You need to control which employees can use Copilot agents in your Microsoft 365 tenant. Without restrictions, every licensed user can create, share, and run agents, which can lead to security gaps, data leaks, and unapproved automation. This article explains how to use a Microsoft Entra ID security group, group-based licensing, and a Conditional Access policy to restrict Copilot agent use to a specific license group.
Key Takeaways: Restricting Copilot Agents via License Groups
- Microsoft Entra admin center > Groups > New group: Create a security group that will contain the users allowed to use Copilot agents.
- Microsoft 365 admin center > Billing > Licenses > Groups > Assign licenses: Assign the Copilot license to the security group (group-based licensing) and remove direct assignments from everyone else.
- Microsoft Entra admin center > Protection > Conditional Access > New policy: Include All users, exclude the security group and your emergency access accounts, target only the Copilot-related resources (not All cloud apps), set Grant to Block access, and roll out in Report-only mode before enabling.
Why License Group Restrictions Matter for Copilot Agents
Copilot agents in Microsoft 365 access company data through Microsoft Graph in the context of the user who runs them. An agent can therefore read the emails, files, calendars, and Teams messages that its user is already permitted to see; it does not gain extra permissions, but it makes it far easier to surface, summarize, and move that data, and over-shared sites and files become reachable with a single prompt. If every licensed user can build and share agents, the chance of accidental exposure grows with the number of authors. Restricting agent use by license group ensures that only trained or approved employees can create and run agents, and it simplifies auditing because agent activity maps to a known, small set of users.
Prerequisites for Restricting Copilot Agent Use
Before you apply restrictions, confirm these requirements:
- Your tenant must have Microsoft Entra ID P1 or P2 licenses for Conditional Access policies.
- You must be a Global Administrator or Conditional Access Administrator to create the policy, and a License Administrator (or Global Administrator) to assign licenses.
- Enough Copilot for Microsoft 365 licenses must be available in the tenant for the members of the group. The steps below assign them through the group, so users do not need a license beforehand.
- Users outside the group must not hold a Copilot license, either assigned directly or inherited from another group. The cleanup step below removes such assignments.
- You should have a documented emergency access (break-glass) account and exclude it from every policy that uses a Block grant, so a scoping mistake cannot lock all administrators out.
Steps to Create a Security Group and Assign Copilot Licenses
- Create a security group in Microsoft Entra ID
Go to the Microsoft Entra admin center. Select Groups then New group. Choose Security as the group type. Give the group a name like “Copilot Agent Users”. Add the users who are allowed to create and use Copilot agents. Click Create.
- Assign Copilot licenses to the group
Open the Microsoft 365 admin center. Go to Billing then Licenses. Select the Copilot for Microsoft 365 product, open the Groups tab, and click Assign licenses. Choose the security group you created and confirm the assignment. Members of the group now inherit the license; anyone removed from the group loses it automatically.
- Remove Copilot licenses from users outside the group
If any users outside the group already have a Copilot license, open the Users tab of the same product, select each non-group user, and click Unassign licenses. A license that shows as inherited from another group cannot be removed per user; remove the Copilot product from that group instead. Repeat until only members of the security group hold the license.
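The same three steps, as an added example written for this page (not code from the original article or from Microsoft) using the Microsoft Graph PowerShell SDK. It creates the group if it does not exist, attaches the Copilot SKU with group-based licensing, and then audits every user: direct assignments outside the group are removed, and assignments inherited from some other group are reported so you can fix them at that group. The group name, mail nickname, and the SKU part number `Microsoft_365_Copilot` are assumptions; confirm the SKU against `Get-MgSubscribedSku` in your tenant before running it.

```powershell
# Added example (not from the original article): create the group, attach the Copilot
# SKU with group-based licensing, then clean up Copilot licenses outside the group.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.ReadWrite.All','Organization.Read.All','Directory.ReadWrite.All'

$GroupName = 'Copilot Agent Users'      # assumed name
$SkuPart   = 'Microsoft_365_Copilot'    # assumed SkuPartNumber; verify with Get-MgSubscribedSku

# 1. Resolve the Copilot SKU; stop if the tenant has no such subscription.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPart
if (-not $sku) { throw "SKU '$SkuPart' not found; run Get-MgSubscribedSku to list SkuPartNumber values." }

# 2. Create the security group only if it does not already exist (idempotent).
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false `
        -MailNickname 'copilotagentusers' -SecurityEnabled
}

# 3. Attach the SKU to the group. Members inherit the license; leaving the group revokes it.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# Group-based licensing fails silently for members beyond the purchased seat count,
# so warn when the group is larger than the subscription.
$memberCount = (Get-MgGroupMember -GroupId $group.Id -All).Count
if ($memberCount -gt $sku.PrepaidUnits.Enabled) {
    Write-Warning "Group has $memberCount members but only $($sku.PrepaidUnits.Enabled) Copilot seats."
}

# 4. Audit every user. LicenseAssignmentStates records, per SKU, whether the license came
#    from a group (AssignedByGroup = that group's id) or was assigned directly (null).
$users = Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates
foreach ($u in $users) {
    $states = $u.LicenseAssignmentStates | Where-Object SkuId -eq $sku.SkuId
    foreach ($s in $states) {
        if ($s.AssignedByGroup -eq $group.Id) { continue }   # approved path, nothing to do
        if (-not $s.AssignedByGroup) {
            # Direct assignment outside the approved group: remove it.
            Set-MgUserLicense -UserId $u.Id -RemoveLicenses @($sku.SkuId) -AddLicenses @() | Out-Null
            Write-Output "Removed direct Copilot license from $($u.UserPrincipalName)"
        } else {
            # Inherited from another group: a per-user removal would be re-applied by that
            # group, so report it and fix the source group instead.
            $other = Get-MgGroup -GroupId $s.AssignedByGroup
            Write-Warning "$($u.UserPrincipalName) inherits Copilot from group '$($other.DisplayName)'; remove the SKU from that group."
        }
    }
}
```

Run the audit loop with `-WhatIf` on `Set-MgUserLicense` the first time to see what it would remove. The warning branch is the check you will want later if a user outside the group still has access: it names the other group that is handing out the license.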
Steps to Block Non-Group Users from Using Copilot Agents
Licensing alone is a weak control: a license can be reassigned directly or inherited from another group by mistake, and a user without one might still try to reach Copilot agent features through the web or Teams. A Conditional Access policy adds a block at sign-in that does not depend on licensing state. Scope it carefully: it must target only the Copilot resources, never All cloud apps.
- Create a conditional access policy
In the Microsoft Entra admin center, select Protection then Conditional Access. Click New policy.
- Name the policy
Enter a name like “Block Copilot Agents for Non-Licensed Users”.
- Select users and groups
Under Assignments > Users, choose All users. Under Exclude, select the security group you created earlier and your emergency access (break-glass) accounts. The policy then applies to everyone except the allowed group, and a scoping mistake cannot lock administrators out.
- Select target resources
Under Target resources (labelled Cloud apps or actions in older versions of the portal), choose Select resources and pick only the Copilot-related resources you intend to block; search the resource list for Copilot and confirm each match. Do not choose All cloud apps: combined with All users and Block access, that policy locks every non-member out of Exchange, Teams, SharePoint, and the admin portals, not just Copilot.
- Leave conditions at their defaults
A new policy applies to browser, mobile, and desktop clients when Conditions > Client apps is left unconfigured. Narrowing it to Browser plus Mobile apps and desktop clients would exempt legacy authentication clients rather than cover more devices.
- Configure grant controls
Under Grant, select Block access. Click Select.
- Roll out in report-only mode, then enable the policy
Set Enable policy to Report-only and click Create. After a few days, open the sign-in log, check the Conditional Access and Report-only tabs, and confirm that only non-members would have been blocked and only for the Copilot resources. Then open the policy and set Enable policy to On. The policy applies to new sign-ins and token refreshes within minutes; sessions that already hold valid tokens keep working until those tokens expire or you revoke them.
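The policy above, created with the Microsoft Graph PowerShell SDK, as an added example written for this page (not code from the original article or from Microsoft). It resolves the allowed group and an emergency-access group, looks up the Copilot service principals to use as target resources instead of falling back to All, prints the matches for review, and creates the policy in report-only mode. The group names and the display-name prefix `Microsoft Copilot` used to find the service principals are assumptions; check the printed list against the resources you actually want to block before enabling the policy.

```powershell
# Added example (not from the original article): create the Copilot block policy with
# the Microsoft Graph PowerShell SDK, scoped to specific resources and starting in
# report-only mode. Group names and the service-principal name prefix are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All','Group.Read.All'

$AllowedGroupName    = 'Copilot Agent Users'         # assumed
$BreakGlassGroupName = 'Emergency Access Accounts'   # assumed; never omit this exclusion
$AppNamePrefix       = 'Microsoft Copilot'           # assumed search prefix; review the matches

$allowed    = Get-MgGroup -Filter "displayName eq '$AllowedGroupName'"
$breakGlass = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'"
if (-not $allowed -or -not $breakGlass) { throw 'Resolve both groups before creating a Block policy.' }

# Resolve target resources explicitly. A Block policy must never fall back to 'All',
# so abort if nothing matches, and print what did match so an administrator confirms it.
$apps = Get-MgServicePrincipal -Filter "startswith(displayName,'$AppNamePrefix')" -All
if (-not $apps) { throw "No service principals match '$AppNamePrefix'; pick the Copilot resources explicitly." }
$apps | Select-Object DisplayName, AppId | Format-Table

$policy = @{
    displayName = 'Block Copilot Agents for Non-Licensed Users'
    state       = 'enabledForReportingButNotEnforced'   # report-only; switch to 'enabled' after review
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($allowed.Id, $breakGlass.Id)
        }
        applications   = @{ includeApplications = @($apps.AppId) }   # specific app IDs, not 'All'
        clientAppTypes = @('all')   # all client types; do not narrow to browser/mobile only
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in report-only mode."

# After reviewing the Report-only results in the sign-in log, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Keep the enforcement step as a separate, deliberate action: the `Update-MgIdentityConditionalAccessPolicy` call is left commented out so the script cannot enable a Block policy before the report-only results have been read.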
If Users Outside the Group Still Access Copilot Agents
Existing Session Still Holds a Valid Token
Conditional Access is evaluated when a token is issued or refreshed, not continuously. A user who signed in before the policy was enabled keeps working until the access token expires (about an hour by default) or the session is re-evaluated. Instruct the user to sign out and sign back in, or revoke the user's sessions from the Microsoft Entra admin center (Users > select the user > Revoke sessions) to force a new sign-in. Then open the sign-in log for that user and check the Conditional Access tab to confirm the policy reported Failure with the Block grant.
User Has a Copilot License from Another Group
If a user is a member of multiple groups and one of those groups has a Copilot license assigned, the user keeps the license and can still activate Copilot. In the Microsoft Entra admin center, open the user's Licenses page: the Assignment paths column shows whether the license is Direct or Inherited and, if inherited, from which group. Remove the Copilot product from any group that should not have it, and remove any direct assignment.
Conditional Access Policy Is in Report-Only Mode
The Enable policy setting has three states: Report-only, On, and Off. A policy in Report-only logs what it would have done but blocks nothing. In the Microsoft Entra admin center, open the policy, set Enable policy to On, and save. Use the What If tool under Conditional Access to confirm that the policy now applies to a non-group user for the Copilot resources.
Copilot Agent Access by License Group: Policy Options
| Item | License Assignment Only | License Assignment + Conditional Access |
|---|---|---|
| Description | Assign Copilot licenses only to the security group | Assign licenses to the group and block other users with conditional access |
| Protection level | Medium – users without a license cannot activate Copilot | High – blocks access even if a user somehow obtains a license |
| Administration effort | Low – one-time group and license setup | Medium – requires conditional access policy creation, report-only review, and testing |
| User impact | Only group members can use Copilot agents | Only group members can use Copilot agents; others see a sign-in block message |
| Main failure mode | A license assigned directly or inherited from another group silently restores access | A policy scoped to All cloud apps blocks non-members from all of Microsoft 365, not just Copilot |
You can now restrict Copilot agent use to a specific license group. First, create a security group and assign Copilot licenses only through that group, removing direct and inherited assignments elsewhere. Then apply a Conditional Access policy, scoped to the Copilot resources and excluding the group and your emergency access accounts, to block all other users. Test the policy in report-only mode and with a non-group test account before enabling it, and confirm the block in the sign-in log. For tighter control, also limit which Microsoft Graph data Copilot agents can reach by reviewing SharePoint sharing and the Copilot settings in the Microsoft 365 admin center.