Link filtering policies to baseline profile for agent traffic
Implementation Effort: Low – Requires linking existing web content filtering policies to the baseline security profile in the Microsoft Entra admin center; a few clicks per policy.
User Impact: Medium – All agent and remote network traffic becomes subject to the linked filtering policies; improperly scoped policies could block legitimate agent connections.
Overview
Web content filtering policies exist, but they do not enforce anything until they are linked to a security profile. For Copilot Studio agent traffic, there is a specific constraint: security profiles linked to Conditional Access policies are not currently supported. This means the baseline profile is the only enforcement mechanism available for agent traffic. If filtering policies are not linked to the baseline profile, agent traffic flows through Global Secure Access without any filtering applied, and the organization has visibility without enforcement — it can see what agents access but cannot block anything.
The baseline profile applies at the lowest priority in the policy stack and governs all Internet Access traffic routed through the service, including remote network traffic. Linking AI-specific filtering policies — web content filtering rules targeting generative AI categories, threat intelligence filtering, and network file filtering — to this profile ensures those policies apply to every Copilot Studio agent's outbound traffic without requiring per-agent conditional access configuration. This is the step that activates enforcement for the filtering policies created in the previous web content filtering configuration task.
This supports Assume breach by ensuring that even if an agent is compromised, its outbound traffic is filtered and blocked from reaching malicious or unsanctioned destinations. It supports Verify explicitly by applying tenant-wide policy evaluation to all agent network requests, ensuring that no agent traffic is implicitly trusted regardless of its origin. Without linking policies to the baseline profile, the organization has created filtering rules that sit unused — agent traffic passes through Global Secure Access unfiltered, and the security controls exist in configuration but not in practice.