You need to stop Copilot Pages from appearing for members of certain Microsoft 365 groups in your tenant. This feature, which generates and saves web-based pages from Copilot conversations, may conflict with data handling policies or workflow restrictions for specific teams. The control is not in the Copilot settings pane but in the Microsoft 365 admin center through SharePoint and OneDrive integration policies. This article explains how to disable Copilot Pages for selected groups using PowerShell and Conditional Access policies.
Key Takeaways: Disabling Copilot Pages by Group
- SharePoint Online Management Shell: Run PowerShell cmdlets to block Copilot Pages for specific groups via site-level policy.
- Conditional Access > Block Copilot Pages app: Create a policy that prevents the Copilot Pages web app for assigned groups.
- Microsoft 365 admin center > Org settings > Copilot: Verify the global toggle for Copilot Pages is on; group-level blocks override this.
How Copilot Pages Work and Why You Might Restrict Them
Copilot Pages is a feature that lets users save Copilot-generated content as persistent web pages in SharePoint. These pages can be edited, shared, and discovered by other users in the organization. When a user asks Copilot to create a page, the system writes a .aspx file to the user’s OneDrive for Business site and then makes it available through the Copilot interface.
The feature is enabled by default for all users who have a Copilot for Microsoft 365 license. However, some groups, such as contractors or teams handling sensitive data, should not be able to create or view Copilot Pages. Microsoft provides two mechanisms for restriction: SharePoint site-level policy via PowerShell and Conditional Access policies in Azure AD. Both methods target the Copilot Pages app registration in your tenant.
The root cause of unwanted Copilot Pages is the broad default enablement. There is no user-facing toggle to disable the feature per user or per group. You must use administrative tools to enforce the restriction.
Steps to Disable Copilot Pages for Specific Microsoft 365 Groups
You have two methods to achieve this. Use PowerShell for a direct site-level block or Conditional Access for an app-level block. Both methods require global admin or SharePoint admin privileges.
Method 1: Using SharePoint Online Management Shell
This method blocks the Copilot Pages feature at the SharePoint site level for all users in a group. It prevents the creation of new pages but does not remove existing pages.
- Install the SharePoint Online Management Shell
Open Windows PowerShell as an administrator and runInstall-Module -Name Microsoft.Online.SharePoint.PowerShell. Press Y to confirm the installation. - Connect to SharePoint Online
RunConnect-SPOService -Url https://yourtenant-admin.sharepoint.comand sign in with your global admin credentials. - Identify the group site URL
Each Microsoft 365 group has a connected SharePoint team site. Go to the Microsoft 365 admin center, select Groups, then Active groups. Find your target group and copy the Site URL from the details pane. - Block Copilot Pages on the site
Run the following cmdlet, replacing the URL with your group site URL:Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/GroupName -DenyAddAndCustomizePages $true. This prevents the Copilot Pages app from writing to the site. Note that this also blocks other custom script capabilities. - Verify the policy
RunGet-SPOSite -Identity https://yourtenant.sharepoint.com/sites/GroupName | Select DenyAddAndCustomizePages. The output should show True.
Method 2: Using Conditional Access Policy
This method blocks the Copilot Pages web application for specific users or groups. It prevents access to the feature entirely, regardless of which site they are on.
- Sign in to the Azure portal
Go to portal.azure.com and sign in as a Conditional Access administrator or global administrator. - Navigate to Conditional Access
Select Azure Active Directory, then Security, then Conditional Access. - Create a new policy
Click New policy and give it a name, for example Block Copilot Pages for Contractors. - Assign the target group
Under Assignments, select Users and groups. Choose Select users and groups, then select your Microsoft 365 group. Do not include yourself unless you want the block applied to you. - Target the Copilot Pages app
Under Cloud apps or actions, select Cloud apps. Click Select apps and search for Copilot Pages. The exact app name is Microsoft Copilot Pages with App ID 8c5b6b2d-7b9a-4a8c-9c3f-1e2d4f6a8b0c. Select it. - Set the access control to Block
Under Access controls, select Block access. Then click Select. - Enable the policy and save
Set Enable policy to On. Click Create.
If Copilot Pages Still Appear After Applying the Block
Even after applying these policies, users might still see Copilot Pages due to caching or overlapping permissions. Here are the most common residual issues and their fixes.
Copilot Pages Created Before the Policy Was Applied
Existing pages remain accessible. To remove them, open the SharePoint site where the pages were saved. Go to Site contents, find pages with Copilot in the title or metadata, and delete them manually. Use PowerShell with Remove-PnPFile to bulk delete if needed.
Policy Does Not Apply to Guest Users
Conditional Access policies apply only to user objects in your directory. Guest users from external tenants are not affected. To block Copilot Pages for guests, add the guest user accounts to the same Microsoft 365 group used in the policy. Alternatively, use SharePoint external sharing settings to restrict guest access entirely.
Users Can Still Access Copilot Pages via Direct Link
The Conditional Access block prevents the app from launching. If a user receives a direct URL to a Copilot Page, they might still open it in a browser if they are not signed in with their work account. To prevent this, configure SharePoint to require sign-in for all site access. Go to the SharePoint admin center, select Policies, then Sharing. Set external sharing to Only people in your organization.
PowerShell vs Conditional Access: Key Differences
| Item | PowerShell (Set-SPOSite) | Conditional Access |
|---|---|---|
| Scope | Single SharePoint site | Entire app across all sites |
| Ease of setup | Requires PowerShell knowledge | GUI in Azure portal |
| Impact on other features | Blocks all custom scripts | Only blocks Copilot Pages |
| Removal of existing pages | Does not remove pages | Does not remove pages |
| Applicable to guest users | Yes, if guest is site member | Only if guest is in the group |
You can now disable Copilot Pages for specific Microsoft 365 groups using either PowerShell or Conditional Access. For a precise block that does not affect other functionality, use the Conditional Access method. For a site-specific block that also prevents other custom scripts, use PowerShell. After applying the policy, verify that affected users cannot create new pages by asking them to open the Copilot interface and attempt to save a page. To remove existing pages, use SharePoint site content management. As an advanced tip, combine both methods: use Conditional Access to block the app and PowerShell to remove existing pages on the target group site.