Azure Copilot Not Working? Here's How to Fix It
Why Azure Copilot Isn't Working
I've seen this play out dozens of times. An Azure admin logs into the portal, looks for the Azure Copilot button, that little sparkle icon in the top toolbar, and it's just not there. Or it's there, but clicking it opens a blank panel that spins forever and never loads. Or it loads, you type a question in natural language, and the AI assistant returns nothing. No error. No explanation. Just silence.
Here's the thing: Azure Copilot setup problems fall into a surprisingly small number of root causes, but Microsoft's portal doesn't tell you which one you're hitting. That's the real frustration.
Azure Copilot is Microsoft's AI-powered assistant built directly into the Azure portal, Azure mobile app, and AI Shell. It uses Large Language Models combined with your live Azure environment context to answer questions, run commands, generate scripts, and help you manage resources, all through plain English. The idea is that instead of hunting through hundreds of service blades, you just ask. "Show me which VMs are costing the most this month." Done. It's genuinely powerful when it works.
When it doesn't work, the causes break into four main buckets:
1. Tenant-level access is disabled. By default, Azure Copilot is available to everyone in your tenant, but a Global Administrator may have intentionally or accidentally turned it off. If that's happened, no amount of browser refreshes will fix it for regular users.
2. Websocket connections are being blocked. This is the one that catches people completely off guard. Azure Copilot depends on a live websocket connection to https://directline.botframework.com. Corporate firewalls and overzealous network proxy configs block this all the time. The portal loads fine, your Azure resources show up fine, but Copilot silently fails because the bot framework channel can't connect.
3. You're in a national cloud. Azure Copilot is not available in Azure Government or Microsoft Azure operated by 21Vianet, full stop. If your subscription lives in a national cloud environment, Copilot simply isn't there, and no configuration change will bring it back.
4. Agents (preview) access hasn't been granted yet. If you're trying to use the newer agentic features, full-screen mode, real-time notifications, file generation, that's a separate rollout managed at the tenant level. Regular Azure Copilot and the Agents preview are two different things.
I know this is frustrating, especially when you're trying to move fast on cloud infrastructure work. Let's find which category you're in and get it fixed. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go anywhere near Group Policy or firewall rules, do this first. It fixes maybe 40% of Azure Copilot not loading cases in under two minutes.
Open your Azure portal at portal.azure.com. Look at the top navigation bar, you're looking for a small sparkle or star icon labeled "Copilot." If you see it, great. If you don't, skip down to Step 1 in the step-by-step section because you have a tenant or access issue, not a browser issue.
If the icon is there but the panel won't load, do this in order:
First, open your browser's developer tools. In Chrome or Edge, press F12, then click the Network tab. Now click the Copilot button in the portal and watch what happens in the network log. You're looking for any request to directline.botframework.com that shows a red status, blocked, failed, or a CORS error. If you see it, your firewall or proxy is the culprit. That's the fix detailed in Step 3.
If network calls look clean, try this: open an InPrivate or Incognito window and navigate to portal.azure.com. Sign in fresh. Then try Copilot. If it works in private browsing but not your normal window, a browser extension is interfering, most likely an ad blocker, privacy shield, or VPN extension that intercepts websocket traffic.
If InPrivate doesn't help either, clear your portal cache specifically. In Edge or Chrome, navigate to portal.azure.com, then press Ctrl + Shift + Delete, set the time range to "All time," check Cookies and site data plus Cached images and files, and clear. Reload the portal completely and try again.
One more thing while you're here: confirm you're accessing the standard Azure portal and not a sovereign cloud endpoint. If your URL says portal.azure.us (Azure Government) or portal.azure.cn (21Vianet), Azure Copilot will never appear, it's not supported in those environments, period.
This is ground zero. If Azure Copilot is disabled at the tenant level, no individual user can turn it on for themselves, and the portal gives you essentially no indication that this is why it's not showing up.
You need Global Administrator rights to check this. If you're a regular user and Copilot isn't visible, send this guide to your Azure admin and ask them to check.
Sign into the Azure portal at portal.azure.com. In the top search bar, type Azure Copilot and select it from the results, you'll land on the Copilot management blade. Alternatively, navigate directly through: Microsoft Entra ID → User settings → Manage how end users launch and view their experiences.
Look for the Azure Copilot access toggle. If it's set to a restricted group or turned off entirely, that's your answer. By design, Azure Copilot is on for all tenant users by default, but Global Administrators can restrict it to specific Microsoft Entra users or groups. If a previous admin tightened this and nobody documented it, you'll see the icon missing for everyone who isn't in the allowed group.
To re-enable it broadly, toggle access to All users or add the affected user accounts or Microsoft Entra group to the allowed list. Changes typically propagate within a few minutes, have the affected user refresh the portal (hard refresh: Ctrl + F5) and check again.
