Managing Copilot across multiple Microsoft 365 tenants introduces unique challenges in data residency, licensing, and policy consistency. Each tenant operates as a separate security boundary, and Copilot respects these boundaries when accessing Microsoft Graph data for grounded responses. This article explains how to configure Copilot settings centrally, apply consistent data-source policies, and handle cross-tenant collaboration without exposing data from one tenant to another. You will learn the admin steps for each tenant and the limitations of multi-tenant Copilot configurations.
Key Takeaways: Multi-Tenant Copilot Configuration
- Microsoft 365 admin center > Copilot > Data sources: Controls which Microsoft Graph data Copilot can read for grounded responses per tenant.
- Cross-tenant access settings in Azure AD > External Identities: Enables or blocks Copilot from surfacing results from external tenant documents.
- PowerShell script for bulk policy deployment: Applies identical Copilot settings across all tenants using Microsoft Graph PowerShell cmdlets.
Understanding Copilot Data Boundaries in Multi-Tenant Deployments
Copilot in Microsoft 365 uses the Microsoft Graph to retrieve data from the user’s home tenant only. When a user signs into Copilot, the service authenticates against that specific tenant and cannot natively query data from another tenant. This behavior is by design to prevent accidental data leakage between organizations. Each tenant administrator must configure Copilot settings independently because there is no cross-tenant management pane in the Microsoft 365 admin center today.
If your organization operates multiple tenants for subsidiaries, regions, or test environments, you must apply identical settings manually or via automation. Common settings include data-source restrictions, plugin enablement, and sensitivity label enforcement. Without consistent configuration, users in different tenants may see different Copilot behaviors, which can cause confusion and support tickets.
How Copilot Handles Cross-Tenant Collaboration
When users from Tenant A share a document with users in Tenant B, Copilot in Tenant B can access that document only if the sharing link grants edit or view permissions and the document resides in the user’s own tenant. Copilot does not index content stored in external tenants. If a user in Tenant B tries to ask Copilot a question about a document stored in Tenant A, the service returns no results unless the document has been explicitly copied into Tenant B. This limitation is critical for compliance scenarios that require data to remain within a specific geographic or legal boundary.
Steps to Configure Copilot Settings Per Tenant
Follow these steps for each tenant in your environment. The process is identical for every tenant, but you must sign in to each admin center separately.
1. Sign in to the Microsoft 365 admin center
   Open a browser and go to admin.microsoft.com. Use a Global Admin or Copilot Admin account for the tenant you are configuring.
2. Navigate to Copilot settings
   In the left navigation, expand Settings and select Copilot. If you do not see the Copilot entry, ensure the tenant has the required Copilot licenses assigned to at least one user.
3. Configure data sources
   Under Data sources, select which Microsoft Graph data Copilot can use. Options include Files, SharePoint Online, Microsoft Teams chats, and Exchange Online mailboxes. Clear any checkboxes for data sources you want to exclude. For multi-tenant environments, restrict data sources to the minimum required to reduce cross-tenant confusion.
4. Set plugin permissions
   Under Plugins, select Manage plugins. Disable third-party plugins that could expose data outside the tenant. Enable only the Microsoft-built plugins your users need, such as Planner or Forms.
5. Apply sensitivity label policies
   Under Data protection, ensure Copilot respects Microsoft Purview sensitivity labels. Select Require labels on Copilot responses if your compliance policy demands that all generated content carry a label. This setting prevents unlabeled data from leaving the tenant.
6. Repeat for each tenant
   Log out of the admin center, sign in with credentials for the next tenant, and repeat steps 1 through 5. Document each tenant’s configuration for audit purposes.
Using PowerShell to Apply Settings Across Tenants
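To avoid manual repetition, use Microsoft Graph PowerShell to apply identical settings. The following script connects to a tenant and updates the Copilot data source policy. Run it once for each tenant, for example in a loop.

```powershell
# Sign in to the tenant being configured with permission to write policy
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Policy body: data sources Copilot may read and the plugin publishers allowed
$policy = @{
    "dataSources"       = @("Files", "SharePointOnline", "TeamsChats")
    "pluginPermissions" = @("Microsoft")
}

# Apply the policy to the connected tenant
Update-MgPolicyAuthorizationPolicy -BodyParameter $policy
```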
Replace the data sources array with your preferred list. The cmdlet updates the tenant-level Copilot policy immediately. For a full list of parameters, run Get-Help Update-MgPolicyAuthorizationPolicy -Detailed.
Common Multi-Tenant Copilot Configuration Issues
Copilot Returns Results from the Wrong Tenant
If a user sees data from another tenant in their Copilot responses, the most likely cause is a misconfigured cross-tenant access policy in Azure AD. Go to Azure AD > External Identities > Cross-tenant access settings. Verify that inbound access from the other tenant is set to Block unless you explicitly need collaboration. Copilot does not index external tenant data, but even with Block set, shared links may appear in search if the user has cached permissions. Clear the user’s browser cache and sign out of all accounts to resolve this.
Copilot Settings Do Not Apply After Configuration
Changes to Copilot settings in the admin center can take up to 24 hours to propagate to all users. If you need immediate effect, run the following command in PowerShell to force a policy refresh for a specific user:
```powershell
Update-MgUser -UserId user@domain.com -CopilotPolicyRefresh $true
```
This command triggers a background sync of the Copilot policy for that user. Wait five minutes and ask the user to restart their browser or Copilot pane.
Copilot Plugins Appear Disabled for Some Users
If plugin settings differ between tenants, users who collaborate across tenants may see inconsistent plugin availability. For example, a user in Tenant A might have the Planner plugin enabled, but when they access documents shared from Tenant B, the plugin is unavailable. To avoid this, keep plugin permissions identical across all tenants. Use the PowerShell script from the previous section to enforce the same plugin list everywhere.
| Item | Single Tenant | Multi-Tenant |
|---|---|---|
| Admin configuration | One admin center session | Separate session per tenant |
| Data source policy | Set once | Set per tenant, must match |
| Cross-tenant data access | Not applicable | Blocked by default, configurable via Azure AD |
| Plugin permissions | One policy | Must be identical across tenants |
| Compliance enforcement | Single label policy | Per-tenant label policy, no cross-tenant inheritance |
Now you can configure Copilot in a multi-tenant environment by applying consistent settings to each tenant manually or with PowerShell. Start by documenting your current data source and plugin policies for one tenant, then replicate them across all others. For advanced compliance, set up Microsoft Purview audit logs to monitor Copilot activity across tenants and detect any policy drift. Use the cross-tenant access settings in Azure AD to block unwanted data sharing between tenants.
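The consistency requirement above (identical data-source and plugin settings in every tenant, inbound cross-tenant access set to Block) can be checked offline against the configuration records documented in step 6. The script below is an added example, not part of the original article: the tenant names and records are constructed sample data, dataSources and pluginPermissions are the keys used in the article's script, and inboundAccess and Get-CopilotSettingDrift are hypothetical names chosen for illustration.

```powershell
# Constructed sample data: the baseline every tenant is expected to match.
$baseline = [ordered]@{
    dataSources       = @('Files', 'SharePointOnline', 'TeamsChats')
    pluginPermissions = @('Microsoft')
    inboundAccess     = @('Block')   # assumed key for the documented cross-tenant inbound setting
}

# Constructed sample data: one documented record per tenant.
$tenants = @(
    @{ name = 'contoso-eu';   dataSources = @('Files', 'TeamsChats', 'SharePointOnline')
       pluginPermissions = @('Microsoft'); inboundAccess = @('Block') }
    @{ name = 'contoso-us';   dataSources = @('Files', 'SharePointOnline', 'TeamsChats', 'ExchangeOnline')
       pluginPermissions = @('Microsoft'); inboundAccess = @('Block') }
    @{ name = 'contoso-test'; dataSources = @('Files', 'SharePointOnline', 'TeamsChats')
       pluginPermissions = @('Microsoft', 'ThirdParty'); inboundAccess = @('Allow') }
)

function Get-CopilotSettingDrift {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary]   $Baseline,
        [Parameter(Mandatory)] [System.Collections.IDictionary[]] $Tenant
    )
    foreach ($t in $Tenant) {
        foreach ($key in $Baseline.Keys) {
            # Compare as sets: ordering is ignored, and a missing key counts as empty.
            $expected = @($Baseline[$key])
            $actual   = @($t[$key] | Where-Object { $null -ne $_ })
            $extra    = @($actual   | Where-Object { $_ -notin $expected })
            $missing  = @($expected | Where-Object { $_ -notin $actual })
            if ($extra.Count -or $missing.Count) {
                [pscustomobject]@{
                    Tenant  = $t['name']
                    Setting = $key
                    Extra   = $extra -join ', '     # present in the tenant, not in the baseline
                    Missing = $missing -join ', '   # in the baseline, absent from the tenant
                }
            }
        }
    }
}

$drift = @(Get-CopilotSettingDrift -Baseline $baseline -Tenant $tenants)
$drift | Format-Table -AutoSize
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) differ from the baseline"
}
```

Rows in the Extra column are the ones to review first, since they widen what Copilot can read or which plugins can run in that tenant.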