When you try to use Copilot in Microsoft 365, you may see an error message containing the code AADSTS530005. This error indicates that a Conditional Access policy is blocking the application from accessing Microsoft Graph resources. The policy is usually set by your IT administrator to control which apps can access corporate data. This article explains why this error occurs and provides the steps to resolve it so you can use Copilot again.
Key Takeaways: Resolving the AADSTS530005 Conditional Access Error
- Microsoft Entra admin center > Conditional Access > Policies: IT admins must check which policy blocks Copilot and adjust the app filter.
- Microsoft 365 admin center > Settings > Org settings > Copilot: Verify that Copilot is enabled for users and that data sources are correctly configured.
- PowerShell script to test Conditional Access: Use the Get-MgPolicyConditionalAccessPolicy cmdlet to identify the exact policy causing the block.
Why the AADSTS530005 Error Appears in Copilot
The AADSTS530005 error is a Conditional Access error code. It means the application, Copilot, was denied access because it does not meet the conditions set by a Conditional Access policy. These policies are managed in Microsoft Entra ID (formerly Azure Active Directory). They control which apps can access Microsoft Graph data, which is the data layer that Copilot uses to generate responses.
The most common cause is a Conditional Access policy that uses the App control condition. This condition allows only specific applications to access resources. If Copilot is not listed as an allowed app, the policy blocks it. Another cause is a policy that requires a specific device state, such as compliant or domain-joined, which Copilot does not meet when running in a web browser on an unmanaged device.
The error message usually appears as: AADSTS530005: Application with identifier ‘{app-id}’ was not found in the directory or does not have access to the resource. The app ID for Copilot in Microsoft 365 is d1ddf0e4-d672-4dae-b554-9d5bdfd93547. You can use this ID to search for the policy that is blocking it.
Conditional Access Policy Structure
A Conditional Access policy has three parts: assignments, conditions, and grant controls. Assignments define which users, groups, or roles the policy applies to. Conditions include the app filter, sign-in risk, device platform, and location. Grant controls specify the actions required, such as multi-factor authentication or device compliance. The AADSTS530005 error occurs when the app filter condition explicitly excludes Copilot or when the grant control requires a device state that Copilot cannot satisfy.
Steps to Identify and Fix the Blocking Conditional Access Policy
Only a global administrator or Conditional Access administrator can modify policies. If you are not an administrator, contact your IT support team and share the error code and the app ID. The steps below assume you have the necessary permissions.
- Open the Microsoft Entra admin center: Go to https://entra.microsoft.com and sign in with a global administrator account. In the left navigation menu, select Protection, then Conditional Access.
- Review all policies for app filter conditions: In the Conditional Access pane, select Policies. Look for any policy that has a condition set for App control or Filter for apps. Click on each policy to open its details. In the Conditions section, check if the Filter for apps option is configured. If it is, note the filter rule.
- Check if Copilot is included in the app filter: The filter rule uses a syntax like appId -eq 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'. If the rule explicitly excludes Copilot, for example appId -ne 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547', then the policy blocks it. To fix this, edit the policy and change the filter to include Copilot. You can add it by using the appId -in operator and listing the Copilot app ID along with other allowed apps.
- Verify device compliance requirements: In the same policy, check the Grant section. If the policy requires “Require device to be marked as compliant” or “Require Hybrid Azure AD joined device”, Copilot may fail because it runs in a browser session that does not carry a device token. To fix this, add a grant control that allows access from any device, or create an exception policy for Copilot that does not require device compliance.
- Create an exception policy for Copilot: If you cannot modify the existing policy because it applies to many applications, create a new Conditional Access policy that targets only the Copilot app. Set the assignments to include all users who need Copilot. Set the conditions to exclude the Copilot app ID. Under Grant, select Grant access with no additional requirements. Set the policy to Report-only first to test, then enable it.
- Test the fix: After making changes, sign out of Microsoft 365 and sign back in. Open Copilot in a supported app like Word or Teams. Try a simple query like “Summarize the last email from my manager.” If the error no longer appears, the fix is successful.
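The policy review in the steps above, and the PowerShell check mentioned in the key takeaways, can be done read-only from the Microsoft Graph PowerShell SDK. This is an added example, not code from the article; it assumes the Microsoft.Graph.Identity.SignIns module (which provides Get-MgIdentityConditionalAccessPolicy) is installed and that the signed-in account can read Conditional Access policies. It flags every policy whose app scope or app filter reaches the Copilot app ID quoted in the article and whose grant controls are Block or a device-state requirement.

```powershell
# Added example, not code from the article. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) is installed and the account can read CA policies.
$CopilotAppId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'   # Copilot app ID quoted in the article

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $apps    = $p.Conditions.Applications
    $grants  = @($p.GrantControls.BuiltInControls)
    $reasons = @()

    # Does the policy's app scope reach Copilot? Either named directly or swept in by "All",
    # and not listed under the policy's excluded applications.
    $targeted = (@($apps.IncludeApplications) -contains $CopilotAppId -or
                 @($apps.IncludeApplications) -contains 'All') -and
                (@($apps.ExcludeApplications) -notcontains $CopilotAppId)

    # Filter for apps: the appId -eq / -ne / -in rules the article describes.
    # Mode tells you whether matching apps are included in or excluded from the policy.
    $rule = $apps.ApplicationFilter.Rule
    if ($rule -and $rule -like "*$CopilotAppId*") {
        $reasons += "app filter mode=$($apps.ApplicationFilter.Mode) rule=$rule"
    }

    if ($targeted) {
        # Device-state grant controls that a browser session without a device token cannot satisfy
        foreach ($ctl in 'compliantDevice', 'domainJoinedDevice') {
            if ($grants -contains $ctl) { $reasons += "requires $ctl" }
        }
        if ($grants -contains 'block') { $reasons += 'grant control is Block' }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Policy  = $p.DisplayName
            State   = $p.State   # enabled, disabled, or enabledForReportingButNotEnforced (Report-only)
            Reasons = $reasons -join '; '
        }
    }
}

$findings | Sort-Object State, Policy | Format-Table -AutoSize
```

Policies reported with State enabledForReportingButNotEnforced are the Report-only ones the article tells you to test with before enabling; only enabled policies are enforcing the block today.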
If Copilot Still Shows the AADSTS530005 Error
Another Conditional Access policy is still blocking
There may be multiple Conditional Access policies. Check each policy that targets the same user group. Use the What If tool in the Conditional Access pane. Select the Copilot app ID, the user account, and the sign-in context. The tool shows which policies would apply and whether they grant or block access. If a policy shows Block, adjust that policy using the steps above.
The app filter uses a different attribute
Some policies filter by App display name instead of app ID. The display name for Copilot is “Microsoft Copilot Service.” If the filter uses a name match, ensure the name is spelled exactly. The filter rule might be appDisplayName -eq 'Microsoft Copilot Service'. If the rule uses a -notContains operator, it can accidentally exclude Copilot. Change the operator to -contains or add Copilot to an allowed list.
Conditional Access policy is in report-only mode
A policy set to Report-only does not block access, but it can still produce the error if another policy with the same conditions is active. Check the sign-in logs in Microsoft Entra admin center. Go to Monitoring > Sign-in logs. Filter by the Copilot app ID. Look for the event with error code 530005. The log shows which policy caused the block. Adjust that policy accordingly.
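The sign-in log check described above, written as an added Microsoft Graph PowerShell example that is not part of the article. It assumes the Microsoft.Graph.Reports module (which provides Get-MgAuditLogSignIn) is installed and that the account can read sign-in logs. For each 530005 failure on the Copilot app ID, it lists which applied policy enforced the block and which only matched in Report-only mode, together with the device compliance flags the sign-in carried.

```powershell
# Added example, not code from the article. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports) is installed and the account can read sign-in logs.
$CopilotAppId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'   # Copilot app ID quoted in the article
$ErrorCode    = 530005                                   # numeric part of AADSTS530005

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Fetch recent sign-ins for the Copilot app ID, then keep only the 530005 failures.
# The status filter is applied client-side so the query does not depend on server-side
# $filter support for status/errorCode.
$blocked = Get-MgAuditLogSignIn -Filter "appId eq '$CopilotAppId'" -Top 500 |
    Where-Object { $_.Status.ErrorCode -eq $ErrorCode }

$blocked | ForEach-Object {
    $s = $_
    # Each sign-in records every CA policy evaluated and the per-policy result.
    $enforced   = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
    $reportOnly = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'reportOnlyFailure' }

    [pscustomobject]@{
        When            = $s.CreatedDateTime
        User            = $s.UserPrincipalName
        DeviceCompliant = $s.DeviceDetail.IsCompliant   # device state the grant controls evaluated
        DeviceManaged   = $s.DeviceDetail.IsManaged
        # Enforced failures are the policies to adjust; report-only hits would block once enabled.
        BlockingPolicy  = ($enforced | ForEach-Object {
                              "$($_.DisplayName) [$($_.EnforcedGrantControls -join ',')]"
                          }) -join '; '
        ReportOnlyHits  = @($reportOnly.DisplayName) -join '; '
    }
} | Format-Table -AutoSize
```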
Copilot Conditional Access Error: App Control vs Device Control Policies
| Item | App Control Policy | Device Control Policy |
|---|---|---|
| Description | Blocks or allows apps based on app ID or display name | Blocks or allows access based on device compliance or domain join status |
| Typical filter | Filter for apps using appId or appDisplayName | Grant control requiring compliant device or hybrid Azure AD join |
| Error cause | Copilot app ID is not in the allowed list | Copilot runs in a browser without a device token |
| Fix approach | Add Copilot app ID to the filter or create an exception policy | Remove device requirement for Copilot or use a managed browser |
| Applies to | Copilot in all Microsoft 365 apps and web | Copilot in web browser on unmanaged devices |
Both policy types can cause the same AADSTS530005 error. The sign-in logs show which policy type triggered the block. Use the app ID d1ddf0e4-d672-4dae-b554-9d5bdfd93547 to locate the exact policy.
After resolving the Conditional Access policy, you can use Copilot normally. Test by asking Copilot to create a document from a SharePoint file. If the error returns, run the What If tool again to check for new policies. For ongoing monitoring, set up alerts in Microsoft Entra admin center for sign-in failures with error code 530005.