You may need to disable Copilot in Outlook for certain mailboxes to meet data compliance rules or to reduce unnecessary AI suggestions for shared mailboxes. Copilot in Outlook is powered by Microsoft Graph and Microsoft 365 services. When enabled, it can read email content to generate replies, summarize threads, and draft messages. This article explains how to disable Copilot for specific mailboxes using PowerShell and Microsoft 365 admin policies. You will learn the exact commands and settings needed to restrict Copilot access without affecting other mailboxes in your tenant.
Key Takeaways: Disable Copilot in Outlook for Specific Mailboxes
- Exchange Online PowerShell cmdlet Set-CASMailbox -EwsEnabled $false: Disables Exchange Web Services for a mailbox, which blocks Copilot from reading email data.
- Microsoft 365 admin center > Copilot > Data sources > Outlook: Tenant-level toggle that controls whether Copilot can access Outlook data at all.
- Microsoft 365 admin center > Mailbox > Mailbox features > Exchange Web Services: Per-mailbox setting to allow or block EWS access, directly affecting Copilot functionality.
Why Copilot in Outlook Reads Mailbox Data
Copilot in Outlook uses Exchange Web Services to access email content, calendar items, and contact data. When you ask Copilot to summarize an email thread or draft a reply, it sends the relevant message content to Microsoft 365 services for processing. This data retrieval happens through EWS, which is enabled by default for every mailbox in Exchange Online.
The root cause of Copilot appearing in a specific mailbox is that the mailbox has EWS enabled and the user has a Copilot license. If you want to disable Copilot for a specific mailbox, you must block EWS access for that mailbox. This prevents Copilot from reading any data in that mailbox while keeping Copilot active for all other licensed users.
Another factor is the tenant-level Copilot data source setting. If you disable the Outlook data source at the tenant level, Copilot stops working for all mailboxes. For granular control, you need per-mailbox EWS management.
Steps to Disable Copilot for a Specific Mailbox Using PowerShell
- Connect to Exchange Online PowerShell
  Open Windows PowerShell as administrator. Run the command `Connect-ExchangeOnline` and sign in with a Global Admin or Exchange Admin account.
- Identify the target mailbox
  Run `Get-Mailbox -Identity "user@domain.com" | Format-List Name,DisplayName,RecipientTypeDetails` to confirm the mailbox exists and is a user mailbox.
- Check current EWS status
  Run `Get-CASMailbox -Identity "user@domain.com" | Format-List EwsEnabled,EwsAllowOutlook,EwsAllowMacOutlook,EwsAllowEntourage`. If `EwsEnabled` shows `$true`, Copilot can access this mailbox.
- Disable EWS for the mailbox
  Run `Set-CASMailbox -Identity "user@domain.com" -EwsEnabled $false`. This blocks all EWS access, including Copilot, Outlook for the web, and third-party apps that rely on EWS.
- Verify the change
  Run `Get-CASMailbox -Identity "user@domain.com" | Format-List EwsEnabled`. The output should show `EwsEnabled : False`.
- Test Copilot in Outlook
  Sign in to Outlook desktop or web as the affected user. Open a message and click the Copilot icon. You should see an error or no response, confirming Copilot cannot read data from this mailbox.
Steps to Disable Copilot for a Specific Mailbox Using the Admin Center
- Open Microsoft 365 admin center
  Go to https://admin.microsoft.com and sign in as a Global Admin or Exchange Admin.
- Navigate to the mailbox settings
  Go to Users > Active users, select the target user, then click the Mail tab.
- Open Mailbox features
  Under Email apps, click Manage email apps.
- Disable Exchange Web Services
  Uncheck the box for Exchange Web Services. Click Save changes. This blocks Copilot from accessing mailbox data.
- Confirm the change
  Go back to the user's Mail tab and verify that Exchange Web Services shows as Disabled.
If Copilot Still Works After Disabling EWS
Copilot uses Graph API instead of EWS
In some Microsoft 365 tenants, Copilot may fall back to Microsoft Graph API to read mailbox data. To block Graph API access, you must use a Conditional Access policy. Create a policy that targets the Microsoft Graph app and blocks access for the specific user or group. This is an advanced step and may affect other Microsoft 365 services that rely on Graph.
Copilot license is assigned to a shared mailbox
Shared mailboxes cannot have Copilot licenses assigned directly. If a shared mailbox appears to have Copilot, it is because a licensed user has delegate access. Remove delegate permissions or block EWS for the shared mailbox using the same PowerShell cmdlet: Set-CASMailbox -Identity "sharedmailbox@domain.com" -EwsEnabled $false.
Copilot is enabled at the tenant level for Outlook data source
If you disable EWS per mailbox but the tenant-level Copilot data source for Outlook remains active, Copilot may still attempt to access data through other channels. Verify the tenant setting by going to Microsoft 365 admin center > Copilot > Data sources and ensure Outlook is set to On only for the groups you intend. For granular control, use the per-mailbox EWS method as the primary approach.
| Item | Disable via PowerShell | Disable via Admin Center |
|---|---|---|
| Method | Set-CASMailbox cmdlet | Mailbox features > EWS toggle |
| Scope | Single mailbox or bulk via script | One mailbox at a time |
| Effect on user | Blocks all EWS apps, including Copilot | Same as PowerShell |
| Requires admin role | Exchange Admin or Global Admin | Exchange Admin or Global Admin |
| Reversibility | Set-CASMailbox -EwsEnabled $true | Re-enable EWS in admin center |
You can now disable Copilot for specific mailboxes by blocking Exchange Web Services access via PowerShell or the admin center. This gives you per-mailbox control without affecting other users. For shared mailboxes, always use the PowerShell method to ensure EWS is fully disabled. If you need to block Copilot for a group of mailboxes, create a CSV list of identities and run the Set-CASMailbox cmdlet in a loop for efficient bulk management.
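As an added example (not part of the original article or any Microsoft-provided script), the bulk approach can run the same check, disable and verify steps for each mailbox and record the previous EWS state so a change can be reverted. It assumes an active Connect-ExchangeOnline session and a CSV with an Identity column; the function name and file paths are hypothetical.

```powershell
# Added example: bulk version of the check / disable / verify steps.
# Assumes an existing Connect-ExchangeOnline session and a CSV with an
# "Identity" column. Function name and file names are hypothetical.
function Disable-EwsForMailboxList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [string]$ReportPath = '.\ews-change-report.csv'
    )
    $report = @(foreach ($row in Import-Csv -Path $CsvPath) {
        $id = "$($row.Identity)".Trim()
        if (-not $id) { continue }   # skip blank rows

        $entry = [ordered]@{
            Identity = $id; Before = $null; After = $null
            Result = ''; TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
        try {
            # Record the state before the change so it can be reverted later.
            $before = Get-CASMailbox -Identity $id -ErrorAction Stop
            $entry.Before = $before.EwsEnabled

            if ($before.EwsEnabled -eq $false) {
                $entry.After  = $false
                $entry.Result = 'AlreadyDisabled'
            }
            elseif ($PSCmdlet.ShouldProcess($id, 'Set EwsEnabled to $false')) {
                Set-CASMailbox -Identity $id -EwsEnabled $false -ErrorAction Stop
                # Re-read the setting instead of assuming the write took effect.
                $entry.After  = (Get-CASMailbox -Identity $id -ErrorAction Stop).EwsEnabled
                $entry.Result = if ($entry.After -eq $false) { 'Disabled' } else { 'VerifyFailed' }
            }
            else {
                $entry.Result = 'Skipped'   # -WhatIf or declined confirmation
            }
        }
        catch {
            $entry.Result = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$entry
    })
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

# Dry run first, then apply:
# Disable-EwsForMailboxList -CsvPath .\mailboxes.csv -WhatIf
# Disable-EwsForMailboxList -CsvPath .\mailboxes.csv
```

The report's Before column shows which mailboxes had EWS explicitly enabled, unset or already disabled, which is the information needed to restore the original state with `Set-CASMailbox -EwsEnabled $true` where appropriate.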