You try to open Copilot on your iPhone or Android device and see an error message saying access is blocked. This usually happens because your organization uses Conditional Access policies in Microsoft Entra ID to control which apps and devices can reach Copilot. These policies can block mobile access even when the desktop version works fine. This article explains the root cause of this block and provides step-by-step diagnostic steps to identify and resolve the issue.
Key Takeaways: Diagnosing Copilot Conditional Access Blocks on Mobile
- Microsoft Entra admin center > Identity > Monitoring & health > Sign-in logs: Shows the exact policy and reason for the block.
- Conditional Access policy > Grant > Require approved client app: Mobile access requires this setting to be enabled for Copilot.
- Device platform condition in Conditional Access: Must include iOS and Android if mobile access is intended.
Why Conditional Access Blocks Copilot on Mobile
Conditional Access policies evaluate the sign-in context before granting access to cloud apps like Copilot. On mobile devices, the evaluation checks the device platform (iOS or Android), the app client ID, and whether the device is compliant or joined to Microsoft Entra ID. A block occurs when one of these checks fails. Common triggers include:
- The policy requires a compliant device, but the mobile device is not enrolled in Microsoft Intune.
- The policy requires an approved client app, but the Copilot mobile app does not match the client ID expected by the policy.
- The policy excludes mobile platforms, but the user is signing in from a phone.

The sign-in log in Microsoft Entra ID records the exact failure reason. Reviewing this log is the first diagnostic step.
Common Policy Settings That Cause Mobile Blocks
Three policy configurations frequently block mobile access:
- Device compliance: if the policy requires devices to be marked as compliant and the phone is not enrolled in Intune, access is denied.
- Approved client app requirement: this setting restricts access to apps that Microsoft has designated as approved. The Copilot mobile app must be listed as an approved client.
- Location-based policies: if the policy blocks sign-ins from certain geographic regions or IP ranges common to mobile carriers, the block occurs.
Diagnostic Steps to Identify the Blocking Policy
Follow these steps to find the exact Conditional Access policy that is blocking Copilot on your mobile device. You need Global Reader or Security Reader permissions in Microsoft Entra ID to view sign-in logs.
- Open the Microsoft Entra admin center: Go to entra.microsoft.com and sign in with your work or school account. In the left navigation menu, select Identity.
- Navigate to sign-in logs: Under Monitoring & health, select Sign-in logs. This page lists every sign-in attempt for your tenant.
- Filter for Copilot sign-ins: Click Add filter and choose Application. In the value field, type Copilot and select it from the list. Click Apply.
- Locate the failed mobile sign-in: Look for a sign-in with Status set to Failure. The Date column shows when the block happened. Click that row to open the sign-in details.
- Review the Conditional Access tab: In the sign-in details pane, select the Conditional Access tab. This tab shows every policy that was evaluated for this sign-in. Find the policy with a status of Failure or Not applied with a block result. The Policy name column tells you which policy caused the block.
- Check the device info: In the same sign-in details, scroll to the Device info section. Note the OS field, which shows iOS or Android. The Is compliant field shows whether the device was marked as compliant at the time of sign-in.
After you have the policy name and the failure reason, proceed to the next section to adjust the policy.
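The same triage can be run over an export of the sign-in logs instead of clicking through the portal. The following Python is an added example, not code from the article or from Microsoft: the field names follow the Microsoft Graph `signIn` resource (the data behind the Sign-in logs page), the three records are constructed sample data, and the `enforcedGrantControls` strings are illustrative values. It filters Copilot sign-ins from iOS or Android that failed with error code 53003, which separates Conditional Access blocks from other failures such as a wrong password, and pulls out the policy name, device OS and compliance state that the steps above locate by hand.

```python
"""Triage exported Microsoft Entra sign-in records for Conditional Access
blocks on mobile. Field names follow the Microsoft Graph `signIn` resource,
which is the same data the Sign-in logs page displays; the records below are
constructed sample data, not logs from a real tenant."""
import json

# AADSTS error code that denotes "blocked by Conditional Access policies".
CA_BLOCK_ERROR_CODE = 53003
MOBILE_PLATFORMS = {"iOS", "Android"}

# Constructed sample export: a CA block on iOS, a successful desktop sign-in,
# and an Android failure that is a bad password rather than a CA block.
SAMPLE_SIGNINS = json.loads("""
[
  {"id": "s1", "createdDateTime": "2024-05-01T08:01:00Z",
   "userPrincipalName": "alice@contoso.example",
   "appDisplayName": "Microsoft Copilot",
   "status": {"errorCode": 53003,
              "failureReason": "Access has been blocked by Conditional Access policies."},
   "deviceDetail": {"operatingSystem": "iOS", "isCompliant": false, "isManaged": false},
   "conditionalAccessStatus": "failure",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device for Copilot", "result": "failure",
      "enforcedGrantControls": ["RequireCompliantDevice"]},
     {"displayName": "Block legacy authentication", "result": "notApplied",
      "enforcedGrantControls": []}]},
  {"id": "s2", "createdDateTime": "2024-05-01T08:05:00Z",
   "userPrincipalName": "alice@contoso.example",
   "appDisplayName": "Microsoft Copilot",
   "status": {"errorCode": 0, "failureReason": "Other."},
   "deviceDetail": {"operatingSystem": "Windows", "isCompliant": true, "isManaged": true},
   "conditionalAccessStatus": "success",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device for Copilot", "result": "success",
      "enforcedGrantControls": ["RequireCompliantDevice"]}]},
  {"id": "s3", "createdDateTime": "2024-05-01T08:09:00Z",
   "userPrincipalName": "bob@contoso.example",
   "appDisplayName": "Microsoft Copilot",
   "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
   "deviceDetail": {"operatingSystem": "Android", "isCompliant": false, "isManaged": false},
   "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": []}
]
""")


def ca_blocked_mobile_signins(signins, app_substring="Copilot"):
    """Sign-ins to the app that failed with 53003 from iOS or Android.
    Filtering on the error code separates CA blocks from other failures
    (wrong password, locked account) that also show Status = Failure."""
    hits = []
    for s in signins:
        if app_substring.lower() not in s.get("appDisplayName", "").lower():
            continue
        if s.get("status", {}).get("errorCode") != CA_BLOCK_ERROR_CODE:
            continue
        if s.get("deviceDetail", {}).get("operatingSystem") not in MOBILE_PLATFORMS:
            continue
        hits.append(s)
    return hits


def blocking_policies(signin):
    """Policies evaluated with result 'failure' for this sign-in, paired with
    the grant controls they enforced (the Policy name column on the
    Conditional Access tab)."""
    return [(p["displayName"], tuple(p.get("enforcedGrantControls", [])))
            for p in signin.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]


def triage(signin):
    """The fields a defender needs from one blocked sign-in."""
    device = signin.get("deviceDetail", {})
    return {
        "user": signin.get("userPrincipalName"),
        "when": signin.get("createdDateTime"),
        "os": device.get("operatingSystem"),
        "is_compliant": device.get("isCompliant"),
        "is_managed": device.get("isManaged"),
        "failure_reason": signin.get("status", {}).get("failureReason"),
        "blocking_policies": blocking_policies(signin),
    }


def triage_report(signins, app_substring="Copilot"):
    """One triage row per CA-blocked mobile sign-in to the given app."""
    return [triage(s) for s in ca_blocked_mobile_signins(signins, app_substring)]


if __name__ == "__main__":
    for row in triage_report(SAMPLE_SIGNINS):
        print(json.dumps(row, indent=2))
```

On the sample data only `s1` is reported: `s2` succeeded on a compliant Windows device, and `s3` failed on Android for a credential error, not a Conditional Access block. Pointing `SAMPLE_SIGNINS` at a real export (for example the JSON download from the Sign-in logs page) gives the same report for a tenant.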
How to Adjust the Conditional Access Policy for Mobile Access
You need Conditional Access Administrator or Global Administrator permissions to edit policies. Do not modify policies without understanding the security impact.
- Open the Conditional Access policies page: In the Microsoft Entra admin center, go to Identity > Protection > Conditional Access. A list of all policies appears.
- Select the blocking policy: Find the policy name you identified from the sign-in log. Click the policy to open its settings.
- Review the Assignments section: Under Assignments, check Users and groups to confirm the policy applies to the correct users. Then check Cloud apps or actions to see if Copilot is included.
- Check the Conditions section: Expand Conditions and click Device platforms. Ensure iOS and Android are selected if you want to allow mobile access. If they are excluded, remove the exclusion or add them to the included list.
- Review the Grant section: Under Access controls > Grant, look at the settings. If Require device to be marked as compliant is selected, the mobile device must be enrolled in Intune and compliant. If Require approved client app is selected, the Copilot mobile app must be on the approved list. You can add a second control like Require multifactor authentication to allow access without device compliance.
- Save and test: Click Save. Ask the user to sign in again on the mobile device. If the block persists, repeat the sign-in log review to check for additional policies.
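To see why the Grant and Device platforms settings decide the outcome, the following Python is an added example, not code from the article or from Microsoft. It is a simplified teaching model of Conditional Access evaluation, not the Entra engine: the policy dictionaries mirror the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`conditions.platforms`, `grantControls.operator`, `grantControls.builtInControls`), while the sign-in context fields (`platform`, `is_compliant`, `approved_client_app`, `mfa_completed`) and all three policies are constructed. It places the blocking policy from the steps above beside the adjusted one that adds multifactor authentication as an alternative control, and adds a third, platform-scoped block policy to show how an excluded-platform list blocks phones.

```python
"""Simplified model of how a Conditional Access policy's device-platform
condition and grant controls decide a mobile sign-in. Policy objects mirror
the shape of the Microsoft Graph `conditionalAccessPolicy` resource, but the
evaluator is a teaching model, not the Entra engine, and every policy and
sign-in context here is constructed."""

# Before: requires a compliant device on every platform; an unenrolled
# phone can never satisfy it.
POLICY_BEFORE = {
    "displayName": "Require compliant device for Copilot",
    "state": "enabled",
    "conditions": {"platforms": {"includePlatforms": ["all"], "excludePlatforms": []}},
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

# After: the compensating control from the article. Operator OR means
# "require one of the selected controls", so MFA alone is enough on an
# unenrolled phone while enrolled devices still pass on compliance.
POLICY_AFTER = {
    "displayName": "Require compliant device or MFA for Copilot",
    "state": "enabled",
    "conditions": {"platforms": {"includePlatforms": ["all"], "excludePlatforms": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "mfa"]},
}

# A platform-scoped block: in scope for everything except the excluded
# desktop platforms, so it blocks iOS and Android outright.
POLICY_BLOCK_NON_DESKTOP = {
    "displayName": "Block non-desktop platforms",
    "state": "enabled",
    "conditions": {"platforms": {"includePlatforms": ["all"],
                                 "excludePlatforms": ["windows", "macOS"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sign-in context: an unenrolled iPhone whose user completed MFA.
IOS_UNENROLLED_MFA = {"platform": "iOS", "is_compliant": False,
                      "approved_client_app": False, "mfa_completed": True}


def platform_in_scope(policy, platform):
    """Exclusions win over inclusions, and 'all' covers every platform."""
    plat = policy["conditions"].get("platforms") or {}
    if platform in plat.get("excludePlatforms", []):
        return False
    included = plat.get("includePlatforms", [])
    return "all" in included or platform in included


def control_satisfied(control, ctx):
    """Map a built-in grant control to the sign-in facts that satisfy it."""
    return {
        "compliantDevice": ctx["is_compliant"],
        "approvedApplication": ctx["approved_client_app"],
        "mfa": ctx["mfa_completed"],
        "block": False,  # a block control is never satisfied
    }.get(control, False)


def evaluate(policy, ctx):
    """Return (result, reason) with result in {'notApplied', 'success',
    'failure'}, the same result values the sign-in's Conditional Access
    tab shows per policy."""
    if policy["state"] != "enabled":
        return "notApplied", "policy not enabled"
    if not platform_in_scope(policy, ctx["platform"]):
        return "notApplied", f"platform {ctx['platform']} outside policy scope"
    grant = policy["grantControls"]
    outcomes = {c: control_satisfied(c, ctx) for c in grant["builtInControls"]}
    if "block" in outcomes:
        return "failure", "block control applies"
    satisfied = [c for c, ok in outcomes.items() if ok]
    missing = [c for c, ok in outcomes.items() if not ok]
    # AND = "require all the selected controls"; OR = "require one of them".
    granted = not missing if grant["operator"] == "AND" else bool(satisfied)
    if granted:
        return "success", "satisfied by " + ", ".join(satisfied)
    return "failure", "unsatisfied controls: " + ", ".join(missing)


if __name__ == "__main__":
    for policy in (POLICY_BEFORE, POLICY_AFTER, POLICY_BLOCK_NON_DESKTOP):
        print(policy["displayName"], "->", evaluate(policy, IOS_UNENROLLED_MFA))
```

For the unenrolled iPhone, `POLICY_BEFORE` fails on `compliantDevice`, `POLICY_AFTER` succeeds through `mfa`, and `POLICY_BLOCK_NON_DESKTOP` fails because iOS is not in its exclusion list; the same Windows sign-in would be out of scope for the block policy. The model shows why changing the operator to OR is the smallest change that restores mobile access without removing the compliance requirement for devices that can meet it.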
If Copilot Still Has Issues After the Main Fix
Copilot mobile app shows a generic error instead of a block message
A generic error can mean the sign-in succeeded but the Copilot service itself is blocked by a different policy. Check the sign-in log for the Copilot service principal. Go to Sign-in logs and filter by Application set to Microsoft Copilot Service. Look for failures with error code 53003, which indicates a Conditional Access block.
Conditional Access policy requires a compliant device but the device is not enrolled
Enroll the mobile device in Microsoft Intune. On iOS, download the Company Portal app and follow the enrollment prompts. On Android, use the Intune Company Portal or the Microsoft Authenticator app. After enrollment, the device must be marked as compliant by an Intune compliance policy. Work with your device management team to assign the correct compliance policy.
Conditional Access policy uses a location condition that blocks mobile carrier IPs
Mobile carriers use IP ranges that may not match your organization’s trusted locations. In the policy, under Conditions > Locations, check the Include and Exclude tabs. If the policy includes all locations and excludes a specific named location, ask your network team to add the mobile carrier IP ranges to the trusted location. Alternatively, add a second policy that allows access from mobile platforms with MFA as a compensating control.
Copilot Conditional Access on Mobile vs Desktop: Key Differences
| Item | Mobile Access | Desktop Access |
|---|---|---|
| Client app type | Mobile app (iOS/Android) | Browser or desktop app (Windows/Mac) |
| Device platform condition | iOS or Android must be explicitly included | Windows or macOS must be explicitly included |
| Approved client app requirement | Copilot mobile app must be on the approved client list | Browser or desktop app must be on the approved client list |
| Device compliance | Requires Intune enrollment and compliance policy | Can use hybrid Azure AD join or Intune enrollment |
| Typical block reason | Device not compliant or platform excluded | Location or browser version mismatch |
You can now identify the exact Conditional Access policy blocking Copilot on mobile devices by reviewing sign-in logs. Adjust the policy conditions for device platform, approved client app, or device compliance to restore access. For persistent issues, check the Copilot Service sign-in log and consider adding a compensating control like multifactor authentication instead of requiring a compliant device.