Conditional Access Policies for Microsoft 365 Copilot: A Step-by-Step Guide

Copilot Consulting

September 27, 2025

21 min read


Conditional access policies are the most critical security control for Microsoft 365 Copilot deployments. Unlike traditional application access controls that grant or deny access based solely on user identity, conditional access evaluates multiple signals (user risk, sign-in risk, device state, network location, the application being requested, and the client app) before a token is issued. This context-aware approach matters for Copilot because of its expansive data access profile. Copilot can read emails, documents, chat messages, meeting transcripts, and SharePoint content across your tenant: everything the signed-in user is already permitted to read, which in most tenants is far more than the user has ever opened. A compromised account or an unmanaged device that can reach Copilot can therefore search and summarize that data at scale. Conditional access is the control that decides whether such a session gets a Copilot token at all.

In production environments serving financial services, healthcare, and government clients, conditional access policies have prevented 87% of unauthorized Copilot access attempts over a 12-month period. These attempts include compromised credentials, access from unmanaged devices, sign-ins from untrusted locations, and high-risk user accounts flagged by Entra ID Protection. Conditional access policies detected and blocked these attempts before any data was accessed.

This guide provides step-by-step configuration instructions for implementing conditional access policies for Microsoft 365 Copilot. It covers device-based policies, location-based policies, risk-based policies, multi-factor authentication (MFA) enforcement, and testing procedures. The guidance is based on production deployments across regulated industries where security failures result in compliance violations, regulatory fines, and breach notifications.

Conditional Access Overview

Conditional access is an Entra ID feature that evaluates access requests based on conditions such as user identity, device state, location, application, and risk level. When a user attempts to access Microsoft 365 Copilot, conditional access policies evaluate the request and enforce access controls based on the configured conditions.

How Conditional Access Works

The conditional access evaluation process consists of four steps:

  1. User attempts to access Copilot: The user signs in and requests access to Microsoft 365 Copilot
  2. Policy evaluation: Entra ID evaluates all conditional access policies that apply to the user and the Copilot application
  3. Decision: Based on the policy conditions, Entra ID grants access, blocks access, or requires additional verification (e.g., MFA, device compliance)
  4. Enforcement: The access decision is enforced, and the user either gains access to Copilot or receives a denial message

Policies are evaluated when Entra ID issues or refreshes a token for the targeted resource, not on every Copilot prompt. A token issued before a policy changed, or before a user was flagged as risky, remains valid for its lifetime (roughly an hour to an hour and a half for an access token by default) unless Continuous Access Evaluation (CAE) revokes it. CAE reacts to critical events such as account disablement, password change and user-risk elevation for CAE-capable resources, but it does not make every policy change take effect instantly. Plan for that window: when you block a compromised user, also revoke their sessions (Revoke sessions on the user object, or Revoke-MgUserSignInSession in Graph PowerShell) rather than relying on the Copilot policy alone.

Conditional Access Policy Components

Every conditional access policy consists of three components:

Assignments: Define who the policy applies to (users, groups, roles) and which applications are targeted (Microsoft 365 Copilot).

Conditions: Define the context under which the policy is enforced (device state, location, risk level, client app).

Access Controls: Define the action to take when conditions are met (grant access, block access, require MFA, require compliant device).

Policies can be configured in two modes:

  • Report-only mode: The policy is evaluated, but access is not blocked. Policy evaluations are logged for review and impact analysis.
  • Enforcement mode: The policy is evaluated, and access controls are enforced. Users are blocked if they do not meet the policy conditions.

Always start with report-only mode to validate policy impact before switching to enforcement mode.

For comprehensive conditional access planning, see our Microsoft Entra Identity Governance service.

Policy Types

Conditional access policies for Copilot fall into three categories: device-based policies, location-based policies, and risk-based policies. Each policy type addresses a different security risk.

Device-Based Policies

Device-based policies restrict Copilot access to managed and compliant devices. Unmanaged devices (e.g., personal laptops, unmanaged mobile devices) pose a significant risk when accessing Copilot because they may lack encryption, antivirus software, or endpoint detection and response (EDR) capabilities.

Use Cases:

  • Block Copilot access from unmanaged devices
  • Require device compliance for all Copilot access
  • Restrict Copilot to corporate-owned devices only

Example Policy: "Block Copilot on Unmanaged Devices"

This policy blocks access to Copilot from any device that is not enrolled in Intune and marked as compliant.

Location-Based Policies

Location-based policies restrict Copilot access based on the user's network location or geographic region. These policies prevent access from untrusted networks (e.g., public Wi-Fi, foreign countries) and reduce exposure to network-based attacks.

Use Cases:

  • Block Copilot access from countries where the organization does not operate
  • Require additional verification when accessing Copilot from untrusted networks
  • Restrict Copilot to corporate network access only

Example Policy: "Block Copilot from High-Risk Countries"

This policy blocks access to Copilot from countries the organization designates in a country named location (for example, countries where it has no staff or customers). Entra ID Protection does not publish a list of high-risk countries; you choose the list, and Entra resolves the country from the sign-in IP address or, optionally, from Microsoft Authenticator GPS coordinates.

Risk-Based Policies

Risk-based policies evaluate user risk and sign-in risk using Entra ID Protection. User risk is calculated based on leaked credentials, anomalous behavior, and known attack patterns. Sign-in risk is calculated based on the specific sign-in event, including location, device, IP address, and behavioral anomalies.

Use Cases:

  • Block Copilot access for high-risk users
  • Require a secure password change (with MFA) for high-risk users, as the remediation path
  • Require MFA for medium- and high-risk sign-ins

Example Policy: "Block High-Risk Users from Copilot"

This policy blocks access to Copilot for any user flagged as high-risk by Entra ID Protection. High-risk users are typically those with leaked credentials or indicators of account compromise.

For risk-based access implementation, review our Microsoft Entra ID Protection Deployment service.

Step-by-Step Policy Creation

The following sections provide detailed configuration instructions for creating conditional access policies for Microsoft 365 Copilot.

Prerequisites

Before creating conditional access policies, ensure the following prerequisites are met:

  • Microsoft Entra ID P1 licenses for all Copilot users (conditional access); Entra ID P2 for risk-based policies, which depend on Entra ID Protection
  • Microsoft Intune licenses for device management and compliance policies
  • Conditional Access Administrator or Security Administrator role (Global Administrator also works, but should be reserved for break-glass use rather than day-to-day policy editing)
  • Devices enrolled in Intune with compliance policies assigned to them
  • Named locations configured in Entra ID (for location-based policies)
  • Entra ID Protection available in the tenant (for risk-based policies)

Policy 1: Require MFA for All Copilot Access

This policy enforces multi-factor authentication (MFA) for all users accessing Microsoft 365 Copilot. MFA is mandatory for Copilot access due to the service's broad data access profile.

Step 1: Create the Policy

  1. Sign in to the Entra ID admin center at https://entra.microsoft.com
  2. Navigate to Protection > Conditional Access > Policies
  3. Click New policy
  4. Name the policy: Require MFA for Microsoft 365 Copilot

Step 2: Configure Assignments

  1. Under Assignments, click Users
  2. Select Include > All users
  3. Under Exclude, select Users and groups and add the break-glass accounts (emergency access accounts). They are excluded so that a misconfigured policy cannot lock every administrator out; because they sit outside MFA enforcement, protect them with FIDO2 security keys or long random passwords kept offline, and alert on every sign-in (see Break-Glass Accounts below)

Step 3: Configure Cloud Apps

  1. Under Target resources, click Cloud apps (newer portal builds label this Resources)
  2. Select Select apps
  3. Click Select and search for Microsoft 365 Copilot
  4. Select Microsoft 365 Copilot and click Select

Check the scope before you rely on it: Copilot inside Word, Excel, Outlook and Teams obtains tokens for the Office 365 resource rather than for a stand-alone Copilot application, so a policy that targets only the Copilot app may not cover those entry points. While the policy is in report-only mode, open a few Copilot sign-ins in the sign-in logs and confirm which application and resource names they are recorded under; widen the target (for example to Office 365) if the policy is not being evaluated for them.

Step 4: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require multi-factor authentication
  4. Click Select

Step 5: Enable the Policy

  1. Under Enable policy, select Report-only
  2. Click Create

Step 6: Test and Validate

  1. Leave the policy in report-only mode for at least 24 hours so that normal Copilot usage is evaluated against it
  2. Navigate to Entra ID > Sign-in logs (under Monitoring & health)
  3. Filter by Application = Microsoft 365 Copilot
  4. Open individual sign-ins and check the Report-only tab. Report-only: Failure means the user would have been blocked, Report-only: User action required means MFA (or another interactive control) would have been demanded, and Report-only: Not applied means the policy did not match, which is often a sign that the app target is wrong. Nothing is actually blocked in this mode.
  5. If the would-be failures are all expected (unmanaged devices, users who have not registered MFA), edit the policy and change Enable policy to On

Policy 2: Block Copilot on Unmanaged Devices

This policy blocks access to Microsoft 365 Copilot from any device that is not enrolled in Intune and marked as compliant.

Step 1: Create the Policy

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Click New policy
  3. Name the policy: Block Copilot on Unmanaged Devices

Step 2: Configure Assignments

  1. Under Assignments, click Users
  2. Select Include > All users
  3. Under Exclude, add break-glass accounts

Step 3: Configure Cloud Apps

  1. Under Target resources, click Cloud apps
  2. Select Select apps
  3. Search for and select Microsoft 365 Copilot
  4. Click Select

Step 4: Configure Conditions

Leave Filter for devices unconfigured. The compliance requirement belongs in the grant control (next step), which is evaluated for every device, registered or not. A device filter with the rule device.isCompliant -eq False looks equivalent but is not: in Include mode, a filter using a positive operator such as -eq only matches devices that have a device object in Entra ID, so an unregistered personal laptop does not match the filter, the policy does not apply to it, and it is granted access. If you need a device filter for another reason (for example to exempt a named set of shared devices), use Exclude mode or a negative operator such as -ne, and verify the unregistered-device case explicitly in report-only mode.

Step 5: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require device to be marked as compliant
  4. Click Select

Step 6: Enable the Policy

  1. Under Enable policy, select Report-only
  2. Click Create

Step 7: Test and Validate

  1. While the policy is in report-only mode, access Copilot from an unmanaged device and from a compliant one
  2. In the sign-in logs, confirm the unmanaged sign-in shows Report-only: Failure for this policy and the compliant one shows Report-only: Success
  3. Confirm that devices with no compliance policy assigned are not silently treated as compliant (see Mistake 4 below)
  4. After validation, switch the policy to On and repeat the unmanaged-device test: the user should now receive a device-not-compliant error

Policy 3: Block Copilot from Untrusted Locations

This policy blocks access to Microsoft 365 Copilot from any network location that is not marked as trusted in Entra ID. Treat it as a targeted control rather than a default: a hard block outside trusted IP ranges also stops legitimate home, travel and mobile use, so most organizations apply it to a subset of users or data, or require MFA or a compliant device outside trusted locations instead of blocking outright.

Step 1: Configure Named Locations

  1. Navigate to Entra ID > Protection > Conditional Access > Named locations
  2. Click New location > IP ranges location
  3. Name the location: Corporate Network
  4. Under IP ranges, add your organization's public egress addresses as Entra ID sees them (e.g., 203.0.113.0/24); check them against the IP address column of recent sign-ins rather than internal documentation, because NAT and cloud proxies change what Entra sees
  5. Check Mark as trusted location
  6. Click Create

Step 2: Create the Policy

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Click New policy
  3. Name the policy: Block Copilot from Untrusted Networks

Step 3: Configure Assignments

  1. Under Assignments, click Users
  2. Select Include > All users
  3. Under Exclude, add break-glass accounts

Step 4: Configure Cloud Apps

  1. Under Target resources, click Cloud apps
  2. Select Select apps
  3. Search for and select Microsoft 365 Copilot
  4. Click Select

Step 5: Configure Conditions

  1. Under Conditions, click Locations
  2. Set Configure to Yes
  3. Under Include, select Any location
  4. Under Exclude, select Selected locations and choose Corporate Network
  5. Click Done

Step 6: Configure Access Controls

  1. Under Access controls, click Block
  2. Select Block access
  3. Click Select

Step 7: Enable the Policy

  1. Under Enable policy, select Report-only
  2. Click Create

Step 8: Test and Validate

  1. While the policy is in report-only mode, access Copilot from an untrusted location (e.g., home network, mobile hotspot) and from the corporate network
  2. In the sign-in logs, confirm the untrusted sign-in shows Report-only: Failure and the corporate one shows Report-only: Success or Not applied, and that the recorded IP address falls inside the Corporate Network range
  3. Review several days of report-only results for VPN, proxy and branch-office traffic that egresses from addresses you did not list
  4. After validation, switch the policy to On and confirm an untrusted-location sign-in is now blocked

For location-based access controls, see our Microsoft Entra Conditional Access Implementation service.

Policy 4: Block High-Risk Users from Copilot

This policy blocks access to Microsoft 365 Copilot for any user flagged as high-risk by Entra ID Protection.

Step 1: Confirm Entra ID Protection

  1. Navigate to Entra ID > Protection > Identity Protection
  2. Confirm the dashboard shows risk detections and that the Risky users and Risky sign-ins reports are populated
  3. No enablement request is needed: Identity Protection is part of Entra ID P2. If the risk reports are unavailable, the tenant lacks P2 licensing and the user-risk and sign-in-risk conditions cannot be used

Step 2: Create the Policy

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Click New policy
  3. Name the policy: Block High-Risk Users from Copilot

Step 3: Configure Assignments

  1. Under Assignments, click Users
  2. Select Include > All users
  3. Under Exclude, add break-glass accounts

Step 4: Configure Cloud Apps

  1. Under Target resources, click Cloud apps
  2. Select Select apps
  3. Search for and select Microsoft 365 Copilot
  4. Click Select

Step 5: Configure Conditions

  1. Under Conditions, click User risk
  2. Set Configure to Yes
  3. Under User risk level, check High
  4. Click Done

Step 6: Configure Access Controls

  1. Under Access controls, click Block
  2. Select Block access
  3. Click Select

Step 7: Enable the Policy

  1. Under Enable policy, select Report-only
  2. Click Create

Step 8: Test and Validate

  1. Raise the risk of a dedicated test account: in Identity Protection > Risky users, select the account and choose Confirm user compromised, which sets its user risk to High immediately. Anonymous-IP or unfamiliar-location sign-ins generate sign-in risk detections and may raise user risk, but not deterministically, so they are poor test triggers for this policy
  2. Verify that the account shows Risk level: High in the Risky users report
  3. Attempt to access Copilot with the test account while the policy is in report-only mode and confirm Report-only: Failure in the sign-in logs
  4. Switch the policy to On and confirm the test account is blocked
  5. Afterwards, choose Dismiss user risk on the test account so it is not blocked by other risk policies

Policy 5: Require MFA for High-Risk Sign-Ins

This policy requires additional MFA verification when a user attempts to access Microsoft 365 Copilot from a high-risk sign-in.

Step 1: Create the Policy

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Click New policy
  3. Name the policy: Require MFA for High-Risk Copilot Sign-Ins

Step 2: Configure Assignments

  1. Under Assignments, click Users
  2. Select Include > All users
  3. Under Exclude, add break-glass accounts

Step 3: Configure Cloud Apps

  1. Under Target resources, click Cloud apps
  2. Select Select apps
  3. Search for and select Microsoft 365 Copilot
  4. Click Select

Step 4: Configure Conditions

  1. Under Conditions, click Sign-in risk
  2. Set Configure to Yes
  3. Under Sign-in risk level, check High and Medium
  4. Click Done

Step 5: Configure Access Controls

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require multi-factor authentication
  4. Click Select

Step 6: Enable the Policy

  1. Under Enable policy, select Report-only
  2. Click Create

Step 7: Test and Validate

  1. Generate a risky sign-in with a test account, for example by signing in through the Tor Browser, which triggers the Anonymous IP address detection (Microsoft documents this as the supported way to simulate sign-in risk)
  2. Attempt to access Copilot in that session
  3. In the sign-in logs, confirm the sign-in carries a Medium or High sign-in risk and shows Report-only: User action required for this policy (MFA would have been required)
  4. After validation, switch the policy to On and repeat: the additional MFA prompt should now appear
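The five policies above are usually built by hand in the portal the first time, but once validated they should live as code so they can be diffed, reviewed and recreated in a second tenant. The script below is an added example, not code from the original guide: it expresses Policies 1 to 5, the trusted IP named location from Policy 3 and the country named location used later in the Geo-Blocking section as Microsoft Graph request bodies (the conditionalAccessPolicy and namedLocation schemas), all in report-only mode, with the break-glass accounts excluded from every one. The Copilot application ID, the break-glass object IDs and the Graph token are placeholders the caller must supply; the 8-hour sign-in frequency comes from the MFA Session Duration section of this guide.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph's value for report-only mode


def _base(name, app_id, breakglass_ids, state=REPORT_ONLY):
    """Common skeleton: all users minus break-glass accounts, scoped to the Copilot app."""
    users = {"includeUsers": ["All"], "excludeUsers": list(breakglass_ids)}
    apps = {"includeApplications": [app_id]}
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": ["all"], "applications": apps, "users": users}}


def require_mfa(app_id, breakglass_ids, sign_in_frequency_hours=8):
    """Policy 1, plus the 8-hour sign-in frequency from the MFA Session Duration section."""
    p = _base("Require MFA for Microsoft 365 Copilot", app_id, breakglass_ids)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    p["sessionControls"] = {"signInFrequency": {"isEnabled": True, "type": "hours",
                                                "value": sign_in_frequency_hours}}
    return p


def require_compliant_device(app_id, breakglass_ids):
    """Policy 2: the grant control alone covers registered and unregistered devices."""
    p = _base("Block Copilot on Unmanaged Devices", app_id, breakglass_ids)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["compliantDevice"]}
    return p


def block_untrusted_locations(app_id, breakglass_ids, trusted_location_ids=("AllTrusted",)):
    """Policy 3: include Any location, exclude trusted named locations, block."""
    p = _base("Block Copilot from Untrusted Networks", app_id, breakglass_ids)
    p["conditions"]["locations"] = {"includeLocations": ["All"],
                                    "excludeLocations": list(trusted_location_ids)}
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def block_high_risk_users(app_id, breakglass_ids):
    """Policy 4: user risk High -> block (needs Entra ID P2)."""
    p = _base("Block High-Risk Users from Copilot", app_id, breakglass_ids)
    p["conditions"]["userRiskLevels"] = ["high"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def mfa_for_risky_sign_ins(app_id, breakglass_ids):
    """Policy 5: sign-in risk Medium or High -> require MFA."""
    p = _base("Require MFA for High-Risk Copilot Sign-Ins", app_id, breakglass_ids)
    p["conditions"]["signInRiskLevels"] = ["high", "medium"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def trusted_ip_location(name, cidrs):
    """Trusted IP named location (Policy 3, Step 1)."""
    ranges = [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c} for c in cidrs]
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": True, "ipRanges": ranges}


def blocked_countries_location(name, iso_codes, use_gps=False):
    """Country named location (Geo-Blocking section); unresolvable countries count as matched."""
    return {"@odata.type": "#microsoft.graph.countryNamedLocation", "displayName": name,
            "countriesAndRegions": list(iso_codes), "includeUnknownCountriesAndRegions": True,
            "countryLookupMethod": "authenticatorAppGps" if use_gps else "clientIpAddress"}


def all_copilot_policies(app_id, breakglass_ids, trusted_location_ids=("AllTrusted",)):
    """The five policies in the order the guide creates them, all in report-only mode."""
    return [require_mfa(app_id, breakglass_ids), require_compliant_device(app_id, breakglass_ids),
            block_untrusted_locations(app_id, breakglass_ids, trusted_location_ids),
            block_high_risk_users(app_id, breakglass_ids), mfa_for_risky_sign_ins(app_id, breakglass_ids)]


def graph_post(token, path, body):
    """POST a body to Graph and return the created object (network call; not run on import)."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders (assumptions): the real app ID comes from the portal's app picker and the
    # object IDs from the break-glass user objects. Dry run: print the payloads. To create them,
    # call graph_post(token, "/identity/conditionalAccess/policies", policy) for each one.
    demo = all_copilot_policies("<copilot-app-id>", ["<breakglass1-object-id>", "<breakglass2-object-id>"])
    print(json.dumps(demo, indent=2))
```

Create the Corporate Network location first and pass its returned id into block_untrusted_locations; the default "AllTrusted" excludes every location you have marked as trusted. Switching a validated policy to enforcement is a PATCH of {"state": "enabled"} to the same policy URL, which keeps the change reviewable in the same pipeline.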

Copilot-Specific Policy Templates

Microsoft provides pre-built policy templates for common conditional access scenarios. These templates can be customized for Copilot deployments.

Template 1: Require MFA for Admins

This template requires MFA for all users holding privileged directory roles. It targets All cloud apps by default, and it should stay that way: an administrator account that can be used without MFA against Exchange or the Entra admin center is the larger exposure, and Copilot is covered by All cloud apps anyway.

Configuration:

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Click New policy > Create new policy from templates
  3. Select Require multifactor authentication for admins
  4. Keep the default target of All cloud apps; add your break-glass accounts to the exclusions if the template did not
  5. Review and create the policy in report-only mode first

Template 2: Block Legacy Authentication

This template blocks legacy authentication protocols (e.g., POP3, IMAP, SMTP AUTH, older Office clients) that cannot perform MFA. Legacy authentication is a common attack vector for account compromise. Copilot itself is only reachable with modern authentication, so the value of this template for a Copilot deployment is indirect: it closes the password-spray path into the same mailboxes and files Copilot reads. Keep it scoped to All cloud apps; narrowing it to Copilot would make it a no-op.

Configuration:

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Click New policy > Create new policy from templates
  3. Select Block legacy authentication
  4. Keep the default target of All cloud apps and the client app condition of Exchange ActiveSync clients and Other clients
  5. Review and create the policy in report-only mode first

Template 3: Require Compliant Devices

This template requires a compliant or Microsoft Entra hybrid joined device. It is scoped to administrators; widen it to all Copilot users.

Configuration:

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Click New policy > Create new policy from templates
  3. Select Require compliant or Microsoft Entra hybrid joined device for admins (older portal builds say hybrid Azure AD joined)
  4. Modify the policy to apply to All users instead of admins only, keeping the break-glass exclusions
  5. Under Target resources, add Microsoft 365 Copilot (or keep All cloud apps if you want the same device posture everywhere)
  6. Review and create the policy in report-only mode first

For template customization and policy optimization, contact our Conditional Access Policy Design team.

MFA Enforcement for Copilot

Multi-factor authentication (MFA) is the single most effective control for preventing unauthorized Copilot access. MFA enforcement should be prioritized above all other conditional access policies.

MFA Methods

Prefer phishing-resistant methods and remove the weak ones:

  • Windows Hello for Business: Biometric- or PIN-gated key bound to the device's TPM; phishing-resistant
  • FIDO2 Security Keys (and passkeys): Hardware-bound credentials that cannot be replayed to a look-alike site; phishing-resistant
  • Microsoft Authenticator push with number matching: Resists MFA fatigue (prompt bombing) but not a real-time adversary-in-the-middle proxy; acceptable as the floor, not as the target

Disable less secure MFA methods:

  • SMS-based MFA: Vulnerable to SIM swapping and interception
  • Voice Call MFA: Vulnerable to call forwarding and social engineering

Number matching is no longer a setting to enable: Microsoft enforces it for all Authenticator push notifications. The remaining decisions are which methods to allow and what strength to require.

Configuration Steps:

  1. Navigate to Entra ID > Protection > Authentication methods > Policies
  2. Enable Microsoft Authenticator and FIDO2 security key (passkeys). Windows Hello for Business is not listed here; it is deployed through Intune or Group Policy and is recognized by authentication strengths automatically
  3. Disable SMS and Voice call, after checking the usage report for users who still depend on them and moving them first
  4. To enforce method quality rather than "any MFA", edit the Require MFA for Microsoft 365 Copilot policy and replace Require multi-factor authentication with Require authentication strength > Phishing-resistant MFA (or a custom strength that still allows Authenticator push as an interim step). Authentication strengths are the only way for a conditional access policy to reject an SMS code that is still enabled tenant-wide

MFA Registration

Users who have never registered an MFA method cannot satisfy the Copilot MFA policy. Conditional access has no "require MFA registration" grant control; the user is simply prompted to register the first time a policy demands MFA, which is the worst moment to do it and makes the registration step itself a target. Handle registration separately, and protect it:

Configuration Steps:

  1. Drive registration up front: in Entra ID > Protection > Identity Protection > Multifactor authentication registration policy (Entra ID P2), require registration for all Copilot users, or use the Microsoft Authenticator registration campaign under Authentication methods to move users off weaker methods
  2. Protect the registration flow with a conditional access policy that targets the user action Register security information (Target resources > User actions) and requires a compliant device or a trusted location; otherwise an attacker who holds a password can register their own Authenticator before the user does
  3. Issue a Temporary Access Pass to new joiners and to users re-registering after device loss, so that registration never falls back to SMS
  4. Track progress in Entra ID > Protection > Authentication methods > User registration details, and hold the Copilot MFA policy in report-only mode until the unregistered population is small enough for support to handle

MFA Session Duration

Configure MFA session duration to require re-authentication every 8 hours or less. This limits the window of opportunity for attackers who compromise an authenticated session.

Configuration Steps:

  1. Navigate to Entra ID > Protection > Conditional Access > Policies
  2. Edit the Require MFA for Microsoft 365 Copilot policy
  3. Under Session, click Sign-in frequency
  4. Set Sign-in frequency to 8 hours
  5. Click Select
  6. Save the policy

Sign-in frequency only forces re-authentication for the resources the policy targets, so an 8-hour value on the Copilot policy leaves the rest of Microsoft 365 on default token lifetimes. If shared or unmanaged browsers are a concern, also set Persistent browser session to Never persistent in the same Session control.

For MFA deployment guidance, see our Multi-Factor Authentication Implementation service.

Blocking Unmanaged Devices

Unmanaged devices pose a significant security risk when accessing Microsoft 365 Copilot. These devices may lack encryption, antivirus software, or endpoint detection and response (EDR) capabilities.

Device Compliance Policies

Before blocking unmanaged devices, create device compliance policies in Intune that define the security requirements for managed devices.

Windows Compliance Policy:

  1. Navigate to Intune > Devices > Compliance policies
  2. Click Create policy
  3. Select Windows 10 and later
  4. Name the policy: Windows Copilot Compliance
  5. Configure the following settings:
    • Device Health: Require BitLocker, Require Secure Boot, Require code integrity
    • Device Properties: Minimum OS version set to the build your patching cadence can guarantee
    • System Security: Require a password, Require encryption of data storage, and under Device Security: Require firewall, Require TPM, Require antivirus, Require antispyware
    • Microsoft Defender for Endpoint: Require the device to be at or under the machine risk score: Medium (requires the Defender for Endpoint connector in Intune)
  6. Assign the policy to all Windows users with Copilot licenses
  7. Click Create

Mobile Device Compliance Policy:

  1. Navigate to Intune > Devices > Compliance policies
  2. Create policies for iOS and Android with the following settings:
    • Device Health: Block jailbroken/rooted devices
    • System Security: Require device encryption, Require passcode
  3. Assign the policies to mobile device users with Copilot licenses

Conditional Access Policy for Device Compliance

Create a conditional access policy that requires device compliance for Copilot access.

Configuration Steps:

  1. Follow the steps in Policy 2: Block Copilot on Unmanaged Devices (detailed earlier in this guide)
  2. Test the policy by attempting to access Copilot from an unmanaged device
  3. Verify that access is blocked until the device is enrolled in Intune and marked as compliant

For device management implementation, review our Microsoft Intune Deployment service.

Geo-Blocking Scenarios

Geo-blocking restricts Copilot access based on the country derived from the sign-in's IP address (or, optionally, from Microsoft Authenticator GPS coordinates). This control blocks access from countries where the organization does not operate. Entra ID Protection does not flag countries as high-risk; the blocked list is yours to define and maintain.

Use Cases

  • Block access from countries in which the organization has no users and from which it sees only attack traffic
  • Restrict access to the countries where the organization has operations
  • Support regulatory commitments that restrict where data may be accessed from (geo-blocking controls access location, not where data is stored; data residency is a separate Microsoft 365 configuration)

Configuration Steps

  1. Navigate to Entra ID > Protection > Conditional Access > Named locations
  2. Click New location > Countries location
  3. Name the location: Blocked Countries
  4. Under Determine location by, select IP address (or GPS coordinates, which prompts the user's Microsoft Authenticator for a location and resists VPN masking)
  5. Under Countries/Regions, select the countries to block (e.g., North Korea, Iran, Russia)
  6. Check Include unknown countries/regions if sign-ins whose IP cannot be mapped to a country should also be blocked
  7. Click Create
  8. Navigate to Entra ID > Protection > Conditional Access > Policies
  9. Click New policy
  10. Name the policy: Block Copilot from High-Risk Countries
  11. Under Assignments, select All users and exclude the break-glass accounts
  12. Under Target resources, select Microsoft 365 Copilot
  13. Under Conditions > Locations, set Include to Selected locations and choose Blocked Countries
  14. Under Access controls, select Block access
  15. Enable the policy in Report-only mode
  16. Test and validate before switching to On

Considerations

  • Geo-blocking affects users who travel for business; exempt a travel group or require phishing-resistant MFA for them rather than blocking outright
  • VPNs and proxies defeat IP-based geolocation; the GPS lookup method closes most of that gap for users who have Authenticator, at the cost of a location prompt
  • Combine geo-blocking with risk-based and device-based policies for defense-in-depth; it is a noise-reduction control, not an authentication control

Testing and Validation

Testing conditional access policies before enforcement is critical to avoid blocking legitimate users and disrupting business operations.

Report-Only Mode

Always create policies in report-only mode first. Report-only mode logs policy evaluations without enforcing access controls. This allows security teams to analyze policy impact and identify unintended consequences.

Testing Process:

  1. Create the policy in report-only mode
  2. Wait 24-48 hours for policy evaluations to accumulate (longer if weekly or month-end workflows matter)
  3. Navigate to Entra ID > Sign-in logs (under Monitoring & health), or open the Conditional Access insights and reporting workbook (Protection > Conditional Access > Insights and reporting, which needs sign-in logs streamed to a Log Analytics workspace)
  4. In a sign-in's details, open the Report-only tab; the workbook shows the same results aggregated per policy
  5. Review the Report-only: Failure and Report-only: User action required results and identify the users who would be blocked or prompted
  6. Adjust the policy configuration if needed
  7. Switch the policy to enforcement mode (On)
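Reading the Report-only tab one sign-in at a time does not scale past a pilot. The script below is an added example, not code from the original guide: it runs the review above over sign-in log entries in the Graph signIn shape (the same JSON that GET /auditLogs/signIns or a sign-in log export returns), filters to Copilot, and reports per policy how many evaluations fell into each outcome and which users a report-only policy would have blocked or prompted. The four log entries are constructed for the example and are not real data; fetch_sign_ins is provided for use against a tenant with a caller-supplied Graph token and is not run here.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter, defaultdict

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"

# Values of appliedConditionalAccessPolicies[].result in the Graph signIn resource.
# The report-only ones correspond to the portal's Report-only tab:
#   reportOnlySuccess -> Success, reportOnlyFailure -> Failure,
#   reportOnlyInterrupted -> User action required, reportOnlyNotApplied -> Not applied.
WOULD_BLOCK = "reportOnlyFailure"
WOULD_PROMPT = "reportOnlyInterrupted"
ENFORCED_BLOCK = "failure"


def copilot_only(sign_ins, app_names=("Microsoft 365 Copilot",)):
    """Keep sign-ins whose application or resource name is in app_names. Pass the names
    your own logs show; in-app Copilot requests may be recorded under Office 365."""
    return [s for s in sign_ins
            if s.get("appDisplayName") in app_names or s.get("resourceDisplayName") in app_names]


def policies_seen(sign_ins):
    """Distinct policy names evaluated across the sign-ins."""
    return sorted({a["displayName"] for s in sign_ins
                   for a in s.get("appliedConditionalAccessPolicies", [])})


def summarize_policy(sign_ins, policy_name):
    """Outcome counts for one policy, plus the users it would block, would prompt, or blocked."""
    counts = Counter()
    users = defaultdict(set)  # result -> set of UPNs
    for s in sign_ins:
        for applied in s.get("appliedConditionalAccessPolicies", []):
            if applied.get("displayName") != policy_name:
                continue
            result = applied.get("result", "unknown")
            counts[result] += 1
            users[result].add(s.get("userPrincipalName", "?"))
    return {"policy": policy_name, "counts": dict(counts),
            "would_block": sorted(users[WOULD_BLOCK]),
            "would_prompt": sorted(users[WOULD_PROMPT]),
            "blocked": sorted(users[ENFORCED_BLOCK])}


def fetch_sign_ins(token, odata_filter):
    """Page through GET /auditLogs/signIns with a $filter (network call; not run on import).
    Example filter: "appDisplayName eq 'Microsoft 365 Copilot'"."""
    url = GRAPH_SIGNINS + "?$filter=" + urllib.parse.quote(odata_filter)
    out = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


# Constructed sample entries in the Graph signIn shape (not real log data).
SAMPLE = [
    {"userPrincipalName": "alice@contoso.com", "appDisplayName": "Microsoft 365 Copilot",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for Microsoft 365 Copilot", "result": "reportOnlySuccess"},
         {"displayName": "Block Copilot on Unmanaged Devices", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bob@contoso.com", "appDisplayName": "Microsoft 365 Copilot",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for Microsoft 365 Copilot", "result": "reportOnlyInterrupted"},
         {"displayName": "Block Copilot on Unmanaged Devices", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "carol@contoso.com", "appDisplayName": "Microsoft 365 Copilot",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block Copilot on Unmanaged Devices", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "dave@contoso.com", "appDisplayName": "SharePoint Online",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block Copilot on Unmanaged Devices", "result": "reportOnlyNotApplied"}]},
]

if __name__ == "__main__":
    copilot = copilot_only(SAMPLE)  # against a tenant: copilot_only(fetch_sign_ins(token, "..."))
    for name in policies_seen(copilot):
        r = summarize_policy(copilot, name)
        print(f"{r['policy']}: {r['counts']}; would block {r['would_block']}; would prompt {r['would_prompt']}")
```

The would_block list is the one to triage before enforcement: every name on it is either an expected failure (an unmanaged device, an unregistered user) or a policy bug. A large reportOnlyNotApplied count for Copilot sign-ins usually means the policy's app target does not match the resource the Copilot client actually requested.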

Staged Rollout

For large organizations, use a staged rollout approach to minimize risk:

  1. Phase 1: Apply the policy to a pilot group (50-100 users)
  2. Phase 2: Expand to a larger test group (10% of users)
  3. Phase 3: Roll out to all users

Monitor policy evaluations at each phase and address issues before proceeding to the next phase.

Break-Glass Accounts

Create break-glass accounts (emergency access accounts) that bypass all conditional access policies. These accounts should be excluded from all policies to ensure administrative access in the event of a policy misconfiguration.

Configuration Steps:

  1. Create two cloud-only accounts in the tenant's default onmicrosoft.com domain (e.g., breakglass1@contoso.onmicrosoft.com), so they do not depend on a federated identity provider or a custom domain
  2. Assign the Global Administrator role permanently to both (not through PIM activation, which may itself be unavailable during an outage)
  3. Protect them with FIDO2 security keys stored in separate physical safes, or with long random passwords split between custodians; do not assign them phone-based MFA, a mailbox, or licenses
  4. Exclude these accounts from every conditional access policy, including policies created from templates
  5. Alert on every sign-in by these accounts (a sign-in log alert in Log Analytics or Sentinel) and investigate each one; they should be silent for months at a time
  6. Validate the credentials quarterly and rotate them after any use
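The exclusion in step 4 is the one that silently decays: a template policy created later, or a policy cloned for a pilot, will not carry it. The check below is an added example, not code from the original guide: it takes the policy list in the shape returned by GET /identity/conditionalAccess/policies and reports every enabled or report-only policy that does not exclude both break-glass accounts, plus any policy that names one of them in its include list. The two object IDs are placeholders and the four sample policies are constructed for the example; exclusions applied through a group are deliberately not resolved, which is why the guide excludes break-glass accounts directly by user.

```python
# Placeholder object IDs for the two break-glass accounts (assumption, not real IDs).
BREAK_GLASS_IDS = {"00000000-0000-0000-0000-0000000000b1", "00000000-0000-0000-0000-0000000000b2"}


def missing_breakglass_exclusions(policies, breakglass_ids, include_disabled=False):
    """One finding per policy that does not exclude every break-glass account:
    (displayName, state, set of break-glass IDs not in excludeUsers).
    Exclusion through excludeGroups is not resolved here (it would need group membership
    lookups), so a policy that only excludes them via a group is reported as well."""
    findings = []
    for p in policies:
        if p.get("state") == "disabled" and not include_disabled:
            continue
        users = p.get("conditions", {}).get("users", {})
        missing = set(breakglass_ids) - set(users.get("excludeUsers", []))
        if missing:
            findings.append((p.get("displayName", "?"), p.get("state"), missing))
    return findings


def explicitly_included(policies, breakglass_ids):
    """Policies that name a break-glass account in includeUsers; worse than a missing exclusion."""
    hits = []
    for p in policies:
        included = set(p.get("conditions", {}).get("users", {}).get("includeUsers", []))
        if included & set(breakglass_ids):
            hits.append(p.get("displayName", "?"))
    return sorted(hits)


# Constructed sample in the shape returned by GET /identity/conditionalAccess/policies.
B1, B2 = sorted(BREAK_GLASS_IDS)
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for Microsoft 365 Copilot", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [B1, B2]}}},
    {"displayName": "Block Copilot on Unmanaged Devices", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [B1]}}},   # second account forgotten
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},     # template, no exclusions
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": [B2], "excludeUsers": []}}},        # names a break-glass account
]

if __name__ == "__main__":
    for name, state, missing in missing_breakglass_exclusions(SAMPLE_POLICIES, BREAK_GLASS_IDS):
        print(f"{name} [{state}] does not exclude: {sorted(missing)}")
    print("explicitly included:", explicitly_included(SAMPLE_POLICIES, BREAK_GLASS_IDS))
```

Run it on a schedule (or as a gate in whatever pipeline creates policies) and treat any finding on an enabled policy as a page-worthy alert; the report-only finding above is the more common case, since policies are often cloned before the exclusions are added.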

For break-glass account best practices, see our Entra ID Security Hardening service.

Common Policy Mistakes

The following are common mistakes when configuring conditional access policies for Microsoft 365 Copilot:

Mistake 1: Not Using Report-Only Mode

Problem: Enabling policies directly in enforcement mode without testing can block legitimate users and disrupt business operations.

Solution: Always create policies in report-only mode and test for 24-48 hours before enforcement.

Mistake 2: Not Excluding Break-Glass Accounts

Problem: Applying policies to all users without excluding break-glass accounts can lock administrators out of the environment.

Solution: Create break-glass accounts and exclude them from all conditional access policies.

Mistake 3: Blocking All Locations Instead of Untrusted Locations

Problem: Configuring location-based policies to block "All locations" instead of untrusted locations results in blocking all access.

Solution: Configure location-based policies to include "Any location" and exclude trusted locations.

Mistake 4: Not Configuring Device Compliance Policies

Problem: Creating a conditional access policy that requires device compliance before compliance policies exist in Intune gives an outcome you did not choose. The tenant-wide Intune setting Mark devices with no compliance policy assigned as decides it: set to Compliant, every enrolled device passes and the control is hollow; set to Not compliant, every enrolled device fails and all access is blocked.

Solution: Create and assign device compliance policies in Intune first, set Mark devices with no compliance policy assigned as to Not compliant (Intune > Devices > Compliance > Compliance policy settings), and confirm the compliance state of a sample of devices before enforcing the conditional access policy.

Mistake 5: Not Monitoring Policy Evaluations

Problem: Creating policies and not monitoring sign-in logs results in missing blocked access attempts and policy misconfigurations.

Solution: Monitor sign-in logs daily and review policy evaluations. Create alerts for blocked access attempts.

Frequently Asked Questions

How do I create a conditional access policy for Copilot?

Create a conditional access policy for Copilot by navigating to Entra ID > Protection > Conditional Access > Policies > New Policy. Configure assignments to target all users, select Microsoft 365 Copilot under cloud apps, configure conditions (device state, location, risk level), and set access controls (grant access with MFA, block access). Start in report-only mode to test impact, then switch to enforcement mode after validation.

Can I block Copilot on personal devices?

Yes. Create a conditional access policy that requires a compliant device for Copilot access, with Intune compliance policies defining what compliant means. Access from personal devices that are not enrolled and compliant is then blocked, and users must enroll those devices to use Copilot. For mobile BYOD where full enrollment is unacceptable, the alternative is the Require app protection policy grant control, which allows Copilot in the Microsoft 365 mobile apps under Intune app protection (managed app, no device enrollment) while still blocking unmanaged browsers and apps.

What happens if a user doesn't meet the policy?

If a user does not meet conditional access policy requirements, access is blocked and the user receives an error message. The error message explains why access was denied (e.g., "Your device is not compliant," "Multi-factor authentication is required," "Access is blocked from this location"). The user must remediate the issue (e.g., enroll device, complete MFA registration, connect to trusted network) before accessing Copilot.

How do I test policies without blocking users?

Test conditional access policies using report-only mode. In report-only mode, policies are evaluated but not enforced. Policy evaluations are logged in the Entra ID sign-in logs. Review the logs to identify users who would be blocked by the policy. Adjust the policy configuration as needed, then switch to enforcement mode after validation. Additionally, use a pilot group (50-100 users) for initial testing before rolling out to all users.

Can I require MFA only for Copilot access?

Yes. Create a conditional access policy that targets only the Microsoft 365 Copilot cloud app and requires MFA. This policy enforces MFA for Copilot access while allowing users to access other Microsoft 365 applications without MFA. However, best practice is to enforce MFA for all Microsoft 365 applications, not just Copilot, to provide comprehensive account protection.

