Control image rendering and embedded URLs

Copilot Studio gives administrators control over how images and embedded URLs appear in agent responses. With the ability to allow images and URLs, you can:

  • Decide whether images and clickable links are shown to users.
  • Limit image and link sources to trusted domains only.
  • Help protect users from untrusted or potentially harmful content.

Malicious actors can exploit rendered images and embedded URLs in Copilot Studio to exfiltrate sensitive data. To mitigate this risk, organizations can choose to disable image rendering and clickable links to prevent attacks and protect users from untrusted or potentially harmful content. Controlling image rendering and embedded URLs enables you to align Copilot Studio with your organization’s security and compliance needs, ensuring agent responses remain safe and trustworthy.

How to configure

You can enable or disable image and URL rendering in Copilot Studio through the following entry points:

  • Security hub: In the Power Platform Admin Center, navigate to Security > Threat detection > Showing images and URLs. Select Allow images and URLs or Block all images and other URLs to enable or disable image and URL rendering for a specific environment or environment group.

    Showing images and URLs setting within Security hub in Power Platform Admin Center.

  • Environment groups: In Power Platform Admin Center, navigate to Manage > Environment groups > Rules > Showing images and URLs.

    Add rules to desired group within Manage hub in Power Platform Admin Center.

    Select Allow images and URLs or Block all images and other URLs to enable or disable image and URL rendering for a specific environment or environment group.

User experience when image rendering and embedded URLs are turned off

When the Allow images and URLs setting is turned off, any images or clickable links in agent responses are automatically blocked. Where an image or URL is blocked, you instead see a brief message indicating that content is restricted by your organization's policy. This setting ensures clarity and consistency across all channels, and helps protect you from untrusted or potentially harmful content in agent responses. Contact your organization administrator if you think certain content shouldn't be blocked.

Message received when an image generated from an agent is blocked by organization's restrictions.
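
The allow/block behavior described above, sketched as an added example for teams that post-process agent output in their own channel or test harness. This is not Microsoft's implementation and not part of the original page; the allowlisted domain `contoso.example`, the notice text, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed values for illustration; not Copilot Studio settings or output.
TRUSTED_DOMAINS = {"contoso.example"}
BLOCKED_NOTICE = "[Content restricted by your organization's policy]"

# One pass over the text: Markdown image/link targets first, then bare URLs.
_REF = re.compile(
    r"!?\[[^\]]*\]\(\s*<?(?P<md>[^)\s>]+)>?[^)]*\)"
    r"|(?P<bare>https?://[^\s<>)\]]+)",
    re.IGNORECASE,
)


def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only for https URLs on an allowlisted domain or one of its subdomains."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme.lower() != "https" or not host:
        return False
    # Compare whole labels so "contoso.example.untrusted.test" does not match.
    return any(host == d or host.endswith("." + d) for d in trusted)


def filter_response(text, allow_rendering=True, trusted=TRUSTED_DOMAINS):
    """Return (filtered_text, blocked_urls) for a single agent response."""
    blocked = []

    def replace(match):
        url = match.group("md") or match.group("bare")
        if allow_rendering and is_trusted(url, trusted):
            return match.group(0)
        blocked.append(url)  # keep for audit logging
        return BLOCKED_NOTICE

    return _REF.sub(replace, text), blocked


# Constructed sample response.
SAMPLE = (
    "Logo: ![logo](https://contoso.example/logo.png)\n"
    "Chart: ![chart](https://images.untrusted.test/c.png)\n"
    "See [the docs](https://docs.contoso.example/guide) or https://untrusted.test/page"
)
```

Calling `filter_response(SAMPLE)` keeps the two `contoso.example` references and replaces the other two with the notice; passing `allow_rendering=False` replaces all four.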