
Control 2.15: Network Security and Private Connectivity

Control ID: 2.15 Pillar: Security & Protection Regulatory Reference: NYDFS Part 500, FFIEC Last Verified: 2026-02-17 Governance Levels: Baseline / Recommended / Regulated


Objective

Evaluate and implement network-level security controls for Microsoft 365 Copilot traffic, including connectivity options, network location-based access controls, and traffic inspection capabilities. Copilot is a cloud-native service that processes data within Microsoft's infrastructure, so financial institutions must understand the network paths involved, apply appropriate network security controls, and determine whether a private or Microsoft-managed path (ExpressRoute for Microsoft 365, or Microsoft's Global Secure Access) provides a material security benefit for their Copilot deployment. Azure Private Link does not apply here: it is offered for Azure PaaS resources, not for Microsoft 365 SaaS endpoints.


Why This Matters for FSI

  • NYDFS Part 500 (Section 500.02) requires a cybersecurity program that protects information systems and nonpublic information — network security controls for AI service access are part of this program
  • NYDFS Part 500 (Section 500.12) requires multi-factor authentication for accessing internal networks from external networks — network-level controls supplement authentication for Copilot access
  • FFIEC IT Examination Handbook (Information Security) expects network security controls including firewalls, intrusion detection, and network segmentation — examiners will evaluate network controls for AI service traffic
  • FFIEC IT Examination Handbook (Architecture) expects secure network architecture for cloud services — Copilot's network path should be documented and controlled
  • OCC Bulletin 2001-47 expects banks to evaluate network security for outsourced services — Copilot traffic paths to Microsoft cloud infrastructure should be assessed
  • PCI DSS (if applicable) requires network segmentation and secure transmission — Copilot traffic from cardholder data environments needs specific attention

Control Description

Microsoft 365 Copilot operates as a cloud service within Microsoft's infrastructure. Network security for Copilot involves controlling how traffic flows between the organization's network and Microsoft's cloud services, and applying appropriate security controls at network boundaries.

Copilot Network Traffic Flow

User Device                    Corporate Network              Microsoft Cloud
┌──────────┐                  ┌────────────────┐            ┌──────────────────┐
│          │    Corporate     │                │   Internet │                  │
│ Copilot  │    Network       │  Firewall/     │   or       │  M365 Service    │
│ Client   │ ──────────────→  │  Proxy/SASE    │ ─────────→ │  Endpoints       │
│          │                  │                │   Express- │                  │
│          │    or Direct     │  Network       │   Route    │  ├─ Copilot API  │
│          │    Internet      │  Controls      │            │  ├─ Graph API    │
│          │                  │                │            │  ├─ Auth (Entra) │
│          │ ──────────────→  │                │            │  └─ Bing (if web │
└──────────┘    (remote)      └────────────────┘            │     search on)   │
                                                            └──────────────────┘

Network Security Control Options

| Control              | Description                                                        | Copilot Relevance                                                                                                                                 | Complexity |
|----------------------|--------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| Firewall rules       | Allow/block traffic to M365 endpoints                              | Control which M365 endpoints are reachable                                                                                                        | Low        |
| Web proxy/CASB       | Inspect and filter HTTPS traffic                                   | Limited: Microsoft's connectivity guidance excludes Optimize and Allow category endpoints from TLS break-and-inspect, and some client flows fail behind interception | Medium |
| SASE/SSE             | Secure Access Service Edge for cloud traffic                       | Network-level access control for Copilot                                                                                                          | Medium     |
| Global Secure Access | Microsoft's SASE solution (Entra Internet Access + Private Access) | Native integration with Entra Conditional Access for network-aware policies                                                                       | Medium     |
| Azure Private Link   | Private connectivity to Azure PaaS resources                       | Not offered for M365 SaaS endpoints; the only private path to M365 is ExpressRoute for Microsoft 365, available on request and not recommended by Microsoft for general use | High |
| VPN                  | Tunnel remote traffic through the corporate network                | Route Copilot traffic through corporate controls                                                                                                  | Low-Medium |
| Split tunneling      | Route M365 traffic directly to the internet                        | Improves performance but reduces network inspection                                                                                               | Medium     |
| DNS-based controls   | Control resolution of M365 endpoints                               | Basic traffic steering for Copilot services                                                                                                       | Low        |

Microsoft 365 Network Endpoints for Copilot

| Endpoint Category | URLs/IPs                                                                                                        | Purpose                         | Required                   |
|-------------------|-----------------------------------------------------------------------------------------------------------------|---------------------------------|----------------------------|
| M365 Common       | *.microsoft.com, *.office.com, *.office365.com                                                                  | Core M365 service endpoints     | Yes                        |
| Authentication    | login.microsoftonline.com, *.msftauth.net                                                                       | Entra ID authentication         | Yes                        |
| Copilot-specific  | Listed in Microsoft's Microsoft 365 Copilot network requirements; there is no separate Copilot serviceArea in the endpoint feed | Copilot API and processing | Yes                   |
| Graph API         | graph.microsoft.com                                                                                             | Microsoft Graph for data access | Yes                        |
| Bing              | *.bing.com                                                                                                      | Web search grounding            | Only if web search enabled |
| CDN               | *.akamaized.net, *.msecnd.net                                                                                   | Content delivery                | Yes                        |
| Telemetry         | *.data.microsoft.com                                                                                            | Service telemetry               | Recommended                |

Global Secure Access for Copilot

Microsoft Entra Global Secure Access (GSA) provides a Microsoft-native SASE solution that integrates with Conditional Access:

| GSA Component                 | Copilot Application                                                          | Benefit                                         |
|-------------------------------|------------------------------------------------------------------------------|-------------------------------------------------|
| Entra Internet Access         | Secure internet-bound M365 traffic via the Microsoft traffic forwarding profile | Network-aware Conditional Access for Copilot |
| Entra Private Access          | Private connectivity to on-premises resources                                | Not directly applicable to Copilot              |
| Compliant network check       | Conditional Access condition: the request arrived through GSA                | Restrict Copilot to traffic through GSA         |
| Traffic forwarding            | Route M365 traffic through GSA                                               | Unified policy enforcement for all M365 traffic |
| Universal tenant restrictions | Prevent sign-in to unauthorized tenants                                      | Block Copilot use on non-corporate tenants      |

Network Security Decision Matrix

| Scenario                           | Recommended Approach                              | Rationale                                         |
|------------------------------------|---------------------------------------------------|---------------------------------------------------|
| All users on corporate network     | Firewall rules + proxy + CA location policies     | Traditional network perimeter adequate            |
| Hybrid workforce (office + remote) | VPN or Global Secure Access + CA policies         | Need consistent controls for remote and office    |
| Fully remote workforce             | Global Secure Access + CA device compliance       | No corporate network to anchor controls           |
| Branch offices with local internet | Split tunneling + Global Secure Access            | Performance + security balance                    |
| Trading floors                     | Dedicated network segment + strict firewall       | Highest network security for MNPI environments    |

Copilot Surface Coverage

| M365 Application           | Network Controls Apply | Private Connectivity               | Global Secure Access | Notes                        |
|----------------------------|------------------------|------------------------------------|----------------------|------------------------------|
| Microsoft 365 Copilot Chat | Yes                    | Via the M365 path only (see note)  | Yes                  | Web-based and desktop client |
| Word                       | Yes                    | Via the M365 path only (see note)  | Yes                  | Desktop and web client       |
| Excel                      | Yes                    | Via the M365 path only (see note)  | Yes                  | Desktop and web client       |
| PowerPoint                 | Yes                    | Via the M365 path only (see note)  | Yes                  | Desktop and web client       |
| Outlook                    | Yes                    | Via the M365 path only (see note)  | Yes                  | Desktop and web client       |
| Teams                      | Yes                    | Via the M365 path only (see note)  | Yes                  | Desktop and web client       |
| OneNote                    | Yes                    | Via the M365 path only (see note)  | Yes                  | Desktop and web client       |
| Loop                       | Yes                    | Via the M365 path only (see note)  | Yes                  | Web-based client             |
| Copilot Pages              | Yes                    | Via the M365 path only (see note)  | Yes                  | Web-based client             |
| SharePoint (Agents)        | Yes                    | Via the M365 path only (see note)  | Yes                  | Web-based access             |

Note: Copilot traffic follows the network path of the underlying M365 services. Azure Private Link is not offered for Microsoft 365 SaaS endpoints, so "private connectivity" here means ExpressRoute for Microsoft 365, which Microsoft makes available on request.

Governance Levels

Baseline
  • Document M365/Copilot network endpoints in firewall allow lists
  • Verify TLS 1.2 or higher for all Copilot traffic
  • Block Bing endpoints if web search is disabled
  • Configure Conditional Access with named (IP-based) locations
  • Exclude M365 Optimize and Allow category endpoints from TLS break-and-inspect proxies, per Microsoft's connectivity guidance
  Rationale: establishes basic network awareness and control; sufficient for firms with well-managed corporate networks

Recommended
  • Implement Global Secure Access (Entra Internet Access) for M365 traffic
  • Enable the compliant network check in Conditional Access
  • Configure universal tenant restrictions to prevent data exfiltration to unauthorized tenants
  • Segment high-sensitivity environments (trading floors) at the network level
  • Review network security for Copilot endpoints quarterly
  Rationale: enhanced network controls with Microsoft-native SASE; suitable for firms with hybrid workforces needing consistent network-level controls

Regulated
  All Recommended requirements plus:
  • Private connectivity for M365 where Microsoft supports it (ExpressRoute for Microsoft 365, on request); Azure Private Link is not offered for M365 SaaS endpoints
  • Dedicated network path for Copilot traffic from the highest-sensitivity segments
  • Network traffic logging and analysis for Copilot endpoints
  • Annual network penetration testing covering Copilot access paths
  • Network architecture documentation included in examination packages
  • Incident response procedures for network-level Copilot security events
  Rationale: maximum network security with a private path where one is supported; designed for firms operating in the most restrictive network security environments

Setup & Configuration

Step 1: Document Network Endpoints

  1. Download the current M365 network endpoints list from Microsoft
  2. Identify Copilot-specific endpoints
  3. Document in the firm's firewall management system
  4. Track endpoint changes using the feed's version and changes endpoints

# Download the current M365 endpoint list (worldwide instance)
$clientRequestId = [guid]::NewGuid()
$endpoints = Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$clientRequestId"

# Copilot has no serviceArea of its own in this feed; it rides on Common, Exchange,
# SharePoint and Skype (the Skype area is the one that covers Microsoft Teams)
$copilotEndpoints = $endpoints | Where-Object {
  $_.serviceArea -in @("Common", "Exchange", "SharePoint", "Skype")
}

# Keep the fields the firewall team acts on (category drives the bypass and split-tunnel decisions)
$copilotEndpoints |
  Select-Object id, serviceArea, category, required, urls, ips, tcpPorts, udpPorts, expressRoute, notes |
  ConvertTo-Json -Depth 4 |
  Out-File "M365-Copilot-Endpoints.json"

# Record the feed version; later runs can query /changes/worldwide/<version> for deltas
$version = Invoke-RestMethod -Uri "https://endpoints.office.com/version/worldwide?clientrequestid=$clientRequestId"
$version.latest | Out-File "M365-Endpoints-Version.txt"

Step 2: Configure Firewall Rules

  1. Allow traffic to all required M365 endpoints for Copilot functionality
  2. Block Bing endpoints (*.bing.com) if web search is disabled (see Control 2.6)
  3. Exclude Optimize and Allow category endpoints from TLS break-and-inspect proxies, following Microsoft's connectivity guidance (interception adds latency and breaks some M365 client flows)
  4. Consider split tunneling for M365 "Optimize" category endpoints, and optionally "Allow" endpoints
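The following is an added example, not code from the original control page: it turns endpoint-feed entries of the shape downloaded in Step 1 into the firewall allow/block lists, the TLS-inspection bypass list and the split-tunnel list that Step 2 asks for. The `$sampleFeed` entries are constructed to mirror the feed's fields (ids and address ranges are illustrative), so the script runs offline; in practice pass the objects produced by Step 1.

```powershell
# Added example, not part of the original control page. $sampleFeed is CONSTRUCTED to
# mirror the endpoint feed's fields; replace it with the output of Step 1.
$sampleFeed = @(
  [pscustomobject]@{ id = 1; serviceArea = "Exchange";   category = "Optimize"; required = $true;  urls = @("outlook.office.com", "outlook.office365.com"); ips = @("40.96.0.0/13");    expressRoute = $true  }
  [pscustomobject]@{ id = 2; serviceArea = "SharePoint"; category = "Optimize"; required = $true;  urls = @("*.sharepoint.com");                           ips = @("13.107.136.0/22"); expressRoute = $true  }
  [pscustomobject]@{ id = 3; serviceArea = "Common";     category = "Allow";    required = $true;  urls = @("login.microsoftonline.com", "*.msftauth.net"); ips = @("20.190.128.0/18"); expressRoute = $true  }
  [pscustomobject]@{ id = 4; serviceArea = "Common";     category = "Default";  required = $true;  urls = @("graph.microsoft.com");                        ips = @();                  expressRoute = $false }
  [pscustomobject]@{ id = 5; serviceArea = "Common";     category = "Default";  required = $false; urls = @("*.bing.com");                                 ips = @();                  expressRoute = $false }
)

function ConvertTo-CopilotNetworkPolicy {
  param(
    [Parameter(Mandatory)] [object[]] $Endpoints,
    [bool] $WebSearchEnabled = $false   # mirror the Control 2.6 web-search setting
  )
  $policy = [ordered]@{
    FirewallAllowUrls    = [System.Collections.Generic.List[string]]::new()
    FirewallAllowIps     = [System.Collections.Generic.List[string]]::new()
    FirewallBlockUrls    = [System.Collections.Generic.List[string]]::new()
    TlsInspectionBypass  = [System.Collections.Generic.List[string]]::new()   # Optimize + Allow, per Microsoft guidance
    SplitTunnelDirect    = [System.Collections.Generic.List[string]]::new()   # Optimize only: bulk traffic exits locally
    ExpressRouteEligible = [System.Collections.Generic.List[string]]::new()   # flagged by the feed; relevant to the Regulated level
  }
  foreach ($entry in $Endpoints) {
    foreach ($url in @($entry.urls | Where-Object { $_ })) {
      # Bing grounding endpoints stay blocked unless web search is enabled
      if ($url -like "*bing.com" -and -not $WebSearchEnabled) { $policy.FirewallBlockUrls.Add($url); continue }
      $policy.FirewallAllowUrls.Add($url)
      if ($entry.category -in @("Optimize", "Allow")) { $policy.TlsInspectionBypass.Add($url) }
      if ($entry.category -eq "Optimize")             { $policy.SplitTunnelDirect.Add($url) }
      if ($entry.expressRoute)                         { $policy.ExpressRouteEligible.Add($url) }
    }
    foreach ($ip in @($entry.ips | Where-Object { $_ })) { $policy.FirewallAllowIps.Add($ip) }
  }
  return $policy
}

$policy = ConvertTo-CopilotNetworkPolicy -Endpoints $sampleFeed -WebSearchEnabled $false
foreach ($list in $policy.GetEnumerator()) { "{0,-21} {1}" -f $list.Key, ($list.Value -join ", ") }
```

With web search disabled, `*.bing.com` lands in `FirewallBlockUrls` and nowhere else; `graph.microsoft.com` is allowed but, being a Default category endpoint, stays subject to proxy inspection and VPN routing, while the Optimize entries appear in both the bypass and split-tunnel lists. Feed the lists to the firewall and proxy management system rather than hand-maintaining them, and rerun after every feed version change.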

Step 3: Configure Global Secure Access (Recommended level)

Portal: Microsoft Entra Admin Center > Global Secure Access

  1. Enable Entra Internet Access
  2. Enable the Microsoft traffic forwarding profile (formerly the Microsoft 365 profile) so that M365 traffic, including Copilot, is routed through GSA
  3. Deploy the Global Secure Access client to managed devices
  4. Configure Conditional Access with the "Compliant network" location condition

Step 4: Configure Conditional Access Network Location

Portal: Microsoft Entra Admin Center > Protection > Conditional Access > Named locations

  1. Define corporate network IP ranges as trusted named locations
  2. Create CA policy requiring Copilot access from named locations or compliant network
  3. For remote users: require either VPN connection or GSA client
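As an added example (not the page's own configuration), the following Microsoft Graph PowerShell creates the trusted named location from Step 4 and a report-only Conditional Access policy that blocks the Office 365 app group unless the request comes from that location or through the Global Secure Access compliant network set up in Step 3. Assumptions: the Microsoft.Graph PowerShell SDK is installed, the signed-in admin holds Policy.ReadWrite.ConditionalAccess, the CIDRs are RFC 5737 placeholders, the break-glass group id is a placeholder, and targeting the Office 365 app group is the example's way of covering the M365 services Copilot calls; confirm the app targeting against Microsoft's current Copilot Conditional Access guidance for the tenant.

```powershell
# Added example, not part of the original control page. Placeholders: CIDRs and group id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" | Out-Null

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access accounts group

# Trusted corporate egress ranges (placeholders from RFC 5737 documentation space)
$corpLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
  "@odata.type" = "#microsoft.graph.ipNamedLocation"
  displayName   = "Corporate egress - offices"
  isTrusted     = $true
  ipRanges      = @(
    @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" }
  )
}

# The compliant-network location exists only once Global Secure Access is enabled (Step 3)
$compliantNetwork = Get-MgIdentityConditionalAccessNamedLocation -All |
  Where-Object { $_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.compliantNetworkNamedLocation" }

$excludedLocations = @($corpLocation.Id)
if ($compliantNetwork) { $excludedLocations += $compliantNetwork.Id }
else { Write-Warning "No compliant-network location found; enable Global Secure Access before enforcing this policy" }

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
  displayName = "Copilot: block outside corporate network or GSA compliant network"
  state       = "enabledForReportingButNotEnforced"   # review sign-in logs in report-only mode before setting "enabled"
  conditions  = @{
    users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    applications = @{ includeApplications = @("Office365") }
    locations    = @{ includeLocations = @("All"); excludeLocations = $excludedLocations }
  }
  grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
"Created policy $($policy.DisplayName) ($($policy.Id)) in report-only mode"
```

The policy is created in report-only mode on purpose: the sign-in logs will show which users would have been blocked (remote staff without the GSA client, VPN egress ranges missing from the named location) before the block is enforced. Remote users then satisfy the policy either by connecting over a VPN whose egress is in the named location or by running the GSA client, which is exactly the split Step 4 describes.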

Step 5: Configure Universal Tenant Restrictions

Portal: Microsoft Entra Admin Center > External Identities > Cross-tenant access settings (tenant restrictions v2 policy); enforcement is enabled under Global Secure Access > Settings > Session management > Tenant restrictions

  1. Enable tenant restrictions v2
  2. Configure to allow access only to the corporate M365 tenant
  3. Block Copilot access on unauthorized tenants (prevents data exfiltration to personal tenants)

Step 6: Network Monitoring

  1. Configure network logging for M365 endpoints
  2. Monitor for unexpected traffic patterns to Copilot-related endpoints
  3. Set up alerts for traffic from unauthorized network segments to M365
  4. Include Copilot network traffic in the firm's SOC monitoring scope
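The following is an added example (not the page's own tooling) of the detection logic Step 6 calls for, run over constructed firewall log lines: it flags M365-bound traffic from segments not authorized for Copilot, any Bing traffic while web search is disabled, and non-443 connections to M365 endpoints. The `ts=... src=... dst=...` export format, the endpoint patterns, the segment ranges and the log lines are all constructed for the example; adjust the regex to the firewall or proxy actually in use.

```powershell
# Added example, not part of the original control page. Log format, patterns and ranges are CONSTRUCTED.
function ConvertTo-IPv4UInt32([string] $Ip) {
  $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
  return [uint32](([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3])
}

function Test-IPv4InCidr([string] $Ip, [string] $Cidr) {
  $network, $prefix = $Cidr.Split('/')
  $mask = if ([int]$prefix -eq 0) { [uint64]0 } else { (([uint64]0xFFFFFFFF) -shl (32 - [int]$prefix)) -band [uint64]0xFFFFFFFF }
  return ((ConvertTo-IPv4UInt32 $Ip) -band $mask) -eq ((ConvertTo-IPv4UInt32 $network) -band $mask)
}

function Find-CopilotNetworkAnomaly {
  param(
    [Parameter(Mandatory)] [string[]] $LogLines,
    [string[]] $M365Patterns,          # wildcard patterns taken from the Step 1 export
    [string[]] $AuthorizedSegments,    # CIDRs from which Copilot use is permitted
    [bool] $WebSearchEnabled = $false
  )
  foreach ($line in $LogLines) {
    # Constructed key=value export format; adapt the regex to the firewall/proxy in use
    if ($line -notmatch '^ts=(?<ts>\S+)\s+src=(?<src>[\d.]+)\s+dst=(?<dst>[^:\s]+):(?<port>\d+)\s+action=(?<action>\w+)') { continue }
    $ts = $Matches.ts; $src = $Matches.src; $dst = $Matches.dst; $port = $Matches.port; $action = $Matches.action

    $isM365 = [bool]($M365Patterns | Where-Object { $dst -like $_ })
    if (-not $isM365) { continue }   # generic internet traffic is out of scope for this rule
    $srcAuthorized = [bool]($AuthorizedSegments | Where-Object { Test-IPv4InCidr $src $_ })

    $reasons = @()
    if (-not $srcAuthorized)                                { $reasons += "M365 traffic from a segment not authorized for Copilot" }
    if ($dst -like "*bing.com" -and -not $WebSearchEnabled) { $reasons += "Bing reached while web search is disabled (Control 2.6)" }
    if ($port -ne "443")                                    { $reasons += "non-443 port to an M365 endpoint" }
    if ($reasons.Count -gt 0) {
      [pscustomobject]@{ Time = $ts; Source = $src; Destination = $dst; Action = $action; Reasons = ($reasons -join "; ") }
    }
  }
}

# CONSTRUCTED sample: 10.20.0.0/16 is the general user segment, 10.99.0.0/16 the trading floor
$sampleLogs = @(
  "ts=2026-02-17T09:14:02Z src=10.20.30.41 dst=outlook.office.com:443 action=allow"
  "ts=2026-02-17T09:14:05Z src=10.20.30.41 dst=graph.microsoft.com:443 action=allow"
  "ts=2026-02-17T09:15:11Z src=10.99.1.7 dst=contoso.sharepoint.com:443 action=allow"
  "ts=2026-02-17T09:16:40Z src=10.20.31.9 dst=www.bing.com:443 action=allow"
  "ts=2026-02-17T09:17:03Z src=10.20.30.41 dst=example.com:443 action=allow"
)
$m365Patterns = @("*.office.com", "*.office365.com", "*.microsoft.com", "*.sharepoint.com", "login.microsoftonline.com", "*.msftauth.net", "*.bing.com")

Find-CopilotNetworkAnomaly -LogLines $sampleLogs -M365Patterns $m365Patterns -AuthorizedSegments @("10.20.0.0/16") -WebSearchEnabled $false |
  Format-Table -AutoSize
```

On the sample, two lines are reported: the SharePoint connection from the trading-floor segment and the Bing connection while web search is off; the allowed Outlook and Graph traffic and the unrelated `example.com` line are silent. In production the same logic runs as a scheduled query in the SIEM over the firewall or GSA traffic logs, with the authorized segments and the Bing toggle sourced from the firm's configuration management rather than hard-coded.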

Financial Sector Considerations

  • Trading Floor Networks: Trading environments often have the strictest network security requirements. Copilot traffic from trading floor networks should be routed through dedicated firewall rules with enhanced logging. Consider whether Copilot should be accessible from trading floor networks at all.
  • Branch Office Connectivity: Financial firms with distributed branch networks may use local internet breakout for M365 traffic (split tunneling). This improves Copilot performance but reduces corporate network visibility. Global Secure Access provides a middle ground — allowing direct internet routing while maintaining policy enforcement.
  • SSL Inspection Considerations: Many financial firms use TLS inspection proxies for security monitoring. Microsoft's connectivity guidance is to exclude Optimize and Allow category M365 endpoints from break-and-inspect: interception adds latency to traffic that is already authenticated and encrypted end to end, and some M365 client flows fail behind an intercepting proxy. Follow Microsoft's published bypass list for these categories and keep inspection for Default category traffic where the firm requires it.
  • VPN Tunnel Capacity: If requiring VPN for remote Copilot access, verify that VPN infrastructure has sufficient capacity for the additional traffic. Copilot's AI processing generates relatively modest network traffic, but many concurrent users can accumulate.
  • Private Connectivity Cost-Benefit: Azure Private Link is not offered for Microsoft 365 SaaS endpoints. The only private path Microsoft supports is ExpressRoute for Microsoft 365, which is available on request, adds cost and routing complexity, and which Microsoft does not recommend for general use. Evaluate whether a private path materially reduces risk given that Copilot traffic is already TLS-encrypted and bound to an Entra identity; for most FSI firms, Conditional Access plus GSA provides comparable assurance at lower complexity.
  • Tenant Restrictions for Data Exfiltration: Universal tenant restrictions help prevent users from signing into personal or unauthorized M365 tenants and using Copilot there. This is a meaningful data exfiltration control — a user could potentially copy data to a personal tenant and use Copilot to process it outside corporate controls.
  • Examination Documentation: Network architecture documents should include Copilot traffic paths, security controls applied, and monitoring capabilities. FFIEC examiners will evaluate whether AI service traffic is adequately controlled.

Verification Criteria

  1. Endpoint Documentation: Verify that M365/Copilot network endpoints are documented in the firewall management system and are current
  2. Firewall Rules: Confirm firewall rules allow required M365 traffic and block unnecessary endpoints (e.g., Bing if web search disabled)
  3. TLS Verification: Confirm that all Copilot traffic uses TLS 1.2 or higher — test from representative network locations
  4. Location-Based CA: Access Copilot from outside named locations — verify Conditional Access blocks or requires additional authentication
  5. GSA Deployment (if applicable): Verify Global Secure Access client is deployed to managed devices and M365 traffic is routed through GSA
  6. Tenant Restrictions: Attempt to sign into a personal M365 tenant from a managed device — verify access is blocked or restricted
  7. SSL Inspection Bypass: Verify that M365 Optimize and Allow category endpoints are excluded from TLS inspection proxy processing, and that the certificate presented to clients on these connections is Microsoft's rather than the proxy's
  8. Network Segmentation: For trading floor environments, verify that Copilot traffic is appropriately segmented and logged
  9. Network Monitoring: Confirm that Copilot-related network traffic is included in SOC monitoring scope
  10. Documentation: Verify that network architecture documentation includes Copilot traffic paths and is included in examination readiness materials
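Verification items 3 and 7 can be tested from a representative network location with the following added example (not the page's own tooling): it records the TLS version negotiated with each M365 endpoint and the issuer of the certificate presented, so that a downgrade or an intercepting proxy shows up in the result. Assumptions: Microsoft's M365 server certificates chain to issuers whose names contain "Microsoft" or "DigiCert" (adjust the patterns, or pin expected thumbprints, to the firm's own observations), and the `$intercepted` object is a constructed probe result used to exercise the check offline.

```powershell
# Added example, not part of the original control page.
function Invoke-M365TlsProbe {
  param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443, [int] $TimeoutMs = 5000)
  $client = [System.Net.Sockets.TcpClient]::new()
  $ssl = $null
  try {
    if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) { throw "Connect timeout to $HostName" }
    # Accept any chain here so an interception CA is reported instead of aborting the handshake
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    [pscustomobject]@{
      Host = $HostName; Protocol = $ssl.SslProtocol.ToString()
      Issuer = $cert.Issuer; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
    }
  }
  finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
  }
}

function Test-M365TlsResult {
  param([Parameter(Mandatory)] $Probe, [string[]] $ExpectedIssuerPatterns = @("*Microsoft*", "*DigiCert*"))
  $issues = @()
  # SslProtocols names: Tls = 1.0, Tls11 = 1.1; only Tls12 and Tls13 satisfy the control
  if ($Probe.Protocol -notin @("Tls12", "Tls13")) { $issues += "negotiated $($Probe.Protocol); TLS 1.2+ required" }
  $issuerOk = [bool]($ExpectedIssuerPatterns | Where-Object { $Probe.Issuer -like $_ })
  if (-not $issuerOk) { $issues += "certificate issued by '$($Probe.Issuer)': TLS is being intercepted or the host is redirected" }
  [pscustomobject]@{ Host = $Probe.Host; Pass = ($issues.Count -eq 0); Issues = ($issues -join "; ") }
}

# Offline check against a CONSTRUCTED probe result that mimics a break-and-inspect proxy
$intercepted = [pscustomobject]@{
  Host = "graph.microsoft.com"; Protocol = "Tls12"
  Issuer = "CN=Corp TLS Inspection CA, O=Example Bank"; Subject = "CN=graph.microsoft.com"; Thumbprint = "0000"
}
Test-M365TlsResult -Probe $intercepted   # Pass = False; Issues names the interception CA

# Live check from a representative network location (Verification 3 and 7)
"login.microsoftonline.com", "outlook.office.com", "graph.microsoft.com" | ForEach-Object {
  Test-M365TlsResult -Probe (Invoke-M365TlsProbe -HostName $_)
} | Format-Table -AutoSize
```

Run the live check from each network segment in scope (office, VPN, GSA client, trading floor) and keep the output with the verification evidence: a `Pass` of `False` on a bypassed endpoint means the proxy exception is missing, and a negotiated protocol below TLS 1.2 means a middlebox is downgrading the connection, since Microsoft's endpoints themselves do not offer older versions.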

Additional Resources