When you try to sign in to Copilot, you may see the error AADSTS700016 with the message Application Not Found in Tenant. This error means Azure Active Directory cannot locate the Copilot application registration in your Microsoft 365 tenant. The issue typically occurs after a tenant migration, a misconfigured enterprise application, or when the required service principal for Copilot is missing or disabled. This article explains the root cause of the AADSTS700016 error and provides the exact steps to restore Copilot access.
Key Takeaways: Fixing Copilot AADSTS700016 Error
- Azure AD > Enterprise applications > Copilot: Confirm the Copilot service principal is present and enabled in your tenant.
- PowerShell command Get-MgServicePrincipal: Use Microsoft Graph PowerShell to verify and recreate the Copilot app registration if missing.
- Microsoft 365 admin center > Users > Active users > Licenses: Ensure the affected user has an active Copilot license assigned.
Why the AADSTS700016 Error Occurs for Copilot
The AADSTS700016 error is an Azure Active Directory authentication failure. It means the application ID that Copilot uses to request a token does not match any application registration in your tenant. This can happen for three main reasons.
Missing or Deleted Service Principal
When you first assign Copilot licenses or enable the service, Azure AD automatically creates a service principal for the Copilot application. If an administrator accidentally deletes this service principal from Enterprise applications, or if the tenant was migrated from another directory, the principal may not exist. Without the service principal, Azure AD cannot issue tokens for Copilot.
Incorrect Tenant ID or App ID in Configuration
In some cases, a conditional access policy or a third-party identity provider may reference a different tenant ID or application ID. Copilot uses a well-known application ID, and any mismatch triggers the error. This often occurs after a tenant-to-tenant migration or when using custom authentication flows.
License Assignment Issues
Although the error is an authentication problem, it can also appear when a user does not have a valid Copilot license assigned. Azure AD checks license eligibility during token issuance. If the license is missing, the token request fails with this error.
Steps to Resolve Copilot AADSTS700016 Error
Follow these steps in order. Each step builds on the previous one.
1. Check the Copilot Service Principal in Azure AD
   Sign in to the Azure portal at portal.azure.com. Go to Azure Active Directory > Enterprise applications. In the search box, type Copilot. If you see an entry named Microsoft Copilot Service, select it and verify the status is Enabled. If it is disabled, click Properties and set Enabled for users to sign-in to Yes. If no entry appears, proceed to step 2.
2. Recreate the Copilot Service Principal Using PowerShell
   Open Windows PowerShell as an administrator. Run `Install-Module Microsoft.Graph -Scope CurrentUser` if the module is not installed. Then run `Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All"`. Authenticate with a Global Admin account. Run `New-MgServicePrincipal -AppId "d17f9c1e-ee4f-4f6b-8d6b-8c3d9c8b7a6e" -DisplayName "Microsoft Copilot Service"`. This creates the missing service principal. Close PowerShell.
3. Verify the Service Principal Was Created
   Return to the Azure portal and refresh the Enterprise applications list. Search for Copilot again. You should see Microsoft Copilot Service. Select it and confirm that the Object ID is populated. If the status is disabled, enable it as described in step 1.
4. Assign a Copilot License to the Affected User
   Go to the Microsoft 365 admin center at admin.microsoft.com. Navigate to Users > Active users. Select the user who sees the error. Click the Licenses and apps tab. Expand Microsoft Copilot or Copilot for Microsoft 365 and check the box. Click Save changes. Wait 5 minutes for the license to propagate.
5. Clear Browser Cache and Sign In Again
   In the affected browser, clear all cookies and cached data for the Microsoft 365 domain. Close the browser completely. Open a new browser window, navigate to copilot.microsoft.com, and sign in with the user account. The error should no longer appear.
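Steps 1 through 4 can be run as one Microsoft Graph PowerShell script that diagnoses before it changes anything. This is an added example, not code from the article; it assumes the Microsoft.Graph module is installed, that `$CopilotAppId` is the application ID the article cites (confirm it against your own tenant's Enterprise applications entry before relying on it), and that `$UserPrincipalName` is a placeholder for the affected user.

```powershell
# Added example: check, repair and verify the Copilot service principal and
# a user's Copilot license. Run as a Global Admin.
param(
    # App ID as given in this article; verify it matches your tenant's entry.
    [string]$CopilotAppId = "d17f9c1e-ee4f-4f6b-8d6b-8c3d9c8b7a6e",
    # Placeholder user; replace with the account that sees AADSTS700016.
    [string]$UserPrincipalName = "user@contoso.example"
)

# Write scopes are only exercised if the principal has to be recreated or enabled.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "User.Read.All"

# Step 1: look the principal up by appId, which is what the token request carries.
$sp = Get-MgServicePrincipal -Filter "appId eq '$CopilotAppId'"

if (-not $sp) {
    Write-Warning "No service principal for appId $CopilotAppId in this tenant (AADSTS700016 condition)."
    # Step 2: recreate it. This fails if no application with that appId is
    # reachable from this tenant, which points at a wrong or mistyped app ID.
    try {
        $sp = New-MgServicePrincipal -AppId $CopilotAppId -DisplayName "Microsoft Copilot Service"
    } catch {
        throw "Could not create service principal for appId ${CopilotAppId}: $($_.Exception.Message)"
    }
}

# Step 3: an Object ID confirms creation; AccountEnabled is the portal's
# "Enabled for users to sign-in" switch.
if (-not $sp.Id) { throw "Service principal has no Object ID; creation did not complete." }
if (-not $sp.AccountEnabled) {
    Write-Warning "Service principal $($sp.Id) is disabled for sign-in; enabling it."
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$true
}
Write-Output "Service principal OK: DisplayName='$($sp.DisplayName)' ObjectId=$($sp.Id)"

# Step 4: confirm the user holds a Copilot SKU (matched by name so the script
# does not depend on a specific SkuPartNumber).
$copilotLicenses = Get-MgUserLicenseDetail -UserId $UserPrincipalName |
    Where-Object { $_.SkuPartNumber -like "*Copilot*" }

if (-not $copilotLicenses) {
    Write-Warning "$UserPrincipalName has no Copilot license; assign one and allow time to propagate."
} else {
    Write-Output "Copilot license present for ${UserPrincipalName}: $($copilotLicenses.SkuPartNumber -join ', ')"
}
```

A warning rather than a throw on the license check keeps the principal repair independent of the licensing fix, so the script can be rerun per tenant as the closing paragraph of the article recommends.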
If Copilot Still Shows the AADSTS700016 Error
If the error persists after the main fix, try the following additional checks.
Copilot App Registration Missing from All Tenants After Migration
If you recently migrated from one Azure AD tenant to another, the Copilot service principal may not have been migrated. In the new tenant, run the PowerShell command from step 2 again. Then ensure that all users have their licenses reassigned in the new tenant. Verify that the domain names in the new tenant match the ones used for user sign-in.
Conditional Access Policy Blocking Copilot
A conditional access policy that targets all cloud apps may inadvertently block the Copilot application ID. In the Azure portal, go to Azure Active Directory > Security > Conditional Access. Review each policy that applies to All cloud apps or to Microsoft Copilot. Ensure the policy does not block the authentication request. If necessary, create an exclusion for the Copilot app ID d17f9c1e-ee4f-4f6b-8d6b-8c3d9c8b7a6e.
Third-Party Identity Provider Misconfiguration
If you use a third-party identity provider such as Okta or Ping Identity, verify that the application ID for Copilot is correctly registered in that provider. The provider must pass the correct tenant ID and app ID back to Azure AD. Contact your identity provider's support for the exact configuration values.
Copilot AADSTS700016 vs Other Copilot Authentication Errors
| Item | AADSTS700016 | AADSTS50020 | AADSTS65001 |
|---|---|---|---|
| Error message | Application Not Found in Tenant | User account from external identity provider does not exist | The application needs consent to access resources in your organization |
| Root cause | Missing or disabled service principal for Copilot | User is from a domain not trusted by the tenant | Admin or user consent not granted for Copilot delegated permissions |
| Primary fix | Recreate service principal via PowerShell | Add the external domain as a verified domain or invite user as guest | Grant tenant-wide admin consent for Copilot in Enterprise applications |
| Typical user scope | All users in the tenant | External guest users only | First-time sign-in users |
After you complete the steps above, Copilot should authenticate successfully. If you manage multiple tenants, run the PowerShell command once per tenant that lacks the service principal. To prevent this error in the future, avoid deleting the Microsoft Copilot Service enterprise application. If you use automated tenant provisioning, include the Copilot service principal in your baseline configuration.