If you see that access was already set to "All users" and Copilot is still not appearing, the tenant-level setting isn't your problem. Move to Step 2.
This step takes 30 seconds and can save you hours of chasing a problem that has no solution for your environment.
Azure Copilot is simply not available in two environments: Azure Government (the US national cloud) and Microsoft Azure operated by 21Vianet (the China region). If your organization's subscriptions live in either of these environments, Azure Copilot is off the table. Microsoft has been clear that these national cloud environments are not in scope.
To check which cloud your subscription is in, look at the URL in your browser. portal.azure.com is the commercial cloud. portal.azure.us is Azure Government. portal.azure.cn is 21Vianet. Simple as that.
If you're on the commercial cloud, also verify that your account is associated with an active Azure subscription. Copilot isn't available on free trial accounts in all cases, and if your subscription has lapsed or been suspended, the feature set gets trimmed.
You can check your subscriptions by clicking your account name in the top-right of the portal and selecting Switch directory, or navigating to Subscriptions in the portal search. Confirm the status shows Active.
One thing that trips up enterprise users: if your Microsoft Entra tenant is associated with a national cloud directory but your engineers are trying to use the commercial portal, you can end up in a weird hybrid state where some features load and Copilot doesn't. In that case, work with your Azure account team to confirm directory association.
Once you've confirmed you're on the commercial cloud with an active subscription, head to Step 3.
This is the fix that most corporate IT teams miss, and it's responsible for a huge number of "Azure Copilot won't load" tickets I've seen in enterprise environments. The portal itself works fine. Your Azure resources load. But Copilot spins indefinitely or shows a connection error, because the actual bot channel can't connect.
Azure Copilot requires that your network allows websocket connections to:
https://directline.botframework.comThis is documented directly in Microsoft's official Azure Copilot requirements: "Your organization must allow websocket connections to https://directline.botframework.com." If your network team has never explicitly whitelisted this, there's a good chance it's being caught by a firewall rule, proxy inspection policy, or a Zscaler/Netskope-type secure web gateway that drops websocket upgrades.
Here's how to diagnose it properly. Open browser DevTools (F12), go to the Network tab, and filter by WS (websocket). Click the Copilot button and watch for a connection attempt to directline.botframework.com. If it shows as failed, blocked, or never appears at all, your network is the problem.
Take this to your network administrator with the exact URL. The fix on their end is to add a firewall rule or proxy bypass for *.botframework.com on port 443, with websocket upgrade traffic allowed (not just HTTPS inspection). Some proxy solutions like Zscaler also need an SSL inspection bypass for this domain, because websocket handshakes break under certain SSL interception configurations.
After the network change is made, close and reopen your browser completely, don't just refresh, and test Copilot again.
If basic Azure Copilot is working for you, you can ask it questions, get resource information, generate basic scripts, but you're missing the newer features like full-screen mode, real-time notifications, or the ability to open generated Terraform configs directly in Visual Studio Code for the Web, then you're dealing with a separate issue: Agents (preview) access.
Agents (preview) in Azure Copilot is a distinct capability layer on top of standard Azure Copilot. It extends the assistant with an agentic, multi-modal interface that can help you across six specific workload areas: deployments and infrastructure, migration, observability, optimization, resiliency, and troubleshooting and support.
Access to Agents (preview) is managed at the tenant level and is being rolled out gradually, not everyone gets it immediately. For most tenants, an access request is submitted automatically on your behalf. But you won't necessarily know that has happened, or when it'll be approved.
To check your status or push things along, your Global Administrator needs to navigate to the Azure Copilot management settings and look for the Agents (preview) section. They can confirm whether the tenant has been enrolled, and they can also submit or update enrollment preferences. Regular users cannot do this, it has to be the tenant admin.
If your organization wants earlier access, Microsoft has provided a form to fill out to help them prioritize your tenant as they expand capacity. Note that submitting the form does not guarantee access, it just gets you into the prioritization queue. Administrator tenant enablement is still required after approval.
Once Agents (preview) access is granted, all users in the tenant who can already access standard Azure Copilot will automatically gain access too. New agent capabilities that Microsoft releases going forward will also become available automatically, you won't need to re-enroll.
If the Azure portal specifically is giving you grief but you need Azure Copilot working right now, there are two alternative access paths that bypass browser-based issues entirely and can confirm whether the core problem is portal-specific or account-level.
AI Shell: Azure Copilot is accessible through AI Shell, which brings Copilot into a CLI context. This is useful for developers and engineers who prefer terminal workflows anyway. To test this path, install AI Shell and authenticate with the same Azure credentials you're having trouble with in the portal. If Copilot works here but not in the portal, the issue is browser or network-layer specific, not account permissions.
