How to Enable Copilot for B2B Guest Users Safely
WiseChecker

You want to let external business partners use Copilot in your Microsoft 365 tenant without exposing internal data they should not see. By default, Copilot blocks guest users, and enabling it requires careful configuration of cross-tenant access and sensitivity labels. This article explains how to enable Copilot for B2B guest users while keeping your tenant secure.

B2B guest users are external collaborators invited into your Microsoft Entra ID directory. When you enable Copilot for them, Copilot can ground responses using files and messages shared with those guests. Without proper controls, a guest could accidentally access data beyond what you intended.

This guide covers the prerequisite setup in Microsoft Entra ID, the required Copilot settings in the Microsoft 365 admin center, and the labeling policies that prevent data oversharing.

Key Takeaways: Enabling Copilot for B2B Guest Users

  • Microsoft Entra admin center > External Identities > Cross-tenant access settings: Controls inbound and outbound trust for B2B collaboration.
  • Microsoft 365 admin center > Settings > Org settings > Copilot: The toggle that enables or disables Copilot for guest users tenant-wide.
  • Microsoft Purview compliance portal > Information protection > Sensitivity labels: Labels restrict Copilot from reading files with specific sensitivity levels when accessed by guests.


What Happens When You Enable Copilot for B2B Guests

Copilot uses Microsoft Graph to access data across Exchange, SharePoint, Teams, and OneDrive. For guest users, Copilot can only read content that the guest already has permission to view. Enabling Copilot for guests does not grant new data access. Instead, it allows Copilot to generate responses based on the same data the guest can already see through normal Microsoft 365 tools.

The key risk is not Copilot itself. The risk is that your cross-tenant access settings or sharing policies might give guests broader access than you realize. For example, if you allow guests to see all files in a SharePoint site, Copilot will surface content from that entire site. You must review and restrict guest access at the data layer before enabling Copilot.

Prerequisites for Enabling Copilot for B2B Guests

Before you start, confirm the following:

  • Your tenant has Copilot for Microsoft 365 licenses assigned to the users who will interact with guests.
  • You have at least the Global Administrator role or the Security Administrator role in Microsoft Entra ID.
  • You have the Compliance Administrator role in Microsoft Purview to create and apply sensitivity labels.
  • Your tenant has cross-tenant access policies configured for the guest user’s home tenant.

Steps to Enable Copilot for B2B Guest Users

Follow these steps in order. Do not skip the prerequisite checks in Steps 1 and 2.

  1. Review cross-tenant access settings in Microsoft Entra ID
    Go to the Microsoft Entra admin center. Select External Identities > Cross-tenant access settings. For each external tenant you collaborate with, select the Inbound access tab. Under B2B collaboration, verify that the trust settings do not automatically grant guests access to all internal apps. Set the trust type to "Allow users to be invited" only. Do not enable automatic redemption unless you have a specific need.
  2. Restrict guest access to SharePoint and OneDrive
    In the SharePoint admin center, go to Policies > Sharing. Under External sharing, set SharePoint and OneDrive to "Existing guests" or "Specific people." Do not use "Anyone" or "New and existing guests." This prevents guests from discovering sites or files that were not explicitly shared with them.
  3. Create a sensitivity label for guest-restricted content
    In Microsoft Purview, go to Information protection > Labels. Create a new label called "Guest Restricted." Under Auto-labeling, configure the label to apply to files containing PII or confidential data. Under Encryption, set the encryption to "Assign permissions now" and remove the "Guest" group from the list of users who can decrypt. Publish this label to all users.
  4. Enable Copilot for guest users in the Microsoft 365 admin center
    Go to the Microsoft 365 admin center. Select Settings > Org settings > Copilot. Under Guest access, toggle the setting to "Allow Copilot for guest users." Click Save. This setting applies to all guest users across the tenant.
  5. Test Copilot access with a guest account
    Invite a test guest user from a non-production tenant. Sign in as that guest. Open a Word document that is shared with the guest. Use Copilot to summarize the document. Verify that Copilot responds correctly. Then, try to access a file that has the "Guest Restricted" label. Copilot should return an error or refuse to read the content.
  6. Monitor Copilot usage for guest users
    In the Microsoft 365 admin center, go to Reports > Usage > Copilot for Microsoft 365. Filter by user type "Guest." Review the activity logs for unusual queries. Set up an alert in Microsoft Defender for Cloud Apps for any Copilot query that attempts to access labeled content without permission.
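Before flipping the toggle in Step 4, a read-only audit of the data-layer settings from Steps 1 and 2 catches the misconfigurations the article warns about. This is an added example, not the article's own script; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Online.SharePoint.PowerShell modules are installed, and `<tenant>` is a placeholder for your tenant name.

```powershell
# Added audit example (not from the article). Read-only: it reports findings and
# only suggests the corrective cmdlet in its output.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Online.SharePoint.PowerShell;
# <tenant> is a placeholder for your tenant name.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

$findings = @()

# Step 1: per-partner cross-tenant settings. Automatic redemption lets guests in
# without the explicit invitation the article relies on, so flag it.
foreach ($partner in Get-MgPolicyCrossTenantAccessPolicyPartner) {
    if ($partner.AutomaticUserConsentSettings.InboundAllowed) {
        $findings += "Partner $($partner.TenantId): inbound automatic redemption is enabled"
    }
    # Informational: trusting the home tenant's MFA claim means your own
    # Conditional Access MFA requirement for guests is satisfied remotely.
    if ($partner.InboundTrust.IsMfaAccepted) {
        $findings += "Partner $($partner.TenantId): INFO, MFA claims from the home tenant are trusted"
    }
}

# Step 2: tenant-wide external sharing level. Admin center names map to the
# SharingCapability enum as follows:
#   Anyone                      -> ExternalUserAndGuestSharing    (weak)
#   New and existing guests     -> ExternalUserSharingOnly        (weak)
#   Existing guests             -> ExistingExternalUserSharingOnly (target)
#   Only people in your org     -> Disabled
$weak = 'ExternalUserAndGuestSharing', 'ExternalUserSharingOnly'
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -in $weak) {
    $findings += "Tenant sharing is '$($tenant.SharingCapability)'; " +
                 "fix with: Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly"
}

# Site-level sharing is capped by the tenant setting, but list any site that still
# sits at a weak level so it can be reviewed before Copilot is enabled for guests.
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -in $weak } | ForEach-Object {
    $findings += "Site $($_.Url) shares at '$($_.SharingCapability)'"
}

if ($findings.Count -eq 0) {
    'No weak guest-sharing settings found; proceed to Step 3.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it again after remediation; an empty findings list is the precondition for Step 4, and the site list is the same inventory you will want when deciding where the "Guest Restricted" label must apply.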


Common Issues After Enabling Copilot for B2B Guests

Even with correct configuration, you may encounter problems. Below are the most frequent issues and how to resolve them.

Copilot Returns No Data for Guest Users

If a guest user sees "Copilot cannot find relevant information" when they query data they should have access to, check the cross-tenant access settings. The guest user’s home tenant must have outbound access enabled for Microsoft 365 services. In Microsoft Entra ID, go to Cross-tenant access settings > Outbound access for the guest’s tenant. Verify that the "Microsoft 365" service is set to "Allow."

Copilot Returns Data from the Wrong Tenant

A guest user might see results from their own home tenant instead of your tenant. This happens when the guest is signed in with their home account and Copilot defaults to their home environment. Instruct guests to sign in explicitly with the guest account in the format guest@yourtenant.onmicrosoft.com. You can also configure a custom domain for guest access to make the distinction clearer.

Sensitivity Labels Block Legitimate Guest Access

If you apply a "Guest Restricted" label too broadly, guests cannot use Copilot on any file. Review the label’s auto-labeling rules. Ensure the label only applies to files that truly contain confidential information. For shared project files, create a separate label like "Project Shared" that allows guest read access.

Copilot for B2B Guests vs Copilot for Internal Users: Key Differences

| Item | Copilot for B2B Guests | Copilot for Internal Users |
|---|---|---|
| Data scope | Only content explicitly shared with the guest | All content the user has permission to see in the tenant |
| Cross-tenant access required | Yes, configured in Microsoft Entra ID | No |
| Sensitivity label enforcement | Labels can block Copilot from reading labeled files | Labels can restrict actions but rarely block reading |
| License requirement | Guest does not need a Copilot license; the inviting user’s license covers the interaction | Each user needs a Copilot for Microsoft 365 license |
| Admin controls | Tenant-wide toggle plus cross-tenant settings | Per-user license assignment plus org-wide settings |

Conclusion

You can now enable Copilot for B2B guest users by configuring cross-tenant access, restricting SharePoint sharing, and applying sensitivity labels. Test the setup with a guest account before rolling it out to external partners. For ongoing safety, review the Copilot usage reports weekly and adjust sensitivity labels as your collaboration needs change. As an additional hardening step, use Microsoft Entra ID Conditional Access policies to require multi-factor authentication for any guest user who accesses Copilot.
