Control 1.29: Global Secure Access: Network Controls for Copilot Studio Agents
Control ID: 1.29 Pillar: Security Regulatory Reference: GLBA 501(b), FINRA 4511, FINRA 25-07, OCC 2011-12, SOX 302/404, NIST SP 800-53 SC-7 Last UI Verified: April 2026 Governance Levels: Baseline / Recommended / Regulated
Preview Feature
This is a preview feature. Preview features aren't meant for production use and may have restricted functionality. Features may change before becoming generally available. Subject to the Microsoft Azure Preview Supplemental Terms of Use. Evaluate suitability for your regulatory environment before enabling in production workloads. Document your risk acceptance decision as part of your change management record.
Relationship to Control 1.20 — Network Isolation
Control 1.29 is complementary to, not overlapping with, Control 1.20 (Network Isolation and Private Connectivity). Control 1.20 governs inbound network controls — restricting which clients and networks can reach your agents through private endpoints, VNet integration, and IP allowlists. Control 1.29 governs outbound network controls — filtering what external destinations your agents can access, applying web content filtering, threat intelligence blocking, and file transfer controls to traffic originating from agents. Both controls are required for a complete Zero Trust network posture for Copilot Studio agent environments.
Objective
Extend Zero Trust network security principles to Microsoft Copilot Studio agent outbound traffic by enabling Global Secure Access (GSA) forwarding for agent environments and applying web content filtering, threat intelligence filtering, and network file filtering policies to all agent-initiated external connections.
Why This Matters for FSI
Financial services AI agents increasingly initiate outbound connections to external systems — calling APIs, retrieving reference data, processing instructions from connected services, or accessing web-based knowledge sources. Without network-level outbound controls, a misconfigured or compromised agent represents a data exfiltration vector and a threat escalation path that bypasses traditional endpoint and perimeter controls.
The risk profile is acute for regulated institutions:
- Data exfiltration: An agent processing customer PII or NPI could be manipulated through prompt injection or misconfigured tool definitions to POST data to an attacker-controlled endpoint. Without outbound filtering, this traffic is invisible to traditional firewalls monitoring user endpoints.
- Unapproved AI destinations: FINRA, OCC, and SEC guidance increasingly scrutinizes use of third-party generative AI services. Agents autonomously connecting to unapproved AI endpoints (OpenAI public APIs, consumer ChatGPT, etc.) creates regulatory exposure without explicit policy approval.
- Malicious infrastructure access: Agents connecting to known command-and-control (C2) infrastructure through misconfigured connectors or malicious MCP servers can be weaponized as internal beachheads. Threat intelligence filtering closes this vector.
- Unauthorized file transfers: Agents with file handling capabilities could download malicious payloads or upload sensitive documents to unauthorized repositories without network file filtering controls.
Global Secure Access treats agents as security principals — applying the same network security policy layer used for users to agent-originated traffic. This provides a consistent, auditable control surface for FINRA Rule 4511 system security requirements, GLBA 501(b) safeguards obligations, and OCC 2011-12 technology risk management expectations.
Examination Evidence Value
GSA traffic logs provide a timestamped, searchable record of all external connections made by agents — including blocked requests. This log set is directly relevant as examination evidence for FINRA cybersecurity inquiries, OCC technology risk reviews, and SOX IT general controls assessments. Firms should retain GSA logs per their records retention schedule and export to SIEM per Control 3.9.
Control Description
| Capability | Description |
|---|---|
| GSA Agent Traffic Forwarding | Enables Power Platform environments to route all Copilot Studio agent outbound HTTP/S traffic through the Global Secure Access globally distributed proxy. Configured per-environment or per-environment group in Power Platform admin center. Treats agents as first-class security principals subject to network policy. |
| Web Content Filtering | Applies URL and category-based filtering to agent-initiated web requests. Block access by content category (e.g., illegal software, social media, gambling, unapproved AI services, data repository sites) or by specific URL. Prevents agents from accessing destinations that violate organizational acceptable use policy regardless of how the connection is initiated. |
| Threat Intelligence Filtering | Blocks agent connections to known malicious sites, domains, and IP ranges using Microsoft threat intelligence feeds updated in near-real time. Prevents agents from being directed — through prompt injection, compromised connectors, or malicious MCP server definitions — to exfiltrate data to attacker-controlled infrastructure. |
| Network File Filtering | Controls file upload and download activity initiated by agents. Prevents agents from downloading malicious executables, scripts, or documents from unknown web destinations and from uploading sensitive organizational data (including documents containing NPI or PII) to unauthorized file hosting services. |
| GSA Traffic Logs with Agent Metadata | All agent traffic passing through GSA generates structured log entries including agent-specific metadata fields. Logs are queryable in Microsoft Entra admin center and exportable to Microsoft Sentinel (see Control 3.9) for SIEM correlation, retention, and examination evidence generation. |
| Baseline Profile Policy Linking | Security policies (web content filtering, threat intelligence, file filtering) are linked to the Global Secure Access baseline profile. The baseline profile applies at the tenant level to all forwarded agent traffic. Note: Conditional Access-linked profiles are not yet supported for agent traffic in the current preview. |
Key Configuration Points
Conditional Access Profile Limitation (Preview)
In the current preview, only the baseline profile is supported for agent traffic. Conditional Access-linked profiles — which would allow fine-grained per-agent or per-environment filtering based on Conditional Access policy conditions — are not yet available for Copilot Studio agent traffic. This means all agent environments on the same tenant share the same GSA baseline profile policies. Plan your policy scoping accordingly. Track Microsoft roadmap for per-agent Conditional Access profile support.