Azure Mobile App: Azure Copilot is also built into the Azure mobile app for iOS and Android. Download the app, sign in with your Azure credentials, and look for the Copilot option in the app interface. Again, if it works on your phone but not your desktop portal, that's a very useful data point pointing to corporate network or browser restrictions on your workstation.
To test the mobile path without a full setup, use your phone's data connection rather than corporate Wi-Fi when you first test. If Copilot works on mobile data but not on Wi-Fi, you've just confirmed a network-level block on your corporate wireless network, which maps straight back to the websocket fix in Step 3.
Document which paths work and which don't before escalating to your network team or Microsoft Support. That kind of specific evidence makes the conversation go much faster and usually gets the firewall fix prioritized quickly.
Advanced Troubleshooting
If you've worked through all five steps and Azure Copilot is still misbehaving, you're likely dealing with one of a smaller set of enterprise-specific configurations. Here's where to dig next.
Conditional Access Policies Blocking Copilot
In larger organizations, Microsoft Entra Conditional Access policies can interfere with Azure Copilot in non-obvious ways. Policies that require compliant devices, specific network locations, or MFA re-authentication for certain app registrations can silently block the bot framework connection. Check your Conditional Access policies in Microsoft Entra ID → Security → Conditional Access and look for policies that target "All cloud apps" or specifically the Azure portal app registration. If the device accessing Copilot is flagged as non-compliant (even temporarily, during a compliance scan delay), Copilot can drop its connection mid-session.
Event Viewer and Browser Console Errors
For browser-side debugging, the browser console (F12 → Console tab) will sometimes surface more useful error details than the portal UI does. Look for messages referencing botframework, directline, or 401 / 403 status codes. A 401 typically means the authentication token for the Copilot session didn't pass correctly, often because of a session timeout or token validation failure through a proxy. A 403 usually means access was explicitly denied at some layer.
Domain-Joined Machine Proxy Configuration
On domain-joined Windows machines, Internet Explorer proxy settings (yes, still relevant through the WinINET stack) can override browser-level settings in surprising ways. Even if Chrome or Edge appear to have no proxy configured, the underlying OS proxy settings might be routing Copilot traffic through a corporate proxy that doesn't handle websockets correctly.
Check and test with this PowerShell command to see what proxy WinINET is using:
netsh winhttp show proxyIf a proxy is listed there, ask your network team whether that proxy is configured to allow websocket connections through without breaking them with SSL inspection.
Microsoft Entra Group Membership Sync Delays
If a Global Administrator grants Copilot access to a specific Microsoft Entra group and a user was just added to that group, there can be a replication delay, sometimes 15–30 minutes, before the change takes effect in the portal. If you're testing access immediately after an admin made a change, wait and try again before escalating. Have the user sign out of the portal and sign back in to force a fresh token with updated group membership claims.
Checking Azure Service Health
Sometimes the problem isn't you at all. Azure Copilot, like any cloud service, can experience outages or degraded performance. Before spending more time debugging, check Azure Service Health in the portal (search: Service Health) and look at the Service Issues tab filtered to the Azure Copilot service. If there's an active incident, you'll see it here along with estimated remediation times.
If you've confirmed that: your tenant is on the commercial cloud, Copilot access is enabled for your account, the directline.botframework.com websocket is unblocked, there are no active service health incidents, and Copilot still won't function, it's time to open a support ticket. Go to Microsoft Support and create a case under the Azure technical support category. When you open the ticket, include: your tenant ID, the browser console error output, a screenshot of your network tab showing the failed websocket attempt, and the results of testing on both AI Shell and the mobile app. That package of evidence gets you past first-line support quickly.
Prevention & Best Practices
Once you've got Azure Copilot working, the last thing you want is to lose it again because of a configuration drift or a network change nobody documented. Here's what I'd put in place now to keep things stable.
Document your network allowlist formally. The directline.botframework.com websocket requirement should be in your network runbook and your firewall change management system. When your network team rotates proxy configurations or implements new SSL inspection rules, this is the kind of domain that gets missed because it's not in the obvious "Microsoft 365" or "Azure" allowlist templates. Getting it documented means it survives staff turnover and quarterly firewall reviews.
Set up Azure Service Health alerts for Azure Copilot. In the portal, navigate to Service Health → Health Alerts and create an alert that fires to your team's email or Teams channel whenever Azure Copilot has a service issue. This means when Copilot goes down, you know within minutes and don't waste time debugging your own environment when the issue is on Microsoft's side.
