How to Disable Microsoft 365 Copilot for a Security Group

You need to block Microsoft 365 Copilot for a specific security group in your tenant. The default setting enables Copilot for all licensed users, which may expose sensitive data to unintended groups. This article explains how to use the Microsoft Entra admin center to create a Conditional Access policy that disables Copilot access for a single security group. The method uses the Conditional Access feature of Microsoft Entra ID (formerly Azure Active Directory), not a direct toggle in the Copilot settings pane.

Key Takeaways: Disable Copilot for a Security Group

  • Microsoft Entra admin center > Conditional Access > New policy: Creates a policy that blocks Copilot access for a selected security group.
  • Cloud apps or actions > Include > Select apps > Microsoft Copilot: Target the Copilot service specifically without affecting other Microsoft 365 services.
  • Access controls > Grant > Block access: Prevents the security group from accessing Copilot in any Microsoft 365 client.

Why You Cannot Disable Copilot Directly in the Security Group Settings

Microsoft 365 Copilot is a service-level feature tied to the user’s license, not to group membership. The Copilot configuration in the Microsoft 365 admin center (Copilot pane > Data sources or Plugins) controls data grounding and plugin behavior, not user access. To disable Copilot for a security group, you must use Conditional Access in Microsoft Entra ID. Conditional Access evaluates each sign-in request against rules you define, including the application being accessed. By creating a policy that targets the Copilot service and blocks access for a specific group, you effectively disable Copilot for those users.

This method works because Copilot in Microsoft 365 apps acts as a first-party application registered in Entra ID. When a user in the blocked group tries to open the Copilot pane in Word, Excel, or Teams, the Conditional Access policy intercepts the request and denies access. The user sees an error message indicating that access is blocked. This approach does not revoke the user’s license, so they retain access to other Microsoft 365 services.

Prerequisites for This Method

  • You must have the Global Administrator or Conditional Access Administrator role in Microsoft Entra ID.
  • The security group must exist in Microsoft Entra ID and contain the users you want to block.
  • Copilot for Microsoft 365 licenses must be assigned to the users in the group. The policy blocks access regardless of license status, but the scenario assumes you want to block licensed users.
  • Your tenant must have Microsoft Entra ID P1 or P2 licenses, which are required for Conditional Access policies.

Steps to Block Copilot for a Security Group Using Conditional Access

Follow these steps to create a Conditional Access policy that disables Copilot for a specific security group. The policy blocks access to the Copilot application in Microsoft 365.

  1. Sign in to the Microsoft Entra admin center
    Go to entra.microsoft.com and sign in with an account that has the Global Administrator or Conditional Access Administrator role.
  2. Navigate to Conditional Access
    In the left navigation menu, click Protection, then click Conditional Access. The Conditional Access Policies page opens.
  3. Create a new policy
    Click + New policy from the top toolbar. The New Conditional Access policy page appears.
  4. Name the policy
    In the Name field, type a descriptive name, for example: Block Copilot for Sales Team. This name will appear in the policy list and in sign-in logs.
  5. Assign the policy to the security group
    Under Assignments, click Users or workload identities. On the Include tab, select Select users and groups, then check the Users and groups box. Click Select, search for your security group, select it, and click Select.
  6. Target the Copilot cloud app
    Under Cloud apps or actions, click Cloud apps. On the Include tab, select Select apps. Click Select, then in the search box type Microsoft Copilot. Select Microsoft Copilot from the list. Click Select. This targets the Copilot service across all Microsoft 365 clients.
  7. Set conditions (optional)
    Under Conditions, you can optionally restrict the policy to specific device platforms, locations, or client apps. For a simple block, leave conditions unconfigured.
  8. Configure access controls to block
    Under Access controls, click Grant. Select Block access. Click Select.
  9. Enable the policy
    Under Enable policy, select Report-only first to test the policy without blocking users. After testing, return to the policy, set Enable policy to On, and click Save.
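
The same policy can be created as code with the Microsoft Graph PowerShell SDK, which makes the configuration reviewable and repeatable. This is an added example, not part of the original article; the group name Sales Team is hypothetical, and the script assumes the Copilot service principal carries the display name Microsoft Copilot used in step 6.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

$GroupName  = 'Sales Team'                    # hypothetical security group name
$AppName    = 'Microsoft Copilot'             # assumed display name, as searched in step 6
$PolicyName = 'Block Copilot for Sales Team'  # example name from step 4

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'Application.Read.All'

# Step 5: resolve the group; refuse to continue on an ambiguous or missing name.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'" -All)
if ($group.Count -ne 1) { throw "Expected one group named '$GroupName', found $($group.Count)." }
if (-not $group[0].SecurityEnabled) { throw "'$GroupName' is not a security group." }

# Step 6: resolve the Copilot app. No match means it is not registered in the
# tenant yet (see the troubleshooting section), so stop rather than guess an ID.
$app = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'" -All)
if ($app.Count -ne 1) { throw "Expected one service principal named '$AppName', found $($app.Count)." }

# Do not create a duplicate if a policy with this name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $PolicyName
if ($existing) { throw "A policy named '$PolicyName' already exists ($($existing.Id))." }

$body = @{
    displayName   = $PolicyName
    state         = 'enabledForReportingButNotEnforced'   # step 9: Report-only
    conditions    = @{
        users          = @{ includeGroups = @($group[0].Id) }
        applications   = @{ includeApplications = @($app[0].AppId) }
        clientAppTypes = @('all')                          # step 7: no extra conditions
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')                       # step 8: Block access
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
$policy | Select-Object Id, DisplayName, State

# After reviewing the report-only results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```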

If the Policy Does Not Block Copilot as Expected

Several factors can cause the Conditional Access policy to fail to block Copilot. Verify each of the following issues.

The Copilot app is not listed in the cloud apps picker

If you cannot find Microsoft Copilot in the cloud apps list, your tenant may not have the Copilot service registered yet. This can happen if no user has ever signed in to Copilot. Have one user in a test group open the Copilot pane in Word or Teams and perform a search. After that, the application appears in the list within 24 hours.

The policy applies to the wrong group

Double-check that the security group selected in step 5 contains the correct users. Use the Microsoft Entra admin center to view the group membership. If you added users after creating the policy, the policy applies to new members automatically. Wait up to 15 minutes for the policy to propagate.

Users access Copilot through a different client

The Conditional Access policy blocks Copilot in Microsoft 365 desktop apps, web apps, and mobile apps. However, Copilot in Bing or Windows is a separate service. To block Copilot in Bing, you must create a separate policy targeting the Bing cloud app. To block Copilot in Windows, use Group Policy or Intune to disable the Copilot button in Windows 11.
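
While the policy is in report-only mode, the sign-in logs show which users, apps, and clients it matched, which helps with the checks above. The following is an added example, not part of the original article; it assumes the policy name from step 4 and a seven-day look-back window.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports

$PolicyName = 'Block Copilot for Sales Team'   # example name from step 4
$Days       = 7                                 # assumed look-back window

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All'

# Pull recent sign-ins; each record lists every Conditional Access policy
# that was evaluated, together with its result for that sign-in.
$since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only the entries for this policy and flatten them to one row each.
$rows = foreach ($si in $signIns) {
    foreach ($ca in $si.AppliedConditionalAccessPolicies) {
        if ($ca.DisplayName -ne $PolicyName) { continue }
        [pscustomobject]@{
            User   = $si.UserPrincipalName
            App    = $si.AppDisplayName
            Client = $si.ClientAppUsed
            Result = $ca.Result   # reportOnlyFailure = would be blocked once enforced
        }
    }
}

# Summarise: who would be blocked, in which app and client, and how often.
$rows | Group-Object User, App, Client, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A result of reportOnlyNotApplied for a user you expected to block points to a group or app mismatch. An empty result only means no matching sign-in was logged in the window.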

Conditional Access Block vs License Removal: Comparison

| Item | Conditional Access Block | License Removal |
|---|---|---|
| Effect on Copilot | Blocks access immediately, user sees error message | Removes Copilot from user’s available apps, no error shown |
| Effect on other Microsoft 365 services | No effect, user retains full access | No effect, user retains full access |
| Administration effort | One-time policy creation, applies to group | Requires license removal per user or group via PowerShell |
| Reversibility | Toggle policy off or remove group from policy | Reassign license to user |
| User notification | User sees a block message with policy name | Copilot button disappears silently |

You can now block Microsoft 365 Copilot for any security group in your tenant using a Conditional Access policy. Test the policy in report-only mode before enabling it. For a more granular approach, combine this method with license management: remove the Copilot license from users you do not want to have access at all, and use Conditional Access only for temporary blocks or compliance scenarios.
