When you open Microsoft 365 Chat and try to send a prompt, Copilot may return an HTTP 403 Forbidden error. This error means your request was blocked before it reached the Copilot service. The most common cause is a missing or expired license assignment for Copilot. In some cases, a Conditional Access policy or an IP restriction in your tenant blocks the connection. This article explains the root cause of the 403 error and provides step-by-step fixes to restore access.
Key Takeaways: Fixing HTTP 403 Forbidden in Copilot Chat
- Microsoft 365 admin center > Billing > Licenses: Verify the user has an active Copilot for Microsoft 365 license assigned.
- Microsoft Entra admin center > Conditional Access: Check if a policy blocks Copilot traffic, especially if it requires a compliant device or specific location.
- Microsoft 365 admin center > Copilot > Settings: Ensure the Copilot service is enabled for your tenant and not restricted by data source policies.
Why Copilot in Microsoft 365 Chat Returns HTTP 403 Forbidden
The HTTP 403 Forbidden error is an access-denied response from the server. When Copilot sends a request to the Microsoft 365 Chat backend, the server checks three things before processing the prompt: the user’s license, the tenant’s service configuration, and any security policies that apply to the user or device. If any of these checks fail, the server returns 403 without processing the request.
The most frequent root cause is an expired or unassigned Copilot license. Each user must have an active Copilot for Microsoft 365 subscription assigned to their account. Without it, the backend rejects the request. Another common cause is a Conditional Access policy that requires a managed device or a specific network location. If the user is on a personal device or outside the corporate network, the policy can block Copilot traffic. Finally, an IP restriction set in the Microsoft 365 tenant firewall or a third-party security tool can also produce a 403 error.
License Expiration or Incorrect Assignment
Copilot for Microsoft 365 licenses are per-user subscriptions. If the license expires or is removed from the user, the service stops responding. The admin must check the license assignment in the Microsoft 365 admin center.
Conditional Access Policy Blocking Copilot
Conditional Access policies in Microsoft Entra ID can block access to cloud apps based on user, device, location, or risk level. A policy that requires a compliant device or a specific IP range may block Copilot if the user does not meet the conditions.
Tenant-Level Service Restriction
In some tenants, an admin may disable Copilot for the entire organization or restrict it to specific security groups. If the user is not in the allowed group, the request returns 403.
Steps to Resolve HTTP 403 Forbidden in Microsoft 365 Chat
Follow these steps in order. Each step addresses one possible cause. After each step, test Copilot in Microsoft 365 Chat before moving to the next step.
Step 1: Verify the Copilot License Assignment
- Open the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in with a Global Admin or Billing Admin account. - Navigate to Billing > Licenses
In the left navigation, select Billing then Licenses. - Select the Copilot for Microsoft 365 license product
Click on the product name that includes “Copilot for Microsoft 365.” If you do not see this product, the tenant does not have any Copilot licenses assigned. - Check the assigned users list
Scroll to the Assigned users section. Find the affected user in the list. If the user is not listed, click Assign licenses and add the user. - Confirm the license is active
Check the Status column. It should show Active. If it shows Expired or Suspended, renew the subscription.
Step 2: Review Conditional Access Policies
- Open the Microsoft Entra admin center
Go to https://entra.microsoft.com and sign in with a Global Admin or Conditional Access Admin account. - Navigate to Protection > Conditional Access
In the left navigation, select Protection then Conditional Access. - Review policies that apply to all cloud apps or Microsoft 365 Chat
Click each policy that targets All cloud apps or the Microsoft 365 Chat app. Look for policies that require a compliant device, a specific location, or multi-factor authentication. - Test the policy in What If mode
Click What If at the top of the Conditional Access page. Enter the affected user’s account and the app Microsoft 365 Chat. Review which policies apply. If a policy blocks access, work with your security team to create an exception for the Copilot app.
Step 3: Enable Copilot in the Tenant Settings
- Open the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in with a Global Admin account. - Navigate to Settings > Org settings
In the left navigation, select Settings then Org settings. - Select the Copilot service
Find the Copilot entry in the list and click it. If you do not see it, your tenant may be on a plan that does not support Copilot. - Verify Copilot is enabled for all users or the affected user’s group
Under Who can use Copilot, ensure the user’s group is selected. If the setting is Turn on for everyone, no further change is needed. If it is restricted to specific groups, add the user to that group.
Step 4: Check IP and Network Restrictions
- Review your tenant’s network allowlist
If your organization uses a firewall or a third-party security tool, confirm that the IP ranges for Microsoft 365 Chat are allowed. Microsoft publishes the current IP ranges at Microsoft 365 URLs and IP address ranges. - Check the Microsoft 365 admin center for IP restrictions
Go to Settings > Org settings > Security & privacy. Look for any IP-based access policies. If an IP restriction is active, add the user’s public IP to the allowlist.
If Copilot Still Returns 403 After the Main Fix
Copilot Returns 403 Only on Mobile Devices
If the 403 error appears only when using the Microsoft 365 mobile app, the cause is likely a Conditional Access policy that requires a compliant device. The mobile app may not report device compliance correctly. Install the Microsoft Authenticator app and register the device in Microsoft Entra ID. Then retry Copilot in the mobile app.
Copilot Returns 403 for Guest Users
Guest users from other tenants may not have a Copilot license assigned. Guest accounts require their own Copilot for Microsoft 365 license. Assign the license to the guest user in the Microsoft 365 admin center under Users > Active users. Select the guest user and go to Licenses and apps.
Copilot Returns 403 After a Recent Tenant Migration
If your tenant recently migrated from one Microsoft 365 plan to another, the Copilot service may not have been re-enabled. Go to Settings > Org settings > Copilot and toggle the service back on. Wait 15 minutes for the change to propagate.
Copilot License Plans: Pro vs Microsoft 365 for Chat Access
| Item | Copilot Pro | Copilot for Microsoft 365 |
|---|---|---|
| Description | Consumer subscription for individual use in Word, Excel, PowerPoint, and Outlook on the web | Enterprise subscription for business users with access to Microsoft 365 Chat and Graph-grounded data |
| Microsoft 365 Chat access | Not included | Full access with tenant data grounding |
| License cost | $20 per user per month | $30 per user per month |
| Conditional Access support | No | Yes, policies apply to Copilot traffic |
| Admin control | No tenant-level settings | Full control via Microsoft 365 admin center |
If a user reports HTTP 403 in Microsoft 365 Chat, confirm they have a Copilot for Microsoft 365 license, not a Copilot Pro license. Copilot Pro does not include access to the Microsoft 365 Chat service.
After completing the steps above, most users regain access to Copilot in Microsoft 365 Chat. Start with the license check because it is the fastest test. If the license is valid, move to Conditional Access policies and tenant settings. For persistent issues, check the Microsoft 365 service health dashboard in the admin center under Health > Service health for any active advisories.