You want to restrict which Microsoft 365 groups and teams Copilot can access based on a user’s role or project membership. Without entitlement management packages, Copilot can surface data from any Microsoft Graph source the user has access to, which may include content outside their current project scope. Entitlement management packages let you bundle specific groups, sites, and apps and assign them to users through an access review workflow. This article walks through the steps to create an entitlement management package and connect it to Copilot so that its responses stay within the boundaries you define.
Key Takeaways: Entitlement Packages for Copilot Data Scoping
- Azure AD > Identity Governance > Entitlement Management > Catalogs: Create a catalog to group related resources for a project or department.
- Catalog > Access Packages > New access package: Define the package with roles, resources, and an access review policy.
- Copilot admin center > Data sources > Connected sources: Add the entitlement management package as a data source so Copilot respects its scope.
What Entitlement Management Packages Do for Copilot
Entitlement management is part of Microsoft Entra ID Governance. An entitlement management package is a container of resources — Microsoft 365 groups, SharePoint Online sites, Teams, and Azure AD roles — that you assign to users through a request-and-approval workflow. When you link a package to Copilot, Copilot can only retrieve and generate content from the resources inside that package for users who are assigned to it.
This setup is useful for scenarios such as a legal team that should only see case-specific documents, a product launch team that needs access to launch-related content, or a contractor who should only see data from a single project. Without entitlement management packages, you would need to manually manage group memberships and SharePoint permissions across many objects.
Prerequisites for This Setup
Before you start, confirm the following requirements:
- You have a Microsoft Entra ID P2 license (included in Microsoft 365 E5 or as an add-on).
- You have the Global Administrator or Identity Governance Administrator role in Azure AD.
- Copilot for Microsoft 365 is enabled in your tenant.
- The resources you plan to add to the package — groups, sites, or apps — already exist in your tenant.
Steps to Create an Entitlement Management Package for Copilot
Follow these steps to create a catalog, build a package, and connect it to Copilot.
- Sign in to the Microsoft Entra admin center
Open a browser and go to https://entra.microsoft.com. Sign in with an account that has the Global Administrator or Identity Governance Administrator role.
- Navigate to Identity Governance > Entitlement Management
In the left navigation, select Identity Governance, then select Entitlement Management. This opens the management blade for access packages and catalogs.
- Create a new catalog
Under the Manage section, select Catalogs. Select + New catalog. Enter a name such as Product Launch 2025 Resources and a description. Set Enabled for external users to No unless you need to assign the package to external collaborators. Select Create.
- Open the catalog and add resources
Select the catalog you just created. Under the Manage section, select Resources. Select + Add resources. Choose the type of resource — Groups and Teams, Applications, or SharePoint sites. Select the specific groups, Teams, or SharePoint sites that should be part of this package. Select Add.
- Create an access package inside the catalog
In the catalog, select Access packages, then select + New access package. Give the package a name such as Launch Team Data Scope. In the Resource roles tab, select the resources you added earlier and assign the appropriate role for each — for a group, choose Member; for a SharePoint site, choose Site Contributor or Site Reader. Select Next.
- Configure requests and approvals
In the Requests tab, choose For users in your directory. Under Approval, select Require approval and choose one or more approvers. In the Access reviews tab, set a review frequency — for example, every 90 days — so that unused assignments are automatically removed. Select Next.
- Set the lifecycle and create the package
In the Lifecycle tab, set an expiration date for assignments if needed. Leave the default settings for Access review settings. Review the configuration and select Create. The package appears in the list of access packages.
- Assign the package to a test user
Select the access package you created. Under Manage, select Assignments. Select + New assignment. Choose a user, select the package, and set the assignment duration. Select Create. The user receives a notification and must approve the request if you configured approval.
- Connect the package to Copilot as a data source
Open the Copilot admin center at https://admin.cloud.microsoft.com/. In the left navigation, select Data sources. Select + Add data source. Choose Entitlement management package from the list. Select the catalog and then the access package you created. Select Add. Copilot now uses this package to scope its responses for assigned users.
Common Issues After Setting Up Entitlement Packages for Copilot
Copilot Returns Data From Outside the Package
If Copilot still shows content from resources not in the package, verify that the user has no direct membership in other groups or SharePoint sites that contain similar content. Entitlement management packages add resources to a user but do not remove existing permissions. To enforce strict scoping, remove the user from any groups or sites that are not part of the package. Use Azure AD dynamic groups or PowerShell scripts to audit and clean up existing memberships.
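The membership audit described above, as an added example that is not part of the original article: it compares a user's group memberships with the groups an access package grants and lists the extras. The JSON inputs are constructed samples shaped like Microsoft Graph v1.0 responses; the function name Get-OutOfPackageGroup, the IDs, and the contoso.example URL are hypothetical.

```powershell
# CONSTRUCTED sample data. Assumed live sources: GET /users/{id}/transitiveMemberOf and
# GET /identityGovernance/entitlementManagement/accessPackages/{id}?$expand=resourceRoleScopes($expand=role,scope)
$memberOfJson = @'
{ "value": [
  { "@odata.type": "#microsoft.graph.group", "id": "11111111-0000-0000-0000-000000000001", "displayName": "Launch Team", "groupTypes": ["Unified"] },
  { "@odata.type": "#microsoft.graph.group", "id": "11111111-0000-0000-0000-000000000002", "displayName": "Finance Archive", "groupTypes": ["Unified"] },
  { "@odata.type": "#microsoft.graph.group", "id": "11111111-0000-0000-0000-000000000003", "displayName": "All Staff (dynamic)", "groupTypes": ["DynamicMembership"] },
  { "@odata.type": "#microsoft.graph.directoryRole", "id": "22222222-0000-0000-0000-000000000001", "displayName": "Directory Readers" }
] }
'@
$packageJson = @'
{ "displayName": "Launch Team Data Scope",
  "resourceRoleScopes": [
    { "role":  { "displayName": "Member", "originSystem": "AadGroup" },
      "scope": { "displayName": "Launch Team", "originSystem": "AadGroup", "originId": "11111111-0000-0000-0000-000000000001" } },
    { "role":  { "displayName": "Site Reader", "originSystem": "SharePointOnline" },
      "scope": { "displayName": "Launch Site", "originSystem": "SharePointOnline", "originId": "https://contoso.example/sites/launch" } }
  ] }
'@

function Get-OutOfPackageGroup {
    param(
        [Parameter(Mandatory)] $MemberOf,       # parsed transitiveMemberOf response
        [Parameter(Mandatory)] $AccessPackage   # parsed access package with resourceRoleScopes
    )
    # Object IDs of the groups that the package itself grants.
    $inScope = @($AccessPackage.resourceRoleScopes |
        Where-Object { $_.scope.originSystem -eq 'AadGroup' } |
        ForEach-Object { $_.scope.originId })

    # Any other group membership widens what the user can reach beyond the package.
    $MemberOf.value |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' -and $_.id -notin $inScope } |
        ForEach-Object {
            [pscustomobject]@{
                GroupId     = $_.id
                DisplayName = $_.displayName
                # Dynamic groups are rule-driven: fix the membership rule, not the member list.
                Dynamic     = $_.groupTypes -contains 'DynamicMembership'
            }
        }
}

$report = Get-OutOfPackageGroup -MemberOf (ConvertFrom-Json $memberOfJson) -AccessPackage (ConvertFrom-Json $packageJson)
$report | Format-Table -AutoSize
```

The report covers group memberships only; permissions granted directly on a SharePoint site need a separate check.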
Users Cannot Request the Package
If the package is not visible in the My Access portal, check the Requests tab of the access package. Ensure For users in your directory is selected and that the user is in the correct directory. Also confirm that the catalog is not set to Hidden under Catalog > Properties > Hidden from My Access. If the catalog is hidden, users cannot see any packages inside it.
Copilot Does Not Show the Package as a Data Source Option
The entitlement management package option in the Copilot admin center only appears if the user signing in has the Identity Governance Administrator role. If the option is missing, sign out and sign back in with a Global Administrator or Identity Governance Administrator account. Also verify that the package has at least one resource assigned — empty packages are not listed.
Entitlement Management Package vs Direct Group Membership for Copilot Scoping
| Item | Entitlement Management Package | Direct Group Membership |
|---|---|---|
| Setup effort | Requires catalog, package, and approval workflow creation | Add user to group in Azure AD or Microsoft 365 admin center |
| Access review | Built-in periodic review and automatic removal | Manual audit or custom PowerShell script |
| Resource grouping | Bundle groups, sites, and apps in one package | Each group or site managed separately |
| Copilot integration | Explicit data source in Copilot admin center | Implicit via Microsoft Graph permissions |
| Best for | Project-based teams, contractors, compliance-driven scoping | Simple, permanent role assignments |
Use entitlement management packages when you need to scope Copilot responses to a defined set of resources and enforce recurring access reviews. Use direct group membership when the user needs permanent access to a single group and no approval workflow is required.
After completing this walkthrough, you can create entitlement management packages that limit Copilot responses to specific groups, sites, and apps. Test the setup by asking Copilot a question about a document in a resource that is not in the package — it should not return that document. For advanced management, consider creating multiple packages for different departments and assigning users through the My Access portal for self-service requests.