priority to canonicals; specify not to answer if no reliable source exists.
3. Topics (intents): greeting, help, privacy, and fallback; business (order, return, appointment). Configure the “system message”: scope, tone, format (short with links), obligation to cite source when applicable, and policy for human handoff.
4. Variables: orderId, email, language, channel. Validations (regex) and helpful error messages.
5. Actions (see section): CheckOrder, CreateTicket, BookAppointment. Define input/output contracts and clear error handling.
6. Tests: at least 20 real questions and 5 edge cases per intent. Review grounding traces (sources), actions (latencies), and errors.
7. Pilot release: test site; promotion criteria: ≥80% resolution on focus intents and ≤5% answers without a valid source.

Preparing and governing knowledge (quality, versions, canonicals)

Agent accuracy depends on documentation hygiene. A single canonical source per topic reduces ambiguous answers and contradictions.

Curation and structure

• One “good” page/document per policy/process, with clear language and examples.
• Structure with H2/H3, tables, and lists; avoid images containing text without OCR.
• Metadata: owner, version, validity, category, and permanent link.
• “Work” library (drafts) and “Canonicals” (published). The agent points only to “Canonicals.”

Governance and lifecycle

• Monthly review of regulatory or business changes.
• Publish with version number and visible changelog.
• “Ready to index” checklist: spelling, broken links, validity, and examples.

Connect sources and APIs: SharePoint/OneDrive, web, databases, and services

For “live” data (order status, stock, appointment), the agent should query APIs with OAuth2 and log every invocation. For static knowledge, connect SharePoint/OneDrive libraries, web sections (FAQ/help), and CSV/JSON catalogs.

{ "openapi":"3.0.1", "info":{"title":"Orders API","version":"1.0"}, "paths":{"/orders/{id}":{"get":{"parameters":[{"name":"id","in":"path","required":true}]}}}, "components":{"securitySchemes":{"oauth2":{"type":"oauth2","flows":{"clientCredentials":{"tokenUrl":"https://idp/token","scopes":{"orders.read":"Read"}}}}}}, "security":[{"oauth2":["orders.read"]}] }

• Store secrets in Key Vault; least privilege and rotation.
• Define a minimal payload (only required fields) to reduce latency and risk.
• Retries with exponential backoff and realistic timeouts (e.g., 8–10 s).
• Correlation (conversation/action ID) for audit and diagnostics.

Advanced indexing: chunking, refresh, and quality control

The goal is for the agent to find the exact “section” and cite it correctly. To achieve this:

• Chunks of 500–1,500 words with descriptive headings.
• Split large PDFs by chapters or convert to HTML/Word with headings.
• Re-index upon publishing new versions; record the indexing date.
• Monitor “answers without source” and “outdated sources” and fix the corpus.

Actions and flows: design, authentication, errors, and traceability

Actions turn conversation into outcomes. Designing the contract well (input/output, errors, security) is key to reliability.

{ "action":"CheckOrder", "input":{"orderId":"ABC123"}, "output":{"status":"In transit","shipDate":"2025-11-06","tracking":"https://paq.ex/seg?ABC123"}, "errors":{"404":"Not found","503":"Service unavailable"} }

• Authentication: OAuth2 client credentials; tokens in Key Vault; minimal scopes.
• Errors: helpful messages and degradation paths (show partial status, open ticket).
• Traceability: correlation by conversation/action ID; logs with minimized PII.
• Resilience: queues and retries for critical actions; circuit breakers when the backend fails.

Publishing to WhatsApp with Azure Communication Services (extended step-by-step)

Copilot Studio includes a WhatsApp channel backed by ACS. The assistant links to an ACS resource, the WhatsApp Business account (WABA), and a number. Run this setup in a test environment first, then production.

Architecture summary

• Copilot Studio: orchestrates the agent (answers, grounding, actions).
• ACS WhatsApp: message delivery/reception, numbers, templates, and webhooks.
• WABA + number: registration, verification, and template categories.

Pre-checklist

• Agent published and tested on web (≥80% resolution on focus intents).
• ACS resource created with WhatsApp enabled.
• Verified WABA and ready number (avoid numbers with prior personal use).
• Essential templates drafted (service/utility, authentication, reminders) with well-defined variables.
• Privacy policy linked from messages when applicable.

Configuration in Copilot Studio

1. Open the agent → Channels → WhatsApp.
2. Select subscription, resource group, and ACS resource.
3. Assign the WhatsApp number associated with the WABA.
4. Define agent authentication: “No authentication” or “Authenticate manually” (Microsoft sign-in isn’t supported on this channel).
5. Deploy and test with the QR code generated by Copilot Studio to start the chat.

Templates: design and approval

• Use clear language consistent with the brand; avoid link shorteners unless essential.
• Typical categories: utility/service (reminders, confirmations), authentication (OTP), marketing (promotions).
• Watch approval rate and delivery rate; if they drop, review content and variables.

24-hour window and cadences

• If the user writes first, you have 24 hours to reply freely; after that, only with an approved template.
• For reactivations, define “neutral” templates (e.g., “There’s an update on your order {{1}}”).

Message types and UX

• Text, buttons (up to 3), lists, links, images, documents, and location (as available).
• Keep replies concise; one detail link for complex answers.
• Multilingual support: language variable (language) and template collection per language.

Webhooks and observability

• Configure ACS webhooks for events (delivered, read, failed).
• Log correlation with the conversation ID in Copilot and the message ID in ACS.
• Alerts for error spikes and drops in number quality.

Common errors and resolution

• Template rejected: review category, variables, and tone; comply with WhatsApp policy.
• Number blocked or low quality: excessive marketing or spam reports; reduce frequency and improve segmentation.
• Messages not delivered: check ACS credentials/roles and webhook validity.

