You need to give Copilot to some employees but not others. Microsoft 365 does not let you block Copilot through a simple on-off switch per person. Instead, you control access by assigning or removing licenses for specific user groups. This article explains how to use the Microsoft 365 admin center and Azure AD group-based licensing to restrict Copilot access by user group. You will learn the exact steps to set up a licensed group, remove licenses from unlicensed groups, and verify that the restriction is working.
Key Takeaways: Restricting Copilot by User Group
- Microsoft 365 admin center > Billing > Licenses: Assign Copilot licenses to a security group instead of individual users.
- Azure AD group-based licensing: Automatically applies or removes licenses when users are added to or removed from a group.
- PowerShell cmdlet Get-MgGroupMember: Verify which users in a group have the Copilot license assigned.
Why License Assignment Controls Copilot Access
Copilot for Microsoft 365 is a per-user add-on license. When a user does not have this license, the Copilot features in Microsoft 365 apps like Word, Excel, and Teams do not appear or remain inactive. The license is the gatekeeper. You cannot disable Copilot through a tenant-wide toggle or a policy setting in the Microsoft 365 admin center. The only supported method to restrict access is to control who gets the license.
Group-Based Licensing vs Individual Assignment
Assigning licenses to each user one by one works for small teams but does not scale. Group-based licensing in Azure Active Directory lets you link a license to a security group. When a user is added to that group, the system automatically assigns the Copilot license. When a user is removed, the system removes the license. This method reduces manual work and prevents errors from forgotten assignments or removals.
Prerequisites for Group-Based Licensing
Before you start, confirm you have the following:
- Global admin or License administrator role in Microsoft 365.
- An Azure AD tenant with at least one security group that contains the users who should get Copilot.
- Enough available Copilot for Microsoft 365 licenses in your tenant. Check this in the Microsoft 365 admin center under Billing > Licenses.
- A clear list of users who should not have Copilot. They must not be members of the licensed group.
Steps to Restrict Copilot Access by User Group
Follow these steps to set up group-based licensing for Copilot. The process has three parts: creating or identifying the security group, assigning the Copilot license to the group, and removing licenses from users who should not have access.
Part 1: Prepare the Security Group
- Open the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in with your Global admin or License administrator account. - Navigate to Groups
In the left navigation, select Teams & groups and then Active teams & groups. - Create a new security group or use an existing one
Click Add a group. Choose Security as the group type. Give the group a name like Copilot Licensed Users. Add a description. Set the owner and members. If you already have a group that contains the correct users, you can skip creation and use that group. - Verify group membership
Open the group and click Members. Confirm that only the users who should receive Copilot are listed. Remove any user who should not have access.
Part 2: Assign the Copilot License to the Group
- Go to Azure Active Directory
In the Microsoft 365 admin center, select Admin centers and then Azure Active Directory. Alternatively, go directly to https://portal.azure.com and navigate to Azure Active Directory. - Open group-based licensing
In Azure AD, select Licenses from the left menu. Then click All products. - Select the Copilot product
Find Copilot for Microsoft 365 in the list. If you have multiple Copilot SKUs, pick the one that matches your subscription plan. Click the product name. - Assign the license to the group
Click Assign. In the Users and groups section, click Add and search for the security group you prepared. Select the group. In the Assignment options, ensure the Copilot service plan is enabled. Review the settings and click Assign. The system will process the assignment. This can take up to 30 minutes for all users to receive the license.
Part 3: Remove Licenses from Users Who Should Not Have Access
- Identify users with direct licenses
Some users may have received the Copilot license through direct assignment rather than group membership. To find them, go to Azure AD > Licenses > All products and click Copilot for Microsoft 365. Under the Licensed users tab, look for users who are not members of your licensed group. - Remove direct licenses
Select each user who should not have Copilot. Click Remove license and confirm. If a user is a member of the licensed group, removing the direct license will not affect them because the group license remains. Only remove licenses from users who are not in the group. - Use PowerShell for bulk removal
If you have many users to process, use the Microsoft Graph PowerShell SDK. RunConnect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All". Then use theSet-MgUserLicensecmdlet to remove the Copilot SKU. For example:Set-MgUserLicense -UserId "user@domain.com" -AddLicenses @() -RemoveLicenses @("SKU_ID"). ReplaceSKU_IDwith the Copilot product SKU for your tenant.
Common Issues When Restricting Copilot Access
Users Still See Copilot After License Removal
Copilot features may remain visible for up to 72 hours after the license is removed. This is because Microsoft 365 apps cache license information. To force a refresh, ask the user to sign out of all Microsoft 365 apps and sign back in. Alternatively, run a Sign out of all sessions action from the Microsoft 365 admin center on the user account.
Group License Assignment Shows Errors
If the group has more members than available licenses, the assignment will fail for some users. Check the number of available licenses under Billing > Licenses. If you do not have enough, purchase additional Copilot licenses. If you cannot purchase more, remove some users from the group to stay within the license count.
Users in Multiple Groups Get Conflicting Licenses
If a user belongs to two groups, one with the Copilot license and one without, the user will still get the license because group-based licensing is additive. To prevent this, ensure that users who should not have Copilot are not members of any group that has the Copilot license assigned. Audit group memberships regularly.
Group-Based Licensing vs Direct License Assignment
| Item | Group-Based Licensing | Direct License Assignment |
|---|---|---|
| Administration effort | Low after initial setup | High for large organizations |
| Scalability | Scales to thousands of users | Does not scale beyond a few dozen |
| Error risk | Low because automated | High due to manual entry |
| Audit trail | Azure AD logs group changes | No centralized audit |
| License removal on user offboarding | Automatic when user leaves group | Must be manually removed |
Group-based licensing is the recommended method for organizations with more than 20 users. Direct assignment works for small teams where you can track each license manually.
Conclusion
You can now restrict Copilot access by user group using Azure AD group-based licensing. Create a security group, assign the Copilot for Microsoft 365 license to that group, and remove any direct licenses from users outside the group. Check the Licensed users tab in Azure AD to verify the assignment. For ongoing management, automate group membership with dynamic groups based on department or job title. This approach ensures that only the correct users have Copilot without manual license tracking.