When you use Copilot in Outlook, it can summarize threads, draft replies, and suggest actions based on your primary mailbox. But if you try to use Copilot on a shared mailbox, you may see an error message or get no response at all. This happens because Copilot relies on Microsoft Graph permissions that are not automatically granted to mailboxes you have only delegate or send-as access to. This article explains the exact permission gap and shows you how to configure shared mailboxes so Copilot can read and process their content.
Key Takeaways: Why Copilot in Outlook Cannot Access Shared Mailboxes
- Microsoft Graph Mail.Read permission: Copilot requires this permission to read any mailbox, including shared ones. Delegate access alone does not grant it.
- Exchange Online role assignment: The user must have the ApplicationImpersonation role or be added as a member of the shared mailbox in the Exchange admin center.
- Graph consent for shared resources: Tenant-wide admin consent for the Mail.Read scope is required before Copilot can access shared mailbox data.
Why Copilot in Outlook Cannot Access Shared Mailboxes
Copilot in Outlook uses Microsoft Graph to fetch email data. When you open a shared mailbox, Outlook loads the folder structure and messages through Exchange Web Services or REST APIs. However, Copilot does not automatically inherit those permissions. It calls the Graph API with the Mail.Read scope. If the signed-in user does not have explicit read permission on the shared mailbox, Graph returns an access denied error. This is not a Copilot bug — it is a deliberate security boundary. Microsoft designed Copilot to respect the same permission model as any other Graph-integrated application. The shared mailbox must be configured as a shared resource that Graph can enumerate for the user.
Delegate Access vs Graph Permissions
Delegate access lets you read messages in a shared mailbox through Outlook client-side features. Graph does not treat delegate access as sufficient for Copilot because Copilot runs server-side queries. The Graph API requires the user to have either Full Access permission on the mailbox or be a member of a role that grants impersonation rights. Without these, Copilot cannot index or summarize the mailbox content.
The Role of Admin Consent
Even if you grant Full Access to a user, Copilot may still fail if the Microsoft 365 tenant has not granted admin consent for the Mail.Read scope. This is a tenant-wide setting. Without it, Copilot cannot use Graph to read any mailbox beyond the primary one. The admin must approve the permission in the Microsoft Entra admin center.
Steps to Enable Copilot for Shared Mailboxes
To allow Copilot to access a shared mailbox, you need to complete two configuration steps in the Exchange admin center and one step in the Entra admin center. Perform these steps in order.
- Add the user as a member of the shared mailbox
Open the Exchange admin center at admin.exchange.microsoft.com. Go to Recipients > Shared mailboxes. Select the target shared mailbox. In the Members section, click Manage mailbox delegation. Under Full Access, add the user who needs Copilot access. Click Save. This grants the user the Exchange permission that Graph requires.
- Assign the ApplicationImpersonation role (optional but recommended)
If the user still cannot access the mailbox after step 1, assign the ApplicationImpersonation role. In the Exchange admin center, go to Roles > Admin roles. Click Add role group. Name it SharedMailboxCopilot. Add the ApplicationImpersonation role. Add the user as a member. Click Save. This role allows Copilot to impersonate the user when querying shared mailboxes.
- Grant admin consent for Mail.Read
Open the Microsoft Entra admin center at entra.microsoft.com. Go to Applications > Enterprise applications. Find the Copilot application. Under Permissions, click Grant admin consent for your tenant name. In the dialog, select the Mail.Read permission and click Accept. This step is required only once per tenant. Without it, Copilot cannot read any mailbox beyond the primary one.
If Copilot Still Has Issues After the Main Fix
Copilot Returns Generic Output Instead of Tenant-Specific Data
After granting permissions, Copilot may still produce generic summaries that do not reference specific emails in the shared mailbox. This usually means the Graph query is falling back to the primary mailbox. Close Outlook completely, reopen it, and select the shared mailbox again. Then wait 30 seconds before invoking Copilot. If the problem persists, verify that the user is listed under Full Access in the Exchange admin center and that the mailbox is not hidden from address lists.
Copilot Shows Access Denied on Some Shared Mailboxes but Not Others
This indicates inconsistent permission assignments. Each shared mailbox must have the user added individually under Full Access. Group-based permissions are not automatically recognized by Graph for Copilot. Use the Exchange admin center to check each mailbox separately. Avoid using distribution groups to grant access — add the user directly.
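The per-mailbox checks described in this section can be run in one pass from Exchange Online PowerShell instead of opening each mailbox in the admin center. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and that you sign in with an Exchange administrator account. It lists every explicit Full Access grant on each shared mailbox, marks grants made through a group and mailboxes hidden from address lists, and shows who effectively holds ApplicationImpersonation and with what recipient scope.

```powershell
# Added example (not from the original article): audit shared-mailbox access.
# Assumes the ExchangeOnlineManagement module and an Exchange admin sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    # Explicit Full Access grants only: skip inherited, deny and built-in entries.
    $grants = Get-MailboxPermission -Identity $mbx.Identity | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*'
    }
    foreach ($g in $grants) {
        # Resolve the trustee so group-based grants can be told apart from direct ones.
        $trustee = Get-Recipient -Identity $g.User -ErrorAction SilentlyContinue
        $type = if ($trustee) { "$($trustee.RecipientTypeDetails)" } else { 'Unresolved' }
        [pscustomobject]@{
            SharedMailbox   = $mbx.PrimarySmtpAddress
            HiddenFromLists = $mbx.HiddenFromAddressListsEnabled
            Trustee         = $g.User
            TrusteeType     = $type
            ViaGroup        = $type -like '*Group*'
        }
    }
}

# Full inventory, then only the rows to review: access granted through a group,
# or a mailbox that is hidden from address lists.
$report | Sort-Object SharedMailbox, Trustee | Format-Table -AutoSize
$report | Where-Object { $_.ViaGroup -or $_.HiddenFromLists } | Format-Table -AutoSize

# Everyone who effectively holds ApplicationImpersonation, with the recipient scope.
# An assignment with no custom scope covers every mailbox in the organization.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

Keep the output with your change records: it documents exactly which accounts can read each shared mailbox and which accounts can impersonate other users.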
Copilot Does Not Appear in the Shared Mailbox Ribbon
The Copilot button may be grayed out or missing entirely when you open a shared mailbox. This is a client-side behavior. Outlook hides Copilot for mailboxes where it cannot read data. After you complete the permission steps above, close and reopen Outlook. If the button remains disabled, sign out of Microsoft 365 and sign back in. This forces the client to refresh the permission cache.
Copilot in Primary Mailbox vs Shared Mailbox: Key Differences
| Item | Primary Mailbox | Shared Mailbox |
|---|---|---|
| Permission model | User is the owner, Full Access implicit | User must be explicitly added as a member with Full Access |
| Graph Mail.Read scope | Works automatically after tenant-level consent | Requires tenant-level consent plus explicit user permission on the mailbox |
| Copilot availability | Always available after license assignment | Available only after Exchange and Entra configuration steps |
| Delegate-only access | Not applicable | Does not enable Copilot; Full Access is required |
| Role needed | None beyond standard user role | ApplicationImpersonation role recommended for consistent access |
You can now configure shared mailboxes so Copilot reads and summarizes their content. Start by adding each user as a Full Access member in the Exchange admin center. Then confirm that tenant-wide admin consent for Mail.Read is granted in the Entra admin center. For persistent issues, assign the ApplicationImpersonation role to the user. This setup also applies to Copilot in Outlook on the web, so you do not need separate steps for each client.