Costs and control

• Meta bills per conversation (24 h) and ACS per message. Estimate the user/business-initiated mix to forecast spend.
• Tag campaigns and transactional traffic to measure ROI separately.
• Implement daily limits and burst protection.

Publishing to Telegram with Azure Bot Service (extended step-by-step)

Telegram integrates by creating a bot with BotFather, getting a token, and configuring the channel in Azure Bot Service. The bot talks via the Bot API (HTTPS) and can use webhooks (recommended for production) or long polling.

Pre-checklist

• Public domain with a valid TLS certificate (if using webhooks).
• Queues or backoff infrastructure to handle rate limits.
• Data policy and a “prohibited data” list (no sensitive PII).

Creation and configuration

1. In Telegram, open BotFather → /newbot → receive the token.
2. Azure Portal → Bot Service → Settings > Channels → Telegram → paste the token and apply.
3. Configure HTTPS webhook with a public URL and valid certificate (if applicable).
4. Test commands and menu. Enable inline mode if it adds value (quick searches in chat).

UX with Telegram

• Custom keyboards (context menus), inline keyboards, deep links (with parameters).
• Formats: text, images, documents, audio; varying size limits (optimize images/documents).
• Handoff to a human: publish an alias or link to a support channel/group when the agent lacks a reliable source.

Rate limits and robustness

• Typical thresholds: ~30 msg/s to different chats; ~1 msg/s to the same chat; ~20 msg/min to a group.
• Exponential backoff + retries with jitter; queue for campaigns.
• Monitor error codes and p95 latency.

Common errors and resolution

• 403/401: invalid token or permissions; regenerate with BotFather.
• Webhook unreachable: check DNS/TLS and firewalls.
• Flood control: implement queues and partitioned sends.

Security, GDPR, DLP, policies, and per-channel limits

• Least privilege on sources (the agent only sees what it needs); avoid “anyone with the link.”
• Privacy: minimize PII; inform and obtain consent where applicable; visible data policy in channels.
• DLP and labels: protect responses and prevent exfiltration; block sensitive patterns in outputs.
• Audit: monthly export of interactions and configuration changes; exception log with end date and owner.
• WhatsApp: comply with policy and template categories; respect the 24-hour window and terms (no “general assistants”).
• Telegram: assume HTTPS/TLS for bots (not E2E); avoid handling sensitive data on this channel.

Metrics, observability, and costs

Ongoing operations: roles, changes, runbooks, and SLOs

Minimum roles

• Product Owner: prioritizes use cases and validates value.
• Content Editor: maintains canonicals and metadata.
• Integrator: manages actions, credentials, and flows.
• Security/Compliance: DLP, audit, exceptions.
• Support: first line and human handoff.

Runbooks

• “WhatsApp template rejected/paused”: fixes and resubmission.
• “Action 5xx failure”: failover, retries, and graceful degradation.
• “Answer without source on critical intent”: refine corpus and re-index.
• “Unexpected cost increase”: review conversation mix and template content.

Reference SLOs

• Resolution ≥ 70% on focus intents.
• p95 latency ≤ 5 s with action.
• 0 exposed credentials and 0 exceptions without end date.

Prompt, flow, and QA templates

System message (base)

- Respond in Spanish (Spain), clearly and verifiably. - Prioritize collections: {Canonical-List}. - Cite document/URL where appropriate; don’t invent prices/dates. - Ask for minimal data (email/order). If sensitive, request consent. - If no reliable source is found in 2 turns, hand off to a human with context.

Flow “CheckOrder” (skeleton)

{ "flow":"CheckOrder", "input":{"orderId":"string"}, "steps":[ {"validate":{"orderId":{"pattern":"^[A-Z0-9]{6,}$","error":"Invalid ID"}}}, {"http":{"url":"https://api/orders/@{orderId}","method":"GET","timeout":"PT8S","retry":{"count":2,"policy":"exponential"}}}, {"switch":{"statusCode":{"200":[{"set":{"status":"@{body.status}","tracking":"@{body.tracking}"}}],"404":[{"return":{"error":"Not found"}}],"default":[{"return":{"error":"Unavailable"}}]}}}, {"return":{"text":"Status: @{status}. Tracking: @{tracking}"}} ] }

WhatsApp — reminder template (conceptual)

Category: Utility Content: Hello {{1}}, your appointment on {{2}} at {{3}} is confirmed. To reschedule, reply “CHANGE”. Variables: name, date, time

Templates must be approved by WhatsApp Business to be used outside the 24-hour window.

Test prompts (QA)

- “How do I return a damaged order?” (source: Returns v3.1) - “When will my order ABC123 arrive?” (action: CheckOrder) - “Shipping cost to the islands?” (source: Shipping-Policy v2.4) - “I need a pro forma invoice” (CTA to /billing)

Frequently asked questions

Official links

• Publish an agent to WhatsApp (Copilot Studio)
• WhatsApp in Azure Communication Services
• Connect a bot to Telegram (Azure Bot Service)
• Telegram Bot API (documentation)
• Telegram webhooks (HTTPS/TLS required)
• WhatsApp Business messaging policy
• Official WhatsApp template guidelines
• Per-conversation pricing (WhatsApp Business Platform)
• New: WhatsApp channel in Copilot Studio (release plan)

Conclusion and next steps

Taking a Copilot Studio agent to WhatsApp and Telegram combines three pillars: clean, canonical data, reliable actions with traceability, and disciplined operations with security and metrics. By following this guide, the client can design, connect, publish, and operate a chatbot on these channels with measurable results and policy compliance.