You need to deploy Microsoft Copilot agents only to certain teams or departments, not to your entire organization. The Microsoft 365 admin center lets you target agent assignments using Azure AD security groups. This article explains how to create or select a security group, assign Copilot agent licenses, and verify that only group members can use the agent.
Key Takeaways: Rolling Out Copilot Agents by Security Group
- Microsoft 365 admin center > Billing > Licenses > Groups: Assign Copilot licenses to a security group instead of individual users.
- Azure AD > Groups > New group: Create a dynamic or assigned security group that matches your rollout criteria, such as department or location.
- Microsoft 365 admin center > Copilot > Agent policies: Configure which agents are available and enforce targeting to the selected security group.
Understanding Copilot Agent Rollout with Security Groups
Microsoft Copilot agents are AI-powered tools that automate tasks in Microsoft 365. By default, agents are available to all licensed users. To restrict access, you use Azure AD security groups combined with license assignment and agent policy configuration. The core mechanism is group-based licensing: you assign a Copilot license to a security group, and only members of that group receive the license. Agent policies then control which specific agents those licensed users can see and launch. This two-layer approach prevents unauthorized users from even seeing the agent in their Microsoft 365 apps.
Prerequisites include a Microsoft 365 tenant with Copilot for Microsoft 365 licenses, Global Admin or License Admin permissions, and the ability to create or modify Azure AD security groups. You do not need PowerShell for basic rollout, but PowerShell can automate large-scale deployments.
Key Components for Targeting
Three components work together:
- Security group: Contains the users who should access Copilot agents. Groups can be assigned or dynamic based on user attributes.
- Group-based license assignment: Assigns the Copilot for Microsoft 365 license to the security group. Only group members get the license.
- Agent policy: Defines which agents are available and to which groups they are published. You set the policy in the Microsoft 365 admin center under Copilot settings.
Steps to Roll Out Copilot Agents to a Specific Security Group
Follow these steps to restrict Copilot agent access to a single security group. The process assumes you already have a security group. If not, create one first.
- Create or select a security group in Azure AD
Go to the Azure AD admin center. Navigate to Groups > All groups > New group. Choose Security as the group type. For dynamic groups, set Membership type to Dynamic User and add a rule such as user.department -eq "Sales". For assigned groups, add users manually. Note the group Object ID.
- Assign the Copilot license to the security group
In the Microsoft 365 admin center, go to Billing > Licenses > All products. Select your Copilot for Microsoft 365 license. Click Assign licenses. Under Assign to, choose Groups. Search for your security group and select it. Click Assign. The license is provisioned to all current and future group members.
- Create an agent policy targeting the security group
In the Microsoft 365 admin center, go to Copilot > Agent policies. Click Add policy. Give the policy a name such as “Sales Agent Access.” Under Agents, select the agents you want to roll out. Under Assignments, choose Selected groups and add your security group. Click Save.
- Verify license assignment for a test user
Add a test user to the security group. Wait up to 30 minutes for license provisioning. In the Microsoft 365 admin center, go to Users > Active users, select the test user, and check the Licenses tab. Confirm Copilot for Microsoft 365 appears.
- Test agent visibility in Microsoft 365 apps
Sign in as the test user. Open Microsoft Teams or Copilot in Microsoft 365. The agents defined in the policy should appear. Sign in as a user not in the group. The agents should not appear or should be disabled.
Common Mistakes and Limitations When Targeting Security Groups
License does not appear for group members
Group-based license assignment can take up to 30 minutes. If the license does not appear, check the group membership in Azure AD. The user must be a direct member; nested groups are not supported for license assignment. Also verify that the group has not exceeded the license count available in your tenant.
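The checks above, and the per-user verification in step 4, can be run for the whole group at once. The following script is an added example, not part of the original article or any Microsoft tooling: it uses the Microsoft Graph PowerShell SDK to list nested-only members, direct members without an active group-inherited license, and users who hold the license from some other source. The group Object ID and the SKU part number are placeholders you supply.

```powershell
# Added example: audit who holds the Copilot license relative to the rollout group.
param(
    [Parameter(Mandatory)] [string] $GroupId,       # placeholder: Object ID of your security group
    [Parameter(Mandatory)] [string] $SkuPartNumber  # placeholder: copy from Get-MgSubscribedSku output
)

Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All', 'Organization.Read.All'

$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant." }

# Members can also be groups or devices; keep user objects only.
$isUser  = { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
$direct  = @(Get-MgGroupMember -GroupId $GroupId -All | Where-Object $isUser | ForEach-Object Id)
$reached = @(Get-MgGroupTransitiveMember -GroupId $GroupId -All | Where-Object $isUser | ForEach-Object Id)

# Every user in the tenant that currently holds the SKU, with the source of each assignment.
$filter   = "assignedLicenses/any(s:s/skuId eq $($sku.SkuId))"
$licensed = Get-MgUser -All -Filter $filter -ConsistencyLevel eventual -CountVariable total `
    -Property Id, UserPrincipalName, LicenseAssignmentStates

$viaGroup = @{}   # user Id -> state of the assignment inherited from the target group
$otherSource = foreach ($u in $licensed) {
    foreach ($s in @($u.LicenseAssignmentStates | Where-Object { $_.SkuId -eq $sku.SkuId })) {
        if ($s.AssignedByGroup -eq $GroupId) {
            $viaGroup[$u.Id] = $s.State
        } else {
            # Empty AssignedByGroup means the license was assigned to the user directly.
            $source = if ($s.AssignedByGroup) { "group $($s.AssignedByGroup)" } else { 'direct' }
            [pscustomobject]@{ User = $u.UserPrincipalName; Source = $source }
        }
    }
}

[pscustomobject]@{
    SeatsConsumed           = $sku.ConsumedUnits
    SeatsEnabled            = $sku.PrepaidUnits.Enabled
    # Reach the group only through a nested group, so they inherit no license from it.
    NestedOnlyMembers       = @($reached | Where-Object { $_ -notin $direct })
    # Direct members whose group-inherited assignment is missing or not yet Active.
    DirectMembersNotActive  = @($direct | Where-Object { $viaGroup[$_] -ne 'Active' })
    # Users outside the intended path: licensed directly or through a different group.
    LicensedFromOtherSource = @($otherSource)
}
```

Run it again after the provisioning window has passed; entries still listed under DirectMembersNotActive or LicensedFromOtherSource are the ones to investigate.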
Agents still visible to users outside the group
This happens when the agent policy is set to All users instead of Selected groups. Edit the policy and change the assignment to your specific security group. Also confirm that no other policy grants access to the same agents. Agent policies are additive; a user will see an agent if any policy grants access.
Dynamic group rule does not include expected users
Dynamic groups evaluate user attributes such as department, job title, or country. If a user does not match the rule, they are excluded. Check the user’s profile in Azure AD to confirm the attribute value. Use the Effective group membership feature in Azure AD to test the rule before assigning licenses.
Group-Based Licensing vs Individual Licensing for Copilot Agents
| Item | Group-Based Licensing | Individual Licensing |
|---|---|---|
| Administration effort | Low after initial setup; automatic for new members | High; manual assignment per user |
| Scalability | Works for thousands of users in one group | Impractical beyond a few dozen users |
| Agent policy targeting | Same group can be used for license and policy | Must create separate group for policy |
| Error handling | Automatic retry on license assignment failure | Manual retry required |
Group-based licensing is the recommended method for rolling out Copilot agents to specific security groups. It reduces manual work and ensures new hires in the group automatically receive access. Individual licensing is only suitable for temporary or test scenarios.
You can now roll out Copilot agents to a single security group using group-based licensing and agent policies. Start by creating a dynamic security group based on department or location to keep membership current without manual updates. For advanced control, combine multiple security groups in agent policies using the exclusion option in the Microsoft 365 admin center.