kcelmer
Brass Contributor
Dec 03, 2025

How to force users to sign in at copilot.com

Hi,

I've seen several sets of instructions for this, using conditional access, but none of these seem to work for me. We want to ensure that users do not go to copilot.com from their workstation and start using it for business without first signing in to provide commercial data protection. We have Copilot 365 licenses, Entra, and Intune. 

Has anyone been able to get this to work, or should we block copilot.com entirely?

1 Reply

  • Hi kcelmer, good questions — you’re not alone: many admins are asking the same. Short answer: there is some ability to require sign-in for Microsoft Copilot — but no fully reliable built-in way yet to force every user who visits copilot.com to sign in first, while still allowing licensed users. The platform’s design makes this tricky. Below is what you can do today, what works (and what doesn’t), and what to watch out for.

    What you can do today (real controls)

    Use Conditional Access / Entra ID policies for Copilot access

    You can target the Copilot service in Conditional Access and require MFA or block access for unmanaged devices etc.
    This enables you to enforce that only authorized, compliant users from compliant devices can use Copilot — helping ensure corporate data protection.

    Ref: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-copilot-ai-security

    Disable “personal (consumer) Copilot” for work devices/users

    Using the Microsoft 365 Admin Center (Integrated Apps) + policies, you can limit or block Copilot Chat availability for users without a valid Copilot license.
    This ensures users can’t slip in with personal MSAs and access Copilot outside enterprise data protection.

    Ref: https://learn.microsoft.com/en-us/copilot/manage?

    Use tenant-level policy: “Multiple account access to Copilot for work documents”

    If configured properly, this can prevent use of personal Copilot on organizational files.

    In short: with Intune + Entra + licensing correctly configured, you can limit Copilot use to enrolled, licensed enterprise accounts — but it's not 100% “lock-out all other Copilot entry points.”

    What you can’t reliably enforce (yet)

    There is no dedicated “Copilot web only” app object that admins can target in Conditional Access or app-block policies in a clean way. Under the hood, Copilot piggy-backs on traditional Microsoft 365 services (Exchange, SharePoint, Graph, etc.). Blocking or allowing “Copilot” alone often doesn’t work — the policy still triggers on those underlying services.

    Because of that design, you can’t guarantee that a user navigating to copilot.com will be forced to sign in before they start using it (unless you block access or force sign-in across all Microsoft 365 services).

    There’s no “enterprise-only login gate” setting for Copilot at global scale — it’s a mix of licensing, conditional access policies, and device compliance.

    If this doesn’t meet your needs — blocking Copilot.com entirely may be the only surefire way

    If your organization cannot risk any “slip-through” via personal accounts or unmanaged devices, you might need to block access to copilot.com via network or firewall (or DNS) until Microsoft exposes stronger admin controls. Some enterprises already adopt that as a temporary measure while governance controls mature.
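
The Conditional Access control described in the reply above, sketched as an added example (not part of the reply or of Microsoft's documentation) using the Microsoft Graph PowerShell SDK. The two IDs are placeholders and the display name is made up; the policy is created in report-only mode so its effect can be reviewed before enforcement.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

# Placeholders (assumptions): replace both before running.
# Application (client) ID of the Copilot service to target, taken from the linked Microsoft doc.
$CopilotAppId     = '<copilot-app-id>'
# Object ID of an emergency-access account that must never be locked out by this policy.
$BreakGlassUserId = '<break-glass-user-object-id>'

if ("$CopilotAppId$BreakGlassUserId" -match '[<>]') {
    throw 'Replace the placeholder IDs before running.'
}

# Delegated scopes required to create Conditional Access policies through Graph.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName   = 'Copilot - require MFA and compliant device (report-only)'
    # Report-only: the policy is evaluated and logged on each sign-in but not enforced.
    state         = 'enabledForReportingButNotEnabled'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassUserId)
        }
        applications   = @{
            includeApplications = @($CopilotAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND: both controls must be satisfied (MFA and an Intune-compliant device).
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
```

A policy like this only evaluates sign-ins to the targeted application; as the reply notes, it does not by itself make an anonymous visit to copilot.com prompt for a work account.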

     
