Control 1.29: Global Secure Access: Network Controls for Copilot Studio Agents
Control ID: 1.29 | Pillar: Security | Regulatory Reference: GLBA 501(b), FINRA 4511, FINRA 3110, FINRA RN 24-09, OCC Bulletin 2026-13 (formerly OCC 2011-12), SOX 302/404, NIST SP 800-53 SC-7 | Last UI Verified: June 2026 | Governance Levels: Baseline / Recommended / Regulated
Preview Feature
This is a preview feature. Preview features aren't meant for production use and may have restricted functionality. Features may change before becoming generally available. Subject to the Microsoft Azure Preview Supplemental Terms of Use. Evaluate suitability for your regulatory environment before enabling in production workloads. Document your risk acceptance decision as part of your change management record.
Relationship to Control 1.20 — Network Isolation
Control 1.29 is complementary to, not overlapping with, Control 1.20 (Network Isolation and Private Connectivity). Control 1.20 governs inbound network controls — restricting which clients and networks can reach your agents through private endpoints, VNet integration, and IP allowlists. Control 1.29 governs outbound network controls — filtering what external destinations your agents can access, applying web content filtering, threat intelligence blocking, and file transfer controls to traffic originating from agents. Both controls are required for a complete Zero Trust network posture for Microsoft Copilot Studio agent environments.
Objective
Extend Zero Trust network security principles to Copilot Studio agent outbound traffic by enabling Global Secure Access (GSA) forwarding for agent environments and applying web content filtering, threat intelligence filtering, and network file filtering policies to all agent-initiated external connections.
Why This Matters for FSI
Financial services AI agents increasingly initiate outbound connections to external systems — calling APIs, retrieving reference data, processing instructions from connected services, or accessing web-based knowledge sources. Without network-level outbound controls, a misconfigured or compromised agent represents a data exfiltration vector and a threat escalation path that bypasses traditional endpoint and perimeter controls.
The risk profile is acute for regulated institutions:
- Data exfiltration: An agent processing customer PII or NPI could be manipulated through prompt injection or misconfigured tool definitions to POST data to an attacker-controlled endpoint. Without outbound filtering, this traffic is invisible to traditional firewalls monitoring user endpoints.
- Unapproved AI destinations: FINRA, OCC, and SEC guidance increasingly scrutinizes use of third-party generative AI services. An agent that autonomously connects to unapproved AI endpoints (OpenAI public APIs, consumer ChatGPT, etc.) without explicit policy approval creates regulatory exposure.
- Malicious infrastructure access: Agents connecting to known command-and-control (C2) infrastructure through misconfigured connectors or malicious MCP servers can be weaponized as internal beachheads. Threat intelligence filtering closes this vector.
- Unauthorized file transfers: Agents with file handling capabilities could download malicious payloads or upload sensitive documents to unauthorized repositories without network file filtering controls.
Global Secure Access treats agents as security principals — applying the same network security policy layer used for users to agent-originated traffic. This provides a consistent, auditable control surface for FINRA Rule 4511 system security requirements, GLBA 501(b) safeguards obligations, and OCC Bulletin 2026-13 (formerly OCC 2011-12) technology risk management expectations.
Examination Evidence Value
GSA traffic logs provide a timestamped, searchable record of all external connections made by agents — including blocked requests. This log set is directly relevant as examination evidence for FINRA cybersecurity inquiries, OCC technology risk reviews, and SOX IT general controls assessments. Firms should retain GSA logs per their records retention schedule and export to SIEM per Control 3.9.
Control Description
| Capability | Description |
|---|---|
| GSA Agent Traffic Forwarding | Enables Power Platform environments to route all Copilot Studio agent outbound HTTP/S traffic through the Global Secure Access globally distributed proxy. Configured per-environment or per-environment group in Power Platform admin center. Treats agents as first-class security principals subject to network policy. |
| Web Content Filtering | Applies URL and category-based filtering to agent-initiated web requests. Block access by content category (e.g., illegal software, social media, gambling, unapproved AI services, data repository sites) or by specific URL. Prevents agents from accessing destinations that violate organizational acceptable use policy regardless of how the connection is initiated. |
| Threat Intelligence Filtering | Blocks agent connections to known malicious sites, domains, and IP ranges using Microsoft threat intelligence feeds updated in near-real time. Prevents agents from being directed — through prompt injection, compromised connectors, or malicious MCP server definitions — to exfiltrate data to attacker-controlled infrastructure. |
| Network File Filtering | Controls file upload and download activity initiated by agents. Prevents agents from downloading malicious executables, scripts, or documents from unknown web destinations and from uploading sensitive organizational data (including documents containing NPI or PII) to unauthorized file hosting services. |
| GSA Traffic Logs with Agent Metadata | All agent traffic passing through GSA generates structured log entries including agent-specific metadata fields. Logs are queryable in Microsoft Entra admin center and exportable to Microsoft Sentinel (see Control 3.9) for SIEM correlation, retention, and examination evidence generation. |
| Baseline Profile Policy Linking | Security policies (web content filtering, threat intelligence, file filtering) are linked to the Global Secure Access baseline profile. The baseline profile applies at the tenant level to all forwarded agent traffic. Note: Conditional Access-linked profiles are not yet supported for agent traffic in the current preview. |
Secure Web and AI Gateway for Copilot Studio agents
Preview scope and current limits
Microsoft documents Secure Web and AI Gateway for Copilot Studio agents as a Global Secure Access (GSA) capability for forwarding Copilot Studio agent traffic from Power Platform environments or environment groups to GSA. In the current preview, agent network controls use the GSA baseline profile; Conditional Access-linked profiles, partner DLP integrations, Copilot Studio Bing search transactions, Dataverse and Azure SQL knowledge-source traffic, Copilot Studio LLM orchestration or result-enhancement requests, and some connectors or custom tools aren't supported. Review the Power Platform Secure Web and AI Gateway overview and the Microsoft Entra configuration guide before relying on this control for regulated workloads.
In plain terms, Secure Web and AI Gateway is the GSA feature that routes supported Copilot Studio agent egress through Microsoft's globally distributed proxy so agent HTTP, connector, and MCP traffic can be evaluated against tenant security policies. It extends the same style of web content filtering, threat intelligence filtering, network file filtering, and traffic logging used for users to supported agent-originated traffic, with implementation caveats for the preview limitations above.
MCP connector traffic governance
Microsoft's Copilot Studio documentation states that GSA forwarding applies to HTTP node traffic, tools-generated connectors, custom connectors, custom Model Context Protocol (MCP) servers, custom tools, and supported connectors. For Control 2.17 — Multi-Agent Orchestration Limits, treat Secure Web and AI Gateway as the network-policy layer for MCP and Bring Your Own MCP server (BYO MCP) traffic: approve the MCP server and tool surface under Control 2.17, then use GSA baseline-profile policies to evaluate the outbound MCP requests that leave the agent environment.
This supports governance of MCP traffic in three ways:
- Destination control: Web content filtering and explicit URL rules help restrict MCP calls to approved domains and categories, including approved internal APIs and sanctioned vendor MCP endpoints.
- Threat-intelligence screening: Threat intelligence filtering helps mitigate malicious or compromised MCP destinations by evaluating agent requests against Microsoft threat intelligence before the request is forwarded.
- File-transfer guardrails and logs: Network file filtering and GSA traffic logs help identify uploads, downloads, and blocked requests associated with an agent's schema name, supporting SIEM correlation per Control 3.9.
These controls do not replace MCP server approval, server-level authentication review, tool-level DLP/access controls, request/response telemetry, or the MCP monitoring patterns documented in Control 2.17. They provide an additional outbound network layer for supported MCP traffic.
Prompt-injection defense
Secure Web and AI Gateway should be positioned as defense-in-depth for prompt-injection scenarios, not as a complete prompt-injection solution. For supported Copilot Studio agent traffic, GSA helps mitigate prompt-injection-driven egress by constraining where induced tool calls can connect, screening destinations with threat intelligence, controlling file uploads and downloads, and logging blocked attempts for investigation. This can attenuate common classes of prompt-injection vectors, including direct instructions that try to force an agent to call an unauthorized HTTP endpoint, indirect instructions embedded in external content that try to exfiltrate data through a connector, and malicious MCP responses that try to redirect the agent to an unapproved destination.
Microsoft also documents Prompt Injection Protection in Global Secure Access for JSON-based generative AI applications routed through Internet Access traffic forwarding, TLS inspection, prompt policies, and security profiles. Use that capability as a complementary control for external GenAI endpoints that are within its supported scope. Do not assume it inspects Copilot Studio's internal LLM orchestration traffic: Microsoft's Secure Web and AI Gateway limitations state that Copilot Studio LLM orchestration and result-enhancement requests aren't supported by agent network controls, and Prompt Injection Protection currently supports text prompts for JSON-based GenAI apps with documented size and file limitations.
Tenant restriction policies
Universal tenant restrictions use Global Secure Access signaling to apply tenant restrictions v2 policy information to Microsoft Entra ID and Microsoft Graph traffic. Microsoft documents the configuration path as Microsoft Entra admin center > Global Secure Access > Settings > Session Management > Universal Tenant Restrictions, after tenant restrictions v2 policies are defined in cross-tenant access settings. See Turn on universal tenant restrictions and Set up tenant restrictions v2.
For agent governance, tenant restrictions are complementary to Secure Web and AI Gateway rather than a substitute for it. Tenant restrictions help reduce cross-tenant authentication and Microsoft Graph data-plane risk for managed devices and remote networks, while the Secure Web and AI Gateway agent forwarding toggle governs supported Copilot Studio agent egress such as HTTP, connector, custom connector, custom MCP server, and custom tool traffic. Document both policy sets in the change record so reviewers can distinguish tenant-boundary restrictions from agent outbound filtering.
Configuration pointers
At a high level, configure this capability in two administrative surfaces:
- In the Power Platform admin center, go to Security > Identity & access > Global Secure Access for Agents, select an environment or environment group, choose Set up, and enable Global Secure Access for Agents. Microsoft notes that existing Copilot Studio custom connectors must be edited and saved after enablement so their traffic routes through GSA.
- In the Microsoft Entra admin center, go to Global Secure Access > Secure to create web content filtering, threat intelligence, network file filtering, and—where applicable—prompt policies. For Copilot Studio agent traffic, link the relevant web, threat, and file policies to the Baseline profile because Conditional Access-linked security profiles aren't currently supported for agent traffic.
Cross-references
- Control 1.20 — Network Isolation and Private Connectivity: inbound network isolation remains the companion control for private endpoint, VNet, and IP-restriction scenarios.
- Control 2.17 — Multi-Agent Orchestration Limits: MCP approval, BYO MCP governance, and multi-agent orchestration monitoring remain the source controls for tool and delegation risk.
- Control 2.25 — Microsoft Agent 365 Admin Center Governance Console: Agent 365 governance console evidence should reflect whether GSA network visibility and related policy posture are configured for governed environments.
Key Configuration Points
Conditional Access Profile Limitation (Preview)
In the current preview, only the baseline profile is supported for agent traffic. Conditional Access-linked profiles — which would allow fine-grained per-agent or per-environment filtering based on Conditional Access policy conditions — are not yet available for Copilot Studio agent traffic. This means all agent environments in the same tenant share the same GSA baseline profile policies. Plan your policy scoping accordingly, and track the Microsoft roadmap for per-agent Conditional Access profile support.
Supported Traffic Types
The following agent traffic types are captured by GSA forwarding when enabled:
- HTTP node traffic (agents making direct HTTP calls in flows)
- Tools-generated connectors (connectors automatically created from tool definitions)
- Custom connectors (Power Platform custom connectors invoked by agents)
- Custom Model Context Protocol (MCP) servers (external MCP server connections)
- Custom tools (agent tool definitions that make external calls)
Traffic Not Captured
- Agent traffic to Microsoft 365 and Power Platform internal services (these do not traverse GSA by design)
- Traffic using non-HTTP protocols not yet covered by the preview forwarding scope
Policy Evaluation Flow
When an agent initiates a request to an external resource:
- GSA intercepts the request at the forwarding layer
- Threat intelligence check: request destination evaluated against Microsoft threat feeds — block if matched
- Web content filtering check: destination URL/domain evaluated against category and explicit URL policies — block if matched
- Network file filtering check: if a file transfer operation is detected, evaluated against file filtering policy — block if matched
- If all checks pass: request forwarded to destination
- Regardless of outcome: log entry written with agent metadata, destination, action, and policy match details
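A dry run of this evaluation order against the destinations agent developers declare in design documentation, as an added example (it is a simplified model, not Microsoft's implementation and not part of this framework's playbooks). All hostnames, categories, agent schema names and policy contents are constructed, and the rule that an allowlist entry exempts a host from default-deny only is an assumption of the model.

```python
from urllib.parse import urlsplit

# Constructed policy data for a dry run; nothing here comes from a real tenant.
POLICY = {
    "threat_intel_hosts": {"flagged.invalid"},
    "host_categories": {"paste.example.net": "data repositories",
                        "chat.example.org": "unapproved AI sites",
                        "rates.example.com": "finance"},
    "blocked_categories": {"data repositories", "unapproved AI sites", "gambling"},
    "allowlist": {"rates.example.com", "mcp.example.com"},
    "default_deny_uncategorized": True,  # Zone 3 recommendation in this control
    "approved_upload_hosts": {"mcp.example.com"},
}

# Constructed design-document declarations: (agent schema name, URL, transfer).
DECLARED = [
    ("cr1_tradeDesk", "https://rates.example.com/v1/fx", None),
    ("cr1_tradeDesk", "https://rates.example.com/v1/report", "upload"),
    ("cr1_claimsBot", "https://mcp.example.com/sse", "upload"),
    ("cr1_claimsBot", "https://chat.example.org/api", None),
    ("cr1_claimsBot", "https://new-vendor.example.net/hook", None),
]


def evaluate(agent, url, transfer=None, policy=POLICY):
    """Apply the checks in the documented order and return the log entry.

    Assumption of this model: an allowlist entry exempts a host from
    default-deny only, never from threat intelligence or category blocks.
    """
    host = (urlsplit(url).hostname or "").lower()
    category = policy["host_categories"].get(host)
    action, matched = "Allow", None
    if host in policy["threat_intel_hosts"]:
        action, matched = "Block", "threat-intelligence"
    elif category in policy["blocked_categories"]:
        action, matched = "Block", "web-content:" + category
    elif (category is None and policy["default_deny_uncategorized"]
          and host not in policy["allowlist"]):
        action, matched = "Block", "web-content:uncategorized"
    elif transfer == "upload" and host not in policy["approved_upload_hosts"]:
        action, matched = "Block", "file-filtering:upload"
    # A log entry is produced whether the request is allowed or blocked.
    return {"agent": agent, "destination": host, "action": action, "policy": matched}


def change_requests(declared, policy=POLICY):
    """Declared destinations that would be blocked and so need a policy decision."""
    entries = [evaluate(agent, url, transfer, policy) for agent, url, transfer in declared]
    return [e for e in entries if e["action"] == "Block"]


if __name__ == "__main__":
    for entry in change_requests(DECLARED):
        print(entry)
```

Running it before enabling forwarding lists the declared destinations that would need an allowlist or upload-destination change request under the planned policy.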
License Requirements
| Component | License Required |
|---|---|
| Global Secure Access for agents | Microsoft Entra Internet Access license, or Microsoft 365 E3/E5 with appropriate Entra add-on |
| Power Platform admin center toggle | Power Platform admin role (no additional license) |
| GSA traffic log access | Included with GSA license |
| Sentinel export (Control 3.9) | Microsoft Sentinel workspace (Log Analytics) |
Prerequisites Checklist
- Global Secure Access license provisioned for tenant
- Microsoft Entra admin center access (Entra Global Admin or Entra Security Admin)
- Power Platform Admin role for environment configuration
- Copilot Studio environments identified and classified by zone (Zone 1 / 2 / 3)
- Organizational web content filtering category policy defined and approved
- Network file filtering scope agreed with data protection and legal teams
Zone-Specific Requirements
| Requirement | Zone 1 — Personal | Zone 2 — Team | Zone 3 — Enterprise / Regulated |
|---|---|---|---|
| GSA Agent Traffic Forwarding | Optional — recommended when agents access external web sources | Mandatory for all environments with external connector usage | Mandatory for all agent environments without exception |
| Web Content Filtering Policy | Basic — block known malicious categories | Required — block high-risk categories (illegal software, gambling, social media, unapproved AI sites, data repositories) | Required — comprehensive category blocking plus explicit allowlist; default-deny model for uncategorized destinations recommended |
| Threat Intelligence Filtering | Recommended | Required | Required |
| Network File Filtering | Optional | Recommended — block upload to unauthorized file hosts | Required — full upload and download filtering per data protection standards; upload of files from regulated systems explicitly blocked to non-approved destinations |
| GSA Traffic Log Review | Ad hoc | Weekly review required; findings documented | Daily review required; blocked request review integrated into incident response workflow |
| Log Export to Sentinel | Not required | Recommended (see Control 3.9) | Required — GSA logs exported to Sentinel workspace; retention aligned to regulatory schedule |
| Blocked Request SLA | No formal SLA | Review false positives within 5 business days | Review false positives within 24 hours; escalate anomalous blocked requests as potential incidents |
| Configuration Documentation | Recommended | Required — documented as change record | Required — documented as ITGC evidence; included in FINRA/SEC examination package |
| Allowlist Management | Ad hoc | Formal approval required for additions | Change-controlled; Security team approval required; quarterly review of allowlist entries |
Roles & Responsibilities
| Role | Responsibilities |
|---|---|
| Power Platform Admin | Enable GSA forwarding toggle per environment in Power Platform admin center; coordinate environment classification with Security team; document GSA configuration state per change management procedure |
| Entra Security Admin | Create and maintain web content filtering policies, threat intelligence policy, and network file filtering policy in Entra admin center; link policies to GSA baseline profile; own policy content and category selections |
| AI Governance Team / CoE | Define approved and blocked external destination categories relevant to AI agent use cases; approve agent-specific allowlist additions; review GSA traffic log anomaly reports |
| CISO / Security Operations | Review GSA traffic log alerts and anomaly reports; own incident response for blocked traffic anomalies; sign off on GSA configuration as part of ITGC evidence package |
| Compliance / Legal | Validate that web content filtering and file filtering policies are consistent with data protection obligations, GLBA privacy requirements, and applicable state laws; advise on log retention schedule |
| Agent Developers | Declare all external destinations used by agents in design documentation; raise allowlist addition requests through formal change process; test agent functionality post-GSA enablement; report blocked legitimate traffic to the Power Platform Administrator |
| Internal Audit | Verify GSA forwarding is enabled for all in-scope environments; sample GSA traffic logs for completeness and agent metadata quality; include GSA controls in ITGC scope for SOX 302/404 assessments |
Related Controls
| Control ID | Title | Relationship |
|---|---|---|
| 1.20 | Network Isolation and Private Connectivity | Complementary — 1.20 governs inbound network controls (private endpoints, VNet, IP restrictions); 1.29 governs outbound filtering. Both required for complete Zero Trust network posture. |
| 1.4 | Advanced Connector Policies | Complementary — connector policies restrict which connectors agents may use (catalog-level control); GSA filtering applies independently to traffic from permitted connectors. Layered defense. |
| 1.5 | DLP and Sensitivity Labels | Complementary — DLP controls data in transit at the Power Platform layer; GSA network filtering provides the network-layer backstop if DLP classification is incomplete or data is transmitted through non-DLP-inspected paths. |
| 1.8 | Runtime Protection and External Threat Detection | Complementary — 1.8 provides runtime behavioral monitoring; 1.29 provides network-layer prevention. GSA blocked events should feed into 1.8 threat detection workflows. |
| 3.9 | Microsoft Sentinel Integration | Dependent — Zone 3 requires GSA traffic logs exported to Sentinel. 3.9 defines log schema, alert rules, and retention policy that consume GSA agent traffic log data. |
| 2.25 | Agent 365 Admin Center Governance Console | Informational — Agent 365 governance templates include Entra Network visibility cards. GSA configuration state should be reflected in the governance console environment health view. |
| 2.17 | Multi-Agent Orchestration Limits | Complementary — Control 2.17 governs MCP server approval, BYO MCP patterns, and multi-agent delegation controls; the Secure Web and AI Gateway subsection describes the outbound network layer for supported MCP connector traffic. |
| W365A | Windows 365 for Agents reference | Informational — Cloud PC execution for agents can generate outbound web traffic that should be evaluated against GSA egress policy and traffic-log review where enabled. |
Implementation Playbooks
| Playbook | Description | Audience |
|---|---|---|
| Portal Walkthrough | Step-by-step configuration of GSA agent forwarding in Power Platform admin center and all three filtering policy types in Entra admin center | Power Platform Admins, Security Admins |
| PowerShell Setup | Automate GSA forwarding enablement across multiple environments, query traffic logs for agent events, and export configuration state as audit evidence | Platform Engineers, Security Engineers |
| Verification Testing | Test procedures to confirm GSA forwarding is active, validate each filtering policy type is blocking correctly, and verify agent metadata appears in traffic logs | Security Engineers, QA, Internal Audit |
| Troubleshooting | Diagnosis and resolution for agent traffic not appearing in GSA logs, legitimate connectors incorrectly blocked, baseline profile propagation delays, and missing log metadata fields | Power Platform Admins, Security Operations |
Verification Criteria
- GSA agent traffic forwarding is confirmed enabled for all Zone 2 and Zone 3 Copilot Studio environments in Power Platform admin center; environment list is documented and reviewed quarterly.
- A web content filtering policy is created in Entra admin center with organization-approved category blocks and explicit URL rules, and the policy is linked to the Global Secure Access baseline profile.
- A threat intelligence filtering policy is active in Entra admin center and linked to the GSA baseline profile; policy is set to block (not audit-only) for Zone 2 and Zone 3 environments.
- A network file filtering policy is configured per organizational data protection standards, covering both upload and download scenarios, and is linked to the GSA baseline profile.
- GSA traffic logs show agent-specific metadata fields (confirming that agent-originated traffic is being forwarded through GSA and not bypassing the proxy).
- Weekly log review is completed and documented for Zone 2 environments; daily log review is completed and documented for Zone 3 environments; review records are retained per the regulatory records schedule.
- Blocked traffic events are reviewed within the applicable SLA (5 business days for Zone 2, 24 hours for Zone 3); false positives are remediated and re-tested; anomalous blocked requests are escalated as potential security incidents.
- GSA configuration (forwarding state, policy definitions, baseline profile link) is documented as IT general control evidence and included in the FINRA/SEC examination evidence package; configuration matches the documented security baseline.
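One way to check two of these criteria against an exported traffic log, as an added example (not part of this framework's playbooks or of any Microsoft tooling): it flags Zone 2 and Zone 3 environments with no agent-tagged traffic and blocked requests reviewed outside the 5-business-day or 24-hour SLA. The environment inventory, the records, and every field name (`environment`, `agent_schema_name`, `action`, `timestamp`, `reviewed_at`) are constructed or hypothetical and do not reflect the GSA log schema.

```python
from datetime import datetime, timedelta

# Constructed inventory: environment name -> governance zone (1, 2 or 3).
ENVIRONMENTS = {"personal-sandbox": 1, "team-claims": 2,
                "ent-trading": 3, "ent-kyc": 3}

# Constructed export rows with hypothetical field names. Timestamps are UTC;
# reviewed_at stays None until an analyst records the review.
SAMPLE_RECORDS = [
    {"id": "r1", "environment": "team-claims", "agent_schema_name": "cr1_claimsBot",
     "action": "Allow", "timestamp": "2026-06-05T15:00:00", "reviewed_at": None},
    {"id": "r2", "environment": "team-claims", "agent_schema_name": "cr1_claimsBot",
     "action": "Block", "timestamp": "2026-06-05T16:00:00", "reviewed_at": None},
    {"id": "r3", "environment": "ent-trading", "agent_schema_name": "cr1_tradeDesk",
     "action": "Block", "timestamp": "2026-06-08T08:00:00",
     "reviewed_at": "2026-06-09T09:30:00"},
    {"id": "r4", "environment": "ent-trading", "agent_schema_name": "cr1_tradeDesk",
     "action": "Block", "timestamp": "2026-06-09T10:00:00", "reviewed_at": None},
    {"id": "r5", "environment": "personal-sandbox", "agent_schema_name": "cr1_notes",
     "action": "Block", "timestamp": "2026-06-01T09:00:00", "reviewed_at": None},
]
NOW = datetime(2026, 6, 11, 12, 0)  # constructed "time of audit"


def add_business_days(start, days):
    """Advance by whole business days (Mon-Fri); public holidays are ignored."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def review_deadline(zone, blocked_at):
    """Deadline for reviewing a blocked request, or None where no SLA applies."""
    if zone == 3:
        return blocked_at + timedelta(hours=24)
    if zone == 2:
        return add_business_days(blocked_at, 5)
    return None


def audit(environments, records, now):
    """Return (finding, environment, record_id) tuples for both checks."""
    findings = []
    with_agent_traffic = {r["environment"] for r in records if r.get("agent_schema_name")}
    for env, zone in sorted(environments.items()):
        if zone >= 2 and env not in with_agent_traffic:
            findings.append(("NO_AGENT_TRAFFIC", env, None))
    for r in records:
        if r["action"] != "Block":
            continue
        zone = environments.get(r["environment"])
        if zone is None:  # traffic from an environment missing from the inventory
            findings.append(("UNCLASSIFIED_ENVIRONMENT", r["environment"], r["id"]))
            continue
        deadline = review_deadline(zone, datetime.fromisoformat(r["timestamp"]))
        if deadline is None:
            continue
        if r["reviewed_at"] is None:
            if now > deadline:
                findings.append(("REVIEW_OVERDUE", r["environment"], r["id"]))
        elif datetime.fromisoformat(r["reviewed_at"]) > deadline:
            findings.append(("REVIEWED_LATE", r["environment"], r["id"]))
    return findings


if __name__ == "__main__":
    for finding in audit(ENVIRONMENTS, SAMPLE_RECORDS, NOW):
        print(finding)
```

Record `r2` is not flagged: a Zone 2 block on a Friday afternoon is due the following Friday, because the weekend does not count toward the five business days.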
Additional Resources
- Microsoft Learn: Global Secure Access for agents in Copilot Studio (Preview)
- Microsoft Learn: Global Secure Access overview
- Microsoft Learn: Web content filtering in Global Secure Access
- Microsoft Learn: Threat intelligence filtering in Global Secure Access
- Microsoft Learn: Network content filtering in Global Secure Access
- Microsoft Learn: Global Secure Access traffic logs
- GLBA Safeguards Rule — FTC 16 CFR Part 314
- FINRA Rule 4511 — General Requirements
- OCC Bulletin 2026-13 — Technology Risk Management (formerly OCC Bulletin 2011-12)
- FSI-AgentGov Control 1.20 — Network Isolation and Private Connectivity
- FSI-AgentGov Control 3.9 — Microsoft Sentinel Integration
Updated: June 2026 | Version: v1.6.2 | UI Verification Status: Current