Microsoft Entra Internet Access AI Gateway Preview

Introduction: why identity-first AI security matters

Generative AI adoption is accelerating across enterprises, but security readiness is lagging—especially around data leakage to unsanctioned AI tools, prompt injection attacks, and fragmented controls across devices and clouds. Microsoft’s latest Entra updates position identity as the control plane for governing AI access, with new network-layer protections designed to secure AI usage without requiring app rewrites.

What’s new: Secure Web & AI Gateway in Entra Internet Access (Public Preview)

Microsoft Entra Internet Access now includes a secure web and AI gateway, extending AI-aware inspection and policy enforcement into the network layer as part of Microsoft’s SASE approach.

1) Shadow AI Detection

• Discovers unsanctioned AI tools observed in network traffic.
• Uses Cloud Application Analytics plus Defender for Cloud Apps risk scoring and Microsoft’s Cloud App Catalog.
• Enables quick enforcement via Conditional Access to sanction, restrict, or block high-risk AI apps.

2) Network File Filtering (with Purview integration)

• Blocks uploads/downloads based on file type.
• Can inspect file content and metadata in transit.
• Integrates with Microsoft Purview to enforce Sensitive Information Types and Exact Data Match policies—reducing the chance of regulated or confidential data being shared with unapproved AI services.

3) Prompt Injection Protection

• Inspects AI traffic inline and blocks malicious prompts in real time.
• Extends Azure AI Prompt Shields to the network layer, aiming for consistent protection across AI apps, agents, and LLMs—without refactoring applications.

4) Controls for AI agents and MCP servers

• Applies network-layer boundaries with URL filtering to allow approved agent connections and block unsanctioned MCP servers.
• Pairs with Entra identity controls (e.g., MFA, geo-restrictions) across Windows, macOS, iOS, and Android.

Additional Entra Internet Access enhancements

Microsoft also highlighted broader improvements including:

• Threat intelligence filtering for known malicious sites.
• Remote networks for Internet traffic to extend protections to branches/remote sites without the Global Secure Access client.
• Cloud firewall for remote networks with centrally managed, identity-driven policies.

Impact on IT admins and security teams

• More uniform AI policy enforcement across browsers, devices, and environments (on-prem, hybrid, multi-cloud).
• Reduced reliance on per-app controls or SDK-based security retrofits.
• Stronger governance posture by linking network observations (what users access) with identity-driven decisions (what they’re allowed to do).

Action items / next steps

1. Evaluate the public preview of Secure Web & AI Gateway in Entra Internet Access and map it to your AI risk scenarios (Shadow AI, data leakage, prompt injection).
2. Integrate with Purview: validate Sensitive Information Types and Exact Data Match coverage for high-risk data categories.
3. Review Conditional Access policies for AI services (sanctioned vs. unsanctioned) and define block/allow criteria using Defender for Cloud Apps risk scoring.
4. Create an AI access baseline (approved tools, approved agent/MCP endpoints, logging/monitoring requirements) and socialize it with security and business owners.