Identity and Authentication Requirements
How-to guide for identity and authentication configuration requirements for Microsoft 365 Copilot. Covers Entra ID setup, MFA enforcement, Conditional Access policies, hybrid identity considerations, and the identity posture government organizations must verify before enabling Copilot.
Overview
Every action Copilot takes happens under a user’s identity. When Copilot reads an email, summarizes a document, or searches SharePoint, it does so as the signed-in user with that user’s permissions. That makes your identity configuration the single most important security boundary for Copilot.
This video covers the identity and authentication requirements you must verify before enabling Copilot in GCC, GCC High, or DoD environments.
What You’ll Learn
- Entra ID Baseline: Required license tier, directory health, and identity model considerations
- MFA Enforcement: Why Conditional Access-based MFA is required and how to migrate from legacy settings
- Conditional Access: Device compliance, session controls, and app-level policies for Copilot
- Hybrid Identity: Sync health, authentication method considerations, and consistency checks
Script
Hook: identity is Copilot’s security boundary
Copilot inherits user identity for everything it does. Every file it reads, every email it summarizes, every meeting it recaps—it accesses that data as the signed-in user.
That means your identity posture is Copilot’s security posture. If your MFA is weak, if your Conditional Access is misconfigured, if your directory is full of stale accounts with broad permissions—Copilot operates in that environment.
Let’s make sure your identity configuration is solid.
Entra ID baseline requirements
Start with your Microsoft Entra ID license tier.
You need Entra ID P1 at minimum. P1 gives you Conditional Access, which is essential for controlling how Copilot users authenticate and from what devices. If you’re on a Microsoft 365 E5 or equivalent government plan, you likely have Entra ID P2, which adds risk-based Conditional Access and privileged identity management. P2 is recommended but not required.
If you’re only on the free tier of Entra ID—which is included with Microsoft 365 E3—you have security defaults but not Conditional Access. That’s not sufficient for a government Copilot deployment. Verify your license tier in the Entra admin center under Licenses.
Next, understand your identity model. Are your users cloud-only, managed entirely in Entra ID? Or are you running hybrid identity with Entra Connect syncing from on-premises Active Directory?
If you’re hybrid, verify that Entra Connect is healthy. Check the sync status in the Entra admin center. Look for sync errors, objects that failed to sync, and any health alerts. A healthy sync pipeline is a prerequisite—Copilot needs accurate, current user and group information to enforce permissions correctly.
Finally, clean your directory. Disable stale user accounts that haven’t signed in for 90 days or more. Review group memberships for accuracy—especially groups that grant access to SharePoint sites, Teams, or shared mailboxes. Orphaned accounts and bloated group memberships create permission surfaces that Copilot will use. Clean them up before you enable Copilot.
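The stale-account cleanup described above, as an added example that is not part of the original guide and not Microsoft's own tooling. It uses Microsoft Graph PowerShell and assumes the Microsoft.Graph module is installed, the operator holds User.ReadWrite.All and AuditLog.Read.All, and Entra ID P1 is present (signInActivity is a P1 feature); the 90-day threshold is the one the script above names, and the exclusion list is for break-glass and service accounts you supply.

```powershell
# Added example, not from the original guide: reports enabled accounts with no
# sign-in in the last $StaleDays days via Microsoft Graph PowerShell and, only
# when -Disable is given, disables them. Assumes the Microsoft.Graph module, an
# operator with User.ReadWrite.All + AuditLog.Read.All, and Entra ID P1
# (required for signInActivity). $ExcludeUpn holds break-glass/service accounts.
param(
    [int]$StaleDays = 90,
    # GCC uses the Global endpoint; GCC High uses USGov; DoD uses USGovDoD.
    [ValidateSet('Global','USGov','USGovDoD')][string]$Environment = 'USGov',
    [string[]]$ExcludeUpn = @(),
    [switch]$Disable
)

Connect-MgGraph -Environment $Environment -Scopes 'User.ReadWrite.All','AuditLog.Read.All' -NoWelcome

$now    = Get-Date
$cutoff = $now.AddDays(-$StaleDays)

# signInActivity is not returned unless it is explicitly selected.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,CreatedDateTime,UserType,SignInActivity

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled)                      { continue }   # already disabled
    if ($ExcludeUpn -contains $u.UserPrincipalName)  { continue }   # break-glass / service
    $last = $u.SignInActivity.LastSignInDateTime
    # Accounts that never signed in have no activity record; fall back to the
    # creation date so a brand-new account is not flagged as stale.
    $ref = if ($last) { $last } else { $u.CreatedDateTime }
    if ($ref -and $ref -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType   # guests are a frequent source of stale objects
            LastSignIn        = $last
            DaysIdle          = [int](($now - $ref).TotalDays)
        }
    }
}

$stale | Sort-Object DaysIdle -Descending | Format-Table -AutoSize

if ($Disable) {
    foreach ($s in $stale) {
        # Disable rather than delete: reversible, and the object keeps its audit trail.
        Update-MgUser -UserId $s.UserPrincipalName -AccountEnabled:$false
        Write-Host "Disabled $($s.UserPrincipalName) (idle $($s.DaysIdle) days)"
    }
}
```

Run it without -Disable first and review the report; disabled accounts still hold their group memberships, so the group review the script describes remains a separate step.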
MFA enforcement
Multi-factor authentication is mandatory for government Copilot deployments. This isn’t a recommendation. It’s a requirement.
The question is how you enforce it. There are two approaches in Entra ID: legacy per-user MFA and Conditional Access-based MFA. You need to be on Conditional Access-based MFA.
Legacy per-user MFA is the older model where you enable MFA on individual user accounts. It works, but it’s inflexible. You can’t target policies by device, location, risk level, or application. It’s an all-or-nothing setting per user.
Conditional Access-based MFA gives you policy-driven control. You define policies that require MFA based on conditions: user group, device compliance state, sign-in risk, network location, and application. This is the model Microsoft recommends and the model that government compliance frameworks expect.
If you’re still using per-user MFA or relying on security defaults, migrate to Conditional Access policies before deploying Copilot. The Entra admin center provides a migration wizard that helps you transition without disrupting users.
For the authentication methods themselves, move toward phishing-resistant options. FIDO2 security keys and certificate-based authentication are the strongest methods available. The federal government’s push toward phishing-resistant MFA aligns perfectly with a Copilot deployment—take the opportunity to upgrade your authentication methods at the same time.
Conditional Access for Copilot
Beyond MFA, your Conditional Access policies need to address several Copilot-specific scenarios.
First, device compliance. Copilot should only be accessible from managed, compliant devices. Create or verify a Conditional Access policy that requires device compliance for all Microsoft 365 cloud apps. This ensures Copilot can only be used on devices that meet your security baseline—encryption enabled, antivirus current, OS patched.
Second, managed device enforcement. In GCC High and DoD environments, you likely require government-furnished equipment for accessing controlled data. Make sure your Conditional Access policies enforce this. Block access from unmanaged devices or personal devices if your policy requires it.
Third, session controls. Copilot sessions are long-running. Users interact with Copilot throughout their workday—asking questions, drafting documents, summarizing meetings. Your sign-in frequency and persistent browser session policies should account for this pattern. Too aggressive a timeout forces constant reauthentication that frustrates users. Too lenient a timeout may not meet your security requirements. Find the right balance and test it.
Fourth, check for app-level policies that might affect Copilot. If you have Conditional Access policies that target specific cloud apps rather than “All cloud apps,” verify that the Copilot service is included. Copilot integrates with multiple M365 services, so a policy that blocks an underlying service can break Copilot functionality in unexpected ways.
Test your policies. Use the Conditional Access “What If” tool in the Entra admin center to simulate a Copilot user signing in from different scenarios—compliant device, non-compliant device, new location, risky sign-in. Verify that your policies produce the expected results before you go live.
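The Conditional Access policies the sections above call for (phishing-resistant MFA, compliant-device enforcement, and session controls), created in report-only mode so they can be evaluated before go-live, as an added example that is not from the original guide or from Microsoft. It assumes the Microsoft.Graph module, an operator with Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and two group object IDs you supply (a Copilot pilot group and a break-glass group); the 12-hour sign-in frequency is a placeholder to tune, as the script advises.

```powershell
# Added example, not from the original guide: creates two Copilot-facing Conditional
# Access policies in report-only state via Microsoft Graph PowerShell. Assumes the
# Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess + Policy.Read.All, and
# caller-supplied group IDs. The 12-hour sign-in frequency is a placeholder value.
param(
    [Parameter(Mandatory)][string]$PilotGroupId,        # Copilot pilot users
    [Parameter(Mandatory)][string]$BreakGlassGroupId,   # emergency-access accounts, always excluded
    [ValidateSet('Global','USGov','USGovDoD')][string]$Environment = 'USGov'
)

Connect-MgGraph -Environment $Environment -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All' -NoWelcome

# Resolve the built-in "Phishing-resistant MFA" authentication strength (FIDO2,
# certificate-based auth, Windows Hello for Business) by name, not by hard-coded ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" authentication strength not found' }

# Target all cloud apps so every M365 service Copilot depends on is covered.
$common = @{
    users          = @{ includeGroups = @($PilotGroupId); excludeGroups = @($BreakGlassGroupId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

$policies = @(
    @{
        displayName   = 'CA-Copilot-Require-PhishingResistantMFA'
        state         = 'enabledForReportingButNotEnforced'   # report-only until tested
        conditions    = $common
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
    },
    @{
        displayName     = 'CA-Copilot-Require-CompliantDevice'
        state           = 'enabledForReportingButNotEnforced'
        conditions      = $common
        grantControls   = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
        sessionControls = @{
            signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 12 }   # placeholder; tune and test
            persistentBrowser = @{ isEnabled = $true; mode = 'never' }              # no "stay signed in"
        }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($created.DisplayName) [$($created.State)] id=$($created.Id)"
}
```

Review the report-only results in the sign-in logs alongside the What If simulations before switching `state` to `enabled`.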
Hybrid identity considerations
If you’re running hybrid identity, there are additional considerations.
Entra Connect sync timing matters. When a user’s group membership changes in on-premises AD, that change needs to sync to Entra ID before it’s reflected in Copilot’s permission model. Default sync cycles run every 30 minutes. If you need faster propagation, you can trigger delta syncs, but understand the latency.
Your authentication method affects the user experience. Password hash synchronization provides the most seamless experience with Copilot because authentication happens entirely in the cloud. Pass-through authentication and federation work but add dependencies on on-premises infrastructure. If your federation server goes down, users can’t authenticate to Copilot.
Ensure identity consistency. The UPN, email address, and group memberships in on-premises AD should match what’s in Entra ID. Mismatches create confusing permission behaviors where users can access content directly but Copilot can’t surface it, or vice versa. Run an identity health check before deployment to catch inconsistencies.
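One way to run the identity consistency check described above, as an added example that is not part of the original guide and not Microsoft's own health check. It compares enabled on-premises AD users with their synced Entra ID objects and reports UPN and mail mismatches, and it assumes the ActiveDirectory and Microsoft.Graph modules, an operator with User.Read.All, and Entra Connect using objectGUID as the source anchor (so OnPremisesImmutableId is the base64 form of objectGUID); group membership comparison is left out for length.

```powershell
# Added example, not from the original guide: lists on-prem AD users that are not
# synced to Entra ID or whose UPN / mail differs between the two directories.
# Assumes the ActiveDirectory and Microsoft.Graph modules, User.Read.All, and
# objectGUID as the Entra Connect source anchor (ImmutableId = base64(objectGUID)).
param([ValidateSet('Global','USGov','USGovDoD')][string]$Environment = 'USGov')

Import-Module ActiveDirectory
Connect-MgGraph -Environment $Environment -Scopes 'User.Read.All' -NoWelcome

# Index the synced Entra users by ImmutableId for constant-time lookups.
$cloud = @{}
Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property Id,UserPrincipalName,Mail,OnPremisesImmutableId |
    ForEach-Object { $cloud[$_.OnPremisesImmutableId] = $_ }

function New-Finding($Sam, $Issue, $OnPrem, $Entra) {
    [pscustomobject]@{ SamAccountName = $Sam; Issue = $Issue; OnPrem = $OnPrem; Entra = $Entra }
}

$adUsers  = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail,userPrincipalName
$findings = foreach ($ad in $adUsers) {
    $anchor = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())
    $entra  = $cloud[$anchor]
    if (-not $entra) {
        # Typical causes: the OU is filtered out of sync, or an export error in Entra Connect.
        New-Finding $ad.SamAccountName 'NotSyncedToEntra' $ad.UserPrincipalName $null
        continue
    }
    # -ne is case-insensitive in PowerShell, which is the right comparison for UPNs and mail.
    if ($ad.UserPrincipalName -ne $entra.UserPrincipalName) {
        # Typical cause: a UPN suffix that is not a verified domain in the tenant,
        # which Entra Connect rewrites to the tenant's default .onmicrosoft domain.
        New-Finding $ad.SamAccountName 'UpnMismatch' $ad.UserPrincipalName $entra.UserPrincipalName
    }
    if ($ad.mail -and $ad.mail -ne $entra.Mail) {
        New-Finding $ad.SamAccountName 'MailMismatch' $ad.mail $entra.Mail
    }
}

if ($findings) { $findings | Sort-Object Issue | Format-Table -AutoSize }
else           { Write-Host 'No UPN or mail inconsistencies found.' }
```

Run it from a domain-joined admin workstation after a completed sync cycle, otherwise a pending change shows up as a false mismatch.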
Close: identity readiness checklist
Here’s your identity readiness checklist for Copilot.
- Entra ID license: P1 confirmed, P2 preferred. Verify in the Entra admin center.
- MFA: enforced via Conditional Access policies, not per-user settings. Phishing-resistant methods deployed or planned.
- Device compliance: Conditional Access policy requires compliant, managed devices for Microsoft 365 apps.
- Session controls: sign-in frequency and persistent session policies configured and tested for Copilot usage patterns.
- Directory health: stale accounts disabled, group memberships reviewed, no orphaned objects.
- Hybrid sync: Entra Connect healthy with no sync errors, authentication method documented, identity consistency verified.
If all of these check out, your identity foundation is ready for Copilot. If any of them are gaps, address them now. Identity is the one area where shortcuts come back to cost you the most.