Why Copilot Studio Agents Can’t Return SharePoint Results for Guest Users in SSO-Enabled Apps
This week, I ran into a scenario that many organizations deploying Copilot Studio might face.
We had a guest user who had access to both:
A Copilot Studio agent embedded in a SharePoint site, and
The SharePoint files themselves.
What’s Going On?
In SSO-enabled apps, Copilot Studio agents query SharePoint using the identity of the signed-in user. This is done through delegated permissions, meaning the agent acts on behalf of the user to search the content.
[Figure: High-level architecture for this scenario.]
This process depends on:
Microsoft Graph Search
Microsoft Entra delegated permissions
For internal users, this works seamlessly. But for guest (B2B) users, it doesn’t — and here’s why:
Guest identities typically can’t use Graph Search in the host tenant.
Even if the SharePoint site is shared, security filtering causes the search to return “no content.”
Licensing is tenant-bound, and guest accounts usually don’t have the required Microsoft 365 Copilot license.
A Simple Workaround for Guest Access
If your goal is to support guest users with access to static content, consider this approach:
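Upload static files directly into Copilot Studio using the built-in file upload feature. This bypasses the need for delegated permissions and ensures the agent can respond to guest queries using the uploaded content. Because the answers no longer depend on the signed-in user’s SharePoint permissions, upload only files that everyone who can reach the agent is allowed to read.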
Bottom Line
Even though the guest can access the files directly, the agent can’t retrieve or use that content to generate answers. This is a platform limitation, and currently, this scenario isn’t supported.
Thanks again to Remi Dyon from the Microsoft team for helping clarify this!