On this page
A while back I built an LLM Firewall with AWS Lambda, a proxy that sits between users and the model to catch prompt injection. It worked, but it meant writing custom code for every app and having zero visibility into AI services I didn’t own.
That’s the core problem with app-level defenses. You’re counting on every application to protect itself, and most of them don’t. The ones you don’t even know about? Shadow AI services with zero protection.
Microsoft is taking a different approach by inspecting prompts at the network layer.
Prompt Shield (currently in preview) is part of Entra Internet Access. It breaks open TLS, extracts prompts from supported AI services like ChatGPT, Claude, and Deepseek, and runs them through Azure AI’s classifier before they reach the model. No code changes, no per-app proxies. One policy can cover multiple conversation schemes and custom JSON-based apps you define.
In this post, I’ll walk through deploying Prompt Shield end-to-end, configuring TLS inspection, testing with real jailbreak payloads, and comparing it to the app-level approach.
Why Prompt Injection is the New Phishing
Phishing exploits trust in a communication channel. Prompt injection exploits trust in a conversation. Different targets, same technique: social engineering.
The parallels go further than you’d expect:
| Phishing (2010s) | Prompt Injection (2020s) | |
|---|---|---|
| Attack surface | Email inboxes | AI chat interfaces, APIs, agents |
| Mechanism | Trick user into action | Trick model into action |
| Defense evolution | Per-mailbox โ gateway filtering | Per-app โ network-level filtering |
| Shadow problem | Personal email on corp network | Shadow AI on corp network |
| Scale | Millions of phishing emails/day | OWASP LLM01:2025 โ the #1 LLM threat |
OWASP ranks prompt injection as LLM01:2025, the number one threat to LLM applications. A 2025 agent security benchmark hit an average 84% attack success rate against LLM-based agents across 13 model backbones. And the surface keeps growing: more agents with tool access, more MCP integrations, more enterprises shipping AI with no prompt-level controls.
Email security went from “train users not to click” to gateway filtering. AI security needs to make the same jump.
What Prompt Shield Detects
Prompt Shield extends Azure AI Content Safety Prompt Shields to the network layer. It detects two categories of attacks:
Direct prompt injection (jailbreaks):
- System rule override โ “Ignore all previous instructions”
- Conversation mockup โ fabricating prior turns to manipulate context
- Role-play attacks โ “You are DAN, Do Anything Now”
- Encoding attacks โ base64, ROT13, character substitution to evade filters
Indirect prompt injection (document attacks):
- Data exfiltration via prompt โ tricking models into leaking training data or context
- Privilege escalation โ manipulating models to bypass authorization
- Availability attacks โ making models produce incorrect or unusable output
MITRE ATLAS Mapping
OWASP’s LLM01 page cross-references MITRE ATLAS, the adversarial threat landscape for AI systems. The following three techniques are directly cited by OWASP:
| Technique | ID | How Prompt Shield Helps |
|---|---|---|
| LLM Prompt Injection: Direct | AML.T0051.000 | Blocks jailbreaks, system rule overrides, and role-play attacks |
| LLM Prompt Injection: Indirect | AML.T0051.001 | Catches hidden instructions in documents and data exfiltration attempts |
| LLM Jailbreak | AML.T0054 | Detects DAN, encoding attacks, and conversation mockups |
Additional ATLAS techniques relevant to Prompt Shield’s coverage (analyst mapping):
| Technique | ID | How Prompt Shield Helps |
|---|---|---|
| Exfiltration via AI Inference API | AML.T0024 | Blocks prompt-based data exfiltration via AI chat interfaces |
| Erode AI Model Integrity | AML.T0031 | Prevents availability attacks that degrade model output quality |
Architecture: Network-Level vs App-Level
Before diving into the lab, here’s how Prompt Shield compares to the app-level approach I covered in the LLM Firewall post:
App-level firewalls protect only apps you control. Network-level Prompt Shield covers supported AI services across the network โ including shadow AI that IT doesn’t know about.
