Global Secure Access network controls enable you to implement granular access controls for Microsoft Copilot Studio agents. You can apply network security policies, including web content filtering, threat intelligence filtering, and network file filtering, to agent traffic. This capability gives agents security controls similar to the ones you use for other traffic types in your organization.
Microsoft Entra integrates with Microsoft Copilot Studio to provide network security controls for agent interactions. This integration allows organizations to apply security policies, monitor agent traffic with the Global Secure Access visibility platform, and ensure secure communication between agents and external resources.
Prerequisites
To configure network security for Copilot Studio agents, you must have:
- A Global Secure Access Administrator role in Microsoft Entra ID to manage Global Secure Access features.
- A Power Platform Administrator role to manage Copilot Studio environments.
- A Power Platform environment with Dataverse added to the environment. For more information, see Create and manage environments in the Power Platform admin center.
Enable network controls for Copilot Studio agents
To enable network controls for Copilot Studio agents, you must first enable traffic forwarding from these agents in the Power Platform Admin Center.
- Sign in to the Power Platform Admin Center as a Power Platform Administrator.
- Browse to Security > Identity & access > Global Secure Access for Agents.
- Select the appropriate environment or environment group and select Set up.
- Enable Global Secure Access for Agents for the selection.
Note
After enabling Global Secure Access for Agents in the environment or environment group, any existing Copilot Studio custom connector must be edited and saved to ensure its traffic is routed through Global Secure Access. Custom connectors created afterward automatically use this configuration.
Create security policies for Copilot Studio agents
After enabling network controls, you can enforce Global Secure Access security policies on agent traffic. You can apply web content filtering, threat intelligence filtering, and other security policies. The following example shows how to configure a web content filtering policy:
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Secure > Web content filtering policies.
- Select Create policy.
- Enter a descriptive name and a description for the policy, then select Next.
- Select Add rule.
- Configure rules based on your security requirements for Copilot Studio agents. For example, block access to web repositories, illegal software, not safe for work (NSFW) sites, and more.
- Select Next to review the policy.
- Select Create policy.
Next, you can create other policies, such as a threat intelligence policy to protect agents against malicious destinations, or a file policy to safeguard against unintended data exposure and prevent inline data leaks.
Link policies to the baseline profile
Group your security policies by linking them to the baseline profile to apply them to Copilot Studio agent traffic. Security profiles linked to Conditional Access policies aren't currently supported for Copilot Studio agents.
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Secure > Security profiles.
- Select the Baseline profile tab.
- Select Edit to edit the baseline profile rules.
- Select Link a policy and then select Existing policy.
- Select the Copilot Studio agent web repositories policy created earlier and select Add.
- Select Save to save the profile changes.
Monitor and maintain
Regular monitoring and maintenance ensure your security configuration remains effective:
- Review traffic logs regularly for unusual patterns or blocked legitimate traffic. For more information, see Global Secure Access network traffic logs.
- Update filtering policies as new services or requirements emerge.
- Test policy changes in a development environment before applying to production.
Note
Configuration changes in the Global Secure Access experience related to web content filtering typically take effect in less than five minutes.
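One way to carry out the log review described above, added here as an example and not taken from the Microsoft documentation: it groups exported traffic records by agent schema name and separates blocked destinations the agent is expected to reach from repeated blocks and from allowed traffic to unlisted hosts. The field names (`agentName`, `destinationFqdn`, `action`), the sample records, and the `EXPECTED` map are constructed assumptions; map them to the columns in your own traffic log export.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export, one JSON record per line; field names are assumptions.
SAMPLE_LOG = """\
{"agentName": "cr1a2_hrHelper", "destinationFqdn": "api.contoso.example", "action": "Allow"}
{"agentName": "cr1a2_hrHelper", "destinationFqdn": "files.contoso.example", "action": "Block"}
{"agentName": "cr1a2_hrHelper", "destinationFqdn": "paste.example.net", "action": "Block"}
{"agentName": "cr1a2_hrHelper", "destinationFqdn": "paste.example.net", "action": "Block"}
{"agentName": "cr1a2_hrHelper", "destinationFqdn": "Paste.Example.net.", "action": "Block"}
{"agentName": "cr1a2_hrHelper", "destinationFqdn": "cdn.example.org", "action": "Allow"}
{"agentName": "cr1a2_itBot", "destinationFqdn": "api.contoso.example", "action": "Allow"}
not-json: truncated record
"""

# Destinations each agent (keyed by schema name) is expected to reach; constructed.
EXPECTED = {
    "cr1a2_hrHelper": {"api.contoso.example", "files.contoso.example"},
    "cr1a2_itBot": {"api.contoso.example"},
}

def review(lines, expected, repeats=3):
    """Per agent: blocked expected hosts, repeated blocks, allowed unlisted hosts."""
    blocked = defaultdict(Counter)  # agent -> host -> number of blocked requests
    allowed = defaultdict(set)      # agent -> hosts with at least one allowed request
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the review
        agent = rec.get("agentName", "<unknown>")
        host = rec.get("destinationFqdn", "").lower().rstrip(".")
        if not host:
            continue
        if rec.get("action", "").lower() == "block":
            blocked[agent][host] += 1
        else:
            allowed[agent].add(host)
    findings = {}
    for agent in sorted(set(blocked) | set(allowed)):
        base = expected.get(agent, set())
        hits = blocked[agent]
        findings[agent] = {
            # The policy is blocking a destination the agent legitimately needs.
            "blocked_expected": sorted(h for h in hits if h in base),
            # The agent keeps retrying a destination outside its expected set.
            "repeated_blocks": sorted(h for h, n in hits.items() if n >= repeats and h not in base),
            "new_destinations": sorted(allowed[agent] - base),
        }
    return findings
```

Entries under `blocked_expected` are candidates for a policy exception, while `repeated_blocks` and `new_destinations` point at agent behavior worth investigating.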
Known limitations
- The enforcement feature supports only the baseline profile. Network security policies apply per tenant.
- Global Secure Access partner ecosystem integrations, such as third-party Data Loss Prevention (DLP), aren't supported.
- Copilot Studio Bing search network transactions (including knowledge from public websites and Wikipedia) aren't supported.
- Network requests to Dataverse and Azure SQL knowledge sources aren't supported.
- Network requests to the following custom tools aren't supported: prompt, agent flow, Computer Use, and child agents.
- Network requests to a large language model (LLM), either for orchestration or results enhancement, aren't supported.
- Only specific Copilot Studio connectors are supported with network security controls. Refer to the Copilot Studio documentation for the list of supported connectors.
- Currently the Agent Name returned in the Global Secure Access traffic logs is the agent's unique schema name.