When you attempt to share a Copilot Studio agent with a Microsoft Entra ID security group, the share operation may fail with an error message, or the group may simply not appear in the sharing picker. This problem occurs because Copilot Studio uses the Microsoft Graph API to resolve security groups, and the service principal for Copilot Studio must have the correct permissions to read group memberships. Additionally, the group must be mail-enabled or security-enabled with a mail nickname assigned; otherwise, the API returns no results. This article explains the root cause of this sharing failure and provides a step-by-step fix to restore the ability to share agents with security groups.
Key Takeaways: Restoring Security Group Sharing in Copilot Studio
- Microsoft Entra admin center > Enterprise applications > Copilot Studio > Permissions: Grant the GroupMember.Read.All delegated permission to allow the service principal to read security group members.
- Microsoft Entra admin center > Groups > Properties: Assign a mail nickname to the security group so that the Microsoft Graph API can resolve it during the share operation.
- Copilot Studio > Share > Manage access > Add people or groups: After permissions are fixed, type the group name exactly as it appears in Entra ID to share the agent with the entire security group.
Why Copilot Studio Cannot Share an Agent With a Security Group
Copilot Studio relies on the Microsoft Graph API to search for and validate security groups when you attempt to share an agent. The share dialog sends a query to https://graph.microsoft.com/v1.0/groups with a filter on the display name or mail nickname. If the service principal for Copilot Studio does not have the GroupMember.Read.All permission, the Graph API returns a 403 Forbidden error, and the group list remains empty.
A second common cause is that the security group lacks a mail nickname. The Microsoft Graph API, by default, returns only groups that have a mailNickname property set. Security groups created without a mail nickname will not appear in the search results, even though they exist in Microsoft Entra ID.
A third cause involves group membership limits. Copilot Studio shares the agent with the group object, not with individual members. However, the Graph API may fail if the group has more than 100,000 members or if the group is a dynamic membership group that cannot be resolved synchronously.
Steps to Fix the Security Group Sharing Issue in Copilot Studio
- Grant GroupMember.Read.All permission to Copilot Studio
Sign in to the Microsoft Entra admin center as a Global Administrator. Navigate to Identity > Applications > Enterprise applications. Search for Copilot Studio and select it. Go to Permissions and click Grant admin consent for [your tenant]. In the list of API permissions, add Microsoft Graph > Delegated permissions > GroupMember.Read.All. Click Grant admin consent again to save. This permission allows Copilot Studio to read the members of any security group in your tenant.
- Assign a mail nickname to the security group
In the Microsoft Entra admin center, go to Identity > Groups > All groups. Find the security group you want to share with and open its Properties page. Locate the Mail nickname field. Enter a unique nickname such as ITSupportGroup. The nickname must be unique across all mail-enabled objects in your tenant. Click Save. Wait up to five minutes for the change to propagate.
- Verify the group is not a dynamic or oversized group
Open the group’s Membership type property. If it says Dynamic User, the group cannot be used for sharing in Copilot Studio. Create a new assigned security group instead. If the group has more than 100,000 members, reduce the membership or create a smaller subgroup for sharing purposes.
- Share the Copilot Studio agent with the security group
Open Copilot Studio and select the agent you want to share. Click Share in the top menu bar. In the Manage access panel, click Add people or groups. Type the display name or mail nickname of the security group. Select the group from the search results. Choose the permission level Co-owner or User. Click Share. The agent is now accessible to all members of the security group.
- Test access from a member account
Sign in to Copilot Studio with a user account that is a member of the security group but not an owner of the agent. Confirm that the shared agent appears in the user’s agent list and that the user can open it with the assigned permission level.
If Copilot Studio Still Cannot Share With the Security Group
Copilot Studio shows “No results found” for the group name
This symptom indicates that the Graph API query returned zero groups. Open the browser developer tools (F12) and inspect the network request to https://graph.microsoft.com/v1.0/groups. If the response contains a 403 error, repeat step 1 and verify that the admin consent was applied. If the response returns an empty value array, verify that the group has a mail nickname and that you are typing the correct display name.
Sharing succeeds but group members cannot access the agent
This issue occurs when the group is a nested group. Copilot Studio does not resolve nested group memberships. Only direct members of the security group will inherit access. If your organization uses nested groups, add users directly to the parent security group rather than using a child group.
“Access denied” error when the group owner tries to share
The user sharing the agent must have the Co-owner role on the agent. Only co-owners can share agents with security groups. If you are the owner of the agent but not a co-owner, ask another co-owner to grant you co-owner access first.
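The checks from the sections above (403 versus an empty value array, missing mail nickname, dynamic membership, the 100,000-member limit, nested groups) can be run over a response and group object copied from the network tab. This is an added Python example, not Microsoft's code; it runs offline on constructed sample data, and the function names `triage_search` and `preflight` are hypothetical.

```python
# Added example: offline triage for the failure causes this article lists.
# Sample data is constructed; mailNickname, groupTypes and @odata.type are
# Microsoft Graph group/member properties.
MAX_MEMBERS = 100_000  # member limit stated in the article


def triage_search(status, body):
    """Classify the /v1.0/groups search response seen in the network tab."""
    if status == 403:
        return "403: repeat step 1 and verify admin consent for GroupMember.Read.All"
    if status == 200 and not body.get("value"):
        return "empty: check the group's mail nickname and the display name typed"
    if status == 200:
        return "ok"
    return f"unexpected status {status}"


def preflight(group, members, member_count):
    """Return the article's blocking conditions that apply to one group."""
    findings = []
    if not group.get("mailNickname"):
        findings.append("no mail nickname")
    if "DynamicMembership" in group.get("groupTypes", []):
        findings.append("dynamic membership group")
    if member_count > MAX_MEMBERS:
        findings.append("more than 100,000 members")
    # Direct members that are themselves groups: their users do not inherit access.
    nested = [m["displayName"] for m in members
              if m.get("@odata.type") == "#microsoft.graph.group"]
    if nested:
        findings.append("nested groups: " + ", ".join(nested))
    return findings


# Constructed sample objects (not from a real tenant).
SAMPLE_GROUP = {"displayName": "IT Support", "mailNickname": None,
                "securityEnabled": True, "groupTypes": ["DynamicMembership"]}
SAMPLE_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "displayName": "Alex Doe"},
    {"@odata.type": "#microsoft.graph.group", "displayName": "Helpdesk Tier 2"},
]

if __name__ == "__main__":
    print(triage_search(403, {"error": {"code": "Authorization_RequestDenied"}}))
    print(triage_search(200, {"value": []}))
    for finding in preflight(SAMPLE_GROUP, SAMPLE_MEMBERS, 120_000):
        print("-", finding)
```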
| Item | Security Group Sharing | Individual User Sharing |
|---|---|---|
| Permission required for sharing | GroupMember.Read.All delegated permission on Copilot Studio service principal | No additional Graph permissions needed |
| Group type supported | Assigned security groups with mail nickname | Not applicable |
| Maximum members | 100,000 | Not applicable |
| Nested groups supported | No | Not applicable |
| Dynamic membership groups supported | No | Not applicable |
| Time to propagate after sharing | Up to 30 minutes | Up to 5 minutes |
After completing the steps above, you can share Copilot Studio agents with security groups reliably. To avoid future issues, create a dedicated security group for each agent and assign a mail nickname at the time of group creation. For large organizations, use the GroupMember.Read.All permission at the tenant level rather than per-application to reduce administrative overhead.