Data loss prevention example - Block HTTP requests in copilots

Important

Power Virtual Agents capabilities and features are now part of Microsoft Copilot Studio following significant investments in generative AI and enhanced integrations across Microsoft Copilot.

Some articles and screenshots may refer to Power Virtual Agents while we update documentation and training content.

Copilot makers in your organization can make HTTP requests with the Send HTTP request node or by extending Classic chatbots with Bot Framework Composer.

You can use data loss prevention policies to prevent copilot makers from configuring HTTP requests to help prevent data exfiltration.

See the Configure data loss prevention for Microsoft Copilot Studio copilots topic for information about other DLP-related connectors.

Configure DLP to block HTTP requests in the Power Platform admin center

Select or create a policy

1. In the Power Platform admin center, under Policies, select Data policies.

2. Create a new policy, or choose an existing policy to edit:

   1. If you want to create a new policy, select New policy.

   2. If you want to choose an existing policy to edit, select the policy and select Edit policy.

3. Enter a name for the policy then select Next. You can change the name later.

Choose an environment

1. Choose one or more environments to add to your policy.

2. Select + Add to policy.

3. Select Next.

Add the connector

1. Use the search box to find the HTTP connector.

   

2. Select the connector's More actions menu (⋮), and then select Block.

   

3. If admins want to allow or deny specific HTTP endpoints, they can use DLP connector endpoint filtering instead of blocking all HTTP calls.

4. Select Next.

5. Review your policy, then select Update policy to apply the DLP changes.

   

Confirm policy enforcement

Web App

You can confirm that this connector is being used in the DLP policy from the Microsoft Copilot Studio.

First, open your copilot from the environment where the DLP policy is applied. Go to the authoring canvas, create a new topic, add a Send HTTP request node (minimally populating the URL property) and then Save your Topic.

If the policy is enforced, you'll see an error banner with a Details button. On the Channels page, expand error link and select the Download button to see details.

In the details file, a row will appear describing the violation. A violation will occur if the HTTP connector is blocked, if the HTTP connector is in a different data group than other connectors in your DLP policy, or if the HTTP policy is not blocked but an endpoint is denied.

Classic

You can confirm that this connector is being used in the DLP policy from the Microsoft Copilot Studio (classic) web app.

First, open your copilot from the environment where the DLP policy is applied. Go to the authoring canvas, and open (or create) a topic that includes a custom Bot Framework Trigger that uses an HTTP request.

If the policy is enforced, you'll see an error in the Topic checker that says DLP policies are blocking HTTP requests for the affected node. The error is titled "HTTP requests blocked" and includes a message advising you to remove the HTTP request or contact an admin.