Protect organization data by preventing users from accessing Microsoft Copilot without commercial data protection
In this example, a custom SaaS application is created with a custom user action. When a user who has an Entra-ID account with commercial data protection enabled accesses Microsoft Copilot, they can navigate through Copilot normally. See Commercial data protection explained for more information.
On the other hand, if a user attempts to access Microsoft Copilot with an Entra-ID account that does not have commercial data protection enabled, or without logging in, they will find that Copilot is unavailable. Without commercial data protection the user's data is exposed, so as a safety measure FortiOS restricts access to Copilot in such cases. This ensures that the user's data remains protected at all times.
Microsoft's header solution, which provides a list of domains and a header name-value pair, is one of the strategies designed to prevent the use of Copilot without commercial data protection. See Require commercial data protection in Copilot for more information. FortiOS uses this domain list and header information when the inline CASB profile is configured.
To configure a customized inline CASB profile in the GUI:
- Configure the inline CASB profile:
  - Go to Security Profiles > Inline-CASB.
  - Click Create new.
  - Enter a Name, such as Microsoft-Copilot.
  - In the SaaS Applications table, click Create new. The Create SaaS Application Rules pane opens.
  - In the Application dropdown, click Create to create a custom entry. The Create Inline-CASB SaaS Application pane opens.
  - Enter the Name as Copilot-services.
  - Enter the Domains as bing.com, edgeservices.bing.com, and copilot.microsoft.com.
  - Click OK. A confirmation dialog is displayed.
  - Click OK and click Next.
- Configure the custom control and action:
  - In the Custom Controls table, click Create new. The Create Custom Control pane opens.
  - Enter a Name, such as Entra-ID.
  - In the Application-Defined Controls table, click Create new. The Create Custom Control Action pane opens.
  - Enter a Name, such as Entra.
  - Set the Control Type to Manipulate HTTP headers.
  - Set the Action to Create header.
  - Set the Header name to x-ms-entraonly-copilot.
  - Set the Header value to 1.
  - Click OK to save the custom action.
  - Click OK to save the custom control.
  - Click OK to save the application rule.
  - Click OK to save the inline CASB profile.
- Use the CLI to remove the empty match entry:
  This step is only necessary when configuring the CASB profile in the GUI.
      config casb user-activity
          edit "Copilot-services-Entra-ID"
              config match
                  delete 1
              end
          next
      end
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy.
  - Edit an existing policy or create a new one.
  - Set the Inspection Mode to Proxy-based.
  - In the Security Profiles section, enable Inline-CASB and select the Microsoft-Copilot profile.
  - Set the SSL Inspection profile to one that uses deep inspection.
  - Configure the other settings as needed.
  - Click OK.
To configure a customized inline CASB profile in the CLI:
- Configure the CASB SaaS application:
      config casb saas-application
          edit "Copilot-services"
              set domains "bing.com" "edgeservices.bing.com" "copilot.microsoft.com"
          next
      end
- Configure the CASB user activity:
      config casb user-activity
          edit "Copilot-services-Entra-ID"
              set application "Copilot-services"
              set category other
              config control-options
                  edit "Entra"
                      config operations
                          edit "Entra"
                              set action new
                              set header-name "x-ms-entraonly-copilot"
                              set values "1"
                          next
                      end
                  next
              end
          next
      end
- Configure the inline CASB profile:
      config casb profile
          edit "Microsoft-Copilot"
              config saas-application
                  edit "Copilot-services"
                      config custom-control
                          edit "Copilot-services-Entra-ID"
                              config option
                                  edit "Entra"
                                  next
                              end
                          next
                      end
                  next
              end
          next
      end
- Configure the firewall policy:
      config firewall policy
          edit 1
              set name "CoPilot"
              set srcintf "port2"
              set dstintf "port1"
              set action accept
              set srcaddr "all"
              set dstaddr "all"
              set schedule "always"
              set service "ALL"
              set utm-status enable
              set inspection-mode proxy
              set ssl-ssh-profile "deep-inspection"
              set casb-profile "Microsoft-Copilot"
              set nat enable
          next
      end
To test the configuration:
- Open an Incognito tab in your browser and navigate to bing.com.
- The Copilot option is not available because the user is not logged in with an Entra-ID account that has commercial data protection enabled.
- Log in with an Entra-ID account that has commercial data protection enabled and verify that the Copilot option is available.
- To verify that commercial data protection is turned on for your account, open a new tab in your browser and navigate to copilot.microsoft.com. A green shield next to the user profile icon indicates that data protection is active. See Manage Copilot for more information.
Sample log:
1: date=2024-05-08 time=11:52:58 eventtime=1715125978612375798 tz="+1200" logid="2500010002" type="utm" subtype="casb" eventtype="casb" level="information" vd="root" policyid=1 poluuid="8abe7a4e-08ae-51ef-edb0-45c05b514641" policytype="policy" sessionid=123544 srcip=13.13.13.13 dstip=131.253.33.200 srcport=49752 dstport=443 srcintf="port2" srcintfrole="undefined" srcuuid="6e01eac6-a97d-51ed-5220-dac5db63d2ca" dstintf="port1" dstintfrole="wan" dstuuid="6e01eac6-a97d-51ed-5220-dac5db63d2ca" proto=6 url="https://www.bing.com/fd/ls/lsp.aspx" action="monitor" profile="Microsoft-Copilot" saasapp="Copilot-services" useractivity="Copilot-services-Entra-ID" operation="Entra" activitycategory="other" msg="CASB access was monitored because it contained activity."
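As an added example (not part of this FortiOS document), the following Python parses FortiOS key=value log lines like the sample above and picks out the CASB events that confirm the Entra header operation fired for a Copilot domain under the Microsoft-Copilot profile. The sample lines, the `parse_fortilog`, `host_matches` and `copilot_header_events` names, and the domain-matching rule are constructed here for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains from the Copilot-services SaaS application entry configured above.
COPILOT_DOMAINS = ("bing.com", "edgeservices.bing.com", "copilot.microsoft.com")

# Constructed sample lines (not captured from a real FortiGate): one CASB event
# using the field names of the page's sample log, and one ordinary traffic log.
SAMPLE_LOGS = [
    '1: date=2024-05-08 time=11:52:58 type="utm" subtype="casb" eventtype="casb" '
    'level="information" policyid=1 srcip=13.13.13.13 dstip=131.253.33.200 dstport=443 '
    'url="https://www.bing.com/fd/ls/lsp.aspx" action="monitor" profile="Microsoft-Copilot" '
    'saasapp="Copilot-services" useractivity="Copilot-services-Entra-ID" operation="Entra" '
    'activitycategory="other" msg="CASB access was monitored because it contained activity."',
    '2: date=2024-05-08 time=11:53:01 type="traffic" subtype="forward" policyid=1 '
    'srcip=13.13.13.13 dstip=203.0.113.10 dstport=443 action="accept"',
]

# FortiOS logs are space-separated key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line: str) -> dict:
    """Parse one FortiOS log line into a dict, dropping the leading 'N: ' index."""
    line = re.sub(r"^\d+:\s*", "", line)
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def host_matches(hostname: str, domains=COPILOT_DOMAINS) -> bool:
    """True when hostname equals a configured domain or is a subdomain of one
    (so www.bing.com in the sample URL matches bing.com; bing.com.example does not)."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def copilot_header_events(lines, profile="Microsoft-Copilot"):
    """Return CASB events where the given profile applied the Entra header
    operation to a Copilot domain; their presence confirms the rule is firing."""
    hits = []
    for line in lines:
        ev = parse_fortilog(line)
        if ev.get("type") != "utm" or ev.get("subtype") != "casb":
            continue
        if ev.get("profile") != profile or ev.get("operation") != "Entra":
            continue
        host = urlsplit(ev.get("url", "")).hostname or ""
        if host_matches(host):
            hits.append(ev)
    return hits
```

Feed it the output of a FortiGate log export (or a syslog collector dump) to confirm that the header operation is being recorded for every Copilot domain you expect, and that no event shows a Copilot host reaching the policy without the Entra operation.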