How to Resolve Copilot ‘Service Principal Not Found’ in Admin Center

When you open the Microsoft 365 admin center to configure Copilot, you may see a red error banner that reads “Service Principal Not Found.” This error prevents you from enabling Copilot features or managing data source permissions for your tenant. The root cause is a missing or misconfigured service principal object in Microsoft Entra ID, which Copilot requires to authenticate and access Microsoft Graph data. This article explains why the service principal goes missing and provides a step-by-step method to recreate it using PowerShell and the admin center.

Key Takeaways: Recreating the Missing Copilot Service Principal

  • Microsoft Entra admin center > Enterprise applications > Copilot: Verify the service principal exists; if missing, the admin center shows the error.
  • PowerShell cmdlet New-MgServicePrincipal: Creates the missing service principal for Copilot in your tenant.
  • Microsoft 365 admin center > Copilot > Data sources: Confirm the service principal is present before configuring SharePoint and OneDrive grounding.

Why the Copilot Service Principal Goes Missing

The Copilot service principal is an enterprise application object in Microsoft Entra ID that represents the Copilot service in your tenant. Microsoft 365 automatically provisions this object when you first activate a Copilot license or enable the Copilot preview. Several scenarios can cause the object to be deleted or never created.

Tenant Cleanup Scripts

Administrators often run automated scripts to remove unused or orphaned enterprise applications. If the script targets all applications without an explicit exclusion list, it can delete the Copilot service principal along with other Microsoft first-party apps. The script may filter by creation date or last sign-in activity, and Copilot’s principal may appear inactive if no users have signed in yet.

Conditional Access Policy Conflicts

A Conditional Access policy that blocks all non-admin access to enterprise applications can prevent the Copilot service principal from being provisioned. When the provisioning process attempts to create the principal, the policy blocks the creation, leaving the tenant without the required object. The admin center then shows the error because it cannot find the principal to read its configuration.

Cross-Tenant Migration or Domain Changes

If your organization recently migrated to a new Microsoft 365 tenant, changed the primary domain, or performed a tenant-to-tenant migration, the service principal may not carry over. The migration process moves user objects and licenses but does not always recreate first-party service principals. The admin center expects the principal to exist based on the tenant ID, but the object is absent.

Steps to Recreate the Copilot Service Principal

You can recreate the missing service principal using the Microsoft Graph PowerShell SDK. This method does not require a support ticket and completes in under 10 minutes. Before you start, ensure you have the Global Administrator role in Microsoft Entra ID.

  1. Install the Microsoft Graph PowerShell module
    Open Windows PowerShell as an administrator. Run the command Install-Module Microsoft.Graph -Scope CurrentUser. Press Y to confirm the installation from PSGallery. This module contains the cmdlets needed to create enterprise applications.
  2. Connect to Microsoft Graph with admin consent
    Run Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All". A browser window opens. Sign in with your Global Administrator account. Approve the requested permissions. The PowerShell session now has permission to create service principals.
  3. Create the Copilot service principal object
    Run the following command: New-MgServicePrincipal -AppId "d6ab1262-0f0c-4c1b-a0b9-3f1e7f1b1c1d" -DisplayName "Copilot". The AppId value is the fixed application identifier for Copilot. The cmdlet returns the new service principal, including its object ID. Copy this ID for verification.
  4. Verify the service principal in Microsoft Entra admin center
    Go to https://entra.microsoft.com. Navigate to Identity > Applications > Enterprise applications. Search for “Copilot” in the search box. The application should appear with the display name you provided. Click the application to view its properties.
  5. Confirm the error is resolved in the Microsoft 365 admin center
    Open the Microsoft 365 admin center at https://admin.microsoft.com. Go to Settings > Org settings > Copilot. The red error banner should no longer appear. You can now configure data sources and other Copilot settings.
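
Steps 2 to 4 combined into one idempotent script, as an added example that is not part of the original article: it looks the principal up by AppId before creating anything, so a second run does nothing. The reduced scope (Application.ReadWrite.All only) and the display-name review at the end are choices of this example, not steps from the article.

```powershell
# Added example, not from the original article. Needs the Microsoft.Graph.Applications
# module and an account allowed to create enterprise applications.
$CopilotAppId = 'd6ab1262-0f0c-4c1b-a0b9-3f1e7f1b1c1d'   # AppId as given in this article

# Assumption of this example: Application.ReadWrite.All alone covers reading and
# creating service principals, so Directory.ReadWrite.All is not requested here.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

try {
    # Look the principal up by AppId, not display name: display names are not unique.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$CopilotAppId'" -ErrorAction Stop

    if ($sp) {
        Write-Host "Service principal for $CopilotAppId already exists; nothing created."
    }
    else {
        Write-Host "No service principal for $CopilotAppId; creating it."
        $sp = New-MgServicePrincipal -AppId $CopilotAppId -DisplayName 'Copilot' -ErrorAction Stop
    }

    # Record the object for the change log and for step 4's verification.
    $sp | Select-Object Id, AppId, DisplayName, AppOwnerOrganizationId, AccountEnabled |
        Format-List

    # Step 4 searches by name, which can match several entries. List every other
    # principal whose name starts with "Copilot" so each can be reviewed by AppId.
    $others = Get-MgServicePrincipal -Filter "startswith(displayName,'Copilot')" -All |
        Where-Object { $_.AppId -ne $CopilotAppId }
    if ($others) {
        Write-Warning 'Other enterprise applications with a similar display name:'
        $others | Select-Object DisplayName, AppId, AppOwnerOrganizationId | Format-Table -AutoSize
    }
}
finally {
    Disconnect-MgGraph | Out-Null
}
```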

If Copilot Still Shows the Error After Recreating the Principal

The Service Principal Exists But the Admin Center Still Reports an Error

The admin center caches the service principal status for up to 15 minutes. Wait 15 minutes and refresh the Copilot settings page. If the error persists, sign out of the admin center and sign back in. A fresh authentication token forces the admin center to re-read the service principal list from Microsoft Entra ID.

PowerShell Returns “Access Denied” When Creating the Service Principal

Your account lacks the required permissions. Confirm you hold the Global Administrator role. If you use Privileged Identity Management, activate the role for at least 30 minutes before running the cmdlet. You can also ask another Global Administrator to run the command.

The Service Principal Is Deleted Again After a Few Days

A recurring cleanup script is deleting the principal. Review your automated scripts that target enterprise applications. Add an exclusion rule for the Copilot service principal using its AppId d6ab1262-0f0c-4c1b-a0b9-3f1e7f1b1c1d. Also check any third-party identity governance tools that may be removing unused applications.
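
One way to build the exclusion rule into a cleanup script, as an added example that is not code from the article: the AppId check runs before any staleness rule, and every principal gets a Keep or Remove decision that can be reviewed before anything is deleted. The function name, the LastSignIn property and the sample objects are hypothetical and constructed for illustration.

```powershell
# Added example, not code from the article. Sample objects below are constructed.
$ProtectedAppIds = @(
    'd6ab1262-0f0c-4c1b-a0b9-3f1e7f1b1c1d'   # Copilot AppId as given in this article
)

function Get-CleanupDecision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $ServicePrincipal,
        [Parameter(Mandatory)] [string[]] $ExcludeAppId,
        [Parameter(Mandatory)] [datetime] $StaleBefore
    )
    process {
        # Last activity: the last sign-in if there is one, otherwise the creation date.
        # LastSignIn is a hypothetical property; real sign-in data comes from a separate report.
        $lastSeen = if ($null -ne $ServicePrincipal.LastSignIn) { $ServicePrincipal.LastSignIn }
                    else { $ServicePrincipal.CreatedDateTime }

        # The exclusion list is evaluated first so no staleness rule can override it.
        if ($ExcludeAppId -contains $ServicePrincipal.AppId) {
            $action = 'Keep';   $reason = 'AppId is on the exclusion list'
        }
        elseif ($lastSeen -lt $StaleBefore) {
            $action = 'Remove'; $reason = "No activity since $($lastSeen.ToString('yyyy-MM-dd'))"
        }
        else {
            $action = 'Keep';   $reason = 'Created or used after the cutoff'
        }

        [pscustomobject]@{
            DisplayName = $ServicePrincipal.DisplayName
            AppId       = $ServicePrincipal.AppId
            Action      = $action
            Reason      = $reason
        }
    }
}

# Constructed sample: Copilot has never had a sign-in, so a date-only rule would remove it.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Copilot';           AppId = 'd6ab1262-0f0c-4c1b-a0b9-3f1e7f1b1c1d'; CreatedDateTime = [datetime]'2024-03-01'; LastSignIn = $null }
    [pscustomobject]@{ DisplayName = 'Old test app';      AppId = '00000000-0000-0000-0000-000000000001'; CreatedDateTime = [datetime]'2023-06-15'; LastSignIn = $null }
    [pscustomobject]@{ DisplayName = 'Payroll connector'; AppId = '00000000-0000-0000-0000-000000000002'; CreatedDateTime = [datetime]'2023-01-10'; LastSignIn = [datetime]'2025-05-10' }
)

$sample | Get-CleanupDecision -ExcludeAppId $ProtectedAppIds -StaleBefore ([datetime]'2025-01-01') |
    Format-Table -AutoSize
```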

| Item | Before Fix | After Fix |
| --- | --- | --- |
| Admin center Copilot page | Red error banner: “Service Principal Not Found” | No error; settings are editable |
| Enterprise applications list | Copilot application missing | Copilot application present with AppId |
| PowerShell connection | Not applicable | New-MgServicePrincipal succeeds |
| Data source configuration | Blocked by missing principal | SharePoint and OneDrive grounding available |

The “Service Principal Not Found” error in the Copilot admin center occurs when the Copilot enterprise application object is missing from Microsoft Entra ID. You can recreate it with the New-MgServicePrincipal PowerShell cmdlet using the fixed AppId for Copilot. After creating the principal, wait 15 minutes for the admin center cache to update. To prevent the issue from recurring, add the Copilot service principal to your enterprise application exclusion list in any cleanup scripts or identity governance policies.