Copilot AADSTS90072 Cross-Tenant User Error: Fix Steps

When you try to use Microsoft Copilot in a tenant where you are a guest user, you may see error AADSTS90072. This error means Azure Active Directory cannot authenticate your account because the user belongs to an external tenant. The message typically reads: “User from external Azure Active Directory tenant is not supported.” This article explains why the error occurs and provides step-by-step methods to resolve it so you can access Copilot in your organization.

Key Takeaways: Fixing the AADSTS90072 Cross-Tenant Error for Copilot

  • Microsoft Entra admin center > External Identities > Cross-tenant access settings: Configure inbound and outbound trust settings to allow guest users to use Copilot.
  • Conditional Access policy > Grant > Require multifactor authentication: Ensure the guest user satisfies all conditional access requirements before Copilot can authenticate.
  • PowerShell Set-MgPolicyCrossTenantAccessPolicyPartner: Use Microsoft Graph PowerShell to automate cross-tenant trust configuration for large organizations.

Why the AADSTS90072 Error Appears for Copilot

The AADSTS90072 error indicates that Azure Active Directory recognizes the user as belonging to an external tenant. Copilot, like other Microsoft 365 services, requires the user’s identity to be either native to the tenant or explicitly trusted through cross-tenant access settings. When a guest user attempts to authenticate, Azure AD checks the home tenant and the resource tenant. If the resource tenant does not have a cross-tenant trust policy that accepts the guest user’s home tenant, authentication fails with this error. This is a security measure to prevent unauthorized external access to organizational data through Copilot.

Cross-tenant access policies are the root cause

By default, Microsoft Entra ID blocks inbound access from external tenants for services like Copilot unless an administrator explicitly configures cross-tenant access settings. The error is not a Copilot bug. It is an identity policy enforcement that prevents guest users from reaching Copilot’s backend services.

Guest user license assignment does not fix the error

Assigning a Copilot license to a guest user in the resource tenant does not bypass the cross-tenant authentication check. The error occurs before Copilot evaluates licensing. You must resolve the identity trust first.

Steps to Configure Cross-Tenant Access for Copilot

Follow these steps in the Microsoft Entra admin center to allow guest users from a specific external tenant to authenticate for Copilot.

  1. Open Microsoft Entra admin center
    Go to https://entra.microsoft.com and sign in as a Global Administrator or Security Administrator. In the left navigation, select External Identities then Cross-tenant access settings.
  2. Add the external tenant as an organizational partner
    Under Organizational settings, click Add organization. Enter the tenant ID or domain name of the external tenant where the guest user’s account resides. Click Add.
  3. Configure inbound access trust
    Select the newly added tenant row. In the Inbound access tab, set Trust settings to Allow users and groups. Under Application access, enable Allow all applications or specifically select Microsoft Copilot and Microsoft 365 Suite.
  4. Configure outbound access trust
    In the same tenant settings, switch to the Outbound access tab. Set Trust settings to Allow users and groups. This ensures the guest user can present their home tenant claims to the resource tenant.
  5. Save and wait for replication
    Click Save. The policy change may take up to 15 minutes to replicate across all Microsoft Entra ID services. After replication, ask the guest user to sign out and sign back in to Microsoft 365.
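The same steps 2 through 4, scripted with Microsoft Graph PowerShell. This is an added example, not code from the original article; it uses the Graph SDK's New-/Update-MgPolicyCrossTenantAccessPolicyPartner cmdlets, assumes the Microsoft.Graph.Identity.SignIns module is installed, and uses a placeholder partner tenant ID that you must replace.

```powershell
# Added example: scripted equivalent of adding an organizational partner and
# allowing inbound/outbound B2B collaboration for its users and all applications.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$ExternalTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# "Allow users and groups" / "Allow all applications" as in the portal steps.
# Narrow the application targets if only Microsoft 365 workloads are needed.
$allowAllUsers = @{
    accessType = "allowed"
    targets    = @(@{ target = "AllUsers"; targetType = "user" })
}
$allowAllApps = @{
    accessType = "allowed"
    targets    = @(@{ target = "AllApplications"; targetType = "application" })
}

$settings = @{
    b2bCollaborationInbound  = @{ usersAndGroups = $allowAllUsers; applications = $allowAllApps }
    b2bCollaborationOutbound = @{ usersAndGroups = $allowAllUsers; applications = $allowAllApps }
    # Accept the home tenant's MFA claim so a guest who already registered MFA
    # there can satisfy an MFA grant control here; device claims stay untrusted.
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# Create the partner entry if it does not exist yet, otherwise update it in place.
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $ExternalTenantId `
    -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    $settings["tenantId"] = $ExternalTenantId
    New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $settings
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $ExternalTenantId `
        -BodyParameter $settings
}
```

Allow 15 minutes for replication before asking the guest to sign out and back in, as in step 5.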

Verify the guest user’s conditional access policies

If the error persists after configuring cross-tenant access, check the resource tenant’s Conditional Access policies. The guest user must meet all conditions, such as multifactor authentication or device compliance. To verify:

  1. Open Conditional Access policies
    In Microsoft Entra admin center, go to Protection > Conditional Access > Policies.
  2. Locate policies that include the guest user
    Filter by Users and groups. Look for policies that apply to All guests and external users or the specific guest user.
  3. Ensure the user can satisfy grant controls
    If the policy requires multifactor authentication, confirm the guest user has registered for MFA in their home tenant. If the policy requires a compliant device, the guest user must join or register their device in the resource tenant.
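To find the policies from steps 1 through 3 without clicking through the portal, the following added example (not from the original article) lists every enabled Conditional Access policy in the resource tenant that scopes guest or external users, together with the grant controls the guest must satisfy. It assumes the Microsoft.Graph.Identity.SignIns module and Policy.Read.All consent.

```powershell
# Added example: enumerate enabled Conditional Access policies that apply to
# guests, so the grant controls (MFA, compliant device, ...) can be checked
# against what the guest's home tenant can actually provide.
Connect-MgGraph -Scopes "Policy.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq "enabled" }

foreach ($p in $policies) {
    $users = $p.Conditions.Users

    # Guests are in scope when the policy targets All users, uses the legacy
    # "GuestsOrExternalUsers" include, or uses the newer guest-type selector.
    $targetsGuests = ($users.IncludeUsers -contains "All") -or
                     ($users.IncludeUsers -contains "GuestsOrExternalUsers") -or
                     ($null -ne $users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)

    if (-not $targetsGuests) { continue }

    [pscustomobject]@{
        Policy        = $p.DisplayName
        GuestTypes    = $users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes
        GrantControls = ($p.GrantControls.BuiltInControls -join ", ")
        Operator      = $p.GrantControls.Operator   # AND = every control required
    }
}
```

A policy whose grant controls include compliantDevice will keep blocking the guest until the device is registered in the resource tenant, exactly as step 3 describes.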

If Copilot Still Has Issues After the Main Fix

Error persists even after cross-tenant access is configured

Clear the user’s cached tokens. Open a private browser window, sign in to https://login.microsoftonline.com, and then navigate to https://copilot.microsoft.com. If the error appears again, run the Microsoft Graph PowerShell script below to verify the cross-tenant policy was applied correctly.

Guest user cannot see Copilot in the Microsoft 365 app launcher

Ensure the guest user has a Copilot license assigned in the resource tenant. Go to Microsoft 365 admin center > Users > Active users, select the guest user, and assign a Copilot license under the Licenses and apps tab. The license does not fix authentication but is required after authentication succeeds.

PowerShell verification script

Run the following in Microsoft Graph PowerShell to confirm cross-tenant policy is active. Replace ExternalTenantId with the actual tenant ID.

# Read-only scope is enough to inspect the partner configuration
Connect-MgGraph -Scopes "Policy.Read.All"

# The partner is addressed by its tenant ID; "ExternalTenantId" is a placeholder
Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId "ExternalTenantId" | Format-List

If the output shows InboundTrust and OutboundTrust as True, the policy is active. If not, run Set-MgPolicyCrossTenantAccessPolicyPartner to apply the trust settings.

| Item | Guest user with cross-tenant trust | Guest user without cross-tenant trust |
|---|---|---|
| Authentication to Copilot | Succeeds after policy replication | Fails with AADSTS90072 |
| License requirement | Copilot license must be assigned | License assignment irrelevant |
| Conditional Access enforcement | Guest user must satisfy resource tenant policies | Policies never evaluated because authentication fails |
| Admin configuration needed | Cross-tenant access settings in Entra ID | None |

You can now resolve the AADSTS90072 error for Copilot by configuring cross-tenant access in Microsoft Entra admin center. Start with the organizational settings for the external tenant and verify that Conditional Access policies do not block the guest user. For faster deployment in large environments, use Microsoft Graph PowerShell to apply trust policies across multiple partner tenants. After the fix, test Copilot access from a private browser session to confirm the authentication flow completes.