You need Copilot to summarize or draft replies in an Outlook thread that contains S/MIME signed messages. S/MIME signing applies cryptographic protection, which can block Copilot from reading the email body content. This article explains why S/MIME signed threads cause Copilot to fail and how to configure Outlook and Microsoft 365 to let Copilot process those messages. You will learn the exact settings to adjust and the limitations that remain after configuration.
Key Takeaways: Using Copilot with S/MIME Signed Emails
- Outlook > File > Options > Trust Center > Trust Center Settings > Email Security > Encrypted email: Clear the option “Do not allow message content to be read by Copilot in Microsoft 365 apps” to enable Copilot processing of signed messages.
- Microsoft 365 admin center > Settings > Copilot > Data security: Ensure S/MIME signed message processing is allowed for your tenant to override the default block.
- Outlook on the web > Settings > Mail > S/MIME: Toggle “Allow Copilot to read signed message content” to enable Copilot in browser-based Outlook.
Why Copilot Cannot Read S/MIME Signed Email Threads
S/MIME digital signing adds a cryptographic signature to each outgoing message. This signature verifies the sender identity and ensures the message body has not been tampered with. Microsoft 365 treats S/MIME signed messages as protected data by default. Copilot, which relies on reading email content to generate summaries, suggested replies, or draft responses, is blocked from accessing the body of any message that carries an S/MIME signature. The block applies to both the signed message itself and the entire thread if any message in the conversation is signed.
The technical root cause is a security policy in Exchange Online that restricts Copilot from reading message content that has been cryptographically signed. This policy is controlled by two settings: an Outlook client-side option and a tenant-level admin policy. Both must be configured to allow Copilot access. Even after enabling these settings, Copilot still cannot read messages that are S/MIME encrypted, as opposed to merely signed. Encryption provides a higher level of protection that Copilot cannot bypass by design.
Steps to Enable Copilot for S/MIME Signed Threads
Complete these steps in order. The first step modifies the Outlook client setting. The second step requires an admin to adjust the tenant policy. The third step covers Outlook on the web if your organization uses browser-based email.
Step 1: Change the Outlook Desktop Client Setting
- Open Outlook and go to File > Options
  In the Outlook desktop app, click the File tab in the ribbon. Select Options from the left navigation pane.
- Navigate to Trust Center
  In the Outlook Options window, click Trust Center on the left menu. Then click the Trust Center Settings button on the right.
- Open Email Security settings
  In the Trust Center, click Email Security on the left. Under the Encrypted email section, locate the checkbox labeled “Do not allow message content to be read by Copilot in Microsoft 365 apps”.
- Clear the checkbox and save
  Uncheck the box. Click OK to close the Trust Center. Click OK again to close Outlook Options. Restart Outlook for the change to take effect.
Step 2: Admin Configures the Tenant Policy
This step must be performed by a Microsoft 365 global admin or Exchange admin. The setting is located in the Microsoft 365 admin center.
- Sign in to the Microsoft 365 admin center
  Go to admin.microsoft.com and sign in with an admin account.
- Navigate to Copilot settings
  In the left navigation, expand Settings and click Org settings. On the Settings page, scroll to find Copilot and click it.
- Open Data security
  In the Copilot settings panel, click the Data security tab. Look for the option labeled “Allow Copilot to process S/MIME signed message content”.
- Enable the option and save
  Toggle the switch to On. Click Save. The change applies to all users in the tenant within a few minutes.
Step 3: Enable Copilot for S/MIME in Outlook on the Web
If you use Outlook on the web (OWA), a separate setting controls Copilot access for signed messages in the browser.
- Open Outlook on the web and go to Settings
  In your browser, go to outlook.office.com. Click the gear icon in the top-right corner to open Settings.
- Navigate to Mail > S/MIME
  In the Settings pane, click Mail on the left. Then click S/MIME under the Mail section.
- Toggle the Copilot setting
  Find the option “Allow Copilot to read signed message content”. Set it to On. Close the Settings pane. The change applies immediately.
If Copilot Still Has Issues After the Main Fix
Copilot Returns Generic Output Instead of Tenant-Specific Data
After enabling the settings, Copilot may still fail to read the body of a signed message. This usually happens when the message was signed before the policy changes took effect. Copilot cannot retroactively read content that was already blocked. Ask the sender to forward the signed message as a plain reply without signing, or recreate the thread after the policy is enabled.
Copilot Shows an Error That S/MIME Content Is Unavailable
If the error persists, verify that the message is only signed and not encrypted. Copilot cannot read encrypted S/MIME messages regardless of the settings above. Encryption provides end-to-end content protection that Microsoft 365 cannot decrypt. Check the message properties in Outlook to confirm the encryption status. Look for a message property that says Encrypted with S/MIME. If encryption is present, Copilot will not work on that thread.
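The signed-versus-encrypted check can also be done on exported messages outside Outlook. The following is an added example, not Microsoft code: it classifies raw `.eml` text by the S/MIME media types in the top-level Content-Type header. The function names and the sample messages are constructed for illustration, and the payloads are placeholders rather than real CMS data.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

SIGNATURE_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ENCRYPTED_TYPES = {"enveloped-data", "authenticated-enveloped-data"}

def _param(msg, name):
    # get_param returns None, a str, or an RFC 2231 tuple; normalize to lowercase str.
    value = msg.get_param(name)
    return collapse_rfc2231_value(value).lower() if value else ""

def classify_smime(raw):
    """Classify the outermost S/MIME layer: 'encrypted', 'signed', 'unknown' or 'none'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear-signed: readable body part plus a detached signature part.
        # Any other protocol (for example PGP/MIME) is not S/MIME.
        return "signed" if _param(msg, "protocol") in SIGNATURE_PROTOCOLS else "none"
    if ctype in PKCS7_MIME:
        smime_type = _param(msg, "smime-type")
        if smime_type in ENCRYPTED_TYPES:
            return "encrypted"   # a signature may sit inside; not visible without the key
        if smime_type == "signed-data":
            return "signed"      # opaque-signed: body wrapped inside the CMS blob
        return "unknown"         # smime-type is optional; inspect the CMS content to decide
    return "none"

def classify_thread(raw_messages):
    """Worst case across a thread: any encrypted message wins, then unknown, then signed."""
    kinds = {classify_smime(raw) for raw in raw_messages}
    for level in ("encrypted", "unknown", "signed"):
        if level in kinds:
            return level
    return "none"

# Constructed sample messages (placeholders instead of real CMS data).
PLAIN = "Subject: status\nContent-Type: text/plain\n\nSee you Monday.\n"
CLEAR_SIGNED = (
    'Subject: status\nContent-Type: multipart/signed; micalg=sha-256;\n'
    ' protocol="application/pkcs7-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee you Monday.\n"
    "--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n\nPLACEHOLDER\n--b1--\n"
)
ENCRYPTED = (
    "Subject: status\nContent-Type: application/pkcs7-mime;\n"
    " smime-type=enveloped-data; name=smime.p7m\n\nPLACEHOLDER\n"
)
```

A thread classified as `encrypted` falls under the limitation described above regardless of the Copilot settings; `unknown` means the header alone does not say whether the CMS payload is signed or enveloped.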
Copilot Works in the Desktop App but Not in Outlook on the Web
This discrepancy is caused by the separate OWA setting. Follow Step 3 again and confirm the toggle is set to On. Also check that the tenant policy in Step 2 is enabled. The OWA setting depends on the tenant policy being active. If the tenant policy is off, the OWA toggle has no effect.
Copilot in Outlook with S/MIME Signed Threads vs Encrypted Threads
| Item | S/MIME Signed Threads | S/MIME Encrypted Threads |
|---|---|---|
| Content protection | Digital signature only, body readable | Full encryption, body unreadable |
| Copilot access after configuration | Yes, with client and tenant settings enabled | No, Copilot cannot decrypt the content |
| Admin policy required | Yes, in Microsoft 365 admin center | Not applicable |
| User setting in Outlook desktop | Clear the Copilot block checkbox | No setting available |
| User setting in Outlook on the web | Toggle Allow Copilot to read signed message content | No setting available |
The table shows that signed threads can be made accessible to Copilot with the correct configuration. Encrypted threads remain permanently inaccessible. If your organization relies on encryption, Copilot cannot assist with those conversations. Consider using a separate unencrypted channel for Copilot interactions or ask participants to send plain text versions of encrypted replies.
You now know how to configure Outlook desktop, Outlook on the web, and the Microsoft 365 admin tenant to allow Copilot to process S/MIME signed email threads. Start by clearing the Copilot block checkbox in Outlook desktop options. Then ask your admin to enable the tenant-level policy. If you use Outlook on the web, toggle the S/MIME Copilot setting in Mail settings. Remember that Copilot cannot read S/MIME encrypted messages, so verify that your threads are signed only. For a deeper security review, examine your organization’s message encryption policy in the Exchange admin center to see which users are allowed to send encrypted mail.