403 Forbidden when calling Microsoft Graph Copilot getAllEnterpriseInteractions API with AiEnterpriseInteraction.Read.All

Riccardo Bruè 5 Reputation points
2026-03-10T08:54:15.85+00:00

Hello,

I'm encountering a 403 Forbidden (UnknownError) when calling the Copilot interaction history API in Microsoft Graph:

GET https://graph.microsoft.com/v1.0/copilot/users/{user}/interactionHistory/getAllEnterpriseInteractions

Error returned:

{ "error": { "code": "Forbidden", "message": "UnknownError", "innerError": { "date": "2026-03-09T10:33:48", "request-id": "55654d50-3ec1-42fb-b56e-f10695cd0cfd", "client-request-id": "99654d50-3ec1-42fb-b56e-310695cd0cfd" } } }

API: Microsoft Graph v1.0

Endpoint: /copilot/users/{id}/interactionHistory/getAllEnterpriseInteractions

Authentication: Application permissions (client credentials)

SDK: Microsoft Graph SDK

Token contains the role:

AiEnterpriseInteraction.Read.All

Admin consent has been granted.

The user queried has Copilot service plans enabled:

3f30311c-6b1e-48a4-ab79-725b469da960 (Microsoft 365 Copilot Chat)

82d30987-df9b-4486-b146-198b21d164c7 (Copilot Connectors)

Both are Enabled in AssignedPlans.

Is there any additional permission or tenant configuration required for the getAllEnterpriseInteractions API beyond AiEnterpriseInteraction.Read.All?

Also, are there any known limitations or rollout requirements for this API that could cause a 403 Forbidden even when the documented permission is present?

Thanks in advance for your help.

Microsoft Copilot | Microsoft 365 Copilot | Development

2 answers

  1. Karan Shewale 2,505 Reputation points Microsoft External Staff
    2026-03-12T05:40:08.17+00:00

    Hi Riccardo Bruè,

    The 403 Forbidden (UnknownError) is usually not a token-format problem once AiEnterpriseInteraction.Read.All is present and consented.

    Also, the AI Assist note about change notification subscription quotas is likely unrelated to this direct GET call unless you are creating subscriptions.

    For this endpoint, check these in order:

    1. Endpoint support + permission mode
      • Confirm this API is enabled in your tenant/region and supports your auth mode (application).
    2. Copilot entitlement
      • Target user typically needs qualifying Microsoft 365 Copilot entitlement (Copilot Chat + Connectors alone may not be sufficient for all enterprise interaction history scenarios).
    3. Token claims
      • aud = https://graph.microsoft.com
      • roles contains AiEnterpriseInteraction.Read.All
      • Token issued by same tenant where consent was granted.
    4. User scope
      • Use a member user in the same tenant (not guest/B2B external user).
    5. Service rollout / policy gating
      • This API can return 403 when backend enablement/compliance gating is not active for the tenant.

    If all checks pass, open Microsoft support with:

    • request-id
    • client-request-id
    • UTC timestamp
    • tenant ID, app ID, user ID/UPN

    That is the fastest way to confirm backend rollout/allow-list status.

    Thanks & Regards

    Karan Shewale.


  2. Q&A Assist
    2026-03-10T08:54:31.1433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The 403 Forbidden response for the Copilot interaction history API with UnknownError is consistent with Microsoft Graph returning authorization failures when prerequisites beyond the basic permission are not met.

    From the available information, there are two main categories of causes for 403s with Microsoft Graph even when the documented permission is present:

    1. Token or permission mismatch for the target API
      Microsoft Graph requires that the access token be issued specifically for Microsoft Graph, and that the scopes/roles match what the API expects. If the token is issued for a different resource (for example, Azure AD Graph, Exchange, or SharePoint) or the audience (aud) claim does not match Microsoft Graph, the call fails with 403. Action:
      • Ensure the token is requested for Microsoft Graph as the resource and that the aud claim matches Microsoft Graph.
      • Confirm that the app registration actually has the AiEnterpriseInteraction.Read.All application permission granted with admin consent, and that the role appears in the token used for the call.
    2. Service-side authorization or quota limits on change/interaction subscriptions
      Copilot interaction history is surfaced through Microsoft Graph’s change notification and interaction APIs. For Teams and Copilot-related resources, Microsoft Graph enforces per-organization subscription limits. When those limits are exceeded, additional operations can fail with 403 Forbidden. For change notifications, Microsoft Graph documents that:
      • There is a per-organization limit of 10,000 total subscriptions shared across all Teams-related change notification subscriptions in the tenant.
      • When this combined number of active subscriptions reaches the limit, any additional subscription creation request for a Teams resource fails with 403 Forbidden.
      Copilot interaction history subscriptions are also subject to specific quotas:
      • Per app and tenant combination (for subscriptions tracking AI interactions across a tenant): 1
      • Per app and user combination (for subscriptions tracking AI interactions a particular user is part of): 1
      • Per user (for subscriptions tracking AI interactions a particular user is part of): 10 subscriptions
      • Per organization: 10,000 total subscriptions
      While the call in the question is a direct GET rather than a subscription creation, these limits indicate that Copilot interaction history is tightly quota-controlled at the tenant level. If the tenant is at or near these limits, or if there is a backend constraint on Copilot interaction history for that tenant, the service can respond with 403 even when the permission is present.

    Given the context, additional tenant configuration or rollout requirements for Copilot interaction history are not documented beyond:

    • Correct Microsoft Graph audience in the token.
    • Correct application permission (AiEnterpriseInteraction.Read.All) with admin consent.
    • Compliance with tenant-level quotas and limits for Copilot/Teams-related subscriptions and interactions.

    If all of the following are true:

    • The token’s aud claim is Microsoft Graph.
    • AiEnterpriseInteraction.Read.All is present as an app role in the token.
    • The user has the required Copilot service plans enabled.
    • The tenant is not exceeding the documented subscription/interaction limits.

    Then the remaining step is to capture the request-id and date from the 403 response (already available in the error) and open a support case so that Microsoft can check backend Copilot rollout state and any tenant-specific restrictions that are not exposed via public documentation.
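
The token checks that both answers list (aud, roles, and the issuing tenant from the first answer), as an added example that is not part of either answer: it decodes an access token's payload for diagnosis only, without verifying the signature. The function names, sample tokens and tenant ID are constructed for illustration; accepting Microsoft Graph's app ID as an audience and flagging an scp claim as a delegated token are additions beyond what the answers state.

```python
import base64
import json

GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",  # Microsoft Graph's well-known app ID
}
REQUIRED_ROLE = "AiEnterpriseInteraction.Read.All"


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_app_token(jwt: str, consent_tenant_id: str) -> list[str]:
    """Return a list of findings; an empty list means the claim checks pass."""
    claims = decode_claims(jwt)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"aud is {aud!r}, not Microsoft Graph")
    roles = claims.get("roles") or []
    if REQUIRED_ROLE not in roles:
        findings.append(f"roles lacks {REQUIRED_ROLE}: {roles}")
    if "scp" in claims:
        findings.append("scp claim present: this is a delegated token, not app-only")
    if str(claims.get("tid", "")).lower() != consent_tenant_id.lower():
        findings.append(f"tid {claims.get('tid')!r} differs from the consenting tenant")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
good = make_sample_token({"aud": "https://graph.microsoft.com", "tid": TENANT,
                          "roles": [REQUIRED_ROLE]})
bad = make_sample_token({"aud": "https://outlook.office365.com", "tid": "other",
                         "roles": ["Mail.Read"]})
if __name__ == "__main__":
    print(check_graph_app_token(good, TENANT))
    print(check_graph_app_token(bad, TENANT))
```

An empty result only rules out the token as the cause; the entitlement and rollout checks from the first answer still apply.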

