How to Resolve Copilot AADSTS500011 Resource Principal Not Found

When you try to sign in to Copilot in Microsoft 365, you may see an error message that reads AADSTS500011: The resource principal named was not found in the tenant. This error means Azure Active Directory cannot locate the service principal for the Copilot application in your tenant. The root cause is usually a missing or misconfigured service principal for the Microsoft Copilot app registration. This article explains why the error occurs and provides step-by-step fixes to resolve it.

Key Takeaways: Fixing the AADSTS500011 Error for Copilot

  • Azure AD admin center > Enterprise applications > Microsoft Copilot: Verify the service principal exists and is enabled for sign-in.
  • PowerShell command New-MgServicePrincipal: Creates the missing service principal for the Copilot app ID 26f2a0c1-0a1c-4b0b-9c1a-2b3c4d5e6f7a.
  • Microsoft 365 admin center > Roles > Cloud app administrator: Assign this role to the admin who will run the service principal creation commands.


Why the AADSTS500011 Error Occurs for Copilot

The AADSTS500011 error is an Azure Active Directory authentication failure. It means the service principal object that represents the Copilot application in your tenant does not exist or is disabled. Every Microsoft cloud application must have a corresponding service principal in Azure AD to handle authentication and authorization. When Copilot attempts to sign in, Azure AD looks up this service principal. If the principal is missing, authentication fails with the AADSTS500011 error.

Common reasons the service principal is missing include:

  • The tenant was provisioned before Copilot was released, and the service principal was never created automatically.
  • An admin deleted the service principal manually from the Enterprise applications list.
  • Conditional access policies or tenant restrictions block the creation of the service principal.
  • The service principal exists but is disabled for user sign-in.

The fix requires creating or re-enabling the service principal for the Copilot application. The Copilot application ID is 26f2a0c1-0a1c-4b0b-9c1a-2b3c4d5e6f7a. You need global admin or cloud app admin privileges to complete the steps.

Steps to Create the Missing Copilot Service Principal

Use one of the following methods to resolve the error. Method 1 uses the Azure AD admin center. Method 2 uses Microsoft Graph PowerShell for a faster approach when the admin center does not work.

Method 1: Use the Azure AD Admin Center

  1. Sign in to the Azure AD admin center
    Open a browser and go to https://aad.portal.azure.com. Sign in with an account that has the Global administrator or Cloud application administrator role.
  2. Navigate to Enterprise applications
    In the left menu, select Enterprise applications. Then select All applications.
  3. Search for the Copilot application
    In the search box, type Microsoft Copilot or the application ID 26f2a0c1-0a1c-4b0b-9c1a-2b3c4d5e6f7a. If the application appears, select it. If it does not appear, skip to Method 2.
  4. Enable user sign-in
    In the left menu of the application page, select Properties. Set Enabled for users to sign-in? to Yes. Select Save.
  5. Test Copilot sign-in
    Close the browser and reopen Copilot. Sign in again. If the error persists, continue with Method 2.

Method 2: Use Microsoft Graph PowerShell

This method creates the service principal directly. You need the Microsoft Graph PowerShell module installed.

  1. Open PowerShell as administrator
    Right-click the Start button and select Windows PowerShell (Admin) or Terminal (Admin).
  2. Install the Microsoft Graph module if missing
    Run: Install-Module Microsoft.Graph -Scope CurrentUser. Press Y to confirm if prompted.
  3. Connect to Microsoft Graph
    Run: Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All". Sign in with your admin account when prompted.
  4. Create the service principal for Copilot
    Run: New-MgServicePrincipal -AppId "26f2a0c1-0a1c-4b0b-9c1a-2b3c4d5e6f7a". The command returns a service principal object with an Id property. Note the Id value.
  5. Verify the service principal was created
    Run: Get-MgServicePrincipal -Filter "AppId eq '26f2a0c1-0a1c-4b0b-9c1a-2b3c4d5e6f7a'". Confirm the output shows an Id.
  6. Disconnect the session
    Run: Disconnect-MgGraph.
  7. Test Copilot sign-in
    Close all browser windows. Open Copilot again and sign in. The error should no longer appear.


If Copilot Still Shows the AADSTS500011 Error After the Fix

In some cases, the service principal exists but is blocked by other configurations. Check the following scenarios.

The service principal is disabled by a conditional access policy

A conditional access policy may block the Copilot service principal. Sign in to the Azure AD admin center. Go to Security > Conditional Access > Policies. Review each policy that targets cloud apps. If a policy includes Microsoft Copilot or All cloud apps and blocks access, create an exclusion for the Copilot app. Test sign-in again.

Tenant restrictions block the service principal creation

If your tenant uses tenant restrictions to limit external apps, the Copilot service principal may not auto-provision. Work with your security team to add the Copilot app ID 26f2a0c1-0a1c-4b0b-9c1a-2b3c4d5e6f7a to the allowed list in the tenant restrictions policy. Then run Method 2 again.

The service principal exists but is in a different tenant

If you are a guest user from another tenant, Copilot may try to authenticate against your home tenant instead of the resource tenant. Sign out of all accounts. Sign in to the resource tenant directly using an account that belongs to that tenant. Then try Copilot again.

Copilot Service Principal Missing vs Disabled: Key Differences

| Item | Missing service principal | Disabled service principal |
| --- | --- | --- |
| Description | The service principal object does not exist in the tenant | The service principal exists but is blocked from user sign-in |
| Error message | AADSTS500011 with resource principal not found | AADSTS500011 or AADSTS700016 with disabled app |
| Azure AD admin center appearance | Application does not appear in the Enterprise applications list | Application appears, but Properties shows sign-in set to No |
| Fix | Create the service principal using PowerShell or the consent flow | Enable sign-in on the application's Properties page |
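As an added example (not from the article and not a Microsoft-provided script), the Method 2 steps and the missing-versus-disabled distinction from the table combined into one idempotent Microsoft Graph PowerShell script. It assumes the Microsoft.Graph module is installed, uses the Copilot app ID exactly as the article states it, and adds a read-only Conditional Access audit (requiring the Policy.Read.All scope) for the blocked-by-policy scenario described above:

```powershell
# Added example: check-or-create the Copilot service principal, re-enable it if it is
# disabled, verify the result, then list Conditional Access policies that still block it.
# The app ID below is the one the article gives; confirm it against your tenant first.
$CopilotAppId = "26f2a0c1-0a1c-4b0b-9c1a-2b3c4d5e6f7a"

# Policy.Read.All is only needed for the read-only Conditional Access audit at the end.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "Policy.Read.All"

# Look the principal up by app ID, which is the lookup that fails with AADSTS500011.
$sp = Get-MgServicePrincipal -Filter "appId eq '$CopilotAppId'"

if (-not $sp) {
    # Missing service principal: the case Method 2 fixes.
    Write-Host "Service principal missing; creating it."
    $sp = New-MgServicePrincipal -AppId $CopilotAppId
}
elseif (-not $sp.AccountEnabled) {
    # Disabled service principal: the case Method 1 step 4 fixes via the Properties page.
    Write-Host "Service principal exists but sign-in is disabled; enabling it."
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$true
    $sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
}
else {
    Write-Host "Service principal already present and enabled."
}

# Verify the end state (Method 2 step 5): an Id and AccountEnabled = True are expected.
"Id: $($sp.Id)  DisplayName: $($sp.DisplayName)  AccountEnabled: $($sp.AccountEnabled)"

# Read-only audit: enabled policies with a Block grant that include the Copilot app
# (directly or via "All cloud apps") and do not exclude it.
$blocking = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq "enabled" -and
    $_.GrantControls.BuiltInControls -contains "block" -and
    ($_.Conditions.Applications.IncludeApplications -contains "All" -or
     $_.Conditions.Applications.IncludeApplications -contains $CopilotAppId) -and
    -not ($_.Conditions.Applications.ExcludeApplications -contains $CopilotAppId)
}
if ($blocking) {
    "Enabled block policies that still cover the Copilot app (add an exclusion):"
    $blocking | Select-Object DisplayName, Id | Format-Table -AutoSize
}
else {
    "No enabled Conditional Access policy blocks the Copilot app."
}

Disconnect-MgGraph
```

The script only reads Conditional Access policies; any exclusion is still added by an admin in Security > Conditional Access as the section above describes.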

The AADSTS500011 error for Copilot is caused by a missing or disabled service principal in your Azure AD tenant. You can resolve it by creating the service principal using Microsoft Graph PowerShell or by enabling sign-in in the Azure AD admin center. After the fix, verify that no conditional access policies or tenant restrictions block the Copilot app. If you manage multiple tenants, check each tenant separately for the service principal. To prevent this error in the future, avoid deleting service principals for Microsoft first-party applications.