| App-Level (LLM Firewall) | Network-Level (Prompt Shield) | |
|---|---|---|
| Deployment | Per-app Lambda/proxy | One tenant-wide policy |
| Coverage | Only apps you control | Supported AI services with matched conversation schemes |
| Shadow AI | No visibility | Broad AI traffic visibility; prompt blocking for supported services |
| TLS inspection | Not needed (you own the proxy) | Required (intercepting third-party HTTPS) |
| Latency | Adds 50-200ms per request | Low latency (edge PoP processing) |
| Custom models | Full control over detection logic | Uses Azure AI Content Safety classifier |
| Cost | Lambda + API costs | Included in Entra Suite license |
| Agent support | Manual integration per agent | Copilot Studio agents via baseline profile (orchestration/results enhancement requests not yet supported) |
They’re not competing โ they’re complementary. App-level firewalls give you deep control over your own AI apps. Prompt Shield gives you broad coverage across supported services, and GSA’s traffic logs show you what you haven’t configured yet.
Use both. Prompt Shield at the perimeter, your own filtering for business logic. Same reason you run an email gateway and input validation.
Lab: Deploying Prompt Shield End-to-End
Prerequisites
- Microsoft Entra tenant with Global Secure Access Administrator and Conditional Access Administrator roles
- Entra Suite license (includes Internet Access). A trial is available through the Entra admin center
- Windows 10/11 device (VM works), Entra joined or hybrid joined
- OpenSSL for TLS certificate signing
Step 1: Activate Global Secure Access
- Navigate to Entra admin center > Global Secure Access > Dashboard
- Click Activate to enable the service
- Go to Connect > Traffic forwarding
- Enable the Internet access profile (the Microsoft traffic profile is optional for Prompt Shield but useful for broader GSA coverage)
The Internet access profile routes non-Microsoft internet traffic through GSA. This is the forwarding profile that Prompt Shield inspects.
Step 2: Configure TLS Inspection
This is the part that makes everything else work. Without TLS inspection, GSA can see where traffic goes but can’t read the request body to extract prompts. You need to break and inspect TLS to see what’s inside.
Generate and Sign the Certificate
- Navigate to Global Secure Access > Secure > TLS inspection policies
- Click the TLS inspection settings tab
- Click Create certificate (this generates a CSR)
- Download the CSR and sign it with your organization’s CA
For a lab environment, create a self-signed root CA and sign the CSR:
# Create a root CA with SHA-512
openssl req -x509 -newkey rsa:4096 -sha512 -days 1095 \
-keyout rootCA512.key -out rootCA512.pem -nodes \
-subj "/CN=Lab Root CA/O=Nine Lives Zero Trust/C=US"
# Sign the GSA CSR with required extensions
cat > signedCA_ext.cnf << 'EOF'
[signedCA_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
openssl x509 -req -in GSALabCert.csr \
-CA rootCA512.pem -CAkey rootCA512.key -CAcreateserial \
-out GSALabCert-signed.pem -days 730 -sha512 \
-extfile signedCA_ext.cnf -extensions signedCA_ext
Critical: The signed certificate must include
extendedKeyUsage = serverAuth. Microsoft’s sample configuration explicitly requires Server Auth, CA, and key-usage extensions. Lab observation: In our testing, omittingserverAuthcaused a Graph API 400 error on upload. The CSR generated by our tenant used SHA-512, so we signed with-sha512to match. Microsoft’s published sample uses SHA-256. Match whichever algorithm your CSR specifies.
- Upload the signed certificate back in the TLS inspection settings
- Wait for the status to change from Enrolling to Enabled (~15-60 minutes)
Create a TLS Inspection Policy
- On the TLS inspection policies tab, click Create policy
- Name:
Inspect AI Traffic - Add rules targeting AI service FQDNs:
chatgpt.com,claude.ai,gemini.google.com,chat.deepseek.com - Action: Inspect
Step 3: Create the Prompt Shield Policy
- Navigate to Global Secure Access > Secure > Prompt policies (Preview)
- Click Create policy
- Name:
Block AI Prompt Injection - Default action: Allow (only block detected prompt injection, not all traffic)
The Prompt Shield policy with a default action of Allow โ clean prompts pass through, only detected prompt injection gets blocked.
