
Copilot's + Conditional Access = True

  • Writer: Vlad Johansen
  • Dec 6, 2024
  • 2 min read

Hello everyone


In November 2024 Microsoft made it possible to scope Conditional Access policies to Copilot for Microsoft 365 and Copilot for Security. That's great news for every IAM admin and consultant out there, so let's take a look at how it works. It's not a straightforward process: the applications can't be found under Target resources, so we first need to create their service principals with PowerShell to make them available in the CA application list.


  1. Open PowerShell as administrator and run the following to connect to Microsoft Graph with the application read/write scope:

Connect-MgGraph -Scopes "Application.ReadWrite.All"


  2. Once you have authenticated to Microsoft Graph, run this command:

    New-MgServicePrincipal -AppId fb8d773d-7ef8-4ec0-a117-179f88add510


    This command registers the service principal for Copilot for Microsoft 365.


  3. I was met with this message after running this command, so if you get it too, try running this command to force-reinstall the Microsoft Graph module and overwrite the existing one:

     [screenshot: error message]


Install-Module -Name Microsoft.Graph -Force -AllowClobber


This may take a while. After that, reconnect to Microsoft Graph, re-run the command, and it should work.


As you can see now, the registration is successful.

     [screenshot: successful registration]
  4. To register Copilot for Security, run this command:


    New-MgServicePrincipal -AppId bb5ffd56-39eb-458c-a53a-775ba21277da


  5. Now that both applications are registered, let's look at how they appear in CA.

  6. Go to entra.microsoft.com --> Identity --> Protection --> Conditional Access

  7. Click Create Policy --> Target resources --> Select resources --> Select None

  8. Search for Enterprise and you will see the registered application for Copilot for Microsoft 365

     [screenshot: Copilot for Microsoft 365 in the resource picker]

  9. Same with Copilot for Security

     [screenshot: Copilot for Security in the resource picker]

We can now create and scope our CA policies to these resources. This is fantastic work from Microsoft and my opinion is that this should have been done a long time ago. Definitely a game changer when it comes to securing access to AI.
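The following script is an added example and not code from the original post. It ties the two halves of the walkthrough together: it registers the service principals from the PowerShell steps above idempotently (so it can be re-run without erroring if a principal already exists), and then reports which Conditional Access policies actually cover each Copilot application, so you can verify the scoping done in the portal. The two app IDs are the ones given in the post; the hashtable, the report columns and the warning text are this example's own choices.

```powershell
# Added example (not from the original post): register the Copilot service
# principals idempotently, then report which Conditional Access policies
# cover them. App IDs are from the post; everything else is assumed here.

$copilotApps = @{
    'Copilot for Microsoft 365' = 'fb8d773d-7ef8-4ec0-a117-179f88add510'
    'Copilot for Security'      = 'bb5ffd56-39eb-458c-a53a-775ba21277da'
}

# Application.ReadWrite.All is needed to create service principals;
# Policy.Read.All is enough to read Conditional Access policies.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Policy.Read.All'

# --- Part 1: make sure a service principal exists for each app -----------
foreach ($entry in $copilotApps.GetEnumerator()) {
    $appId = $entry.Value
    # New-MgServicePrincipal errors if the principal already exists, so look
    # it up by appId first. This makes the script safe to re-run.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if ($null -eq $sp) {
        $sp = New-MgServicePrincipal -AppId $appId
        Write-Host "Registered      $($entry.Key) -> objectId $($sp.Id)"
    } else {
        Write-Host "Already present $($entry.Key) -> objectId $($sp.Id)"
    }
}

# --- Part 2: which CA policies cover each Copilot app? -------------------
$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($entry in $copilotApps.GetEnumerator()) {
    $appId = $entry.Value
    foreach ($p in $policies) {
        $apps = $p.Conditions.Applications
        # A policy applies if the app is listed explicitly or the policy
        # targets 'All' cloud apps, and the app is not in the exclusion list.
        $explicit = $apps.IncludeApplications -contains $appId
        $viaAll   = $apps.IncludeApplications -contains 'All'
        $excluded = $apps.ExcludeApplications -contains $appId
        if (($explicit -or $viaAll) -and -not $excluded) {
            $scope = if ($explicit) { 'explicit' } else { 'via All' }
            [pscustomobject]@{
                Application = $entry.Key
                Policy      = $p.DisplayName
                # enabled / disabled / enabledForReportingButNotEnforced
                State       = $p.State
                Scope       = $scope
            }
        }
    }
}

$report | Sort-Object Application, Policy | Format-Table -AutoSize

# Flag any Copilot app with no enforcing policy: report-only and disabled
# policies appear in the table above but do not block anything.
foreach ($name in $copilotApps.Keys) {
    $enforcing = $report | Where-Object { $_.Application -eq $name -and $_.State -eq 'enabled' }
    if (-not $enforcing) {
        Write-Warning "No enabled Conditional Access policy covers $name"
    }
}
```

Run it from the same elevated PowerShell session the post uses; Get-MgIdentityConditionalAccessPolicy ships in the Microsoft.Graph meta-module installed in step 3, so no extra module is required. The final loop is the part worth keeping around: a policy that lists Copilot as a target resource but sits in report-only mode looks fine in the portal yet enforces nothing.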


Have a wonderful weekend everyone and thanks for reading




© 2024-2025 need4.cloud
