You have access to a shared mailbox in Outlook, but Copilot cannot read its emails or suggest replies. This happens because Copilot uses a different permission model than the classic Exchange client. Standard mailbox access granted through Outlook does not automatically extend to Copilot. This article explains how permission inheritance works for shared mailboxes in Copilot for Microsoft 365, what settings control access, and how to verify or grant the correct permissions.
Key Takeaways: Shared Mailbox Permissions for Copilot
- Exchange admin center > Recipients > Shared mailboxes > Mailbox delegation: Grants Full Access to a shared mailbox. This permission alone does not enable Copilot to read the mailbox.
- Microsoft 365 admin center > Settings > Org settings > Copilot > Data sources: Controls which Microsoft Graph data Copilot can read for grounded responses. Shared mailboxes are included only if the user has explicit Send-As or Full Access with auto-mapping enabled.
- PowerShell cmdlet Add-MailboxPermission -AutoMapping $true: Enables auto-mapping for shared mailboxes, which is required for Copilot to detect and read the mailbox content.
How Copilot Accesses Shared Mailbox Data
Copilot in Outlook uses Microsoft Graph to read mailbox content. This is different from the MAPI or REST protocols used by the classic Outlook client. When you add a shared mailbox to your Outlook profile, you typically use the Add shared folder option or receive auto-mapping from Exchange Online. These methods grant access through the client interface but do not automatically register the mailbox in Microsoft Graph for Copilot.
Permission inheritance for shared mailboxes follows a specific chain. The shared mailbox object in Exchange Online must have at least one of the following permissions assigned to the user: Full Access with auto-mapping enabled, Send-As, or Send on Behalf. When auto-mapping is enabled, Exchange Online automatically pushes the shared mailbox into the user’s Outlook profile and registers it in Microsoft Graph. Without auto-mapping, Copilot cannot discover the mailbox because Graph does not receive the permission mapping.
A common misconception is that granting Full Access through the Exchange admin center alone is sufficient. Full Access allows the user to open the mailbox in Outlook and read messages, but it does not create the Graph-based permission entry that Copilot requires. The missing piece is the AutoMapping attribute on the mailbox permission. When AutoMapping is set to True, Exchange adds the mailbox to the user’s msExchDelegateListLink attribute, which tells Graph to include the mailbox in the user’s accessible mailboxes list.
Steps to Verify and Grant Correct Permissions
Use the following steps to check and configure permissions so Copilot can work with a shared mailbox. You need Exchange Online administrator rights to run these commands.
1. Check existing permissions with PowerShell
   Open Exchange Online PowerShell and run Get-MailboxPermission -Identity "sharedmailbox@domain.com" | Where-Object {$_.User -like "user@domain.com"}. Look for the AccessRights column. If you see FullAccess but the AutoMapping column shows False, the permission is not inherited by Copilot.
2. Enable AutoMapping on an existing permission
   Run Remove-MailboxPermission -Identity "sharedmailbox@domain.com" -User "user@domain.com" -AccessRights FullAccess to remove the current permission. Then run Add-MailboxPermission -Identity "sharedmailbox@domain.com" -User "user@domain.com" -AccessRights FullAccess -AutoMapping $true. The -AutoMapping $true parameter is the critical switch that enables Copilot access.
3. Verify the mailbox appears in Outlook
   Close and reopen Outlook. The shared mailbox should appear automatically in the folder pane. If it does not appear, run Get-MailboxAutoMapping -Identity "user@domain.com" to confirm the mailbox is mapped. If the mailbox is listed, but Copilot still does not work, proceed to the next step.
4. Check Copilot data source settings in the Microsoft 365 admin center
   Go to Microsoft 365 admin center > Settings > Org settings > Copilot > Data sources. Ensure that Microsoft Graph data is enabled. This setting controls whether Copilot can read any mailbox data, including shared mailboxes. If it is disabled, no shared mailbox data will be accessible.
5. Test Copilot in Outlook
   Open Outlook, select the shared mailbox from the folder pane, and click the Copilot icon in the ribbon. Ask a simple question like “Summarize the last three emails in this mailbox.” If Copilot responds with content, the inheritance is working. If you see an error stating “Copilot cannot access this mailbox,” repeat steps 1 through 3 and confirm the user has at least Send-As permission as a fallback.
If Copilot Still Cannot Read the Shared Mailbox
Copilot returns “No data” or “Access denied” for shared mailbox content
This error typically occurs when the user has Full Access without AutoMapping, or when the shared mailbox is a security group or distribution group that does not support mailbox delegation. Verify that the shared mailbox is a UserMailbox type, not a MailUser or MailEnabledSecurityGroup. Run Get-Recipient -Identity "sharedmailbox@domain.com" | fl RecipientTypeDetails in PowerShell. If the type is anything other than SharedMailbox, convert it using Set-Mailbox -Identity "sharedmailbox@domain.com" -Type Shared.
Copilot works for some users but not others on the same shared mailbox
Permission inheritance is per-user, not per-mailbox. Each user must have an individual permission entry with AutoMapping set to True. If you added users through a group-based delegation, such as assigning Full Access to a security group, the group members do not inherit AutoMapping. Remove the group-based permission and assign Full Access with AutoMapping to each user individually. Use Add-MailboxPermission with the specific user UPN, not a group name.
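The per-user versus group-based distinction described above can be audited before changing anything. The following is an added example, not code from the original article or from Microsoft: Get-FullAccessFinding is a hypothetical helper, and the permission entries and trustee names are constructed sample data shaped like Get-MailboxPermission and Get-Recipient output.

```powershell
# Added example. Get-FullAccessFinding is a hypothetical helper, not a Microsoft cmdlet.
function Get-FullAccessFinding {
    param(
        # Objects shaped like Get-MailboxPermission output.
        [Parameter(Mandatory)] [object[]] $Permission,
        # Trustee name -> RecipientTypeDetails, as returned by Get-Recipient.
        [Parameter(Mandatory)] [hashtable] $TrusteeType
    )
    foreach ($p in $Permission) {
        # Skip entries without FullAccess and the mailbox's own SELF entry.
        if (-not ($p.AccessRights -match 'FullAccess')) { continue }
        if ($p.User -eq 'NT AUTHORITY\SELF') { continue }

        $type = $TrusteeType[[string]$p.User]
        $finding = if ($p.Deny) {
            'Deny entry: grants nothing'
        } elseif ($p.IsInherited) {
            'Inherited ACL entry: not an individual grant'
        } elseif (-not $type) {
            'Trustee type unknown: resolve with Get-Recipient'
        } elseif ($type -like '*Group*') {
            'Group-based delegation: re-assign to each user individually'
        } else {
            'Direct user grant'
        }
        [pscustomobject]@{ User = $p.User; TrusteeType = $type; Finding = $finding }
    }
}

# Constructed sample entries (addresses and names are placeholders).
$perms = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'user@domain.com'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'Support-Team'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'auditor@domain.com'; AccessRights = @('ReadPermission'); IsInherited = $false; Deny = $false }
)
$types = @{ 'user@domain.com' = 'UserMailbox'; 'Support-Team' = 'MailUniversalSecurityGroup' }

Get-FullAccessFinding -Permission $perms -TrusteeType $types | Format-Table -AutoSize

# Live use, assuming a connected Exchange Online PowerShell session:
#   $perms = Get-MailboxPermission -Identity 'sharedmailbox@domain.com'
#   $types = @{}
#   foreach ($u in $perms.User) {
#       $r = Get-Recipient -Identity $u -ErrorAction SilentlyContinue
#       if ($r) { $types[[string]$u] = [string]$r.RecipientTypeDetails }
#   }
```

Reviewing the output before re-granting also shows exactly which identities hold Full Access to the mailbox, which is the set of users whose Copilot sessions will be able to read its content.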
Copilot reads the shared mailbox but returns outdated or incomplete results
Microsoft Graph caches mailbox permissions for up to 24 hours after a change. If you recently updated permissions, wait 24 hours and test again. To force a refresh, remove the shared mailbox from the user’s Outlook profile, close Outlook, run Remove-MailboxPermission and Add-MailboxPermission again with AutoMapping True, then reopen Outlook. This clears the Graph cache for that user’s mailbox access.
Copilot in Outlook with Shared Mailboxes vs Personal Mailboxes: Key Differences
| Item | Shared Mailbox | Personal Mailbox |
|---|---|---|
| Permission model | Requires explicit Full Access with AutoMapping or Send-As | Inherits from user license and Exchange Online service plan |
| AutoMapping requirement | Required for Copilot to discover the mailbox in Microsoft Graph | Not applicable; personal mailbox is always mapped |
| PowerShell configuration | Must use Add-MailboxPermission with -AutoMapping $true | No additional configuration needed |
| Copilot data source | Controlled by Microsoft Graph data setting in admin center | Controlled by same setting but always enabled for personal mailbox |
| Cache refresh time | Up to 24 hours after permission change | Instant after license assignment |
| Multi-user access | Each user needs individual permission entry with AutoMapping | Not applicable; single user only |
Copilot in Outlook with shared mailboxes depends on permission inheritance through Microsoft Graph. The key enabler is the AutoMapping attribute on the Full Access permission. Without it, Copilot cannot see the shared mailbox even though the user can open it in Outlook. Use the Exchange Online PowerShell cmdlets to verify and correct permissions. Test with a simple summarization prompt after making changes. If results are delayed, wait up to 24 hours for Graph cache to update. For troubleshooting, check the mailbox type and remove group-based delegation in favor of individual user assignments.