Add a Rule with Conversation Schemes
- Click into the policy > Rules > Add rule
- Name:
Block Jailbreaks and Prompt Injection - Priority:
100 - Action: Block
- Add conversation schemes for each AI service you want to protect:
- ChatGPT (Logged in) โ extracts prompts from
/backend-api/f/conversation - ChatGPT (Logged out) โ extracts prompts from
/backend-anon/conversation(note: no/f/in the path). If your users browse ChatGPT without signing in, add a custom conversation scheme with this URL. - Claude โ extracts prompts from Anthropic’s API
- Gemini โ extracts prompts from Google’s API (see note below)
- Deepseek โ extracts prompts from Deepseek’s API
- ChatGPT (Logged in) โ extracts prompts from
One rule, four conversation schemes. Prompt Shield knows how to extract the prompt from each AI service’s unique request format.
Prompt Shield ships with 11 preconfigured conversation schemes: ChatGPT, Claude, Cohere, Deepseek, Gemini, Grok, Meta AI, Mistral, Perplexity, Pi, and Qwen. For custom AI services, you provide the URL pattern and JSON path to the prompt field.
Gemini note: Microsoft lists Gemini among the preconfigured conversation schemes but also states that Prompt Shield only supports JSON-based apps and does not support URL-encoded apps “like Gemini.” In our lab, we observed blocked transactions on Gemini connections (see traffic logs below), but this contradiction in the documentation means Gemini support may be partial or endpoint-dependent. Test thoroughly before relying on it in production.
Step 4: Link Policies to the Baseline Profile
- Navigate to Global Secure Access > Secure > Security profiles
- Click the Baseline profile tab > click into the baseline profile
- Go to Link policies and link both:
Block AI Prompt Injection(Prompt policy)Inspect AI Traffic(TLS inspection)
The baseline profile applies to all internet traffic without needing a Conditional Access policy. Both the Prompt Shield and TLS inspection policies are linked and enabled.
The baseline profile (priority 65000) applies to all internet traffic, including remote network traffic, without requiring a Conditional Access policy. For production, you can create custom security profiles linked to Conditional Access for more granular targeting (e.g., only apply Prompt Shield to specific user groups).
Step 5: Deploy the GSA Client
For the GSA client to forward traffic, the Windows device must be Entra joined and have the client installed:
- Download the GSA client from Global Secure Access > Connect > Client download
- Install on the target Windows device
- Import the root CA certificate to the Trusted Root Certification Authorities store
- Block QUIC protocol (forces traffic to HTTPS where GSA can inspect it):
# Block QUIC to force HTTPS (required for TLS inspection)
New-NetFirewallRule -DisplayName "Block QUIC" `
-Direction Outbound -Protocol UDP -RemotePort 443 `
-Action Block
- Disable Secure DNS (DNS-over-HTTPS) in your browser because GSA uses FQDN-based traffic acquisition, which requires plaintext DNS lookups. With DoH enabled, the browser resolves DNS through an encrypted channel that GSA can’t observe, causing traffic to bypass the tunnel entirely:
Edge: edge://settings/privacy โ "Use secure DNS" โ Off
Chrome: chrome://settings/security โ "Use secure DNS" โ Off
Verify the GSA client is running:
Get-Service -Name "*GlobalSecureAccess*" | Format-Table Name, Status
You should see four services running: ClientManagerService, EngineService, ForwardingProfileService, and TunnelingService.
