Configure data loss prevention for Azure AI services

Azure AI services data loss prevention capabilities allow customers to configure the list of outbound URLs their Azure AI services resources are allowed to access. This creates another level of control for customers to prevent data loss. In this article, we'll cover the steps required to enable the data loss prevention feature for Azure AI services resources.

Prerequisites

Before you make a request, you need an Azure account and an Azure AI services subscription. If you already have an account, go ahead and skip to the next section. If you don't have an account, we have a guide to get you set up in minutes: Create an Azure AI services multi-service resource.

Enabling data loss prevention

There are two parts to enable data loss prevention. First, the resource property restrictOutboundNetworkAccess must be set to true. When this is set to true, you also need to provide the list of approved URLs. The list of URLs is added to the allowedFqdnList property. The allowedFqdnList property contains an array of comma-separated URLs.

Note

• The allowedFqdnList property value supports a maximum of 1000 URLs.
• The property supports both IP addresses (IPv4 only) and fully qualified domain names (i.e., www.microsoft.com) as values.
• It can take up to 15 minutes for the updated list to take effect.

Azure CLI

1. Install the Azure CLI and sign in, or select Try it.

2. View the details of the Azure AI services resource.

   az cognitiveservices account show \
       -g "myresourcegroup" -n "myaccount" \
   

3. View the current properties of the Azure AI services resource.

   az rest -m get \
       -u /subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.CognitiveServices/accounts/{account name}?api-version=2021-04-30 \
   

4. Configure the restrictOutboundNetworkAccess property and update the allowed FqdnList with the approved URLs

   az rest -m patch \
       -u /subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.CognitiveServices/accounts/{account name}?api-version=2021-04-30 \
       -b '{"properties": { "restrictOutboundNetworkAccess": true, "allowedFqdnList": [ "microsoft.com" ] }}'
   

PowerShell

1. Install the Azure PowerShell and sign in, or select Try it.

2. Display the current properties for Azure AI services resource.

   $getParams = @{
       ResourceGroupName = 'myresourcegroup'
       ResourceProviderName = 'Microsoft.CognitiveServices'
       ResourceType = 'accounts'
       Name = 'myaccount'
       ApiVersion = '2021-04-30'
       Method = 'GET'
   }
   Invoke-AzRestMethod @getParams
   

3. Configure the restrictOutboundNetworkAccess property and update the allowed FqdnList with the approved URLs

   $patchParams = @{
       ResourceGroupName = 'myresourcegroup'
       ResourceProviderName = 'Microsoft.CognitiveServices'
       ResourceType = 'accounts'
       Name = 'myaccount'
       ApiVersion = '2021-04-30'
       Payload = '{"properties": { "restrictOutboundNetworkAccess": true, "allowedFqdnList": [ "microsoft.com" ] }}'
       Method = 'PATCH'
   }
   Invoke-AzRestMethod @patchParams
   

Supported services

The following services support data loss prevention configuration:

• Azure OpenAI
• Azure AI Vision
• Content Moderator
• Custom Vision
• Face
• Document Intelligence
• Speech Service
• QnA Maker

Next steps

• Configure Virtual Networks