Microsoft Copilot for Microsoft 365 can now integrate with Microsoft Entra ID Governance to provide access review recommendations. This feature helps administrators identify which users should retain or lose access to sensitive resources. The integration uses Copilot’s natural language processing to analyze user activity, role assignments, and sign-in patterns. This article explains how the integration works, what prerequisites are required, and how to configure access reviews with Copilot recommendations.
Key Takeaways: Access Reviews with Copilot and Entra ID Governance
- Microsoft Entra admin center > Identity Governance > Access reviews: Create and manage access reviews for groups, applications, and roles.
- Copilot recommendation generation: Uses user sign-in frequency, resource usage, and risk signals to suggest keep or remove decisions.
- Reviewer workflow: Reviewers see Copilot-generated recommendations in the Azure portal or via email, then approve or reject with one click.
How Copilot Integration With Entra ID Governance Works
Microsoft Copilot for Microsoft 365 can read and analyze data from Microsoft Entra ID Governance when it has the appropriate permissions. The Copilot system accesses user activity logs, group membership changes, application usage statistics, and sign-in risk events stored in Entra ID. It then generates a natural language recommendation for each access review decision. The recommendation appears as a sentence in the access review interface, such as “Based on low sign-in frequency and no recent resource access, remove access.”
The integration does not store review decisions permanently. It reads data from Entra ID at the time of review generation. The Copilot recommendation is a suggestion only. The reviewer retains full authority to accept or override the recommendation. The feature requires an active Microsoft Copilot for Microsoft 365 license assigned to the reviewer, not to the users being reviewed.
Prerequisites for Using Copilot With Access Reviews
Before you can use Copilot recommendations in access reviews, you must meet the following requirements:
- A Microsoft Entra ID P2 license for the tenant
- Microsoft Copilot for Microsoft 365 license assigned to each reviewer
- Global Administrator or Identity Governance Administrator role to configure access review settings
- Microsoft Graph permission consent for the Copilot service principal: User.Read.All, AuditLog.Read.All, and Directory.Read.All
- Access reviews must be scoped to groups, applications, or Azure AD roles
What Data Copilot Uses to Generate Recommendations
Copilot analyzes the following data sources when building a recommendation:
- User sign-in frequency over the last 90 days
- Last time the user accessed the resource being reviewed
- Group membership changes in the last 30 days
- Risk detections from Entra ID Identity Protection
- Application usage events logged in Entra ID
Copilot does not access user mailbox content, Teams chat, or SharePoint files for this feature. It only reads identity and access metadata.
Steps to Enable Copilot Recommendations in Access Reviews
Follow these steps to configure access reviews that include Copilot-generated recommendations.
- Open the Microsoft Entra admin center
Go to https://entra.microsoft.com and sign in with an account that has the Global Administrator or Identity Governance Administrator role.
- Navigate to Identity Governance
In the left navigation pane, select Identity Governance. Then select Access reviews under the Governance section.
- Create a new access review
Click New access review. Choose the review type: Teams + Groups, Applications, or Azure AD roles. Select the specific resource to review.
- Configure scope and reviewers
Under Scope, select All users or a specific group. Under Reviewers, choose Users assigned to the resource or Managers. The reviewer must have a Copilot for Microsoft 365 license.
- Enable Copilot recommendations
Under Settings, locate the Copilot section. Toggle Show Copilot recommendations to reviewers to On. A confirmation dialog appears. Click Save.
- Set review schedule and completion settings
Configure the review frequency, duration, and auto-apply settings. For example, set a review to run every 90 days and auto-apply decisions after 30 days if reviewers do not respond.
- Review and create
Click Review + create. Verify the settings on the summary page. Click Create to start the access review.
How Reviewers See and Use Copilot Recommendations
When a reviewer opens an access review, they see each user or group member with a recommendation label. The label displays a green checkmark for “Keep access” or a red X for “Remove access.” Below the label, Copilot shows a one- or two-sentence explanation.
The reviewer can click Approve or Deny for each user. If the reviewer disagrees with the Copilot recommendation, they can select the opposite action and optionally add a comment. The Copilot recommendation does not change the reviewer’s workflow. It only provides a starting point for faster decision-making.
Accessing Recommendations via Email
Reviewers who receive email notifications for access reviews also see the Copilot recommendation in the email body. The email includes a direct link to the review portal. The reviewer can approve or deny directly from the email if the tenant has mobile email access enabled.
Common Issues and Limitations
Copilot Recommendation Does Not Appear
If a reviewer does not see a Copilot recommendation, verify that the reviewer has a Microsoft Copilot for Microsoft 365 license assigned. Also confirm that the access review was created after the Copilot integration was enabled. Existing reviews do not retroactively receive recommendations. Create a new review after enabling the toggle.
Recommendation Reads “Insufficient Data”
Copilot may show “Insufficient data to generate a recommendation” for users who have no sign-in activity or resource access in the last 90 days. This is expected behavior. The reviewer must decide manually based on other available information.
Copilot Recommendation Is Inaccurate
Copilot recommendations are based on available metadata and may not reflect recent changes. For example, a user who just started a new role may have low sign-in frequency but should retain access. Reviewers should always verify recommendations before acting. The recommendation is a suggestion, not an automated decision.
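One way a reviewer can cross-check a recommendation against the raw signals listed under "What Data Copilot Uses to Generate Recommendations" before acting on it. This is an added example, not Microsoft's code and not Copilot's actual logic: the function names, the decision rules and the sample records are assumptions constructed for illustration, with records using Microsoft Graph signIn field names.

```python
from datetime import datetime, timedelta, timezone

def parse(ts):
    # Graph timestamps are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def evidence(upn, resource, sign_ins, added_on, now):
    """Collect the identity metadata signals for one user under review."""
    recent = [s for s in sign_ins
              if s["userPrincipalName"] == upn
              and now - parse(s["createdDateTime"]) <= timedelta(days=90)]
    on_resource = [parse(s["createdDateTime"]) for s in recent
                   if s["appDisplayName"] == resource]
    return {"sign_ins_90d": len(recent),
            "last_resource_access": max(on_resource, default=None),
            "added_last_30d": now - parse(added_on[upn]) <= timedelta(days=30)}

def cross_check(recommendation, ev):
    """Return 'consistent' or the reason the reviewer should decide manually."""
    if ev["sign_ins_90d"] == 0:
        return "insufficient data: decide manually"
    if recommendation == "remove" and ev["added_last_30d"]:
        return "verify: recently added, low activity is expected"
    used = ev["last_resource_access"] is not None
    if recommendation == "remove" and used:
        return "verify: resource accessed in the last 90 days"
    if recommendation == "keep" and not used:
        return "verify: no resource access in the last 90 days"
    return "consistent"

# Constructed sample data (hypothetical users, dates and recommendations).
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)
def rec(upn, ts, app):
    return {"userPrincipalName": upn, "createdDateTime": ts, "appDisplayName": app}
SIGN_INS = [rec("alice@example.com", "2025-06-28T09:12:00Z", "Finance App"),
            rec("bob@example.com", "2025-06-01T08:00:00Z", "Office 365"),
            rec("carol@example.com", "2025-06-25T10:30:00Z", "Office 365"),
            rec("erin@example.com", "2025-05-15T14:05:00Z", "Finance App")]
ADDED_ON = {"alice@example.com": "2024-01-10T00:00:00Z", "bob@example.com": "2024-03-02T00:00:00Z",
            "carol@example.com": "2025-06-20T00:00:00Z", "dave@example.com": "2023-11-05T00:00:00Z",
            "erin@example.com": "2023-09-01T00:00:00Z"}
RECOMMENDED = {"alice@example.com": "keep", "bob@example.com": "remove",
               "carol@example.com": "remove", "dave@example.com": None, "erin@example.com": "remove"}

def review_queue(resource="Finance App"):
    return {u: cross_check(r, evidence(u, resource, SIGN_INS, ADDED_ON, NOW))
            for u, r in RECOMMENDED.items()}

if __name__ == "__main__":
    for user, result in review_queue().items():
        print(user, "->", result)
```

Users marked "consistent" can be decided quickly; the rest are the ambiguous cases where the reviewer needs context the metadata does not carry.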
Feature Not Available in Government Clouds
Copilot integration with Entra ID Governance access reviews is currently not available in Microsoft 365 Government Community Cloud (GCC), GCC High, or DoD environments. The feature is limited to commercial tenants.
Copilot Recommendations vs Manual Review Decisions
| Item | Copilot Recommendation | Manual Review Decision |
|---|---|---|
| Data source | Entra ID sign-in logs, usage events, risk detections | Reviewer’s knowledge and external context |
| Time to decide per user | Less than 5 seconds | 30 seconds to 2 minutes |
| Accuracy for inactive users | High for users with no activity | Variable, depends on reviewer familiarity |
| Accuracy for new users | Low, often shows insufficient data | High if reviewer knows the user’s role |
| Override capability | Reviewer can always reject | |
| License requirement | Copilot for Microsoft 365 per reviewer | No additional license needed |
Copilot recommendations reduce decision time for high-volume reviews. Manual decisions remain necessary for edge cases where Copilot lacks sufficient data. Most organizations use a hybrid approach: Copilot handles users with clear inactivity signals, and reviewers focus on ambiguous cases.
You can now configure access reviews with Copilot recommendations to speed up identity governance processes. Start by enabling the toggle in a single review for a test group. Review the Copilot explanations to understand how the system judges access needs. For best results, combine Copilot recommendations with a regular review cadence of 90 days or less and train reviewers to override recommendations when context demands it.