Supported Traffic Types
The following agent traffic types are captured by GSA forwarding when enabled:
- HTTP node traffic (agents making direct HTTP calls in flows)
- Tools-generated connectors (connectors automatically created from tool definitions)
- Custom connectors (Power Platform custom connectors invoked by agents)
- Custom Model Context Protocol (MCP) servers (external MCP server connections)
- Custom tools (agent tool definitions that make external calls)
Traffic Not Captured
- Agent traffic to Microsoft 365 and Power Platform internal services (these do not traverse GSA by design)
- Traffic using non-HTTP protocols not yet covered by the preview forwarding scope
Policy Evaluation Flow
When an agent initiates a request to an external resource:
- GSA intercepts the request at the forwarding layer
- Threat intelligence check: request destination evaluated against Microsoft threat feeds — block if matched
- Web content filtering check: destination URL/domain evaluated against category and explicit URL policies — block if matched
- Network file filtering check: if a file transfer operation is detected, evaluated against file filtering policy — block if matched
- If all checks pass: request forwarded to destination
- Regardless of outcome: log entry written with agent metadata, destination, action, and policy match details
License Requirements
| Component | License Required |
|---|---|
| Global Secure Access for agents | Microsoft Entra Internet Access license, or Microsoft 365 E3/E5 with appropriate Entra add-on |
| Power Platform admin center toggle | Power Platform admin role (no additional license) |
| GSA traffic log access | Included with GSA license |
| Sentinel export (Control 3.9) | Microsoft Sentinel workspace (Log Analytics) |
Prerequisites Checklist
- Global Secure Access license provisioned for tenant
- Microsoft Entra admin center access (Entra Global Admin or Entra Security Admin)
- Power Platform Admin role for environment configuration
- Copilot Studio environments identified and classified by zone (Zone 1 / 2 / 3)
- Organizational web content filtering category policy defined and approved
- Network file filtering scope agreed with data protection and legal teams
Zone-Specific Requirements
| Requirement | Zone 1 — Personal | Zone 2 — Team | Zone 3 — Enterprise / Regulated |
|---|---|---|---|
| GSA Agent Traffic Forwarding | Optional — recommended when agents access external web sources | Mandatory for all environments with external connector usage | Mandatory for all agent environments without exception |
| Web Content Filtering Policy | Basic — block known malicious categories | Required — block high-risk categories (illegal software, gambling, social media, unapproved AI sites, data repositories) | Required — comprehensive category blocking plus explicit allowlist; default-deny model for uncategorized destinations recommended |
| Threat Intelligence Filtering | Recommended | Required | Required |
| Network File Filtering | Optional | Recommended — block upload to unauthorized file hosts | Required — full upload and download filtering per data protection standards; upload of files from regulated systems explicitly blocked to non-approved destinations |
| GSA Traffic Log Review | Ad hoc | Weekly review required; findings documented | Daily review required; blocked request review integrated into incident response workflow |
| Log Export to Sentinel | Not required | Recommended (see Control 3.9) | Required — GSA logs exported to Sentinel workspace; retention aligned to regulatory schedule |
| Blocked Request SLA | No formal SLA | Review false positives within 5 business days | Review false positives within 24 hours; escalate anomalous blocked requests as potential incidents |
| Configuration Documentation | Recommended | Required — documented as change record | Required — documented as ITGC evidence; included in FINRA/SEC examination package |
| Allowlist Management | Ad hoc | Formal approval required for additions | Change-controlled; Security team approval required; quarterly review of allowlist entries |
Roles & Responsibilities
| Role | Responsibilities |
|---|---|
| Power Platform Admin | Enable GSA forwarding toggle per environment in Power Platform admin center; coordinate environment classification with Security team; document GSA configuration state per change management procedure |
| Entra Security Admin | Create and maintain web content filtering policies, threat intelligence policy, and network file filtering policy in Entra admin center; link policies to GSA baseline profile; own policy content and category selections |
| AI Governance Team / CoE | Define approved and blocked external destination categories relevant to AI agent use cases; approve agent-specific allowlist additions; review GSA traffic log anomaly reports |
| CISO / Security Operations | Review GSA traffic log alerts and anomaly reports; own incident response for blocked traffic anomalies; sign off on GSA configuration as part of ITGC evidence package |
| Compliance / Legal | Validate that web content filtering and file filtering policies are consistent with data protection obligations, GLBA privacy requirements, and applicable state laws; advise on log retention schedule |
