When you connect to your corporate VPN and try to use Copilot in Microsoft 365, you may see a red error banner that says “Network Unreachable.” This happens because Copilot requires direct HTTPS access to specific Microsoft endpoints, and many corporate VPNs route traffic through restrictive proxies or block certain domains. The error can appear in Microsoft Teams, Word, Excel, or the standalone Copilot app. This article explains why the error occurs and provides exact steps to fix it without compromising your VPN security.
Key Takeaways: Fixing Copilot Network Unreachable on VPN
- Copilot endpoint allowlist in VPN configuration: Add copilot.microsoft.com and api.copilot.microsoft.com to your VPN or proxy bypass list to restore connectivity.
- Windows 11 or 10 proxy settings: Disable automatic proxy detection or configure an explicit proxy exception for Copilot domains to prevent the error.
- Microsoft 365 admin center > Copilot > Network connectivity test: Run the built-in diagnostic tool to confirm which endpoints are blocked and verify the fix.
Why Copilot Shows Network Unreachable on a Corporate VPN
Copilot communicates with Microsoft servers using HTTPS on port 443. Corporate VPNs often apply deep packet inspection, SSL decryption, or traffic filtering that interferes with this connection. The most common root causes are:
- VPN split tunneling is disabled, forcing all traffic through the corporate network where Copilot endpoints are not allowed.
- A corporate proxy or firewall blocks the required Microsoft URLs or IP ranges.
- SSL certificate inspection breaks the encrypted connection Copilot needs.
- The VPN client uses a DNS resolver that cannot resolve Copilot domain names correctly.
Copilot does not cache data locally for offline use. It requires a live connection to Microsoft servers for every request. When the VPN blocks or misroutes that traffic, the app reports “Network Unreachable” instead of returning a response.
Steps to Fix Copilot Network Unreachable on Corporate VPN
Follow these steps in order. Each step addresses a specific cause. Test Copilot after each step to see if the error clears.
Step 1: Allow Copilot Endpoints in VPN Split Tunneling
- Open your VPN client settings
If you use a company-managed VPN like Cisco AnyConnect, Palo Alto GlobalProtect, or Zscaler, open the client application and sign in with your corporate credentials. - Enable split tunneling for Copilot domains
Navigate to the split tunneling or route configuration section. Add these domains to the list that bypasses the VPN tunnel: copilot.microsoft.com, api.copilot.microsoft.com, login.microsoftonline.com, and microsoft.com. Your IT department may need to push this change through group policy or MDM. - Apply and reconnect
Save the settings. Disconnect and reconnect the VPN. Open Copilot in Microsoft Teams or the web app and test the connection.
Step 2: Configure Proxy Exceptions for Copilot
- Open Windows proxy settings
Press Windows key, type “proxy settings,” and select Proxy settings from the results. - Add Copilot domains to the exception list
Under Manual proxy setup, locate the text box labeled Exceptions. Enter: copilot.microsoft.com;api.copilot.microsoft.com;login.microsoftonline.com;microsoft.com. Click Save. - Disable automatic proxy detection
In the same window, turn off Automatically detect settings. This prevents Windows from overriding your manual exceptions with a PAC file that may block Copilot.
Step 3: Verify DNS Resolution for Copilot Endpoints
- Open Command Prompt as administrator
Press Windows key, type “cmd,” right-click Command Prompt, and select Run as administrator. - Test DNS resolution
Run the command: nslookup copilot.microsoft.com. If the response shows a non-authoritative answer with an IP address, DNS is working. If you see “server failed” or “can’t find,” your VPN DNS is blocking the domain. - Flush DNS cache
Run: ipconfig /flushdns. Then run: ipconfig /registerdns. Reconnect the VPN and test Copilot again.
Step 4: Run the Microsoft 365 Network Connectivity Test
- Open a browser and navigate to the test tool
Go to connectivity.microsoft.com. Sign in with your Microsoft 365 work or school account. - Run the Copilot connectivity test
On the dashboard, select the Copilot test tile. The tool checks access to copilot.microsoft.com, api.copilot.microsoft.com, and required Microsoft Graph endpoints. Wait for the test to complete. - Review the results
If any endpoint shows as blocked, copy the IP address or URL and provide it to your IT team. Ask them to allow that endpoint in the firewall and proxy.
Step 5: Disable SSL Inspection for Copilot Traffic (IT Admin Required)
- Identify the SSL inspection appliance
Common appliances include Zscaler Internet Access, Palo Alto Networks Next-Generation Firewall, or Symantec Web Security Service. Open the admin console. - Create an SSL bypass rule for Copilot domains
Add copilot.microsoft.com and api.copilot.microsoft.com to the SSL inspection bypass list. Do not decrypt traffic to these domains. Apply and commit the change. - Test on a client machine
Reconnect the VPN and open Copilot. If the error disappears, SSL inspection was the cause. Keep the bypass rule in place permanently.
If Copilot Still Shows Network Unreachable After the Main Fix
Some issues require deeper investigation or a different approach. Here are additional failure patterns and their fixes.
Copilot Works on a Non-VPN Connection but Fails on VPN
This confirms the VPN itself is blocking traffic. Ask your IT team to enable split tunneling for the specific Copilot endpoints listed in Step 1. If split tunneling is not allowed due to security policy, request a dedicated VPN profile for Microsoft 365 traffic that does not route through the proxy.
Copilot Error Appears Only in the Desktop App but Not in the Browser
The desktop app uses a different network stack than the browser. Clear the Microsoft 365 app cache. Press Windows key + R, type %localappdata%\Microsoft\Teams\Cache, and delete all files. Restart the app. If the error persists, reinstall the Microsoft 365 desktop suite from the Microsoft 365 admin center.
Copilot Returns “Network Unreachable” Intermittently Throughout the Day
Intermittent errors often point to proxy load balancing or DNS timeouts. Ask your IT team to increase the TCP connection timeout for Copilot endpoints to 30 seconds. Also check if the VPN client is set to reconnect on network changes. Enable the reconnect feature in the VPN client settings.
Copilot Pro vs Copilot for Microsoft 365: Network Requirements on VPN
| Item | Copilot Pro | Copilot for Microsoft 365 |
|---|---|---|
| Primary endpoints | copilot.microsoft.com, api.copilot.microsoft.com | Same plus graph.microsoft.com, sharepoint.com, onedrive.com |
| Authentication | Personal Microsoft account via login.live.com | Work or school account via login.microsoftonline.com |
| Proxy bypass requirement | Same as basic Copilot | Must also allow Microsoft Graph and SharePoint endpoints |
| SSL inspection impact | Breaks connection to api.copilot.microsoft.com | Breaks connection to all endpoints listed above |
This article has walked you through five specific fixes for the Copilot Network Unreachable error on a corporate VPN. Start with split tunneling configuration and proxy exceptions, then verify with the Microsoft 365 connectivity test. If the error persists, ask your IT team to disable SSL inspection for Copilot domains. For ongoing reliability, keep the bypass rules in place and run the connectivity test monthly.