Forum Discussion
Exclusion of Copilot App (for O365) from Conditional Access Policies does not work
This behavior comes down to how Copilot actually accesses data in Microsoft 365. Even though you see a “Copilot” app ID in your Entra ID sign-in logs, Copilot itself is not a standalone cloud app in the sense Conditional Access expects. Under the hood, Copilot relies on the same Microsoft 365 service endpoints (Exchange Online, SharePoint Online, Teams, etc.) to retrieve and process data. So when you exclude the “Copilot” app from your policy, the Conditional Access engine still enforces the rule at the point where those underlying services are being accessed, and that’s why the MFA prompt continues to appear.
The Conditional Access evaluation happens against the real resource Copilot is calling, not the Copilot front-end identity you’re excluding. Right now Microsoft doesn’t provide a way to carve Copilot out of a blanket “all cloud apps” MFA policy. The recommended approach is to adjust the scope of your policy at the service level instead of trying to exclude Copilot directly. For example, you could refine the policy to target specific apps where you want MFA, or rely on session controls and sign-in frequency settings rather than enforcing MFA on every request.
So the reason the exclusion is failing isn’t a misconfiguration on your side; it’s simply because Copilot is layered on top of Exchange, SharePoint, OneDrive, and Teams, and those are the apps Conditional Access actually controls. If your requirement is to reduce reauthentication friction for Copilot, the practical path is to tune sign-in frequency or session persistence rather than excluding the Copilot app object.
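An added example (not from the thread) of the approach the answer recommends: rather than an excludeApplications entry for Copilot, a report-only Conditional Access policy created with the Microsoft Graph PowerShell SDK that keeps MFA on all cloud apps but relaxes re-prompting through sign-in frequency and persistent browser session controls. The policy name, the 30-day interval and the Connect-MgGraph scopes are assumptions.

```powershell
# Added example: keep the tenant-wide MFA policy, but tune session controls so
# Copilot (which rides on Exchange/SharePoint/Teams) is not re-prompted on every
# request. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "MFA all apps - tuned sign-in frequency (assumed name)"
    # Start in report-only mode; review sign-in log results before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{
            includeApplications = @("All")
            # Excluding the Copilot app object here has no effect, because CA is
            # evaluated against the underlying services Copilot calls, so it is
            # deliberately left out:
            # excludeApplications = @("<copilot-app-id-placeholder>")
        }
        clientAppTypes = @("all")
    }
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Re-prompt at most every 30 days (assumed value) instead of per request.
        signInFrequency   = @{
            isEnabled         = $true
            type              = "days"
            value             = 30
            frequencyInterval = "timeBased"
        }
        # Keep the browser session persistent so tokens survive browser restarts.
        persistentBrowser = @{ isEnabled = $true; mode = "always" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Confirm the session controls were stored as intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object -ExpandProperty SessionControls |
    Select-Object -ExpandProperty SignInFrequency
```

Leave the policy in report-only mode until the Entra sign-in logs show the expected outcome for Copilot sessions, then switch state to "enabled".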