Protect enterprise generative AI applications with Prompt Shield (Preview)
Implementation Effort: Medium
User Impact: High
Overview
In a Zero Trust security model, organizations must assume that all inputs—including prompts sent to generative AI applications—are potentially malicious and require continuous validation. Prompt injection attacks represent a critical threat to enterprise AI systems, where bad actors craft adversarial inputs to manipulate large language models (LLMs) into ignoring instructions, exposing sensitive data, performing unintended actions, or generating harmful content.
Prompt Shield, part of Microsoft's AI Gateway within the Security Service Edge (SSE) solution, provides real-time network-level protection against prompt injection attacks and jailbreak attempts—one of the top security risks for LLMs identified by OWASP. By enforcing guardrails at the network edge through Global Secure Access, Prompt Shield ensures consistent security across all generative AI applications without requiring code changes, while maintaining a strong Zero Trust posture that validates every AI interaction before it reaches the language model.
Implementation steps:
- Enable Internet Access traffic forwarding profile and configure user assignments
- Configure TLS inspection settings and policies (prerequisite for inspecting encrypted AI traffic)
- Install and configure Global Secure Access client on user devices
- Create prompt policies in Microsoft Entra admin center with Block action for malicious prompts
- Configure conversation schemes (target LLMs) with preconfigured models or custom JSON-based extractors (URL + JSON path)
- Link prompt policy to security profile (new or existing)
- Create Conditional Access policy targeting "All internet resources with Global Secure Access" and assign security profile
- Test policy enforcement by attempting prompt injections against protected AI applications
- Monitor enforcement through traffic logs and security alerts
Important considerations:
- TLS inspection is required as a prerequisite—prompts carried in encrypted HTTPS traffic cannot be scanned without TLS termination
- Currently supports only text prompts (no file attachments)
- Supports only generative AI apps that send prompts in a JSON request body (apps that send prompts URL-encoded, such as Gemini, are not supported)
- Prompts limited to 10,000 characters (longer prompts are truncated)
- Rate limits apply when scanning requests for specified conversation schemes—exceeded limits result in blocked requests
- For custom LLMs, specify exact URL and JSON path for each conversation scheme to optimize performance
- Prompt Shield uses Azure AI Content Safety jailbreak detection capabilities
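As an added illustration, not Microsoft's implementation or code from this page, the following Python models what a custom JSON-based conversation scheme does once TLS inspection has exposed the request: match the request URL, pull the prompt out of the JSON body at the configured JSON path, and apply the documented constraints (JSON bodies only, text prompts only, truncation at 10,000 characters). The scheme name, host, path and JSON path are constructed placeholder values.

```python
import json
import re
from urllib.parse import urlsplit

MAX_PROMPT_CHARS = 10_000  # documented limit: longer prompts are truncated

# Hypothetical conversation scheme for a custom LLM: the exact URL the app posts
# to, plus the JSON path of the prompt field inside the request body.
SCHEMES = [
    {"name": "example-chat",
     "url": "https://llm.example.internal/v1/chat",
     "json_path": "messages[-1].content"},
]

# Minimal JSON-path walker: dotted object keys and [index] list lookups.
TOKEN = re.compile(r"([^.\[\]]+)|\[(-?\d+)\]")

def resolve_json_path(doc, path):
    """Return the value at `path` in `doc`, or None if any step is missing."""
    node = doc
    for key, idx in TOKEN.findall(path):
        if key:
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        else:
            if not isinstance(node, list):
                return None
            try:
                node = node[int(idx)]
            except IndexError:
                return None
    return node

def extract_prompt(url, content_type, body):
    """Return (scheme_name, prompt_text) or (None, reason) for a request."""
    parts = urlsplit(url)
    # Match on scheme, host and path; the query string is ignored.
    scheme = next((s for s in SCHEMES if urlsplit(s["url"])[:3] == parts[:3]), None)
    if scheme is None:
        return None, "no-matching-scheme"        # traffic to other hosts is not scanned
    if "application/json" not in content_type.lower():
        return None, "unsupported-encoding"      # URL-encoded bodies are out of scope
    try:
        doc = json.loads(body)
    except ValueError:
        return None, "invalid-json"
    value = resolve_json_path(doc, scheme["json_path"])
    if not isinstance(value, str):
        return None, "prompt-not-text"           # only text prompts are supported
    return scheme["name"], value[:MAX_PROMPT_CHARS]

# Constructed sample request body in a chat-completions style layout.
SAMPLE_BODY = json.dumps({"messages": [
    {"role": "system", "content": "You are a helpful assistant."},
    {"role": "user", "content": "Summarize the quarterly report."}]})
```

The extracted text is what the policy engine would then classify; requests that return a reason other than a scheme name are simply not inspected by the prompt policy.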