Microsoft has marked Microsoft 365 Roadmap item 503587 as launched, adding hierarchical access-control-list support to Microsoft 365 Copilot connectors for Jira, Confluence, and ServiceNow. The capability reached general availability in April 2026 for Worldwide standard multi-tenant tenants, according to the Microsoft 365 Roadmap, which was last updated on July 13.
The change matters because connector content is indexed for use in Microsoft 365 Copilot and Microsoft Search. If a connector cannot correctly evaluate permissions inherited from a parent object—such as a Confluence space, Jira project, or ServiceNow catalog category—it risks either withholding legitimate results or, worse, exposing material too broadly.
“Nested permissions” in the roadmap entry refers to hierarchical ACL evaluation: permissions assigned at more than one level are considered when determining whether a particular user can see a specific item.
Microsoft’s current connector documentation provides concrete examples. For Confluence on-premises, the connector calculates effective access from page restrictions, parent-page restrictions, and space permissions. ServiceNow Catalog similarly evaluates user criteria set on both catalog categories and individual catalog items. Jira connectors apply their native hierarchy, including issue-level security where present and project permissions otherwise.
The aim is not to create a new permissions system in Microsoft 365. Rather, Copilot connectors should reflect the authorization decisions already made in Jira, Confluence, and ServiceNow when that data is synchronized into Microsoft’s search and Copilot experiences.
Admins running these connectors should review existing connections, especially those created before the feature’s rollout:
This update should improve authorization fidelity, but it does not eliminate the need for permission audits: indexed content remains only as accurately protected as the source ACLs, service-account rights, and Entra identity mappings behind the connector.
The change matters because connector content is indexed for use in Microsoft 365 Copilot and Microsoft Search. If a connector cannot correctly evaluate permissions inherited from a parent object—such as a Confluence space, Jira project, or ServiceNow catalog category—it risks either withholding legitimate results or, worse, exposing material too broadly.
Parent and child permissions now count
“Nested permissions” in the roadmap entry refers to hierarchical ACL evaluation: permissions assigned at more than one level are considered when determining whether a particular user can see a specific item.Microsoft’s current connector documentation provides concrete examples. For Confluence on-premises, the connector calculates effective access from page restrictions, parent-page restrictions, and space permissions. ServiceNow Catalog similarly evaluates user criteria set on both catalog categories and individual catalog items. Jira connectors apply their native hierarchy, including issue-level security where present and project permissions otherwise.
The aim is not to create a new permissions system in Microsoft 365. Rather, Copilot connectors should reflect the authorization decisions already made in Jira, Confluence, and ServiceNow when that data is synchronized into Microsoft’s search and Copilot experiences.
What admins should check
Microsoft says connector access can be set either to respect the source system’s ACLs or to make content visible to everyone in the organization. The latter is plainly inappropriate for most issue trackers, internal knowledge bases, and IT service-management deployments.Admins running these connectors should review existing connections, especially those created before the feature’s rollout:
- In the Microsoft 365 admin center, open Copilot > Connectors > Your Connections and verify that each relevant connection uses source-system access rather than an organization-wide visibility setting.
- Confirm that service accounts can read the source objects and permission records needed for evaluation. ServiceNow’s hierarchical setup, for example, requires access to both category- and item-level user-criteria tables.
- Validate identity mapping between the external service and Microsoft Entra ID, since a correctly read ACL is of little value if users and groups cannot be matched reliably.
- Test with accounts that inherit access through a parent container as well as accounts explicitly denied or restricted at the child-item level.
Scope and limitations
The roadmap lists the release as web-based, generally available, and limited to the Worldwide standard multi-tenant cloud. It does not promise availability in government, sovereign, or dedicated environments. Microsoft’s ServiceNow documentation separately notes that some hierarchical-permission functionality is unavailable in those environments.This update should improve authorization fidelity, but it does not eliminate the need for permission audits: indexed content remains only as accurately protected as the source ACLs, service-account rights, and Entra identity mappings behind the connector.
References
- Primary source: Microsoft 365 Roadmap
Published: 2026-07-13T23:07:14.8221961Z
Microsoft 365 Roadmap | Microsoft 365
The Microsoft 365 Roadmap lists updates that are currently planned for applicable subscribers. Check here for more information on the status of new features and updates.www.microsoft.com
- Official source: learn.microsoft.com
Manage connectors - Microsoft 365 Copilot connectors | Microsoft Learn
Manage your Microsoft 365 Copilot connector connection state and index quota utilization.learn.microsoft.com - Official source: download.microsoft.com
- Official source: adoption.microsoft.com