The Challenge: AI Agents Operating Without Security Guardrails

As organizations deploy AI agents to automate tasks previously handled by humans, a critical gap emerges: traditional network security controls don't apply to autonomous agents.

When Power Platform agents (Copilot Studio bots) interact with external services, knowledge bases, and APIs, you face significant risks:

  • Prompt injection attacks that manipulate agent behavior
  • Data leakage through unmonitored prompts and responses
  • Uncontrolled API usage leading to runaway costs
  • Malicious content generation bypassing content policies
  • Zero visibility into what agents are actually doing
  • Compliance violations when agents handle sensitive data

Unlike human users, who pass through identity verification and network security controls, agents often operate with broad permissions and minimal oversight. Microsoft's Secure Web and AI Gateway for Power Platform Agents (preview) addresses this by extending the enterprise network security controls you already apply to users to your autonomous AI agents.

What is Secure Web and AI Gateway?

Secure Web and AI Gateway is a component of Microsoft Entra Global Secure Access that acts as a security checkpoint between your Power Platform agents and external resources—including AI services, web APIs, databases, and cloud applications.

Architecture Overview

graph TD
    A[User Interaction] --> B[Copilot Studio Agent]
    B --> C["Global Secure Access<br/>Security Gateway"]
    C --> D{Policy Evaluation}
    D -->|Allowed| E[External Resources]
    D -->|Blocked| F[Access Denied]
    C --> G[Web Content Filtering]
    C --> H[Threat Intelligence]
    C --> I[File Filtering]
    C --> J[DLP Integration]

    style C fill:#e1f5ff,stroke:#0078d4,stroke-width:3px
    style D fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style F fill:#ffcccc,stroke:#d32f2f,stroke-width:2px
    style E fill:#c8e6c9,stroke:#388e3c,stroke-width:2px

Every request from your agents flows through Global Secure Access, where security policies are evaluated in real-time before allowing or blocking the connection.

How It Works: Real-Time Security Inspection

Step 1: Traffic Forwarding Configuration

In the Power Platform Admin Center, you enable Global Secure Access for specific environments or environment groups. Once enabled, outbound agent traffic of the following kinds is routed through Global Secure Access (subject to the connector-support and custom-connector caveats listed under Known Limitations below):

  • HTTP actions
  • Custom connectors
  • AI model calls (OpenAI, Azure OpenAI, etc.)
  • Tool-generated connectors
  • Model Context Protocol (MCP) servers

Traffic that does not pass through the gateway (for example, Copilot Studio's Bing search transactions) is not subject to these policies.

Step 2: Policy Evaluation

When an agent makes a request:

1. Request Interception: Global Secure Access receives the outbound request

2. Policy Check: Evaluates against configured security policies (baseline profile applies tenant-wide)

3. Decision: Allow, block, or log based on policy match

4. Response Handling: If allowed, forwards request to destination; if blocked, returns appropriate error

Step 3: Logging & Monitoring

Every agent interaction is logged with:

  • Agent schema name (unique identifier)
  • Request destination (URL, service)
  • Policy decision (allowed/blocked)
  • Timestamp and metadata
  • Security violations

Key Security Capabilities

1. Web Content Filtering

Control what external websites and services agents can access based on:

  • URL categories (social media, file sharing, gambling, etc.)
  • Specific URLs (allowlist/blocklist)
  • Risk levels (high-risk domains automatically blocked)

Example Scenario:

graph LR
    A[Agent Attempts Access] --> B{Web Content Filter}
    B -->|Category: Competitor Intel| C[BLOCKED]
    C --> D[Security Team Alerted]
    
    style B fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style C fill:#ffcccc,stroke:#d32f2f,stroke-width:2px

2. Threat Intelligence Filtering

Automatically block access to known malicious sites and services using Microsoft's threat intelligence feeds:

  • Phishing sites
  • Malware distribution servers
  • Command-and-control infrastructure
  • Compromised legitimate sites
  • Known exploit hosting domains

Example Scenario:

graph LR
    A[Agent Calls API] --> B{Threat Intelligence Check}
    B -->|Domain Flagged as Compromised| C[Request Blocked]
    C --> D[Incident Logged]
    
    style B fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style C fill:#ffcccc,stroke:#d32f2f,stroke-width:2px

3. Network File Filtering

Control file uploads and downloads to prevent:

  • Sensitive data exfiltration
  • Malware uploads to agent knowledge bases
  • Unauthorized document sharing

Example Scenario:

graph LR
    A[Agent Downloads .sql File] --> B{File Filter}
    B -->|.sql from External Source| C[BLOCKED]
    C --> D[Compliance Violation Logged]
    
    style B fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style C fill:#ffcccc,stroke:#d32f2f,stroke-width:2px

4. Data Loss Prevention (DLP) Integration

The gateway itself makes network-level decisions (destination, URL category, file type); it does not read prompt text. Content-level protection comes from Microsoft Purview DLP policies for Copilot Studio, which work alongside the gateway to:

  • Detect sensitive data in agent prompts and responses (PII, credentials, financial data)
  • Block, or where the policy supports it redact, prompts containing classified information
  • Prevent agents from inadvertently exposing sensitive data to external AI services

Example Scenario:

graph LR
    A["Agent Generates Prompt<br/>(Contains SSN)"] --> B{DLP Policy}
    B -->|SSN Pattern Detected| C[Prompt Redacted]
    C --> D[Safe Prompt Sent to AI]

    style B fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style C fill:#ffe082,stroke:#f9a825,stroke-width:2px
    style D fill:#c8e6c9,stroke:#388e3c,stroke-width:2px

Microsoft Purview Integration: Comprehensive Data Governance

Microsoft Purview supplies the data-layer controls that complement the gateway's network-layer controls:

Agent-Specific Risk Detections (from Purview)

  • Unauthorized Data Access via Agent: Detect when agents access data outside configured scope
  • Sensitive Data in Agent Responses: Identify when responses contain sensitive data
  • Compliance Violations by Agent: Flag agents violating data residency or processing requirements
  • Agent-to-Third-Party Data Transfer: Track when agents send data to external services

Combined Protection Model

graph TD
    A[Power Platform Agent] --> B["Microsoft Purview<br/>Data Layer"]
    B --> C{Data Classification}
    C --> D[Access Control]
    D --> E["Global Secure Access<br/>Network Layer"]
    E --> F{Policy Evaluation}
    F -->|Web Filtering| G[External AI Service]
    F -->|Threat Block| H[Access Denied]
    B --> I[Audit Data Usage]
    B --> J[Detect Violations]
    E --> K[Filter Content]
    E --> L[Control File Transfers]
    E --> M[Log All Traffic]

    style B fill:#e1bee7,stroke:#8e24aa,stroke-width:2px
    style E fill:#e1f5ff,stroke:#0078d4,stroke-width:2px
    style H fill:#ffcccc,stroke:#d32f2f,stroke-width:2px
    style G fill:#c8e6c9,stroke:#388e3c,stroke-width:2px

This dual-layer approach ensures protection at both the data level (what information agents can access) and network level (where agents can send that information).

Configuration: Step-by-Step Setup

Prerequisites

Before configuring Secure Web and AI Gateway:

Admin Roles Required:

  • Global Secure Access Administrator (to manage GSA features)
  • Power Platform Administrator (to manage Copilot Studio environments)

Environment Requirements:

  • Power Platform environment with Dataverse
  • Copilot Studio license (Copilot Studio is the renamed Power Virtual Agents)

Important Constraint:

  • After enabling GSA for agents, you must create new or update existing custom connectors for them to route through Global Secure Access

Step 1: Enable Global Secure Access for Agents

Environment-Level Configuration:

1. Sign in to Power Platform Admin Center

2. Navigate to Security > Identity & Access

3. Select Global Secure Access for Agents

4. Choose your environment and click Set up

5. Toggle Enable Global Secure Access for Agents to On

6. Click Save

Environment Group-Level Configuration:

1. Navigate to Security > Identity & Access > Global Secure Access for Agents

2. Select Environment groups tab

3. Choose environment group and click Set up

4. Toggle Enable Global Secure Access for Agents to On

5. Click Save

Step 2: Configure Security Policies in Global Secure Access Portal

Once traffic forwarding is enabled, configure security controls:

1. Navigate to Microsoft Entra admin center

2. Go to Global Secure Access > Security profiles > Baseline profile

3. Configure policies. The settings below are illustrative; exact option names may differ in the portal during the preview:

Web Content Filtering:

Block Categories:
- High Risk
- Malware
- Phishing
- Adult Content
- Illegal Activity

Allow Specific URLs:
- trusted-api.company.com
- approved-ai-service.azure.com

Threat Intelligence Filtering:

Enforcement Level: High
Block Known Malicious Sites: Enabled
Log All Blocked Attempts: Enabled

Network File Filtering:

Block File Types: .exe, .dll, .ps1, .bat
Allow File Types: .json, .xml, .txt
Max Upload Size: 10 MB
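The example profile above only makes sense once you know how its rules interact: the baseline profile evaluates policies in priority order and the first match decides, so an allow rule placed below a category block never fires. The following added example (not Microsoft code and not the real Global Secure Access engine) models that first-match evaluation over the rules in the configuration above. The first-match semantics, the default-allow for unmatched traffic, and the host-to-category table are assumptions; `newvendor-api.example` is a constructed extra host used to show the shadowing problem.

```python
"""Priority-ordered policy evaluation, modelled on the example profile above.

Added illustration: not Microsoft code and not the real Global Secure Access
engine. Assumptions: rules are checked in priority order and the first match
decides; a request that matches nothing is allowed (the permissive starting
point recommended later in the article). The host categories below are a
constructed stand-in for the gateway's URL categorisation service.
"""
import posixpath
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    fqdns: FrozenSet[str] = frozenset()           # exact-host allow/block list
    categories: FrozenSet[str] = frozenset()      # URL categories
    file_types: FrozenSet[str] = frozenset()      # file extensions such as ".exe"

    def matches(self, host: str, category: str, ext: str) -> bool:
        return host in self.fqdns or category in self.categories or ext in self.file_types


# Constructed categorisation table (assumption: one category per host).
CATEGORY_OF_HOST = {
    "trusted-api.company.com": "Business",
    "approved-ai-service.azure.com": "AI Services",
    "newvendor-api.example": "High Risk",   # constructed: young domain with no reputation yet
}


def categorise(host: str) -> str:
    return CATEGORY_OF_HOST.get(host, "Uncategorized")


def evaluate(url: str, profile: List[Rule]) -> Tuple[str, str]:
    """Return (action, rule_name) for the first matching rule, or ("allow", "default")."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    ext = posixpath.splitext(parsed.path)[1].lower()
    category = categorise(host)
    for rule in profile:
        if rule.matches(host, category, ext):
            return rule.action, rule.name
    return "allow", "default"


# Rules built from the example configuration in Step 2 (plus the constructed host).
BLOCK_FILE_TYPES = Rule("block-executable-files", "block",
                        file_types=frozenset({".exe", ".dll", ".ps1", ".bat"}))
ALLOW_APPROVED = Rule("allow-approved-fqdns", "allow",
                      fqdns=frozenset({"trusted-api.company.com",
                                       "approved-ai-service.azure.com",
                                       "newvendor-api.example"}))
BLOCK_CATEGORIES = Rule("block-risky-categories", "block",
                        categories=frozenset({"High Risk", "Malware", "Phishing",
                                              "Adult Content", "Illegal Activity"}))

# Recommended ordering: file-type block first (applies even to approved hosts),
# explicit allows next (survive a bad reputation score), category block last.
GOOD_PROFILE = [BLOCK_FILE_TYPES, ALLOW_APPROVED, BLOCK_CATEGORIES]

# Misordered profile: the category block sits above the allow rule and shadows it,
# and the allow rule sits above the file-type block and disables it for approved hosts.
SHADOWED_PROFILE = [BLOCK_CATEGORIES, ALLOW_APPROVED, BLOCK_FILE_TYPES]


if __name__ == "__main__":
    for url in (
        "https://approved-ai-service.azure.com/openai/deployments/chat",
        "https://newvendor-api.example/v1/ingest",
        "https://trusted-api.company.com/tools/agent.exe",
        "https://unknown-host.example/data.json",
    ):
        print(f"{url:62} good={evaluate(url, GOOD_PROFILE)} "
              f"shadowed={evaluate(url, SHADOWED_PROFILE)}")
```

Run it and compare the two columns: the approved AI endpoint is allowed under both orderings, but the newly approved vendor host is blocked by the category rule when that rule outranks the allow, and an `.exe` fetched from an approved host slips through when the allow outranks the file-type block. Whatever the real engine's precedence turns out to be in your tenant, test each allowlisted host against the profile before relying on it.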

Step 3: Update Custom Connectors

Critical Step: Existing custom connectors won't automatically route through GSA. For each custom connector:

1. Open the connector in Power Apps or Power Automate

2. Update the connector configuration

3. Test connectivity through GSA

4. Deploy updated connector

Known Limitations & Considerations

Current Limitations (Preview)

Agent Identification: Traffic logs show the agent's `schema name` rather than its friendly display name (a user experience improvement is planned)

Block Experience: Blocked agents receive:

  • `502 Bad Gateway` for HTTP Actions
  • `403 Forbidden` for connectors
  • (Improved error messages coming in future releases)

Baseline Profile Only: Currently, security policies apply tenant-wide via baseline profile (no per-agent or per-environment granularity)

No Third-Party DLP: GSA partner ecosystem integrations (third-party DLP solutions) aren''t supported

Bing Search Not Supported: Copilot Studio Bing search network transactions don''t route through GSA

Limited Connector Support: Only specific connectors support GSA (see supported connectors list below)

Supported Connectors

Microsoft Connectors:

  • Microsoft Teams, OneDrive for Business, SharePoint
  • Microsoft Dataverse, Power Apps, Power Automate
  • Office 365 Outlook, Office 365 Groups
  • Microsoft Forms, Planner, To-Do
  • Power BI, Project Online
  • Azure services (Data Factory, Log Analytics, Table Storage, AI Foundry)
  • Microsoft Defender ATP
  • Microsoft Copilot Studio

Third-Party Connectors:

  • Slack, Jira
  • Google Drive
  • Databricks
  • Smartsheet
  • Amazon S3
  • Box MCP Server
  • Blackbaud (Altru, RENXT, SKY Add-ins)
  • iAuditor, Impower ERP
  • Partner Center Referrals
  • Luware Nimbus

Note: As this is a preview feature, connector support will expand. Check Microsoft's connector reference for updates.

Important Constraints

⚠️ Connector Recreation: After enabling GSA, you must create new or update existing custom connectors; they won't automatically route through the gateway.

⚠️ Latency Impact: Security inspection adds processing time to each agent request (typically milliseconds, but can impact real-time scenarios).

⚠️ Tenant-Wide Policies: Baseline profile applies to all agents in the tenant—no per-agent policy customization currently available.

⚠️ Preview Limitations: As a preview feature, functionality may change, and it's not recommended for production-critical scenarios without testing.

Real-World Protection Scenarios

Scenario 1: Preventing Prompt Injection

Without Secure AI Gateway:

graph LR
    A["Malicious Input:<br/>Ignore all instructions"] --> B[Agent Processes]
    B --> C["Sent to OpenAI<br/>No Inspection"]
    C --> D["Potential<br/>Information Disclosure"]

    style D fill:#ffcccc,stroke:#d32f2f,stroke-width:2px

With Secure AI Gateway + Purview (the detection in this flow is Purview's; the gateway does not parse prompt text, but it limits where a hijacked agent can send data, which is what makes the combination effective):

graph LR
    A["Malicious Input:<br/>Ignore all instructions"] --> B{Purview DLP}
    B -->|Injection Pattern Detected| C[Request Blocked]
    C --> D[Security Team Alerted]
    D --> E["User: Request Violates<br/>Security Policy"]

    style B fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style C fill:#ffcccc,stroke:#d32f2f,stroke-width:2px
    style E fill:#c8e6c9,stroke:#388e3c,stroke-width:2px

Scenario 2: Blocking Data Exfiltration

Without Secure AI Gateway:

graph LR
    A[Compromised Agent] --> B[Uploads customer.db]
    B --> C[No Network Inspection]
    C --> D[Sensitive Data Leaves Org]
    D --> E[Compliance Violation]
    
    style D fill:#ffcccc,stroke:#d32f2f,stroke-width:2px
    style E fill:#ffcccc,stroke:#d32f2f,stroke-width:2px

With Secure AI Gateway:

graph LR
    A[Compromised Agent] --> B["Uploads customer.db<br/>to suspicious-site.com"]
    B --> C{GSA Threat Intelligence}
    C -->|Domain Flagged as Malicious| D[Upload Blocked]
    D --> E[Traffic Logged]
    E --> F[Incident Response Triggered]

    style C fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style D fill:#ffcccc,stroke:#d32f2f,stroke-width:2px
    style F fill:#c8e6c9,stroke:#388e3c,stroke-width:2px

Scenario 3: Enforcing Compliance Boundaries

Without Secure AI Gateway:

graph LR
    A["HR Agent:<br/>EU Employee Data"] --> B[Calls US-based AI Service]
    B --> C["GDPR Violation:<br/>EU Data Processed in US"]
    C --> D[Regulatory Penalties]

    style C fill:#ffcccc,stroke:#d32f2f,stroke-width:2px
    style D fill:#ffcccc,stroke:#d32f2f,stroke-width:2px

With Secure AI Gateway + Purview (the gateway blocks the US-bound call; pointing the agent at an EU-region endpoint is an agent configuration change, not something the gateway performs):

graph LR
    A["HR Agent:<br/>EU Employee Data"] --> B{Purview Classification}
    B -->|EU Personal Data| C{GSA Policy Check}
    C -->|US Service Request| D[Request Blocked]
    D --> E[Agent Reconfigured to EU-Region AI Endpoint]
    E --> F[GDPR Compliance Maintained]

    style B fill:#e1bee7,stroke:#8e24aa,stroke-width:2px
    style C fill:#fff4ce,stroke:#f9a825,stroke-width:2px
    style D fill:#ffcccc,stroke:#d32f2f,stroke-width:2px
    style F fill:#c8e6c9,stroke:#388e3c,stroke-width:2px

Benefits: Why Enterprises Need This

Security Parity with Users: Apply the same security controls to agents as you do to human users

Visibility & Auditing: Complete logs of agent network activity for compliance and investigations

Threat Prevention: Automatically block access to malicious sites and services

Data Loss Prevention: Prevent sensitive data from leaving your organization through agent actions

Cost Control: Traffic logging exposes unexpected or runaway API usage early; pair it with quotas on the target APIs, since allow/block policies are not a rate limiter

Compliance Support: Enforcement points and audit evidence that help meet regulatory requirements (GDPR, HIPAA, SOC 2) for agent data handling

Centralized Management: Single control plane for all agent security policies

Best Practices

1. Start Permissive, Then Tighten

Begin with allow policies and review the traffic logs to understand agent behavior before introducing blocks. This prevents breaking legitimate agent workflows, and the logs give you the destination inventory from which the allowlist in the next practice is built.

2. Use Allowlists for Known Services

If your agents regularly call specific trusted APIs (e.g., company-approved AI services), explicitly allowlist them to avoid false positives.

3. Combine with Purview DLP

For comprehensive protection, use both Global Secure Access (network layer) and Purview DLP (data layer). This provides defense in depth.

4. Monitor Agent Schema Names

Since logs show schema names (not friendly names), maintain a mapping document for security teams to quickly identify which agent triggered an alert.
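Step 3 (Logging & Monitoring) lists what each log record carries, and this practice asks for a schema-name mapping; the added example below (not Microsoft code) shows the triage a security team would run over such an export: join each record to the mapping, count blocked destinations per agent, surface allowed destinations that were never reviewed, and flag schema names the mapping does not know. The export format and its field names (`agent_schema_name`, `destination_fqdn`, `action`, `policy_name`, `traffic_type`) are assumptions; adapt the keys to the columns of your real export. The log lines, the mapping and the baseline set are constructed.

```python
"""Triage of gateway traffic logs keyed by agent schema name.

Added illustration, not Microsoft code. The JSON-lines export format and its
field names are assumptions; the log lines, the schema-name mapping and the
reviewed-destination baseline are constructed for the example.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed mapping from Dataverse schema name to the name the security team uses.
AGENT_NAMES: Dict[str, str] = {
    "cr1a2_hrAssistant": "HR Assistant",
    "cr1a2_supportBot": "Support Bot",
}

# Destinations already reviewed during the allow-and-observe phase (constructed).
BASELINE_DESTINATIONS: Set[str] = {"approved-ai-service.azure.com", "trusted-api.company.com"}

# Constructed JSON-lines export covering a few minutes of agent traffic.
SAMPLE_LOG = """\
{"timestamp": "2025-01-15T10:01:02Z", "agent_schema_name": "cr1a2_hrAssistant", "destination_fqdn": "approved-ai-service.azure.com", "action": "allow", "policy_name": "allow-approved-fqdns", "traffic_type": "http_action"}
{"timestamp": "2025-01-15T10:01:09Z", "agent_schema_name": "cr1a2_hrAssistant", "destination_fqdn": "paste-site.example", "action": "block", "policy_name": "block-risky-categories", "traffic_type": "http_action"}
{"timestamp": "2025-01-15T10:02:30Z", "agent_schema_name": "cr1a2_supportBot", "destination_fqdn": "trusted-api.company.com", "action": "allow", "policy_name": "allow-approved-fqdns", "traffic_type": "custom_connector"}
{"timestamp": "2025-01-15T10:03:11Z", "agent_schema_name": "cr1a2_hrAssistant", "destination_fqdn": "paste-site.example", "action": "block", "policy_name": "block-risky-categories", "traffic_type": "http_action"}
{"timestamp": "2025-01-15T10:04:45Z", "agent_schema_name": "cr9z9_unknownAgent", "destination_fqdn": "newvendor-api.example", "action": "allow", "policy_name": "default", "traffic_type": "custom_connector"}
"""


def parse_logs(text: str) -> List[dict]:
    """One JSON object per non-empty line; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def display_name(schema_name: str, names: Dict[str, str] = AGENT_NAMES) -> str:
    # Unmapped names are surfaced loudly rather than silently passed through.
    return names.get(schema_name, f"UNMAPPED:{schema_name}")


def blocked_by_agent(events: List[dict], names: Dict[str, str] = AGENT_NAMES) -> Dict[str, Dict[str, int]]:
    """Blocked destinations per agent: {display name: {fqdn: count}}."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.get("action") == "block":
            counts[display_name(e["agent_schema_name"], names)][e["destination_fqdn"]] += 1
    return {agent: dict(c) for agent, c in counts.items()}


def new_allowed_destinations(events: List[dict], baseline: Set[str] = BASELINE_DESTINATIONS) -> Dict[str, List[str]]:
    """Allowed destinations absent from the reviewed baseline, per agent schema name."""
    seen: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.get("action") == "allow" and e["destination_fqdn"] not in baseline:
            seen[e["agent_schema_name"]].add(e["destination_fqdn"])
    return {agent: sorted(d) for agent, d in seen.items()}


def unmapped_agents(events: List[dict], names: Dict[str, str] = AGENT_NAMES) -> List[str]:
    """Schema names with no friendly-name entry: the mapping document needs updating."""
    return sorted({e["agent_schema_name"] for e in events if e["agent_schema_name"] not in names})


def triage(text: str = SAMPLE_LOG) -> dict:
    events = parse_logs(text)
    return {
        "blocked": blocked_by_agent(events),
        "new_destinations": new_allowed_destinations(events),
        "unmapped_agents": unmapped_agents(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On the constructed sample the report attributes both blocks to "HR Assistant" rather than to `cr1a2_hrAssistant`, flags `newvendor-api.example` as an allowed destination nobody has reviewed, and lists `cr9z9_unknownAgent` as a schema name missing from the mapping. The last two findings are the ones worth an alert: an agent you cannot name, talking to a host you never approved, is exactly what the allow-and-observe phase is meant to catch before blocks are turned on.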

5. Plan for Connector Updates

Budget time to update custom connectors after enabling GSA—this is not automatic and requires manual reconfiguration.

6. Test Thoroughly Before Production

Agent behavior can change subtly when routing through GSA due to latency or policy enforcement. Test all critical agent workflows in a pilot environment first.

7. Establish Incident Response Procedures

Define what happens when an agent triggers a security violation:

  • Who gets notified?
  • How quickly should the agent be disabled?
  • What investigation steps are required?

The Future of Agent Security

As AI agents become more autonomous and handle increasingly sensitive tasks, security controls like Secure Web and AI Gateway will shift from "nice to have" to essential enterprise infrastructure.

Microsoft's approach, extending proven user security controls to agents via Global Secure Access, gives security teams a familiar model while addressing risks unique to autonomous AI.

Combined with Microsoft Purview's agent-specific data security capabilities, organizations gain comprehensive protection across both the network and data layers.

Why This Matters

🔐 Agents need security controls just like users - Autonomous AI should not operate without oversight

🌐 Global Secure Access extends to agents - Same web filtering, threat protection, and network controls

📊 Visibility is critical - Complete logging of agent network activity enables compliance and investigation

🛡️ Defense in depth matters - Combine GSA (network layer) with Purview (data layer) for comprehensive protection

⚠️ Plan for preview limitations - Baseline profile only, limited connectors, manual connector updates required

🚀 Start now with pilot - Test in non-production environment, refine policies, then roll out to production

Resources

Ready to secure your AI agents? Start by enabling Global Secure Access in a test environment, understand your agent traffic patterns, then progressively roll out security controls. Your security team will gain the visibility and control they need, while your agents continue delivering business value—safely.

The era of unsecured autonomous AI is over. Enterprise-grade agent security starts here.
