Configure Prompt Shield for AI Traffic Inspection
Implementation Effort: Medium – Requires configuring prompt policies, conversation schemes for target LLMs, linking policies to security profiles, and creating a Conditional Access policy to scope enforcement.
User Impact: Medium – Users interacting with AI services through protected traffic paths may have prompts blocked if they match injection patterns, requiring awareness of what Prompt Shield does and how to escalate false positives.
Overview
Prompt injection is one of the most significant attack vectors against AI workloads. A threat actor crafts input that manipulates an LLM into ignoring its system instructions, exfiltrating data embedded in the context window, or executing unintended actions through tool calls. Because LLMs process natural language, the boundary between legitimate user input and adversarial manipulation is inherently ambiguous — traditional input validation cannot address this class of attack. Prompt Shield, delivered through Microsoft Entra Internet Access, provides inline detection of prompt injection attempts by inspecting traffic between users and LLM endpoints at the network layer before malicious prompts reach the model.
Adopting Prompt Shield is a single deployment motion that encompasses several configuration steps. The administrator creates a prompt policy that defines which traffic to inspect, configures conversation schemes that tell the inspection engine how to identify prompt and response boundaries for known LLM platforms like Azure OpenAI, OpenAI, and Anthropic, links the prompt policy to a Global Secure Access security profile so it is evaluated against matching traffic, and creates a Conditional Access policy to scope prompt protection to the appropriate users and conditions. These steps are tightly coupled — a prompt policy without conversation schemes has nothing to parse, a policy not linked to a security profile is never evaluated, and a policy without Conditional Access scoping applies to no one.
This supports Assume breach by adding a defense layer that operates independently of the AI application itself — even if an application's own prompt filtering is bypassed or absent, the network-layer inspection catches injection attempts before they reach the model. It supports Verify explicitly by inspecting the actual content of prompts against known injection patterns rather than relying on the application to self-police its inputs. If Prompt Shield is not configured, the organization depends entirely on each individual AI application's built-in safety mechanisms, which vary widely in effectiveness across first-party, third-party, and custom LLM deployments — leaving a gap that threat actors can exploit with publicly documented injection techniques.