How to Limit Copilot Access to a Pilot User Group

You want to roll out Microsoft Copilot to a small test group before a company-wide launch. Without proper access controls, all licensed users can immediately use Copilot features. This creates risks with unverified behavior, data exposure, and support load. This article explains how to use Microsoft 365 admin center settings, Azure AD group management, and license assignment to restrict Copilot access to a pilot user group only.

Key Takeaways: Restrict Copilot to a Pilot Group

  • Microsoft 365 admin center > Billing > Licenses: Assign Copilot licenses only to pilot group members to prevent broad activation.
  • Azure AD > Groups > New group: Create a security group that defines who can use Copilot features during the pilot phase.
  • Microsoft 365 admin center > Settings > Copilot > Data sources: Restrict Copilot grounded responses to selected SharePoint sites and OneDrive folders for the pilot group.

Why Access Control Matters for a Copilot Pilot

Microsoft Copilot connects to Microsoft Graph data including emails, files, meetings, and chats. When you assign a Copilot license to a user, that user can trigger Copilot in Word, Excel, PowerPoint, Teams, and Outlook. Without a pilot group restriction, every licensed user can experiment with Copilot simultaneously. This can cause unexpected network load, inconsistent user experience, and data leakage if Copilot surfaces sensitive content. By limiting Copilot to a pilot group, you control who can generate AI responses, test grounded data sources, and provide feedback before a wider rollout.

The primary mechanism for limiting access is license assignment. Only users who hold a Copilot for Microsoft 365 license can use Copilot features. However, license assignment alone does not prevent users from seeing Copilot entry points in the interface. To hide Copilot from non-pilot users, you must also configure user-level policies in the Microsoft 365 admin center and, in some cases, use Azure AD conditional access policies. The steps below cover both license-based restriction and interface-level hiding.

Steps to Create a Pilot Group and Assign Copilot Licenses

Follow these steps to set up a dedicated pilot security group and assign Copilot licenses only to its members.

  1. Create a security group in Azure AD
    Sign in to the Microsoft Entra admin center. Go to Groups > All groups > New group. Select Security as the group type. Enter a name like “Copilot Pilot Users”. Set the membership type to Assigned. Click Create.
  2. Add pilot users to the group
    Open the newly created group. Go to Members > Add members. Search for and select each pilot user. Click Select to confirm.
  3. Assign Copilot licenses to the group
    Go to the Microsoft 365 admin center at admin.microsoft.com. Navigate to Billing > Licenses. Select the Copilot for Microsoft 365 product. Click Assign licenses. Choose the group you created. Click Assign. This applies the Copilot license to every member of that group.
  4. Verify license assignment
    Go to Users > Active users. Select a pilot user. Under the Licenses and apps tab, confirm Copilot for Microsoft 365 shows as Assigned. Repeat for a non-pilot user to confirm the license is not present.
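
Step 4 spot-checks one pilot user and one non-pilot user; the PowerShell below is an added example (not part of the original article) that runs the same comparison across every user and also flags licenses assigned directly rather than through the pilot group, since those persist after a user is removed from the group. The function name Get-CopilotPilotDrift and all sample ids and addresses are assumptions made for illustration.

```powershell
# Added example: offline drift check between Copilot licensing and the pilot group.
function Get-CopilotPilotDrift {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $SkuId,        # Copilot SKU id (Get-MgSubscribedSku)
        [Parameter(Mandatory)] [string]   $PilotGroupId, # object id of the pilot group
        [Parameter(Mandatory)] [string[]] $PilotUserIds, # ids of the group's members
        [Parameter(Mandatory)] [object[]] $Users         # Id, UserPrincipalName, LicenseAssignmentStates
    )
    foreach ($u in $Users) {
        $states   = @($u.LicenseAssignmentStates | Where-Object { $_.SkuId -eq $SkuId })
        $licensed = $states.Count -gt 0
        $inPilot  = $u.Id -in $PilotUserIds
        # AssignedByGroup is empty for a direct assignment, else the granting group's id.
        $offPath  = @($states | Where-Object { $_.AssignedByGroup -ne $PilotGroupId })
        $finding  = if ($licensed -and -not $inPilot) { 'LicensedOutsidePilot' }
                    elseif ($inPilot -and -not $licensed) { 'PilotMemberUnlicensed' }
                    elseif ($offPath.Count -gt 0) { 'LicensedOutsideGroupPath' }
        if ($finding) {
            $source = @($states | ForEach-Object {
                if ($_.AssignedByGroup) { "group:$($_.AssignedByGroup)" } else { 'direct' } })
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                Finding           = $finding
                Source            = $source -join ','
            }
        }
    }
}

# Constructed sample data; ids and UPNs are placeholders, not tenant values.
$sku   = '00000000-0000-0000-0000-0000000000aa'
$group = '00000000-0000-0000-0000-0000000000bb'
$users = @(
    [pscustomobject]@{ Id = 'u1'; UserPrincipalName = 'pilot1@example.test'
        LicenseAssignmentStates = @(@{ SkuId = $sku; AssignedByGroup = $group }) }
    [pscustomobject]@{ Id = 'u2'; UserPrincipalName = 'pilot2@example.test'
        LicenseAssignmentStates = @() }
    [pscustomobject]@{ Id = 'u3'; UserPrincipalName = 'sales1@example.test'
        LicenseAssignmentStates = @(@{ SkuId = $sku; AssignedByGroup = $null }) }
    [pscustomobject]@{ Id = 'u4'; UserPrincipalName = 'pilot3@example.test'
        LicenseAssignmentStates = @(@{ SkuId = $sku; AssignedByGroup = $null }) }
)
# Live input instead: Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates
# and (Get-MgGroupMember -GroupId $group -All).Id
Get-CopilotPilotDrift -SkuId $sku -PilotGroupId $group -PilotUserIds 'u1','u2','u4' -Users $users
```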

Steps to Hide Copilot from Non-Pilot Users

License assignment stops non-pilot users from generating AI responses, but they may still see Copilot icons and entry points. To hide Copilot for non-pilot users, configure service plans and user policies.

  1. Disable Copilot service plan for non-pilot users
    In the Microsoft 365 admin center, go to Users > Active users. Select a non-pilot user. Click the Licenses and apps tab. Expand Copilot for Microsoft 365. Uncheck the Copilot service plan. Click Save changes. Repeat for all non-pilot users or use a PowerShell script to batch disable the service plan.
  2. Use a PowerShell script to disable Copilot for multiple users
    Open PowerShell as an administrator. Install the Microsoft Graph module with Install-Module Microsoft.Graph -Scope CurrentUser. Connect to Microsoft Graph with Connect-MgGraph -Scopes User.ReadWrite.All, Organization.Read.All. Run the following script to disable the Copilot service plan for all users not in the pilot group. Replace “Copilot Pilot Users” with your group name.


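    # Identifiers as given in this article; confirm both against Get-MgSubscribedSku for your tenant.
    $skuPartNumber   = "COPILOT_M365"
    $servicePlanName = "COPILOT_M365"
    # Reading the group also needs a group read scope (for example GroupMember.Read.All).
    $pilotGroup = Get-MgGroup -Filter "displayName eq 'Copilot Pilot Users'"
    # Stop if the lookup is empty or ambiguous; an empty pilot list would disable Copilot for everyone.
    if (@($pilotGroup).Count -ne 1) { throw "Expected exactly one pilot group." }
    # -All pages through every member; without it only the first page is returned.
    $pilotUserIds = @(Get-MgGroupMember -GroupId $pilotGroup.Id -All | ForEach-Object { $_.Id })
    $allUsers = Get-MgUser -All
    foreach ($user in $allUsers) {
      if ($user.Id -notin $pilotUserIds) {
        $license = Get-MgUserLicenseDetail -UserId $user.Id | Where-Object { $_.SkuPartNumber -eq $skuPartNumber }
        if ($license) {
          # Collect the service plan IDs to switch off; @() keeps a single ID as an array.
          $disabledPlans = @($license.ServicePlans | Where-Object { $_.ServicePlanName -eq $servicePlanName } | ForEach-Object { $_.ServicePlanId })
          if ($disabledPlans.Count -eq 0) { continue }  # no matching plan; leave the user unchanged
          # disabledPlans replaces the user's current disabled-plan list for this SKU.
          $body = @{
            addLicenses = @(
              @{
                disabledPlans = $disabledPlans
                skuId = $license.SkuId
              }
            )
            removeLicenses = @()
          }
          Set-MgUserLicense -UserId $user.Id -BodyParameter $body
        }
      }
    }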

  3. Configure Copilot data source restrictions for the pilot group
    In the Microsoft 365 admin center, go to Settings > Copilot. Under Data sources, select Limit grounded responses to selected SharePoint sites and OneDrive folders. Add only the sites and folders that the pilot group needs. Click Save. This ensures Copilot does not surface data from unapproved locations for pilot users.

Common Pilot Access Issues and How to Avoid Them

Non-pilot users still see Copilot in Microsoft 365 apps

If a user has a Copilot license assigned but is not in the pilot group, they will see Copilot entry points. Remove the license directly from that user or disable the Copilot service plan as shown in the steps above. Verify by checking the user’s license details in the admin center.

Pilot users cannot access Copilot in certain apps

Copilot features depend on the app version and update channel. Ensure pilot users are on the Current Channel or Monthly Enterprise Channel for Microsoft 365 apps. In the admin center, go to Software download > Office apps. Select the correct channel and assign it to the pilot group via a group policy or Intune profile.

Copilot returns generic output instead of tenant-specific data

This happens when data source restrictions are too broad or too narrow. In Settings > Copilot > Data sources, verify that the selected SharePoint sites and OneDrive folders contain the content pilot users need. Test with a simple prompt like “Summarize the latest sales report” to confirm Copilot accesses the correct files.

Copilot License Options for Pilot vs Full Rollout

| Item | Pilot Phase | Full Rollout |
| --- | --- | --- |
| License assignment | Assign only to a security group of 5 to 50 users | Assign to all users via group or direct assignment |
| Data source restriction | Limit to 1-3 SharePoint sites and specific OneDrive folders | Allow all SharePoint sites and OneDrive folders |
| User training requirement | Provide training to pilot group before access | Provide company-wide training and documentation |
| Support model | Dedicated IT support channel for pilot feedback | Standard help desk with Copilot-specific knowledge base |
| Monitoring and logging | Enable audit logging for Copilot interactions in the Microsoft 365 Purview compliance portal | Maintain audit logging and add automated alerts for unusual activity |

You can now restrict Copilot access to a pilot user group using Azure AD security groups, license assignment, and service plan configuration. Start by creating the group and assigning licenses. Then disable the Copilot service plan for all other users. Test with a few pilot users before expanding. For a smoother rollout, use the PowerShell script to batch disable Copilot for non-pilot users and configure data source restrictions to limit the content Copilot can access. This approach reduces risk and gives your team controlled feedback before a company-wide deployment.