How It Works: The Request Flow
When a user on a GSA-enabled device sends a prompt to ChatGPT, here’s what happens:
The full inspection pipeline. The GSA client tunnels traffic to the nearest edge PoP, where TLS is decrypted, the prompt is extracted via conversation scheme URL matching, and the Azure AI classifier makes an allow/block decision.
Verifying Prompt Shield
With everything configured, here’s what the lab validates.
GSA Client Connected
Once the Entra user signs in on the device, the GSA client connects with all three channels active: Internet, Entra, and M365.
GSA client connected with all three forwarding channels active. Organization: MSFT. Join type: Entra Joined.
TLS Inspection Active
Every HTTPS connection to an AI service now shows Microsoft’s intermediate CA in the certificate chain instead of the original:
Certificate chain for chatgpt.com:
CN=chatgpt.com
โโโ CN=Microsoft Global Secure Access Intermediate CA2
โโโ CN=GSA Lab CA
โโโ CN=GSA Lab Root CA (self-signed)
This confirms GSA is decrypting, inspecting, and re-encrypting all AI traffic in real time.
Prompt Inspection in Gen AI Insights
The Generative AI Insights logs (under Global Secure Access > Monitor) show every prompt sent to AI services through the tunnel:
Every prompt sent to ChatGPT is captured in the Gen AI Insights logs โ including the destination URL, user identity, and a unique transaction ID for forensic correlation.
This is the kind of visibility you can’t get from an app-level firewall. You see who sent what, to which service, and when. If you’re running a SOC, this is the difference between blind spots and actually knowing what’s happening.
Jailbreak Blocked
With normal prompts flowing through without issue, here’s what happens when a jailbreak prompt is sent to ChatGPT:
The jailbreak prompt was sent, but Prompt Shield killed the connection before ChatGPT could respond. In our lab, the user saw ‘Something went wrong’ instead of the AI’s response.
Normal conversation works. Jailbreak gets blocked. The traffic logs for Gemini show a similar pattern: connections during jailbreak testing show a mixed action status (displayed as “Composite” in the portal) with non-zero blocked transaction counts. Microsoft’s traffic log documentation defines the Action field as Allowed or Denied and notes that connection logs aggregate multiple transactions. The blocked counts we observed indicate enforcement occurred on those connections:
Traffic logs filtered for gemini.google.com. Connections with jailbreak prompts show ‘Composite’ action with 2-5 blocked transactions. Normal browsing shows ‘Allow’ with zero blocks. Prompt Shield selectively kills malicious requests while passing clean traffic.
The full Gen AI Insights log showing 17 prompts inspected across ChatGPT and Gemini, each with user identity, destination URL, and unique transaction ID for forensic correlation.
Key Takeaway: Conversation Scheme URL Matching
The most important lesson from this lab: the conversation scheme URL must exactly match the AI service’s API endpoint. ChatGPT uses different paths for logged-in (/backend-api/f/conversation) vs anonymous (/backend-anon/conversation) users. If the URL doesn’t match, Prompt Shield sees the traffic but can’t extract the prompt to classify it.
The 11 preconfigured conversation schemes handle this for common AI services. For custom AI apps, you’ll need to identify the exact POST endpoint and JSON path using browser developer tools.
Limitations and Gotchas
No security control is perfect, and Prompt Shield is no exception. Here’s what I ran into and what you should know:
Text-only: Prompt Shield analyzes text prompts. It does not inspect images, PDFs, or file uploads sent to AI models.
JSON-only: The conversation scheme extractors work with JSON request bodies. AI services that use URL-encoded form data or protocol buffers may not be fully supported. Microsoft’s docs explicitly note that URL-encoded apps require different handling.
10,000 character truncation: Prompts longer than 10,000 characters are truncated before analysis. An attacker who pads their jailbreak payload beyond 10K characters could evade detection.
Windows client required: While GSA clients exist for macOS, iOS, and Android, the current Prompt Shield deployment guidance specifically requires Windows 10/11 devices that are Entra joined or hybrid joined.