| Agent Developers | Declare all external destinations used by agents in design documentation; raise allowlist addition requests through formal change process; test agent functionality post-GSA enablement; report legitimate traffic blocked to Power Platform Administrator |
| Internal Audit | Verify GSA forwarding is enabled for all in-scope environments; sample GSA traffic logs for completeness and agent metadata quality; include GSA controls in ITGC scope for SOX 302/404 assessments |
Related Controls
| Control ID | Title | Relationship |
|---|---|---|
| 1.20 | Network Isolation and Private Connectivity | Complementary — 1.20 governs inbound network controls (private endpoints, VNet, IP restrictions); 1.29 governs outbound filtering. Both required for complete Zero Trust network posture. |
| 1.4 | Advanced Connector Policies | Complementary — connector policies restrict which connectors agents may use (catalog-level control); GSA filtering applies independently to traffic from permitted connectors. Layered defense. |
| 1.5 | DLP and Sensitivity Labels | Complementary — DLP controls data in transit at the Power Platform layer; GSA network filtering provides the network-layer backstop if DLP classification is incomplete or data is transmitted through non-DLP-inspected paths. |
| 1.8 | Runtime Protection and External Threat Detection | Complementary — 1.8 provides runtime behavioral monitoring; 1.29 provides network-layer prevention. GSA blocked events should feed into 1.8 threat detection workflows. |
| 3.9 | Microsoft Sentinel Integration | Dependent — Zone 3 requires GSA traffic logs exported to Sentinel. 3.9 defines log schema, alert rules, and retention policy that consume GSA agent traffic log data. |
| 2.25 | Agent 365 Admin Center Governance Console | Informational — Agent 365 governance templates include Entra Network visibility cards. GSA configuration state should be reflected in the governance console environment health view. |
Implementation Playbooks
| Playbook | Description | Audience |
|---|---|---|
| Portal Walkthrough | Step-by-step configuration of GSA agent forwarding in Power Platform admin center and all three filtering policy types in Entra admin center | Power Platform Admins, Security Admins |
| PowerShell Setup | Automate GSA forwarding enablement across multiple environments, query traffic logs for agent events, and export configuration state as audit evidence | Platform Engineers, Security Engineers |
| Verification Testing | Test procedures to confirm GSA forwarding is active, validate each filtering policy type is blocking correctly, and verify agent metadata appears in traffic logs | Security Engineers, QA, Internal Audit |
| Troubleshooting | Diagnosis and resolution for agent traffic not appearing in GSA logs, legitimate connectors incorrectly blocked, baseline profile propagation delays, and missing log metadata fields | Power Platform Admins, Security Operations |
Verification Criteria
- GSA agent traffic forwarding is confirmed enabled for all Zone 2 and Zone 3 Copilot Studio environments in Power Platform admin center; environment list is documented and reviewed quarterly.
- A web content filtering policy is created in Entra admin center with organizational-approved category blocks and explicit URL rules, and the policy is linked to the Global Secure Access baseline profile.
- A threat intelligence filtering policy is active in Entra admin center and linked to the GSA baseline profile; policy is set to block (not audit-only) for Zone 2 and Zone 3 environments.
- A network file filtering policy is configured per organizational data protection standards, covering both upload and download scenarios, and is linked to the GSA baseline profile.
- GSA traffic logs show agent-specific metadata fields (confirming that agent-originated traffic is being forwarded through GSA and not bypassing the proxy).
- Weekly log review is completed and documented for Zone 2 environments; daily log review is completed and documented for Zone 3 environments; review records are retained per the regulatory records schedule.
- Blocked traffic events are reviewed within the applicable SLA (5 business days for Zone 2, 24 hours for Zone 3); false positives are remediated and re-tested; anomalous blocked requests are escalated as potential security incidents.
- GSA configuration (forwarding state, policy definitions, baseline profile link) is documented as IT general control evidence and included in the FINRA/SEC examination evidence package; configuration matches the documented security baseline.
Additional Resources
- Microsoft Learn: Global Secure Access for agents in Copilot Studio (Preview)
- Microsoft Learn: Global Secure Access overview
- Microsoft Learn: Web content filtering in Global Secure Access
- Microsoft Learn: Threat intelligence filtering in Global Secure Access
- Microsoft Learn: Network file filtering in Global Secure Access
- Microsoft Learn: Global Secure Access traffic logs
- GLBA Safeguards Rule — FTC 16 CFR Part 314
- FINRA Rule 4511 — General Requirements
- OCC Bulletin 2011-12 — Technology Risk Management
- FSI-AgentGov Control 1.20 — Network Isolation and Private Connectivity
- FSI-AgentGov Control 3.9 — Microsoft Sentinel Integration
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current