Microsoft Copilot Vision is a feature that lets Copilot see and interact with content on your screen. By default, Copilot Vision can analyze any app or browser tab you have open. This creates a security concern for organizations that want to restrict which applications Copilot can observe. The solution is to configure an allowlist of approved apps and exclude all others. This article explains how the Copilot Vision allowlist works, why it matters, and how to set it up in your Microsoft 365 environment.
Key Takeaways: Configuring Copilot Vision App Allowlist
- Microsoft 365 admin center > Copilot > Vision settings: Central location to manage which apps Copilot Vision can access
- Allowlist vs exclude list: An allowlist blocks all apps except those you explicitly approve, while an exclude list blocks only the specific apps you name and permits everything else
- App package family name (PFN): The identifier you must use to add an app to the Copilot Vision allowlist
How Copilot Vision App Access Works
Copilot Vision uses the display capture API to read content from windows and tabs currently on your screen. When you activate Copilot Vision, it takes a snapshot of the active window and analyzes the text, images, and UI elements visible. This allows Copilot to answer questions about what you see without you having to describe it manually.
The security model for Copilot Vision has two modes. In the default mode, Copilot Vision can access any app or browser tab. In the restricted mode, which is controlled by IT administrators, Copilot Vision can only access apps that appear on an approved allowlist. Any app not on the list is excluded and Copilot Vision cannot read its content.
The allowlist is managed through a configuration policy in the Microsoft 365 admin center. The policy uses the AppLocker or Windows Defender Application Control framework to identify apps by their package family name or executable file path. You must know the exact identifier for each app you want to allow.
Why Use an Allowlist Instead of an Exclude List
An allowlist provides a more secure configuration than an exclude list. With an exclude list, you block specific apps but allow all others. This approach leaves gaps because new or unknown apps are automatically permitted. With an allowlist, only the apps you explicitly approve are accessible. All other apps are blocked by default. For organizations that handle sensitive data, an allowlist is the recommended approach.
Steps to Configure the Copilot Vision Allowlist
The configuration requires global admin or security admin permissions in Microsoft Entra ID. You will use the Microsoft 365 admin center and the Microsoft 365 Apps admin center to apply the policy. Follow these steps:
- Sign in to the Microsoft 365 admin center
  Go to https://admin.microsoft.com and sign in with an account that has the Global Administrator or Security Administrator role.
- Navigate to Copilot settings
  In the left navigation, select Settings, then Org settings. On the Org settings page, find and select Copilot from the list of services.
- Open Vision settings
  Inside the Copilot settings page, select the Vision tab. This tab contains all options related to Copilot Vision permissions and app restrictions.
- Enable the allowlist mode
  Under the section labeled App access control, select Allow only specified apps. This changes the access mode from default to allowlist.
- Add an app to the allowlist
  Click Add an app. In the dialog that appears, enter the Package Family Name (PFN) or the full executable path of the app. For example, to allow Microsoft Edge, enter Microsoft.MicrosoftEdge_8wekyb3d8bbwe. For a Win32 app like Notepad, enter C:\Windows\System32\notepad.exe.
- Repeat for each app you want to allow
  Add all apps that your users need to use with Copilot Vision. Common apps include Microsoft Edge, Google Chrome, Microsoft Word, and Microsoft Excel. Each app requires its own entry.
- Review and save the policy
  After adding all apps, review the list to make sure no critical app is missing. Click Save to apply the policy. The change may take up to 24 hours to propagate to all users in the organization.
- Verify the configuration on a test device
  Sign in to a test Windows device with a user account in your tenant. Open Copilot and activate Copilot Vision. Try switching to an app that is not on the allowlist. You should see a message saying Copilot Vision cannot access that app.
Finding the Package Family Name for an App
If you do not know the PFN for an app, use PowerShell on a Windows device where the app is installed. Open PowerShell as an administrator and run the command Get-AppxPackage | Select Name, PackageFamilyName. This lists all installed Microsoft Store apps and their PFN values. For Win32 apps, use the full path to the executable file.
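The following PowerShell script is an added example and is not code from the original article or from Microsoft. It collects, on a Windows device where the apps are installed, the two kinds of identifier the allowlist accepts: the Package Family Name for Store/MSIX apps via Get-AppxPackage, and the full executable path for Win32 apps, checking that each one actually exists before it goes on the list. The package names, executable paths and output file name are assumptions for illustration; replace them with the apps your users need.

```powershell
# Added example, not code from the original article or from Microsoft. Collects the
# identifiers the Copilot Vision allowlist needs on a device where the apps are installed:
# the Package Family Name (PFN) for Store/MSIX apps and the full path for Win32 apps.
# Run in an elevated PowerShell session. The names and paths below are assumptions.

$storeApps = @('Microsoft.MicrosoftEdge', 'Microsoft.WindowsCalculator')   # package names (assumed)
$win32Apps = @('C:\Windows\System32\notepad.exe',                          # executable paths (assumed)
               'C:\Program Files\Google\Chrome\Application\chrome.exe')

$entries = @(foreach ($name in $storeApps) {
    # -AllUsers covers packages provisioned for other accounts on a shared test device.
    # Match the package name exactly rather than with a wildcard, so a look-alike
    # package does not end up on the allowlist by accident.
    $pkg = Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($null -eq $pkg) {
        Write-Warning "Store app '$name' is not installed here; no PFN collected."
        continue
    }
    [pscustomobject]@{ App = $name; Type = 'PFN'; Identifier = $pkg.PackageFamilyName }
})

$entries += @(foreach ($path in $win32Apps) {
    # A path that does not exist on the device is a typo that will break the policy.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Win32 app '$path' not found; verify the path before adding it."
        continue
    }
    [pscustomobject]@{ App = (Split-Path -Path $path -Leaf); Type = 'Path'; Identifier = $path }
})

# Review the result, then enter each Identifier in the admin center's Add an app dialog.
$entries | Format-Table -AutoSize
$entries | Export-Csv -Path (Join-Path $env:USERPROFILE 'copilot-vision-allowlist.csv') -NoTypeInformation
```

The exported CSV gives you a reviewable record of exactly which identifiers were entered, which is useful when a policy later shows Failed because of a missing or mistyped PFN.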
Common Allowlist Configuration Mistakes
Copilot Vision Still Shows All Apps After Configuring the Allowlist
The policy change can take up to 24 hours to apply. If you see no change after saving, check the policy status in the Microsoft 365 Apps admin center. Go to Health > Policy status and look for the Copilot Vision policy. If the status shows Pending, wait and check again. If the status shows Failed, review the policy syntax. A missing or incorrect PFN can cause the policy to fail.
Users Cannot Access a Legitimate App After Allowlist Is Applied
This happens when an app was not added to the allowlist before the policy was saved. Return to the Copilot Vision settings in the admin center and add the missing app. You do not need to re-save the entire policy; just add the new entry and click Save. The update will propagate to users within the same 24-hour window.
Copilot Vision Fails to Start After Policy Is Applied
A misconfigured allowlist can block Copilot Vision from initializing. This occurs if the Copilot Vision service itself is not on the allowlist. The Copilot Vision service runs under the system account and does not require a PFN entry. If the service fails, verify that the policy does not block system processes. In the admin center, check that the policy scope is set to User and not Device. A device-scoped policy can interfere with system services.
Copilot Vision Default Mode vs Allowlist Mode
| Item | Default Mode | Allowlist Mode |
|---|---|---|
| App access | All apps and browser tabs | Only apps on the allowlist |
| Configuration effort | None | Requires admin to add each app |
| Security level | Low | High |
| Policy propagation time | Immediate | Up to 24 hours |
| Best for | Personal or low-risk environments | Enterprise or regulated environments |
The allowlist mode gives you precise control over which apps Copilot Vision can analyze. Default mode is simpler but offers no app-level restrictions. For most business environments, allowlist mode is the safer choice.
You can now configure the Copilot Vision allowlist to restrict which apps Copilot can see on user screens. Start by collecting the package family names for the apps your team uses daily. Test the policy on a small group of users before rolling it out organization-wide. For advanced control, combine the allowlist with Conditional Access policies in Microsoft Entra ID to require that Copilot Vision only activates on managed devices.