When you use Copilot in Microsoft 365, you may see an HTTP 451 error. This error means Copilot cannot access certain data because of legal or policy restrictions. The number 451 refers to the HTTP status code for content blocked by law. This article explains why this error occurs and how to resolve it for your organization.
The HTTP 451 error in Copilot is typically caused by data governance policies, region-specific laws, or tenant configurations that restrict data access. It is not a sign of a broken service or a bug. Instead, it reflects a deliberate block on content that your organization or a government has deemed legally restricted. This article covers the root causes, step-by-step fixes for admins and users, and related error patterns.
You will learn how to check Microsoft 365 data residency settings, review compliance policies, and adjust Copilot configuration so the service can access the data it needs without violating legal requirements.
Key Takeaways: Resolving Copilot HTTP 451 Errors
- Microsoft 365 admin center > Settings > Org settings > Copilot > Data sources: Check that the data sources Copilot needs are not blocked by legal hold or compliance policies.
- Microsoft Purview compliance portal > Data classification > Sensitive info types: Review and adjust sensitivity labels that may block Copilot from reading legal-restricted content.
- Microsoft 365 admin center > Health > Service health > Copilot: Verify no tenant-wide data residency or geo-restriction policy is causing the 451 error.
Why Copilot Returns HTTP 451 Unavailable for Legal Reasons
The HTTP 451 status code is defined in RFC 7725. It means the server has refused to serve content due to a legal demand. In the context of Copilot, this error appears when the service attempts to access data that is subject to a legal hold, a data residency restriction, or a compliance policy that blocks access based on jurisdiction.
Data Residency and Geo-Restrictions
Microsoft 365 tenants can be configured to store data only in specific geographic regions. If Copilot tries to read data that resides in a region where your tenant does not have a data processing agreement, the service returns a 451 error. For example, a tenant set to store data only in the European Union may block Copilot from accessing data stored in the United States.
Legal Hold and eDiscovery Policies
When an organization places a legal hold on a user’s mailbox or SharePoint site, that content becomes locked. Copilot cannot index or summarize content under active legal hold. If the service attempts to do so, it receives a 451 response from the underlying data store.
Sensitivity Labels and Conditional Access
Microsoft Purview sensitivity labels can restrict access to content based on user permissions, device compliance, or geographic location. If Copilot, acting under the signed-in user’s identity, tries to access content that the user does not have permission to read due to a label policy, the 451 error occurs.
Steps to Fix HTTP 451 Errors for Copilot in Microsoft 365
These steps require either a global admin, compliance admin, or Copilot admin role. Start with the most common cause and move to more specific checks.
- Check Copilot service health for data residency issues
Open the Microsoft 365 admin center at admin.microsoft.com. Go to Health > Service health. Find Copilot in the list. Look for any advisory about data residency or geo-restrictions. If an advisory exists, follow the resolution steps provided by Microsoft. This often involves updating your tenant’s data location policy. - Review Copilot data sources in tenant settings
In the admin center, go to Settings > Org settings > Copilot. Select Data sources. Ensure that the data sources Copilot needs are not excluded. If you see a warning about legal restrictions, remove the exclusion or modify the policy that caused it. - Remove or adjust legal holds on affected content
Go to the Microsoft Purview compliance portal. Navigate to eDiscovery > Legal holds. Identify any holds that target the data Copilot is trying to access. If the legal hold is no longer required, remove it. If it is still active, you cannot use Copilot on that content. Consider using a different data source for Copilot queries. - Check sensitivity labels applied to the content
In the Purview compliance portal, go to Information protection > Sensitivity labels. Find the label applied to the document or site that triggers the error. Edit the label’s settings. Under Access control, ensure that the label does not block Copilot from reading the content. For example, set the label to allow full access to the user who is using Copilot. - Verify conditional access policies
In the Microsoft Entra admin center, go to Protection > Conditional Access. Review policies that include conditions like location or device platform. If a policy blocks access from a specific region, Copilot may receive a 451 error when that policy is enforced. Adjust the policy to allow Copilot traffic from the user’s location. - Test with a different user account
Have a user with global admin rights sign into Copilot and attempt the same query. If the error does not appear, the issue is tied to the original user’s permissions or legal holds. Review the original user’s assigned licenses and group memberships in the Microsoft 365 admin center.
If Copilot Still Shows HTTP 451 After the Main Fix
Copilot Returns 451 Only for Specific SharePoint Sites
If the error occurs only when accessing a particular SharePoint site, that site likely has a unique retention policy or legal hold. Go to the SharePoint admin center. Select the site. Under Policies, check for retention labels or holds. Remove the hold or adjust the retention period. Then wait up to 24 hours for the change to propagate.
Copilot Returns 451 for OneDrive Files but Not SharePoint
OneDrive files may be subject to a user-level legal hold. In the Purview compliance portal, go to eDiscovery > Legal holds. Search for the user’s OneDrive URL. If a hold exists, remove it or note that Copilot cannot access those files until the hold is lifted. Use a different file location for Copilot queries.
Copilot Returns 451 in a Multi-Geo Tenant
Multi-geo tenants have data stored in multiple regions. If Copilot tries to read data from a region where the user does not have a data processing agreement, the 451 error appears. In the Microsoft 365 admin center, go to Settings > Org settings > Organization profile > Data location. Ensure that the user’s preferred data location matches the region of the data they are querying. If not, assign the user a license for the correct region.
Copilot 451 Error vs Other Blocked Content Errors
| Item | HTTP 451 Unavailable for Legal Reasons | HTTP 403 Forbidden |
|---|---|---|
| Description | Content blocked by law, legal hold, or compliance policy | Content blocked by user permissions or access control lists |
| Common cause | Data residency restrictions, eDiscovery holds, sensitivity labels with access control | Missing SharePoint permissions, incorrect group membership, expired user license |
| Fix location | Microsoft Purview compliance portal, legal holds, data location settings | SharePoint permissions, Microsoft Entra group membership, license assignment |
| User impact | Cannot read or summarize the content at all | May see partial content or error only for specific files |
The HTTP 451 error is rarer than a 403 error. It indicates a legal or regulatory block rather than a simple permission issue. If you see 451, focus on compliance and legal hold tools first. If you see 403, check user permissions and access rights.
You can now identify why Copilot returns HTTP 451 and resolve it by checking data residency, legal holds, sensitivity labels, and conditional access policies. Start with the Copilot service health page to rule out tenant-wide issues. If the error persists, use the specific steps for SharePoint, OneDrive, or multi-geo configurations. As an advanced tip, enable auditing in the Purview compliance portal to track when a 451 error is triggered and which policy caused it.