Global Secure Access supports network content filtering through file policies. This feature helps you safeguard against unintended data exposure and prevents inline data leaks to generative AI applications and internet destinations. By extending data protection capabilities to the network layer through Global Secure Access, network content filtering enables your organization to enforce data policies on network traffic in real time. You can discover and protect files shared with unsanctioned destinations, such as generative AI and unmanaged cloud apps, from managed endpoints through browsers, applications, add-ins, APIs, and more.
The network content filtering solution brings together Microsoft Purview's data classification service and the identity-centric network security policies in Global Secure Access. This combination creates an advanced network-layer data security solution, Data Loss Prevention (DLP), that's identity-centric and policy-driven. By combining content inspection with real-time user risk evaluation, you can enforce granular controls over sensitive data movement across the network without compromising user productivity or security posture.
High-level architecture
This article explains how to create a file policy to filter internet traffic flowing through Global Secure Access.
Important
The network content filtering with file policies feature is currently in PREVIEW.
This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Scenarios included in this preview
This preview supports the following key scenarios and outcomes for HTTP/1.1 traffic:
- By using Basic file policy, you can block files based on supported file MIME types.
- By using the Scan with Purview action in file policy, you can audit and block files based on:
- Microsoft Purview sensitivity labels
- Sensitive content in the file
- The user's risk level
- You can generate Data Loss Prevention (DLP) admin alerts for rule matches.
Important
This preview supports network content filtering only for files over HTTP/1.1. It doesn't support network content filtering for text.
Prerequisites
To use file policies, you need the following prerequisites:
- A valid Microsoft Entra tenant.
- Licensing for the product. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.
- A valid Microsoft Entra Internet Access license.
- A valid Microsoft Purview license, required for Scan with Purview inspection.
- You must set up pay-as-you-go billing to use Scan with Purview.
- You can use basic file policy without a Purview license.
- A user with the Global Secure Access Administrator role in Microsoft Entra ID to configure Global Secure Access settings.
- A Conditional Access Administrator role to configure Conditional Access policies.
- The Global Secure Access client requires a device (or virtual machine) that is either Microsoft Entra ID joined or Microsoft Entra ID Hybrid joined.
Initial configuration
To configure file policies, complete the following initial setup steps:
- Enable the Internet Access traffic forwarding profile and ensure correct user assignments.
- Configure the Transport Layer Security (TLS) inspection policy.
- Install and configure the Global Secure Access client:
- Install the Global Secure Access client on Windows or macOS.
Important
Before you continue, test and ensure your client's internet traffic is routed through Global Secure Access. To verify the client configuration, follow these steps:
- Select the Global Secure Access icon and select the Troubleshooting tab.
- Under Advanced Diagnostics, select Run tool.
- In the Global Secure Access Advanced Diagnostics window, select the Forwarding Profile tab.
- Verify that Internet Access rules are present in the Rules section. This configuration might take up to 15 minutes to apply to clients after enabling the Internet Access traffic profile in the Microsoft Entra admin center.
- Confirm that you can reach the web applications you plan to target with file policies.
Configure a file policy
To configure a file policy in Global Secure Access, complete the following steps:
- Create a file policy.
- Link the file policy to a security profile.
- Configure a Conditional Access policy.
Create a file policy
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Secure > File policies.
- Select + Create Policy. Pick the options that fit your needs.
- On the Basics tab:
- Enter the policy Name.
- Enter the policy Description.
- Select Next.
- On the Rules tab:
- Add a new rule.
- Enter the Rule name, Description, Priority, and Status as appropriate.
- From the Action menu, select the action the rule should take, such as Block (basic file policy, which matches on file type) or Scan with Purview (sends the file to Microsoft Purview for content inspection).
- For Matching conditions, select the appropriate Activities and Content types.
- Select + Add destination and configure the destinations.
- Select Next.
- On the Review tab, review your settings.
- Select Create to create the policy.
Note
If you choose the Scan with Purview action, you must also configure a corresponding DLP policy in Microsoft Purview that targets inline web traffic. Without a matching Purview DLP policy, the file policy can't inspect file content or enforce allow or deny decisions. For details, see the example walkthrough and Learn about Microsoft Purview Network Data Security.
Link the file policy to a security profile
- Browse to Global Secure Access > Secure > Security profiles.
- Select the security profile you want to modify.
- Switch to the Link policies view.
- Configure the link file policy:
- Select + Link a policy > Existing File policy.
- From the Policy name menu, select the file policy you created.
- Keep the default values for Position and State.
- Select Add.
- Close the security profile.
Configure a Conditional Access policy
To enforce the Global Secure Access security profile, create a Conditional Access policy with the following configuration:
- Sign in to the Microsoft Entra admin center.
- Browse to Identity > Protection > Conditional Access.
- Select + Create new policy.
- Name the policy.
- Select the users and groups to apply the policy to.
- Set the Target resources to All internet resources with Global Secure Access.
- Configure the Network, Conditions, and Grant sections according to your needs.
- Under Session, select Use Global Secure Access Security Profile and select the security profile you created.
- To create the policy, select Create.
For more information, see Create and link a Conditional Access policy.
The file policy is successfully configured.
Test the file policy
Test the configuration by attempting to upload or download files that match the file policy conditions. Verify that the policy settings block or allow the actions.
Example: Block sensitive PDF uploads to ChatGPT
This example walks through an end-to-end test scenario that blocks a PDF file containing sensitive data (such as credit card numbers or Social Security numbers) from being uploaded to ChatGPT.
Step 1: Configure the file policy destinations
When you create or edit your file policy rule, add the following destinations to match ChatGPT file upload traffic:
- https://chatgpt.com/backend-api/files (add as URL)
- https://chatgpt.com/backend-api/files/process_upload_stream (add as URL)
- *.oaiusercontent.com (add as FQDN)
For Content types, select PDF (and other file types you want to inspect).
Tip
Web applications often use multiple URLs and FQDNs under the hood. Use browser developer tools or network traffic analysis to identify the correct upload endpoints for your target destination. For ChatGPT, the URLs listed here are the endpoints used for file upload operations.
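One way to do that network traffic analysis with an export rather than by eye: the following added example (not part of this page or Microsoft's tooling) reads a browser HAR file, lists every request that looks like a file upload, strips the per-upload query string so what remains is a usable URL or FQDN destination, and flags uploads that the preview can't inspect according to the limitations described on this page (multipart bodies, anything other than HTTP/1.1, WebSocket). The HAR embedded below is constructed for illustration; apart from the chatgpt.com and oaiusercontent.com entries, the hosts and paths are made up.

```python
"""Added example (not Microsoft's code): mine a browser HAR export for file-upload
requests and flag those that Global Secure Access file policies can't inspect.
The HAR below is constructed; export a real one from the browser's Network tab
("Save all as HAR") while performing an upload to the target application."""
import json
from urllib.parse import urlsplit

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample HAR, trimmed to the fields this script reads. Only the
# chatgpt.com / oaiusercontent.com hosts come from the page; the rest are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "https://chatgpt.com/backend-api/files",
                 "httpVersion": "http/1.1",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"file_name\": \"report.pdf\", \"file_size\": 48213}"}},
     "response": {"status": 200}},
    {"request": {"method": "PUT", "url": "https://files.oaiusercontent.com/file-abc123?sig=redacted",
                 "httpVersion": "http/1.1",
                 "headers": [{"name": "Content-Type", "value": "application/pdf"}],
                 "postData": {"mimeType": "application/pdf", "text": "%PDF-1.4 ..."}},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://drive.example.com/upload/v3/files?uploadType=multipart",
                 "httpVersion": "http/1.1",
                 "headers": [{"name": "Content-Type", "value": "multipart/form-data; boundary=----x"}],
                 "postData": {"mimeType": "multipart/form-data", "text": "------x ..."}},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://api.example.net/v1/upload",
                 "httpVersion": "h2",
                 "headers": [{"name": "Content-Type", "value": "application/octet-stream"}],
                 "postData": {"mimeType": "application/octet-stream", "text": "..."}},
     "response": {"status": 201}},
    {"request": {"method": "GET", "url": "https://chat.example.org/realtime",
                 "httpVersion": "http/1.1",
                 "headers": [{"name": "Upgrade", "value": "websocket"}]},
     "response": {"status": 101}},
]}})


def header(req, name):
    """Case-insensitive header lookup on a HAR request object."""
    for h in req.get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""


def classify(entry):
    """Return None for non-upload traffic, otherwise a verdict string."""
    req = entry["request"]
    status = entry.get("response", {}).get("status")
    if header(req, "upgrade").lower() == "websocket" or status == 101:
        return "unsupported: WebSocket"
    post = req.get("postData")
    if req["method"].upper() not in UPLOAD_METHODS or not post:
        return None
    ctype = (post.get("mimeType") or header(req, "content-type")).lower()
    if ctype.startswith("multipart/"):
        return "unsupported: multipart body"
    version = req.get("httpVersion", "").lower()
    if version != "http/1.1":
        return f"unsupported: {version or 'unknown'} (only HTTP/1.1 is inspected)"
    return "candidate"


def find_upload_endpoints(har_text):
    """List every upload-looking request with the destination entries a file policy would need."""
    results = []
    for entry in json.loads(har_text)["log"]["entries"]:
        verdict = classify(entry)
        if verdict is None:
            continue
        req = entry["request"]
        parts = urlsplit(req["url"])
        results.append({
            "method": req["method"].upper(),
            "fqdn": parts.hostname,
            # Query strings carry per-upload tokens; the policy destination is the path.
            "url": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "content_type": (req.get("postData") or {}).get("mimeType", ""),
            "verdict": verdict,
        })
    return results


if __name__ == "__main__":
    for r in find_upload_endpoints(SAMPLE_HAR):
        print(f"{r['method']:5} {r['url']:<70} {r['verdict']}")
```

Run it against a real HAR captured during an upload and add the "candidate" rows as URL destinations (or their `fqdn` as an FQDN destination when the host is dynamic, as with the oaiusercontent.com hosts above). Rows marked unsupported tell you up front that a file policy won't see that traffic, which is cheaper to learn here than after a failed test.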
Step 2: Configure a Purview DLP policy (for Scan with Purview action)
If you select Scan with Purview as the file policy action, you must also configure a corresponding Microsoft Purview DLP policy to inspect the file content and make the allow or deny decision.
- Sign in to the Microsoft Purview portal.
- Follow the steps in Use Network Data Security to help prevent sharing sensitive information with unmanaged AI to create a new DLP policy.
- In the Cloud apps step, search for and add ChatGPT.
- Configure the DLP rule to detect the sensitive information types you want to block (for example, credit card numbers or Social Security numbers).
- Set the rule action to Block.
- Save and apply the policy.
For more information about Purview DLP policies for network traffic, see Learn about Microsoft Purview Network Data Security.
Note
Network DLP with Global Secure Access integration is currently in preview. Global Secure Access forwards matching upload traffic to Microsoft Purview for content inspection. Purview evaluates the content against your DLP policy and returns an allow or deny decision. Global Secure Access then enforces the result.
Step 3: Validate the policy
- On a managed device with the Global Secure Access client installed, open a browser and go to ChatGPT.
- Prepare a test PDF file that contains sensitive data, such as sample credit card numbers or Social Security numbers. You can use a sample file from dlptest.com.
- In ChatGPT, attempt to upload the test PDF file.
- Verify that the upload is blocked. ChatGPT displays an error message because Global Secure Access prevented the file transfer.
- To confirm the block, check the traffic logs in the Microsoft Entra admin center under Global Secure Access > Monitor > Traffic logs.
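If you prefer to generate your own test file instead of downloading one, the following added example (not part of this page or Microsoft's tooling) writes a minimal but valid single-page PDF seeded with synthetic sensitive data. The card numbers are the card networks' published test numbers, which pass the Luhn checksum that Purview's credit card number sensitive information type applies, and are not real accounts; the SSN-format values are made up and only follow the SSA's structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000). Which values actually match depends on the sensitive information types and confidence levels in your Purview DLP rule, so confirm the result in the traffic logs and Purview alerts rather than assuming a block.

```python
"""Added example (not part of this page or Microsoft's tooling): generate a
minimal, valid PDF seeded with synthetic credit card numbers and SSN-format
values for testing a Scan with Purview file policy. The card numbers are the
published Luhn-valid test numbers, not real accounts; the SSNs are made up."""

# Published test card numbers (Visa, Mastercard, American Express); all pass Luhn.
TEST_CARD_NUMBERS = ["4111 1111 1111 1111", "5555 5555 5555 4444", "3782 822463 10005"]
# Made-up values that only follow the SSA structural rules checked below.
TEST_SSNS = ["536-22-4871", "412-89-3306"]


def luhn_ok(number: str) -> bool:
    """Luhn checksum; card-number classifiers reject digit strings that fail it."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def ssn_format_ok(ssn: str) -> bool:
    """SSA structural rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def test_file_lines():
    """Text lines for the test document, with the keywords classifiers look for nearby."""
    lines = ["DLP TEST FILE - synthetic data only, no real accounts or people",
             "Customer payment details:"]
    for n in TEST_CARD_NUMBERS:
        assert luhn_ok(n), n
        # A label and an expiry date next to the number help keyword-proximity matching.
        lines.append(f"Credit card number: {n}  Expires: 12/29")
    for s in TEST_SSNS:
        assert ssn_format_ok(s), s
        lines.append(f"Social Security Number: {s}")
    return lines


def build_pdf(lines) -> bytes:
    """Hand-assemble a one-page PDF 1.4 (Helvetica text) with a correct xref table,
    so true file type detection sees a real PDF rather than a renamed text file."""
    ops = ["BT", "/F1 12 Tf", "72 720 Td", "14 TL"]
    for line in lines:
        esc = line.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        ops.append(f"({esc}) Tj T*")
    ops.append("ET")
    stream = "\n".join(ops).encode("latin-1")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objects) + 1}\n".encode() + b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


def xref_is_consistent(data: bytes) -> bool:
    """Check that every xref offset points at its 'N 0 obj' header; readers choke otherwise."""
    xref_pos = int(data[data.rfind(b"startxref"):].split(b"\n")[1])
    rows = data[xref_pos:].split(b"\n")
    if rows[0] != b"xref":
        return False
    count = int(rows[1].split()[1])
    return all(data[int(rows[2 + i].split()[0]):].startswith(f"{i} 0 obj".encode())
               for i in range(1, count))


def write_test_pdf(path="dlp-test.pdf") -> bytes:
    """Write the test document to disk and return its bytes."""
    data = build_pdf(test_file_lines())
    with open(path, "wb") as f:
        f.write(data)
    return data


if __name__ == "__main__":
    pdf = write_test_pdf()
    print(f"wrote {len(pdf)} bytes; xref consistent: {xref_is_consistent(pdf)}")
```

Upload the resulting `dlp-test.pdf` from the managed device exactly as in the steps above. Because the text sits in an uncompressed content stream, any PDF text extractor recovers it, which keeps the test about the policy rather than about parsing.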
Known limitations
- Network content filtering doesn't support text. It only supports files.
- Uploads that use multipart encoding aren't supported, so file policies don't apply to applications that upload files that way. For example, Google Drive uses multipart encoding for file upload.
- ZIP archives are detected as compressed content, but they aren't decompressed, so the files inside an archive aren't inspected.
- True file type detection might not be 100% accurate.
- Destination applications that use WebSocket, such as Copilot, aren't supported.
- Top-level and second-level domains don't support wildcards (like *, *.com, *contoso.com) when you configure FQDNs.
Monitoring and logging
To view traffic logs:
- Sign in to the Microsoft Entra admin center as at least a Reports Reader.
- Select Global Secure Access > Monitor > Traffic logs.