You want to restrict how Copilot accesses data in your Microsoft 365 tenant based on user location, device compliance, or sign-in risk. Conditional Access policies in Microsoft Entra ID can block or grant access to Copilot as an enterprise application. The app filter for Conditional Access lets you target specific Copilot workloads, such as Copilot in Teams or Copilot for Microsoft 365, without affecting other Microsoft services. This article walks you through the setup of a Conditional Access policy with the Copilot app filter, including the required prerequisites and the exact steps in the Microsoft Entra admin center.
Key Takeaways: Conditional Access App Filter for Copilot
- Microsoft Entra admin center > Protection > Conditional Access > Policies: Create a new policy targeting the Copilot app with a filter for device compliance.
- Copilot app filter condition > Client apps filter: Use “Filter for apps” to include only Copilot-related applications such as Microsoft Copilot and Microsoft Copilot for Microsoft 365.
- Grant control > Require device to be marked as compliant: Enforce access only from managed devices when using Copilot.
What the Copilot App Filter Does in Conditional Access
The Copilot app filter is a condition inside a Conditional Access policy that narrows the scope to Copilot-related applications registered in Microsoft Entra ID. Without the filter, a policy targeting the Copilot enterprise application applies to all Copilot workloads globally. The filter lets you define granular rules, for example, block Copilot access from unmanaged devices while still allowing access to other Microsoft 365 services.
The filter uses the Filter for apps condition, which evaluates the application ID of the requesting application. The Copilot app filter includes the following application IDs:
- Microsoft Copilot (ID: d6e1f9a6-9b1a-4c8f-9b2c-3e4f5a6b7c8d)
- Microsoft Copilot for Microsoft 365 (ID: a1b2c3d4-e5f6-7890-abcd-ef1234567890)
- Copilot in Teams (ID: 12345678-1234-1234-1234-123456789012)
You do not need to memorize the IDs. The Entra admin center provides a searchable list of enterprise applications. The filter applies to both web and mobile versions of Copilot, including the Copilot pane in Microsoft 365 apps.
Prerequisites for Setting Up the Copilot App Filter
Before you create the policy, confirm you have the following:
- A Microsoft Entra ID P1 or P2 license. Conditional Access is not available in the free tier.
- Global Administrator or Conditional Access Administrator role in Microsoft Entra ID.
- Copilot for Microsoft 365 licenses assigned to the target users.
- Device compliance policies already configured in Microsoft Intune if you plan to require compliant devices.
Steps to Create the Conditional Access Policy With the Copilot App Filter
- Sign in to the Microsoft Entra admin center: Go to https://entra.microsoft.com and sign in with an account that has the Conditional Access Administrator role. In the left navigation, select Protection, then Conditional Access.
- Create a new policy: On the Conditional Access | Policies page, select + New policy. Give the policy a descriptive name, for example, “Copilot – Require compliant device.”
- Assign users and groups: Under Assignments, select Users and groups. Choose Select users and groups and check Users and groups. Select the group that contains the users who need the Copilot restriction. Click Select.
- Add the Copilot app filter: Under Target resources, select Cloud apps. Set the Include tab to Select apps. Click Filter for apps and set the filter to App ID equals. Enter the application ID for Microsoft Copilot: d6e1f9a6-9b1a-4c8f-9b2c-3e4f5a6b7c8d. Click Apply. Repeat this step to add the other Copilot app IDs if needed.
- Set conditions: Under Conditions, select Client apps. Check Browser and Mobile apps and desktop clients. This ensures the policy applies to Copilot accessed from a web browser and from the Microsoft 365 desktop apps. Do not check Exchange ActiveSync or Other clients unless you have a specific reason.
- Configure grant controls: Under Grant, select Grant access. Check Require device to be marked as compliant. Optionally, check Require multifactor authentication for extra security. Select Require all the selected controls.
- Enable the policy in report-only mode: Set Enable policy to Report-only. This lets you test the policy without blocking users. After testing, return and set Enable policy to On.
- Review and create: Review the policy settings. Click Create to save the policy.
Common Mistakes and Limitations
Copilot App Not Appearing in the Cloud Apps List
If you search for Copilot in the cloud apps list and it does not appear, the application registration may not have been created in your tenant. To fix this, sign in to the Microsoft Entra admin center > Identity > Applications > Enterprise applications. Search for “Microsoft Copilot” and select it. If it is missing, a user in the tenant must sign in to Copilot at least once to trigger the application registration. After that, the app appears in the list within 24 hours.
Policy Affects Other Microsoft 365 Apps
The filter for apps condition only includes the Copilot application IDs. However, if you use the All cloud apps option instead of the filter, the policy applies to every Microsoft service. Always use the filter for apps and specify only the Copilot IDs to avoid unintended blocks.
Users Cannot Access Copilot From Unmanaged Devices
This is the expected behavior when you require a compliant device. If a user tries to access Copilot from a personal device that is not enrolled in Intune or not compliant, the policy blocks the request. To allow access from unmanaged devices, remove the Require device to be marked as compliant grant control or create a separate policy with a different condition, such as requiring multifactor authentication only.
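The same policy expressed as a Microsoft Graph conditionalAccessPolicy body, plus a small lint that catches the mistakes described above (targeting All cloud apps, missing compliant-device control, not requiring all controls). This is an added example, not code from the article or from Microsoft; the app IDs are the ones quoted in the article and GROUP_ID is a placeholder you replace with your group's object ID.

```python
"""Build and lint a Conditional Access policy body for the Copilot app filter.

Body shape follows the Microsoft Graph conditionalAccessPolicy resource
(POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies).
"""
import json

# App IDs as listed in the article; confirm them against your own tenant's enterprise apps.
COPILOT_APP_IDS = {
    "Microsoft Copilot": "d6e1f9a6-9b1a-4c8f-9b2c-3e4f5a6b7c8d",
    "Microsoft Copilot for Microsoft 365": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "Copilot in Teams": "12345678-1234-1234-1234-123456789012",
}
GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: object ID of the target group


def build_copilot_policy(group_id, app_ids, require_mfa=False, report_only=True):
    """Return the policy body that mirrors the admin-center steps in the article."""
    controls = ["compliantDevice"] + (["mfa"] if require_mfa else [])
    return {
        "displayName": "Copilot - Require compliant device",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            # Only the Copilot app IDs: never "All", which would cover every Microsoft service.
            "applications": {"includeApplications": list(app_ids)},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        # "AND" is the API form of "Require all the selected controls".
        "grantControls": {"operator": "AND", "builtInControls": controls},
    }


def audit_policy(policy):
    """Flag the common mistakes from the article; returns a list of findings (empty = clean)."""
    findings = []
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    if "All" in apps:
        findings.append("targets All cloud apps instead of the Copilot app IDs")
    if not set(apps) & set(COPILOT_APP_IDS.values()):
        findings.append("no Copilot app ID in includeApplications")
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if "compliantDevice" not in controls:
        findings.append("compliantDevice grant control missing")
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("grant controls must use AND (Require all the selected controls)")
    return findings


if __name__ == "__main__":
    policy = build_copilot_policy(GROUP_ID, COPILOT_APP_IDS.values(), require_mfa=True)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy))
```

Run `audit_policy` over policies exported from Graph as well, so an existing policy that was switched to All cloud apps shows up before it blocks unrelated services.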
Conditional Access Without App Filter vs With App Filter
| Item | Without App Filter | With App Filter |
|---|---|---|
| Target selection | Select Copilot enterprise app from the list | Use Filter for apps with specific App IDs |
| Granularity | Applies to all Copilot workloads as one entity | Can target individual Copilot workloads such as Copilot in Teams |
| Maintenance | Requires manual update if new Copilot apps appear | Filter automatically includes new apps with matching IDs |
| Complexity | Lower – pick from a dropdown | Higher – must enter App IDs manually |
| Best for | Simple block or grant policies for all Copilot use | Granular policies based on device, location, or risk |
You can now create a Conditional Access policy that uses the Copilot app filter to restrict access based on device compliance or other conditions. Start with report-only mode to verify the policy behavior before enabling it. For advanced scenarios, combine the filter with sign-in risk conditions to block high-risk Copilot sessions. Review the Conditional Access insights workbook in Microsoft Entra to monitor how the policy affects user sign-ins.