TLS propagation delay (lab observation): In our testing, TLS inspection took 15-60 minutes to become active across GSA edge PoPs after uploading the signing certificate. During this window, traffic flows but is not inspected.
Rate limits: Under heavy load, Prompt Shield applies rate limits. When rate-limited, subsequent requests are blocked regardless of content, which can impact legitimate users.
Language coverage: The underlying classifier is trained on Chinese, English, French, German, Spanish, Italian, Japanese, and Portuguese. Other languages may have reduced detection accuracy.
What About Shadow AI?
This is where the network-level approach really pays off. With GSA’s Internet Access forwarding profile, you can see AI traffic beyond the services you’ve sanctioned.
Global Secure Access application usage analytics (currently in preview) can identify shadow IT, generative AI apps, and shadow AI applications. For more established shadow-IT discovery and control, Microsoft also offers Defender for Cloud Apps. Together, these provide:
- Discovery: Identifies AI services being used across your network
- Risk assessment: Categorizes discovered AI services by risk level
- Blocking: Web content filtering can block unsanctioned AI services entirely
Combined with Prompt Shield, you get a two-layer defense:
- Block unsanctioned AI services entirely with web content filtering
- Inspect sanctioned AI services for prompt injection with Prompt Shield
Production Deployment Considerations
A few things to think about if you’re taking this beyond a lab:
Conditional Access Integration
Instead of applying Prompt Shield to all users via the baseline profile, create a custom security profile and link it to a Conditional Access policy. This lets you:
- Target specific user groups (e.g., apply stricter policies to developers who use AI heavily)
- Apply different policies for different risk levels (e.g., stricter blocking for high-risk sign-ins)
- Exclude service accounts or break-glass accounts
User Experience When Blocked
When Prompt Shield blocks a prompt, it terminates the connection. In our lab, the user saw the AI app’s own error message (e.g., ChatGPT showed “Something went wrong”). This is different from web content filtering, which shows a customizable block page. Communicate to users what blocked AI errors mean via:
- Your organization’s acceptable use policy
- Internal documentation explaining Prompt Shield behavior
- A helpdesk contact for reporting false positives
Monitoring
GSA traffic logs flow to Log Analytics. Build Sentinel analytics rules to alert on:
- Spike in blocked prompt injection attempts (possible targeted attack)
- New AI service discovered in shadow AI detection
- TLS inspection certificate approaching expiration
- Rate limit events (possible false positive wave)
Certificate Management
The TLS inspection certificate has a fixed validity period. Set a calendar reminder to rotate it before expiration. An expired certificate immediately disables all TLS inspection, and with it, all Prompt Shield protection.
Conclusion
Email security evolved from per-mailbox filters to centralized gateways that everyone expects to have. AI security is heading in the same direction.
Prompt Shield is still in preview, and the support matrix is evolving. But the direction is right: move prompt inspection to the network layer where security teams have visibility across the environment, not just the apps they built.
If you already have app-level prompt filtering, keep it. Prompt Shield covers the perimeter and app-level controls handle business logic. Using both is the right model.
Resources
- Prompt Shield documentation (Microsoft Learn)
- Azure AI Content Safety: Prompt Shields (Microsoft Learn)
- TLS inspection settings for Global Secure Access (Microsoft Learn)
- Global Secure Access traffic logs (Microsoft Learn)
- Global Secure Access known limitations (Microsoft Learn)
- Application usage analytics (shadow AI) (Microsoft Learn)
- OWASP LLM01:2025 Prompt Injection (OWASP)
- MITRE ATLAS (MITRE)
Prompt Shield is currently in preview. If you have an Entra Suite license or want to test with a trial, everything in this post can be deployed today. Check Microsoft’s documentation for the latest on general availability and supported platforms.
Jerrad Dahlager, CISSP, CCSP
Cloud Security Architect ยท Adjunct Instructor
Marine Corps veteran and firm believer that the best security survives contact with reality.
Have thoughts on this post? I'd love to hear from you.
