Microsoft Copilot integrates with Microsoft 365 services that are protected by Conditional Access policies. Many administrators struggle to apply app protection controls to Copilot because it is not a single application but a service that spans multiple clients and data sources. The core challenge is that Conditional Access evaluates Copilot requests based on the underlying Microsoft 365 app, the client platform, and the data being accessed. This article explains the three main app protection patterns for Copilot: device-based, app-based, and data-level controls. It covers how each pattern works, what prerequisites are needed, and how to configure them in the Microsoft Entra admin center.
Key Takeaways: Conditional Access Patterns for Copilot
- Microsoft Entra admin center > Protection > Conditional Access > Policies: Create separate policies for the Copilot service principal and the underlying Microsoft 365 app registrations.
- Grant control > Require device to be marked as compliant: Blocks Copilot access from unmanaged or non-compliant devices.
- Grant control > Require app protection policy: Enforces data loss prevention controls on mobile clients accessing Copilot.
How Conditional Access Applies to Copilot
Conditional Access policies in Microsoft Entra ID evaluate access requests before granting tokens to applications. When a user interacts with Copilot, the request is routed through one of several Microsoft 365 service principals. The specific principal depends on the client: Copilot in Microsoft Teams uses the Teams service principal, Copilot in Word uses the Office service principal, and the standalone Copilot app uses the Copilot service principal. Each of these principals can be targeted individually in a policy.
The app protection pattern you choose depends on the risk profile of the client device and the sensitivity of the data Copilot can access. There are three distinct patterns:
Device-Based Protection
This pattern uses device compliance and device state conditions. It requires the client device to be either domain-joined, hybrid-joined, or enrolled in Microsoft Intune and marked as compliant. The policy is applied to all cloud apps that Copilot uses, such as Office 365, Microsoft Teams, and the Copilot service principal. This pattern is the simplest to configure and works for all Copilot clients including desktop, web, and mobile.
App-Based Protection
This pattern uses app protection policies from Microsoft Intune, also known as MAM policies. It targets mobile clients running on iOS and Android. The grant control requires the client app to have an app protection policy applied. This pattern does not require device enrollment. It is ideal for bring-your-own-device scenarios where you want to prevent data leakage from Copilot without managing the whole device.
Data-Level Protection
This pattern uses sensitivity labels and Microsoft Purview Data Loss Prevention to control what data Copilot can access and how it can be used. Conditional Access policies can be combined with session controls that block download, copy, or print actions. This pattern is the most granular but requires additional licensing for Microsoft Purview. It is recommended for organizations that handle highly regulated data such as financial records or healthcare information.
Steps to Configure Device-Based Protection for Copilot
1. Sign in to the Microsoft Entra admin center
   Go to https://entra.microsoft.com and sign in with an account that has the Conditional Access Administrator role.
2. Create a new Conditional Access policy
   Navigate to Protection > Conditional Access > Policies. Click New policy.
3. Define the policy name and assignments
   Enter a name like “Copilot Device Compliance”. Under Assignments > Users, select the users or groups that will use Copilot. Under Cloud apps or actions, click Select apps and add the following:
   – Office 365
   – Microsoft Teams
   – Copilot service principal (search for “Copilot”)
4. Configure conditions for device state
   Under Conditions > Device state, set Configure to Yes. Check All device state and set the filter to Device is marked as compliant. Optionally, exclude Device hybrid Azure AD joined if you trust domain-joined devices.
5. Set grant controls
   Under Grant, select Require device to be marked as compliant. Check Require all the selected controls.
6. Enable the policy
   Set Enable policy to Report-only initially. Test the policy with a pilot group. After validation, change to On.
Steps to Configure App-Based Protection for Copilot on Mobile
1. Create an app protection policy in Microsoft Intune
   Go to https://intune.microsoft.com and navigate to Apps > App protection policies. Click Create policy and choose iOS/iPadOS or Android.
2. Target the Microsoft 365 apps used by Copilot
   In the policy, under Targeted app types, select Managed apps. Add the following apps:
   – Microsoft Teams
   – Microsoft Office
   – Microsoft Copilot
3. Configure data protection settings
   Set Data transfer > Allow app to transfer data to other apps to Policy managed apps only. Set Data transfer > Allow app to receive data from other apps to Policy managed apps only. Set Save copies of org data to Block.
4. Create a Conditional Access policy for app protection
   In the Microsoft Entra admin center, create a new policy. Under Cloud apps, select the same apps as in step 2 of the device-based pattern. Under Grant, select Require app protection policy. Set Enable policy to On.
5. Assign the Intune policy to users
   In the Intune app protection policy, under Assignments, select the same user groups used in the Conditional Access policy. Save the policy.
Common Issues With Copilot App Protection Patterns
Copilot Still Works on Unmanaged Devices After Policy Is Enabled
This typically happens when the Conditional Access policy does not include the correct cloud apps. Copilot requests may be routed through the Office 365 service principal even when the standalone Copilot app is used. Ensure that the policy targets both Office 365 and the Copilot service principal. Use the sign-in logs in Microsoft Entra to verify which service principal each Copilot session uses.
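The sign-in log check described above can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the article: for one pilot user it lists which service principal each Copilot-related sign-in went through, whether the device was reported compliant, and what result the named Conditional Access policy produced. The user principal name and the policy display name are placeholders, and the app-name pattern is an assumption about how the Office 365, Teams and Copilot service principals appear in your tenant's logs.

```powershell
# Added example (not from the article): verify which service principal Copilot
# sessions use and whether the Conditional Access policy was evaluated on them.
# Assumptions: $upn and $policyName are placeholders; the -match pattern assumes
# the relevant service principals carry "Copilot", "Office 365" or "Teams" in
# their display names in your tenant.
#Requires -Modules Microsoft.Graph.Reports

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn        = "pilot.user@contoso.example"   # placeholder pilot user
$policyName = "Copilot Device Compliance"    # name used in the article's steps

# Pull the most recent sign-ins for the pilot user
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 200

$signIns |
    Where-Object { $_.AppDisplayName -match 'Copilot|Office 365|Teams' } |
    ForEach-Object {
        $s = $_
        # Result of our policy for this sign-in (success, failure, notApplied,
        # reportOnlySuccess, reportOnlyFailure, ...) if it was evaluated at all
        $applied = $s.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policyName } |
            Select-Object -First 1
        [pscustomobject]@{
            Time         = $s.CreatedDateTime
            ClientApp    = $s.AppDisplayName          # service principal the request came through
            ClientAppId  = $s.AppId
            Resource     = $s.ResourceDisplayName     # API/resource the token was issued for
            Platform     = $s.DeviceDetail.OperatingSystem
            Compliant    = $s.DeviceDetail.IsCompliant
            CAStatus     = $s.ConditionalAccessStatus # success / failure / notApplied
            PolicyResult = if ($applied) { $applied.Result } else { 'not evaluated' }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Rows whose PolicyResult reads "not evaluated" while ClientApp is a Copilot or Office 365 principal point at the exact cloud app that is missing from the policy's assignments; rows with CAStatus "notApplied" on a non-compliant device are the sessions the article's symptom describes.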
Mobile Users Cannot Access Copilot After App Protection Policy Is Applied
The most common cause is that the Intune app protection policy is not assigned to the user or the policy is not targeting the correct app version. Verify that the user is in the assigned group. Also confirm that the mobile device has the latest version of the Microsoft 365 app installed. The Copilot feature requires app version 16.0.16731 or later on iOS and Android.
Data Loss Prevention Controls Do Not Apply to Copilot Responses
Data-level protection for Copilot responses requires Microsoft Purview Data Loss Prevention policies that are scoped to Exchange Online and SharePoint Online. Copilot generates responses by grounding on user data stored in these services. Create a Purview DLP policy that targets Exchange and SharePoint content. Set the action to block sharing or copying of sensitive information. This policy will apply when Copilot attempts to access or return that data.
Copilot Conditional Access Patterns: Comparison
| Item | Device-Based Protection | App-Based Protection |
|---|---|---|
| Client platforms supported | Windows, macOS, iOS, Android, web | iOS, Android |
| Requires device enrollment | Yes, Intune or domain join required | No, only app enrollment required |
| Grant control type | Require device to be marked as compliant | Require app protection policy |
| Data loss prevention built-in | No, relies on device compliance | Yes, via Intune app protection policy settings |
| License requirement | Microsoft Entra ID P1, Intune | Microsoft Entra ID P1, Intune |
Both patterns can be combined. For example, you can require device compliance for Windows clients and app protection policy for mobile clients. Use separate Conditional Access policies for each platform by adding the Device platform condition in the policy assignments.
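The device-based steps, the app-based Conditional Access step and the per-platform split just described can all be expressed as two Graph API policy objects. The following is an added example written for this article, not the project's own code: it creates both policies with the Microsoft Graph PowerShell SDK, starting in report-only mode as the steps advise. The pilot group object ID and the Teams and Copilot app IDs are placeholders to be looked up in your own tenant (the lookup for Copilot is included); "Office365" is the identifier Graph accepts for the Office 365 app group; the function name New-CopilotCaPolicy is hypothetical; and the Intune app protection policy for the mobile apps is assumed to already exist and be assigned.

```powershell
# Added example (not from the article): create the device-based and app-based
# Copilot Conditional Access policies, split by platform, via Microsoft Graph.
# Assumptions: the three IDs below are placeholders; "Office365" is the Graph
# identifier for the Office 365 app group; the Intune MAM policy already exists.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"             # placeholder
$teamsAppId   = "<MICROSOFT-TEAMS-APP-ID>"            # placeholder
$copilotAppId = "<COPILOT-SERVICE-PRINCIPAL-APP-ID>"  # placeholder

# Find the Copilot service principal's appId to fill in the placeholder above
# (the article's "search for Copilot" step, done against the directory).
Get-MgServicePrincipal -Filter "startswith(displayName,'Copilot')" -All |
    Select-Object DisplayName, AppId

function New-CopilotCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $Platforms,    # Graph values: windows, macOS, iOS, android
        [Parameter(Mandatory)] [string]   $GrantControl, # compliantDevice or compliantApplication
        [string] $State = "enabledForReportingButNotEnforced"  # report-only first
    )
    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users        = @{ includeGroups = @($pilotGroupId) }
            # Same three targets as the admin-center steps: Office 365, Teams, Copilot
            applications = @{ includeApplications = @("Office365", $teamsAppId, $copilotAppId) }
            # Device platform condition that keeps the two policies from overlapping
            platforms    = @{ includePlatforms = $Platforms }
        }
        grantControls = @{
            operator        = "AND"            # "Require all the selected controls"
            builtInControls = @($GrantControl)
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Windows clients: require a compliant (Intune-managed) device
$devicePolicy = New-CopilotCaPolicy -DisplayName "Copilot Device Compliance - Windows" `
    -Platforms @("windows") -GrantControl "compliantDevice"

# iOS/Android clients: require the Intune app protection policy, no enrollment needed
$mobilePolicy = New-CopilotCaPolicy -DisplayName "Copilot App Protection - Mobile" `
    -Platforms @("iOS", "android") -GrantControl "compliantApplication"

# After validating with the pilot group in report-only mode, switch to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $devicePolicy.Id -State "enabled"
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mobilePolicy.Id -State "enabled"
```

Graph rejects the request while the placeholder IDs are still in place, which is intended: replace them with the values from your tenant before running. Keeping the platform condition on both policies means a Windows user is never asked for an app protection policy and a mobile user is never blocked for lacking device enrollment, which is the combination the paragraph above recommends.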
You can now configure Conditional Access policies that protect Copilot across all client platforms. Start by enabling the device-based pattern for corporate-managed Windows devices. Then add the app-based pattern for mobile users. For the most sensitive data, layer Microsoft Purview DLP policies on top. Use the sign-in logs and the Conditional Access insights workbook in Microsoft Entra to monitor policy effectiveness and adjust as needed.