Use Microsoft Entra groups for Copilot access management, not per-user toggles. If your Global Administrator needs to restrict Azure Copilot access to certain teams, do it via a properly named Microsoft Entra group (e.g., AZ-Copilot-Allowed-Users) rather than individual accounts. This makes onboarding and offboarding clean, and the group membership is auditable in Entra ID's sign-in and audit logs.
Test Copilot after any corporate VPN or proxy changes. Any time your network team changes VPN split tunneling rules, updates a proxy configuration, or upgrades a secure web gateway appliance, add an Azure Copilot test to the post-change verification checklist. It takes 30 seconds and prevents helpdesk tickets the next morning.
Keep browser extensions minimal on machines that use the Azure portal. Ad blockers, privacy extensions, and VPN browser plugins regularly interfere with websocket-based features in enterprise web apps. Consider a separate browser profile for Azure portal work, kept clean of extensions, especially for admins who work in the portal daily.
- Add
*.botframework.comto your corporate firewall and proxy allowlist with websocket traffic explicitly permitted - Create an Azure Service Health alert scoped to Azure Copilot so outages reach your team immediately
- Manage Copilot access through a dedicated Microsoft Entra group rather than individual user toggles
- Document your Copilot network requirements in your IT runbook so configuration survives team changes and audits
Frequently Asked Questions
What exactly is Azure Copilot and what can it actually do?
Azure Copilot is an AI assistant built directly into the Azure portal, mobile app, and CLI tool AI Shell. It uses Large Language Models combined with live data from your Azure environment to answer questions in plain English, generate Azure CLI scripts, write PowerShell and Terraform configurations, estimate costs, analyze service health, troubleshoot deployed web apps, and manage virtual machines. Instead of navigating through hundreds of Azure service blades, you describe what you want and Copilot figures out the right path. Think of it as having a senior Azure architect on call inside your browser, one that can actually see your specific resources and environment.
Why can't I see the Azure Copilot button in my Azure portal?
There are three main reasons the Copilot icon goes missing: first, a Global Administrator in your tenant has restricted access to specific users or groups and your account isn't included; second, you're accessing Azure through a national cloud endpoint like portal.azure.us (Azure Government) or portal.azure.cn (21Vianet China), where Copilot isn't available; third, less commonly, there's a browser or session cache issue that's hiding it. Check your portal URL first, if it's not portal.azure.com, Copilot won't appear regardless of any other settings. If you're on the commercial portal, ask your Global Administrator to verify the tenant-level Copilot access setting in Microsoft Entra ID.
Does Azure Copilot cost extra, or is it included with my Azure subscription?
As of now, the capabilities currently available in Azure Copilot are included at no additional cost, you don't pay extra on top of your existing Azure subscription. Microsoft has been clear that future capabilities may eventually carry pricing, but there's been no announcement of when that changes or which features might be affected. The Agents (preview) features are also included during the preview period. Keep an eye on the Microsoft Product Terms for Azure Copilot, which is where any pricing changes will be officially announced before they take effect.
How do I get access to the Agents preview in Azure Copilot?
Access to Agents (preview) in Azure Copilot is managed at the tenant level by Microsoft, not something individual users can self-serve. For most Azure tenants, an access request is submitted automatically on your behalf, you just wait for the rollout to reach your tenant. Your Global Administrator can check on the status and preferences in the Azure Copilot management settings. Microsoft has also made a form available for organizations that want to signal interest in earlier access, though filling it out doesn't guarantee or accelerate approval. Once your tenant is approved, all users who can already access standard Azure Copilot get the Agents features automatically, no individual user action required.
Azure Copilot loads but then freezes or gives no response, what's wrong?
This symptom, where the panel opens but nothing comes back after you type, almost always points to a blocked websocket connection to directline.botframework.com. Azure Copilot communicates through this Bot Framework channel in real time, and if your corporate firewall, proxy, or SSL inspection policy breaks the websocket handshake, the panel appears to work but the AI can't actually send or receive messages. Open your browser's DevTools (F12), go to the Network tab, filter by WS (websocket), and click Copilot to see whether a connection to directline.botframework.com appears and whether it succeeds or fails. Take that evidence to your network administrator and ask them to allow websocket traffic to *.botframework.com port 443 without SSL inspection interception.
Can I use Azure Copilot if my organization uses Azure Government or the China region?
No, and this is non-negotiable right now. Azure Copilot is explicitly not available in national cloud environments, which includes Azure Government (portal.azure.us) and Microsoft Azure operated by 21Vianet (portal.azure.cn). There's no workaround, no opt-in, and no preview access path for these environments. Microsoft's position is that national clouds have separate compliance, data residency, and sovereignty requirements that mean features get evaluated separately before being made available. If your organization operates in a national cloud and Azure Copilot is something you need, the right path is to contact your Microsoft account team and register your interest formally, that's the most direct way to get visibility on any future availability timeline.