
Control 2.3: Conditional Access Policies for Copilot Workloads

Control ID: 2.3
Pillar: Security & Protection
Regulatory Reference: GLBA §501(b), NYDFS Part 500, FFIEC
Last Verified: 2026-06-05
Governance Levels: Baseline / Recommended / Regulated


Objective

Configure Microsoft Entra Conditional Access policies that govern authentication and session controls for Microsoft 365 Copilot access. These policies enforce device compliance, location-based restrictions, risk-based authentication, and session management to help prevent unauthorized access to Copilot capabilities from unmanaged devices, untrusted locations, or compromised accounts. This control supports compliance with NYDFS cybersecurity requirements and FFIEC authentication guidance for financial institutions.


Why This Matters for FSI

  • GLBA §501(b) mandates safeguards for customer information systems — Conditional Access policies are a primary technical safeguard controlling who can access AI-powered tools that process customer data
  • NYDFS Part 500 (Section 500.12) requires multi-factor authentication for any individual accessing internal networks from an external network — Copilot access from outside the corporate environment must require MFA at minimum. The May 2026 CA enforcement change (see below) strengthened MFA enforcement for Copilot access from non-corporate environments.
  • NYDFS Part 500 (Section 500.07) requires access privilege limitations based on the principle of least privilege — Conditional Access enables risk-proportionate access controls for Copilot
  • FFIEC IT Examination Handbook (Authentication and Access Controls) expects layered authentication controls proportionate to risk — Copilot's ability to access and synthesize data across workloads warrants enhanced authentication controls
  • SEC Reg S-ID requires identity theft prevention programs — risk-based Conditional Access policies help detect and block access from compromised identities attempting to use Copilot

Control Description

Microsoft Entra Conditional Access evaluates signals (user identity, device state, location, risk level) at authentication time and enforces access controls based on policy configuration. For Copilot workloads, Conditional Access can target:

Copilot-Specific App Targeting

Target App | App ID | Description
Microsoft 365 Copilot (Enterprise Copilot Platform) | fb8d773d-7ef8-4ec0-a117-179f88add510 | Direct Copilot service
Microsoft 365 (Office 365) | 00000003-0000-0ff1-ce00-000000000000 | Cloud app suite — select "Office 365" in CA portal; App ID shown is the SharePoint Online principal (see note)
Microsoft Teams | cc15fd57-2c6c-4117-a88c-83b1d56b4bbe | Teams Copilot features
SharePoint Online | 00000003-0000-0ff1-ce00-000000000000 | SharePoint agents and Copilot in SharePoint

Critical: The correct Enterprise Copilot Platform App ID is fb8d773d-7ef8-4ec0-a117-179f88add510. Verify all existing CA policies reference this exact value — misconfigured app IDs will cause policies to miss Copilot traffic entirely.

Note: The "Office 365" entry in Conditional Access is a cloud app suite encompassing SharePoint Online, Exchange Online, and other Microsoft 365 services. The App ID 00000003-0000-0ff1-ce00-000000000000 is the SharePoint Online service principal. In the CA portal, select the "Office 365" cloud app to target the full suite rather than referencing a single App ID.

Conditional Access Enforcement Change (May 2026 — Now in Effect)

Microsoft Entra ID began enforcing a behavioral change to Conditional Access policies starting May 13, 2026, with rollout completing across all cloud environments through June 2026.

What changed: Policies targeting "All resources" that include resource exclusions now enforce MFA and device compliance even for the excluded resources when users sign in through client applications requesting low-privilege scopes. Previously, these exclusions created a bypass path.

FSI impact: Institutions with CA policies structured as "All resources + exclusions" should have audited their policies before the May 2026 enforcement date. If the Enterprise Copilot Platform (App ID: fb8d773d-7ef8-4ec0-a117-179f88add510) is listed as an exclusion in any "All resources" policy, those policies are now enforcing controls against Copilot access. Per NYDFS 23 NYCRR Part 500, Section 500.12, MFA requirements for external network access apply — this enforcement change closed a gap where Copilot-specific exclusions could bypass MFA requirements.

Post-enforcement verification: Run the Conditional Access optimization agent in Microsoft Entra ID to identify any remaining policies with resource exclusions. Review sign-in logs to confirm enforcement is behaving as expected — confirm no unintended blocks or bypasses are present. Organizations that did not complete CA policy remediation before the enforcement date should verify their current policy posture immediately. Document remediation actions and current policy state for examination readiness.

Conditional Access Signal Matrix

Signal | Source | FSI Relevance
User/Group membership | Entra ID | Scope Copilot access to licensed, approved groups
Device compliance | Intune | Restrict Copilot to managed, compliant devices
Device platform | Entra ID | Block Copilot from unsupported platforms
Location (Named locations) | Entra ID | Restrict Copilot to corporate offices and approved locations
Sign-in risk | Entra ID Protection | Block Copilot when sign-in risk is medium or high
User risk | Entra ID Protection | Require password change when user risk is elevated
Client app | Entra ID | Restrict to approved client applications
Authentication strength | Entra ID | Require phishing-resistant MFA for Copilot
IRM risk level (via Adaptive Protection) | Insider Risk Management | Dynamically block Copilot when insider risk is elevated

Copilot Policy Set

Policy Name | Assignment | Conditions | Grant Controls | Session Controls
FSI-Copilot-RequireMFA | All Copilot users | All platforms | Require MFA (authentication strength: phishing-resistant) | (none)
FSI-Copilot-CompliantDevice | All Copilot users | All platforms | Require compliant device | (none)
FSI-Copilot-BlockUntrustedLocation | All Copilot users | Exclude: named locations (corporate) | Block access | (none)
FSI-Copilot-RiskBasedBlock | All Copilot users | Sign-in risk: Medium, High | Block access | (none)
FSI-Copilot-SessionControl | All Copilot users | All | (none) | Sign-in frequency: 8 hours; persistent browser: disabled
FSI-Copilot-AppProtection | Mobile users | iOS, Android | Require app protection policy | (none)
FSI-Copilot-AdaptiveProtection | All Copilot users | IRM risk level: High | Block or require additional verification | (none)

Conditional Access for Agent Identities (AI Agents)

Entra Conditional Access includes an "AI Agents" template category for creating policies that target agent identities — nonhuman identities used by Copilot Studio agents, declarative agents, and Entra Agent ID–based agents. These policies are distinct from user-based CA policies and extend governance controls to the agents themselves, covering how they authenticate and access resources.

Available templates (AI Agents tab in Microsoft Entra admin center):

Template | Purpose | Access Pattern
Block high-risk agent identities | Blocks agent identities flagged as high-risk by Entra ID Protection | Application-only and autonomous agents
Configure policy for autonomous agent access | Controls resource access by agents acting with their own identity (no user present) | Autonomous / app-only agents
Configure policy for on-behalf-of agent access | Controls resource access by agents acting on behalf of a signed-in user | Delegated / assistive agents

Find these templates in the Microsoft Entra admin center at: Entra ID > Conditional Access > Create new policy from templates > AI Agents tab.

Licensing prerequisite: Conditional Access for agent identities requires Microsoft Entra ID P1 (or P2 for risk-based agent policies via Identity Protection) plus a Microsoft Agent 365 license per user. Microsoft Agent 365 reached general availability for the Commercial segment on May 1, 2026. Note that technical enforcement of the Agent 365 licensing requirement within the CA system is in progress ("coming soon" per Microsoft documentation) — organizations should verify current licensing requirements at Conditional Access for agents before deploying these policies in production.

FSI applicability: FSI institutions deploying Copilot Studio agents, declarative agents, or Entra Agent ID–registered agents should apply the AI Agents CA template policies as a baseline governance layer alongside user-based Copilot CA policies. Cross-reference Control 2.17 for cross-tenant agent access controls.

IRM Adaptive Protection Dynamic Blocking

Insider Risk Management integrates with Conditional Access through Adaptive Protection to enable dynamic, risk-responsive access control for Copilot. When IRM identifies a user at elevated risk, Adaptive Protection can automatically adjust the user's Conditional Access policy to restrict or block Copilot access in real time.

This creates a feedback loop: risky behavior detected by IRM → user risk level elevated → CA policy dynamically restricts AI access → user must complete additional verification or is blocked entirely.

Configuration path: Microsoft Purview > Insider Risk Management > Adaptive Protection settings.

The integration works through IRM's real-time risk level signals, which Conditional Access evaluates as an additional condition alongside standard signals. A user who triggers an IRM high-risk alert will find that their next Copilot authentication request is blocked by the dynamically adjusted CA policy — without requiring a manual administrator action.

FSI value: For financial institutions, this dynamic coupling means that a departing employee who begins bulk-downloading data via Copilot can be automatically blocked from further Copilot access while the IRM investigation proceeds. The response is proportionate and immediate.

Access Flow Diagram

User Request to Copilot
  Entra ID Authentication
  ┌─────────────────────┐
  │ Conditional Access  │
  │ Policy Evaluation   │
  │                     │
  │ ✓ MFA completed?    │
  │ ✓ Device compliant? │
  │ ✓ Location trusted? │
  │ ✓ Risk level OK?    │
  │ ✓ App approved?     │
  │ ✓ IRM risk OK?      │
  └─────────┬───────────┘
     ┌──────┴──────┐
     │             │
  All Pass      Any Fail
     │             │
  Grant Access   Block/Remediate
  + Session      + Audit Log
  Controls

Copilot Surface Coverage

M365 Application | CA Policy Applies | Device Compliance | Location Restriction | Risk-Based Block | Notes
Microsoft 365 Copilot Chat | Yes | Yes | Yes | Yes | Primary Copilot entry point
Word | Yes | Yes | Yes | Yes | Via Microsoft 365 app targeting
Excel | Yes | Yes | Yes | Yes | Via Microsoft 365 app targeting
PowerPoint | Yes | Yes | Yes | Yes | Via Microsoft 365 app targeting
Outlook | Yes | Yes | Yes | Yes | Via Microsoft 365 app targeting
Teams | Yes | Yes | Yes | Yes | Separate Teams app target available
OneNote | Yes | Yes | Yes | Yes | Via Microsoft 365 app targeting
Loop | Yes | Yes | Yes | Yes | Via Microsoft 365 app targeting
Copilot Pages | Yes | Yes | Yes | Yes | Inherits from Microsoft 365 Copilot app
SharePoint (Agents) | Yes | Yes | Yes | Yes | Via SharePoint Online app target

Governance Levels

Level | Requirement | Rationale
Baseline | Require MFA for all Copilot users; require managed device (Intune enrolled); block access from anonymous or Tor networks; verify that the May 2026 CA enforcement audit was completed and any Copilot exclusions from "All resources" policies were remediated; enable Adaptive Protection in audit mode | Minimum access controls — prevents Copilot access from unmanaged devices and unauthenticated sessions; May 2026 enforcement is now in effect
Recommended | Add phishing-resistant MFA (FIDO2, Windows Hello, certificate-based); enforce device compliance (not just enrollment); restrict to named corporate locations + approved VPN; 8-hour sign-in frequency; block medium/high risk sign-ins; confirm Copilot-specific exclusions were removed from "All resources" CA policies and verify enforcement behavior in sign-in logs; enable Adaptive Protection dynamic blocking for high-risk users | Strong access posture suitable for most FSI firms — aligns with NYDFS Part 500 MFA requirements and confirms the CA exclusion bypass path is closed
Regulated | Require phishing-resistant MFA with authentication strength policy; compliant device from approved hardware list; corporate location only (no remote for Copilot); 4-hour sign-in frequency; real-time risk evaluation; integration with Defender for Cloud Apps for session-level monitoring; block all elevated risk sign-ins; enforce CA policies against all resources including Copilot with no exclusions, post-enforcement verification confirmed; enable Adaptive Protection dynamic blocking at medium-risk threshold with mandatory investigation trigger | Maximum access restriction for highest-sensitivity environments — no Copilot exclusion gaps; immediate IRM-triggered access revocation for at-risk users

Setup & Configuration

Step 1: Define Named Locations

Portal: Microsoft Entra Admin Center > Protection > Conditional Access > Named locations

  1. Create IP-based named locations for corporate offices
  2. Create country/region-based named locations for approved jurisdictions
  3. Mark corporate network ranges as "trusted" locations

Step 2: Verify Enterprise Copilot Platform App ID

Portal: Microsoft Entra Admin Center > Protection > Conditional Access > Policies

Before creating or modifying CA policies, verify the correct App ID for the Enterprise Copilot Platform:

  • Correct App ID: fb8d773d-7ef8-4ec0-a117-179f88add510
  • Search existing CA policies for any policies that reference an incorrect Copilot app ID
  • Use the Conditional Access optimization agent to identify policies that may need correction

Prerequisite — Service Principal Registration: Before creating CA policies targeting the Enterprise Copilot Platform, the service principal must exist in your tenant. Register it with: New-MgServicePrincipal -AppId fb8d773d-7ef8-4ec0-a117-179f88add510. If the service principal is not registered, the app will not appear in the CA policy target resource picker.

Step 3: Verify May 2026 CA Enforcement Compliance

Portal: Microsoft Entra Admin Center > Protection > Conditional Access > Optimization

Verify that the May 2026 CA enforcement change has been addressed in all CA policies:

  1. Run the CA optimization agent to identify any remaining policies with resource exclusions
  2. Identify any policies that still exclude the Enterprise Copilot Platform app
  3. Remove or restructure remaining exclusions immediately and test in report-only mode before re-enabling enforcement
  4. Review Entra sign-in logs to confirm enforcement is behaving as expected — confirm no unintended blocks or policy-bypass gaps
  5. Document current policy posture and remediation actions for examination readiness
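The checks in Steps 2 and 3 can be run as a script rather than by hand. The following is an added example, not part of this control page or of Microsoft's tooling: it reads policies either live from Get-MgIdentityConditionalAccessPolicy or from the JSON export produced in the Key PowerShell Commands section, flags the "All resources + Copilot exclusion" pattern and Copilot-targeted policies that are not enabled, and reports whether at least one enabled policy requires MFA on Copilot. The function name and the finding labels are the example's own.

```powershell
# Added example, not from the control page. Audits Conditional Access policies for the
# Copilot-related patterns described in Steps 2 and 3:
#   - "All resources" policies that exclude the Enterprise Copilot Platform
#   - policies that target Copilot but are not in the enabled state
#   - whether at least one enabled policy enforces MFA (built-in "mfa" control or an
#     authentication strength) on Copilot access
# Input is the output of Get-MgIdentityConditionalAccessPolicy -All, or the JSON export
# from the Key PowerShell Commands section (property names are identical in both).
function Test-FsiCopilotCaPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        # Enterprise Copilot Platform App ID from the control page
        [string] $CopilotAppId = 'fb8d773d-7ef8-4ec0-a117-179f88add510'
    )

    $perPolicy = foreach ($p in $Policies) {
        $includes = @($p.Conditions.Applications.IncludeApplications)
        $excludes = @($p.Conditions.Applications.ExcludeApplications)
        $grant    = $p.GrantControls

        # A policy covers Copilot if it names the app directly, or targets All
        # resources without carving Copilot out.
        $coversCopilot = ($includes -contains $CopilotAppId) -or
                         ($includes -contains 'All' -and $excludes -notcontains $CopilotAppId)

        $requiresMfa = (@($grant.BuiltInControls) -contains 'mfa') -or
                       (-not [string]::IsNullOrEmpty($grant.AuthenticationStrength.Id))

        $findings = [System.Collections.Generic.List[string]]::new()
        if ($includes -contains 'All' -and $excludes -contains $CopilotAppId) {
            # The pattern the May 2026 change addressed; restructure it so the policy
            # inventory no longer carries a documented Copilot exclusion.
            $findings.Add('AllResources-CopilotExcluded')
        }
        if ($includes -contains $CopilotAppId -and $p.State -ne 'enabled') {
            $findings.Add("CopilotTargeted-State=$($p.State)")
        }

        [pscustomobject]@{
            DisplayName     = $p.DisplayName
            State           = $p.State
            CoversCopilot   = $coversCopilot
            ExcludesCopilot = ($excludes -contains $CopilotAppId)
            RequiresMfa     = $requiresMfa
            Findings        = ($findings -join '; ')
        }
    }

    # Tenant-level verdict: at least one enabled policy must require MFA on Copilot.
    # User scoping (include/exclude users and groups) is not evaluated here.
    $mfaEnforced = [bool]($perPolicy | Where-Object {
        $_.State -eq 'enabled' -and $_.CoversCopilot -and $_.RequiresMfa })

    [pscustomobject]@{
        CopilotMfaEnforced = $mfaEnforced
        ExclusionGaps      = @($perPolicy | Where-Object ExcludesCopilot).DisplayName
        Policies           = $perPolicy
    }
}

# Live tenant (requires Policy.Read.All):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $result = Test-FsiCopilotCaPosture -Policies (Get-MgIdentityConditionalAccessPolicy -All)
# Offline, from the export produced in the Key PowerShell Commands section:
#   $result = Test-FsiCopilotCaPosture -Policies (Get-Content .\CA-Policies-Export.json -Raw | ConvertFrom-Json)
# $result.Policies | Where-Object Findings | Format-Table -AutoSize
# $result.CopilotMfaEnforced
```

A policy in report-only state (enabledForReportingButNotEnforced) is reported as a finding because it does not count toward CopilotMfaEnforced; that is the expected result during the 7-day report-only window in Step 4 and should clear once the policy is switched to On.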

Step 4: Create Copilot MFA Policy

Portal: Microsoft Entra Admin Center > Protection > Conditional Access > Policies > New policy

  1. Name: FSI-Copilot-RequireMFA
  2. Assignments: Include — All Copilot-licensed users; Exclude — break-glass accounts
  3. Target resources: Microsoft 365 Copilot app (App ID: fb8d773d-7ef8-4ec0-a117-179f88add510)
  4. Grant: Require authentication strength — Phishing-resistant MFA
  5. Enable policy: Report-only (test for 7 days), then On

Step 5: Create Device Compliance Policy

  1. Name: FSI-Copilot-CompliantDevice
  2. Assignments: Include — All Copilot-licensed users
  3. Target resources: Microsoft 365 Copilot, Microsoft 365
  4. Conditions: All device platforms
  5. Grant: Require device to be marked as compliant
  6. Note: Requires Intune device compliance policies to be configured

Step 6: Create Location-Based Policy

  1. Name: FSI-Copilot-BlockUntrustedLocation
  2. Assignments: Include — All Copilot-licensed users
  3. Conditions: Locations — Include all locations, Exclude named trusted locations
  4. Grant: Block access

Step 7: Create Risk-Based Policy

  1. Name: FSI-Copilot-RiskBasedBlock
  2. Conditions: Sign-in risk — Medium, High
  3. Grant: Block access
  4. Prerequisite: Entra ID Protection P2 license

Step 8: Configure Session Controls

  1. Name: FSI-Copilot-SessionControl
  2. Session: Sign-in frequency — 8 hours (Recommended) or 4 hours (Regulated)
  3. Session: Persistent browser session — Disabled
  4. Session: Use Conditional Access App Control (routes through Defender for Cloud Apps)
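Steps 4 and 8 expressed as policy-as-code, an added example rather than configuration from this page or from Microsoft: it creates FSI-Copilot-RequireMFA and FSI-Copilot-SessionControl in report-only mode through the Microsoft Graph PowerShell SDK, with the assignments and controls the steps describe. The group and break-glass object IDs are placeholders to be replaced; the phishing-resistant authentication strength is resolved by its built-in display name rather than hard-coded.

```powershell
# Added example, not from the control page. Creates the FSI-Copilot-RequireMFA policy
# (Step 4) and the FSI-Copilot-SessionControl policy (Step 8) in report-only mode using
# the Microsoft Graph PowerShell SDK. Object IDs marked as placeholders must be replaced.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$copilotAppId   = 'fb8d773d-7ef8-4ec0-a117-179f88add510'          # from the control page
$copilotUsersId = '<object-id-of-Copilot-licensed-users-group>'     # placeholder
$breakGlassIds  = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')  # placeholders

# Resolve the built-in "Phishing-resistant MFA" authentication strength by name.
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $phishingResistant) { throw 'Built-in phishing-resistant MFA strength not found.' }

# Shared assignments: Copilot-licensed users in, break-glass accounts out, Copilot app only.
$commonConditions = @{
    users = @{
        includeGroups = @($copilotUsersId)
        excludeUsers  = $breakGlassIds
    }
    applications   = @{ includeApplications = @($copilotAppId) }
    clientAppTypes = @('all')
}

$mfaPolicy = @{
    displayName   = 'FSI-Copilot-RequireMFA'
    state         = 'enabledForReportingButNotEnforced'   # report-only first (Step 4, item 5)
    conditions    = $commonConditions
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistant.Id }
    }
}

$sessionPolicy = @{
    displayName     = 'FSI-Copilot-SessionControl'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = $commonConditions
    sessionControls = @{
        # 8 hours for Recommended; set value = 4 for the Regulated level
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 8; frequencyInterval = 'timeBased' }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

foreach ($body in $mfaPolicy, $sessionPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

After the report-only period, switching a policy to enforcement is a single update of the state property (Update-MgIdentityConditionalAccessPolicy with state = enabled), so the same body definitions double as the documentation examiners ask for under Examination Readiness.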

Step 9: Enable Adaptive Protection Integration

Portal: Microsoft Purview > Insider Risk Management > Adaptive Protection

  1. Enable Adaptive Protection in Microsoft Purview IRM
  2. Configure risk level thresholds for CA enforcement
  3. In Entra ID Conditional Access, create a policy that evaluates IRM risk levels:
     • Condition: Insider risk — tied to IRM Adaptive Protection signal
     • Grant: Block access (Regulated) or require additional MFA step (Recommended)
  4. Test the integration: trigger an IRM risk event and verify CA policy responds within the configured evaluation interval

Key PowerShell Commands

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# List all Conditional Access policies
Get-MgIdentityConditionalAccessPolicy | Format-Table DisplayName, State, CreatedDateTime

# Get details of a specific policy
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "<policy-id>" | Format-List

# Export all CA policies for documentation
Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10 | Out-File "CA-Policies-Export.json"

# Search for policies referencing the Copilot app ID
$copilotAppId = "fb8d773d-7ef8-4ec0-a117-179f88add510"
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.Applications.IncludeApplications -contains $copilotAppId -or
    $_.Conditions.Applications.ExcludeApplications -contains $copilotAppId
} | Format-Table DisplayName, State

Financial Sector Considerations

  • NYDFS Part 500 Compliance: Section 500.12 specifically requires MFA for accessing internal networks from external networks. For NYDFS-regulated entities, Copilot access from any non-corporate location must enforce MFA. The May 2026 CA enforcement change closed a gap where "All resources + exclusion" policies could allow Copilot access without MFA — NYDFS-regulated institutions should verify this remediation was completed and confirmed effective. The Regulated governance level addresses this by restricting Copilot to corporate locations only.
  • FFIEC Authentication Expectations: The FFIEC expects layered security controls proportionate to risk. Copilot's ability to synthesize data across the entire tenant makes it a higher-risk application warranting stronger authentication than basic M365 access.
  • Branch Office Considerations: Financial firms with distributed branch networks must define named locations for all branch offices. Consider using compliant network detection via Global Secure Access rather than IP-based ranges for dynamic branch networks.
  • Trading Floor Access: Trading floor environments may require device-based certificates or hardware tokens rather than phone-based MFA to comply with SEC and FINRA requirements restricting personal device use in trading areas.
  • Registered Representative Access: Representatives who access Copilot from client locations or during travel need clear guidance on VPN requirements and approved access methods. Overly restrictive location policies may impair field productivity.
  • Break-Glass Accounts: Maintain at least two break-glass accounts excluded from Conditional Access policies. These accounts should be monitored for use and have strong, unique passwords stored securely. Document break-glass procedures for examination readiness.
  • Examination Readiness: Maintain a Conditional Access policy inventory document showing all policies, their configurations, and last review dates. Include documentation of the May 2026 enforcement audit, remediation, and post-enforcement sign-in log review. Examiners may request this during IT examinations.

Verification Criteria

  1. App ID Accuracy: Verify all CA policies targeting Copilot reference the correct Enterprise Copilot Platform App ID: fb8d773d-7ef8-4ec0-a117-179f88add510
  2. May 2026 Enforcement Verification: Confirm CA policy audit for "All resources + exclusion" patterns has been completed; confirm post-enforcement sign-in logs show expected behavior; document remediation actions taken
  3. MFA Enforcement: Attempt to access Copilot without MFA — confirm access is blocked and MFA prompt is presented
  4. Device Compliance: Attempt to access Copilot from a non-compliant or unmanaged device — confirm access is blocked
  5. Location Restriction: Test Copilot access from an IP address outside named locations — confirm access is blocked (Recommended/Regulated levels)
  6. Risk-Based Blocking: Simulate a risky sign-in (use Entra ID Protection test tools) — confirm Copilot access is blocked when sign-in risk is medium or high
  7. Session Controls: Access Copilot and wait for the sign-in frequency interval to expire — confirm re-authentication is required
  8. Adaptive Protection Integration: Verify Adaptive Protection is enabled and that IRM risk level changes trigger corresponding CA policy enforcement for Copilot access
  9. Break-Glass Exclusion: Confirm break-glass accounts are excluded from Copilot CA policies and that exclusion is documented
  10. Audit Logging: Verify that Conditional Access policy evaluation results (success, failure, not applied) appear in the Entra sign-in logs
  11. Report-Only Testing: Before enabling enforcement, confirm policies have been tested in report-only mode for at least 7 days with acceptable results
  12. Policy Documentation: Confirm Conditional Access policy inventory is maintained and includes last review date, policy purpose, and exception justifications
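For the sign-in log review in Step 3 and Verification Criteria 2 and 10, the following added example (not from this page or from Microsoft) queries the Entra sign-in log for the Enterprise Copilot Platform app over a lookback window and summarizes Conditional Access outcomes by status and by policy, listing the Copilot sign-ins where no policy applied. The function name and the lookback default are the example's own; Entra ID P1/P2 sign-in log retention is 30 days, so the window cannot usefully exceed that.

```powershell
# Added example, not from the control page. Summarizes Entra sign-in log entries for the
# Enterprise Copilot Platform over a lookback window so the post-enforcement review
# (Step 3, Verification Criteria 2 and 10) is answered from data rather than by inspection.
# Requires AuditLog.Read.All and Directory.Read.All.
function Get-FsiCopilotCaSignInSummary {
    param(
        [int]    $LookbackDays = 7,
        [string] $CopilotAppId = 'fb8d773d-7ef8-4ec0-a117-179f88add510'   # from the control page
    )
    $since   = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter  = "appId eq '$CopilotAppId' and createdDateTime ge $since"
    $signIns = @(Get-MgAuditLogSignIn -Filter $filter -All)

    # 1. Overall CA outcome distribution. "notApplied" on a Copilot sign-in means no
    #    policy matched that request, which is the bypass condition to investigate.
    $byStatus = $signIns | Group-Object ConditionalAccessStatus | Select-Object Name, Count

    # 2. Per-policy results, expanded from each sign-in's applied-policy list
    #    (results include success, failure, notApplied, reportOnlySuccess, reportOnlyFailure).
    $byPolicy = $signIns | ForEach-Object { $_.AppliedConditionalAccessPolicies } |
        Group-Object DisplayName, Result |
        ForEach-Object {
            [pscustomobject]@{
                Policy = $_.Group[0].DisplayName
                Result = $_.Group[0].Result
                Count  = $_.Count
            }
        } | Sort-Object Policy, Result

    # 3. Copilot sign-ins where no policy applied at all: who, from which client, from where.
    $unprotected = $signIns | Where-Object ConditionalAccessStatus -eq 'notApplied' |
        Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, IpAddress,
                      @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }

    [pscustomobject]@{
        Since        = $since
        TotalSignIns = $signIns.Count
        ByStatus     = $byStatus
        ByPolicy     = $byPolicy
        Unprotected  = $unprotected
    }
}

# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $s = Get-FsiCopilotCaSignInSummary -LookbackDays 14
# $s.ByStatus    | Format-Table
# $s.ByPolicy    | Format-Table
# $s.Unprotected | Format-Table -AutoSize
```

Reading the output: a non-empty Unprotected list during the report-only period is expected if no other policy covers Copilot yet; after the policies are switched to On it should be empty, and reportOnlyFailure rows in ByPolicy are the users who will be blocked once enforcement starts, which is the list to review before flipping the state.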

Additional Resources