How to Disable a Copilot Connector for One User or Group

You need to block a Copilot connector for a specific user or group without affecting the rest of the organization. Copilot connectors give Microsoft 365 Copilot access to external data sources like ServiceNow, Jira, or Salesforce. When a connector is enabled globally, every licensed user can query that data. This article explains how to use Microsoft Entra ID group policies and conditional access to disable a single connector for selected users or groups.

Key Takeaways: Disabling a Copilot Connector Per User or Group

  • Microsoft 365 admin center > Copilot > Connectors: View all configured connectors and their current assignment scope.
  • Microsoft Entra ID > Groups > Dynamic group rule: Create a group that excludes the target user or group from connector access.
  • Conditional Access policy > Grant > Block access: Block the Copilot connector app for a specific Microsoft Entra ID group.


Why You Need Per-User Connector Control

Copilot connectors are data gateways between Microsoft 365 and third-party services. When you add a connector in the Microsoft 365 admin center, it is enabled for all users with Copilot licenses by default. The connector itself does not have a built-in toggle to disable it for individual users. This creates a problem if a specific team should not see data from a connected system. For example, the finance team might use a ServiceNow connector, but the marketing team should not query ServiceNow records. The only way to achieve per-user or per-group control is through Microsoft Entra ID group membership and conditional access policies.

Steps to Disable a Copilot Connector for One User or Group

Follow these steps to block a connector for a specific user or group. You need Global Administrator or Conditional Access Administrator permissions in Microsoft Entra ID.

  1. Identify the connector app registration
    Open the Microsoft Entra admin center at entra.microsoft.com. Go to Identity > Applications > Enterprise applications. In the search box, type the name of the connector, for example “ServiceNow” or “Jira”. Each Copilot connector registers as an enterprise application in your tenant. Note the exact display name.
  2. Create a Microsoft Entra ID group for exclusion
    Go to Identity > Groups > All groups > New group. Set Group type to Security. Give it a name like “Copilot-ServiceNow-Blocked”. Add the user or group you want to block as members. Click Create.
  3. Create a conditional access policy
    Go to Identity > Protection > Conditional Access > Policies > New policy. Give the policy a name like “Block ServiceNow Connector for Marketing”. Under Assignments > Users, select Specific users included and choose the group you created in step 2. Under Target resources > Cloud apps, select Select apps, search for the connector app name, and check the box next to it. Under Grant, select Block access. Set Enable policy to On. Click Create.
  4. Test the policy
    Sign in as a user who is a member of the blocked group. Open Copilot in Microsoft Teams or copilot.microsoft.com. Ask a question that requires data from the blocked connector. Copilot should return an error or a message saying the data source is unavailable. Users not in the blocked group should still see connector data.
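
Steps 2 and 3 can also be written as a request body for the Microsoft Graph conditional access policies endpoint. The following is an added example, not code from the original article: the GUIDs are constructed placeholders, and the policy defaults to report-only state so its scope can be checked before anyone is blocked.

```python
import json
import uuid

# Microsoft Graph v1.0 endpoint that accepts the body built below (POST).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def _guid(value, what):
    """Accept only GUIDs, so a display name or the keyword 'All' cannot widen the scope."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{what} must be a GUID, got {value!r}") from None


def build_block_policy(name, blocked_group_id, connector_app_id, enforce=False):
    """Return the policy body that blocks one enterprise app for one security group."""
    return {
        "displayName": name,
        # Report-only unless enforce=True: the result is logged but nobody is blocked.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [_guid(blocked_group_id, "group object ID")]},
            "applications": {
                "includeApplications": [_guid(connector_app_id, "connector application ID")]
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    # Constructed placeholder IDs; use the values noted in steps 1 and 2.
    body = build_block_policy(
        "Block ServiceNow Connector for Marketing",
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    )
    print(json.dumps(body, indent=2))
```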


If the Connector Still Appears for Blocked Users

Copilot caches connector permissions for up to 24 hours

Conditional access policies apply to new authentication requests. If the user had an active Copilot session before the policy was enabled, they might still see connector data until the session token expires. Wait 24 hours or ask the user to sign out and sign back in to force a new authentication.

The connector app name is not visible in enterprise applications

Some older connectors do not register as separate enterprise apps. In that case, you cannot use conditional access. The only option is to remove the connector from the Microsoft 365 admin center and recreate it with a different scope. Alternatively, contact Microsoft Support to request a new connector registration for your tenant.

Policy conflicts with existing conditional access rules

If your tenant already has conditional access policies that grant access to all Copilot apps, the block policy might be overridden. Check the Results tab in the conditional access policy to see if another policy applies. Reorder policies so the block policy has higher priority.
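
The test in step 4 and the conflict check above can be confirmed from sign-in log data rather than from what Copilot displays. This added example (not from the original article) classifies records shaped like Microsoft Graph signIn entries by the block policy's result and lists users whose outcome contradicts the intended scope; the sample records, user names and IDs are constructed.

```python
POLICY = "Block ServiceNow Connector for Marketing"  # policy name from step 3
APP_ID = "22222222-2222-2222-2222-222222222222"       # constructed placeholder app ID
BLOCKED_USERS = {"mkt1@contoso.example", "mkt2@contoso.example", "mkt3@contoso.example"}

def _rec(user, app_id, results):
    """Build one constructed sign-in record with only the fields used below."""
    return {"userPrincipalName": user, "resourceId": app_id,
            "appliedConditionalAccessPolicies":
                [{"displayName": POLICY, "result": r} for r in results]}

# Constructed sample data, not real tenant logs.
SAMPLE_SIGNINS = [
    _rec("mkt1@contoso.example", APP_ID, ["failure"]),            # enforced block
    _rec("mkt2@contoso.example", APP_ID, ["reportOnlyFailure"]),  # policy left in report-only
    _rec("mkt3@contoso.example", APP_ID, []),                     # policy never evaluated
    _rec("fin1@contoso.example", APP_ID, ["notApplied"]),         # outside the blocked group
    _rec("mkt1@contoso.example", "33333333-3333-3333-3333-333333333333", ["notApplied"]),
]

def verdict(signin, policy=POLICY, app_id=APP_ID):
    """Return how the block policy treated one sign-in, or None for other apps."""
    if app_id not in (signin.get("appId"), signin.get("resourceId")):
        return None
    results = [p.get("result") for p in signin.get("appliedConditionalAccessPolicies", [])
               if p.get("displayName") == policy]
    if not results:
        return "not-evaluated"
    if "failure" in results:
        return "blocked"
    if "reportOnlyFailure" in results:
        return "report-only"
    return results[0]

def audit(signins, blocked_users, policy=POLICY, app_id=APP_ID):
    """List (user, verdict) pairs that contradict the intended scope."""
    findings = []
    for signin in signins:
        v = verdict(signin, policy, app_id)
        user = signin.get("userPrincipalName", "").lower()
        if v is not None and (user in blocked_users) != (v == "blocked"):
            findings.append((user, v))
    return findings

if __name__ == "__main__":
    for user, v in audit(SAMPLE_SIGNINS, BLOCKED_USERS):
        print(f"{user}: {v}")
```

An empty result means every sampled sign-in matched the intended scope; a "report-only" finding means the policy is still in report-only state and has not been switched to On.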

| Item | Conditional Access Block | Group-Based Licensing |
|---|---|---|
| Description | Blocks authentication to the connector app for selected users | Removes the Copilot license from selected users |
| Effect on other features | Only the connector is blocked; Copilot still works | All Copilot features are removed for the user |
| Setup time | 15 minutes | 10 minutes |
| Granularity | Per connector | Per service plan |

Now you can disable a specific Copilot connector for one user or group without affecting the rest of the organization. Start by identifying the connector app in enterprise applications, then create a security group and apply a conditional access block policy. Test the policy with a blocked user to confirm the connector data is hidden. If you need to block multiple connectors, repeat the process for each app registration.
