You need to limit which users in your Microsoft 365 tenant can interact with a specific Copilot Studio agent. By default, agents published from Copilot Studio are available to all users in the tenant who have a Copilot license. This can expose sensitive data or business logic to the wrong audience. This article explains how to restrict agent access by configuring user groups in the Copilot Studio admin settings and the Microsoft 365 admin center.
Key Takeaways: Restricting Copilot Studio Agents to Specific User Groups
- Copilot Studio > Settings > Security > User access: Controls which Microsoft Entra ID groups can access a published agent.
- Microsoft Entra admin center > Groups: Create and manage the user groups that serve as the access boundary for each agent.
- Copilot Studio > Publish > Channels > Custom website: Enables token-based authentication to enforce group membership at runtime.
How Copilot Studio Agent Access Works
Copilot Studio agents are published as custom engines within the Microsoft 365 ecosystem. When you publish an agent, it becomes available through the Copilot interface, Microsoft Teams, or a custom website. Without access restrictions, any licensed user in the tenant can discover and use the agent. Access is controlled by two layers: Microsoft Entra ID group membership and the agent's security settings in Copilot Studio. The group membership defines who is allowed to see the agent, and the agent settings enforce that boundary at runtime. You must have the Copilot Studio admin role or the Microsoft Entra ID Group Administrator role to complete these steps.
Steps to Restrict Agent Access by User Group
1. Create a Microsoft Entra ID group for the target users
   Open the Microsoft Entra admin center at entra.microsoft.com. Go to Groups > All groups > New group. Select Security as the group type. Give the group a descriptive name such as “Copilot Agent Legal Team.” Add the users or nested groups that should have access to the agent. Click Create.
2. Open the agent in Copilot Studio
   Sign in to Copilot Studio at copilotstudio.microsoft.com. Select the agent you want to restrict from the Agents list. If you do not see the agent, ensure you are in the correct environment using the environment selector at the top right.
3. Navigate to the Security settings
   In the agent editor, click Settings in the top navigation bar. Then select Security from the left menu. The Security page shows the User access section.
4. Enable user access restrictions
   Under User access, toggle the switch to On for the option named Restrict access to this agent by group. A text box appears labeled Group object ID.
5. Enter the group object ID
   Go back to the Microsoft Entra admin center. Open the group you created in step 1. Copy the Object ID from the Overview page. Return to Copilot Studio and paste the Object ID into the Group object ID text box. You can add multiple group IDs by separating them with semicolons.
6. Save and republish the agent
   Click Save at the bottom of the Security page. Then go to Publish in the top navigation bar and click Publish to apply the changes. The agent now only appears for users who are members of the specified groups.
If the Agent Is Published to a Custom Website
When you publish the agent to a custom website channel, you must also enable token-based authentication to enforce group restrictions. In Copilot Studio, go to Settings > Channels > Custom website. Under Authentication, select the option Require authentication. This forces the website to pass a Microsoft Entra ID token for each user. The agent then validates the user's group membership before allowing access. If you skip this step, users who are not in the group can still reach the agent through the website URL.
Common Issues and Things to Avoid
Users outside the group can still see the agent in Copilot
The group restriction only applies after the agent is republished. If you changed the group but did not republish, the old settings remain active. Always click Publish after updating the Security settings. Also, verify that the group Object ID is entered correctly. A single incorrect character blocks all access.
Group membership changes take time to propagate
Microsoft Entra ID group membership changes can take up to 30 minutes to propagate to Copilot Studio. If you add a user to the group and they still cannot see the agent, wait 30 minutes and ask the user to refresh their Copilot session by signing out and signing back in.
Nested groups do not work
Copilot Studio currently does not support nested groups. You must enter the Object ID of a group that contains direct user members. If you enter a group that contains other groups as members, the agent will not recognize those nested members as authorized.
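A pre-publish check for the Group object ID field, added here as an example (not Microsoft or Copilot Studio code): it flags malformed or unknown IDs in the semicolon-separated value and lists nested groups whose members the agent will not authorize. The member records are constructed samples shaped like a Microsoft Graph group-members export, and `parse_group_ids` and `audit` are hypothetical helper names.

```python
import re

# Canonical 8-4-4-4-12 GUID, the form shown as Object ID on a group's Overview page.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"

def parse_group_ids(field):
    """Split the semicolon-separated field value into (valid, malformed) IDs."""
    valid, malformed = [], []
    for part in (p.strip() for p in field.split(";")):
        if not part:
            continue  # tolerate a trailing semicolon
        if GUID_RE.fullmatch(part):
            valid.append(part.lower())
        else:
            malformed.append(part)
    return valid, malformed

def audit(field, members_by_group):
    """Report malformed/unknown IDs, direct users, and nested groups per group."""
    valid, malformed = parse_group_ids(field)
    report = {"malformed": malformed, "unknown": [],
              "authorized": set(), "ignored_nested": {}}
    for gid in valid:
        if gid not in members_by_group:
            report["unknown"].append(gid)  # well-formed but absent from the export
            continue
        for member in members_by_group[gid]:
            if member["@odata.type"] == USER:
                report["authorized"].add(member["userPrincipalName"])
            elif member["@odata.type"] == GROUP:  # nested: its members are not authorized
                report["ignored_nested"].setdefault(gid, []).append(member["displayName"])
    return report

# Constructed sample data (hypothetical tenant), keyed by lowercase group Object ID.
LEGAL = "11111111-2222-3333-4444-555555555555"
FINANCE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_MEMBERS = {
    LEGAL: [{"@odata.type": USER, "userPrincipalName": "ana@contoso.example"},
            {"@odata.type": GROUP, "displayName": "Legal Contractors"}],
    FINANCE: [{"@odata.type": USER, "userPrincipalName": "raj@contoso.example"}],
}
# Third ID has a typo ("g" is not hex); fourth is well-formed but not in the export.
SAMPLE_FIELD = (f"{LEGAL}; {FINANCE};1111111g-2222-3333-4444-555555555555;"
                "99999999-0000-0000-0000-000000000000")

if __name__ == "__main__":
    for key, value in audit(SAMPLE_FIELD, SAMPLE_MEMBERS).items():
        print(key, "=>", value)
```

Any entry under `ignored_nested` means the listed group's users must be added as direct members of the parent group before they can reach the agent.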
The agent is not visible in the Copilot interface
If a user is in the correct group but still does not see the agent, check that the agent is published to the Copilot channel. Go to Settings > Channels > Copilot and confirm the toggle is On. Also confirm that the user has an active Copilot for Microsoft 365 license assigned.
| Item | Group-Based Restriction | No Restriction (Default) |
|---|---|---|
| Visibility in Copilot | Only group members see the agent | All licensed users see the agent |
| Custom website access | Requires token authentication | Anyone with the URL can access |
| Management overhead | Requires group creation and ID entry | No additional setup required |
| Best for | Sensitive data or departmental agents | General-purpose agents for the whole tenant |
You can now restrict any Copilot Studio agent to specific Microsoft Entra ID groups using the Security settings and the Publish workflow. Start by creating the appropriate groups in the Microsoft Entra admin center, then apply the group Object IDs in Copilot Studio. For agents on custom websites, enable token authentication to enforce the same restrictions. As a next step, test the restricted agent with a user who is not in the group to confirm the block works. For advanced control, consider using multiple agents with different group restrictions for different departments.