Configure data loss prevention for Azure Cognitive Services

Cognitive Services data loss prevention capabilities allow customers to configure the list of outbound URLs their Cognitive Services resources are allowed to access. This creates another level of control for customers to prevent data loss. In this article, we'll cover the steps required to enable the data loss prevention feature for Cognitive Services resources.

Prerequisites

Before you make a request, you need an Azure account and an Azure Cognitive Services subscription. If you already have an account, go ahead and skip to the next section. If you don't have an account, we have a guide to get you set up in minutes: Create a Cognitive Services account for Azure.

You can get your subscription key from the Azure portal after creating your account.

Enabling data loss prevention

Enabling data loss prevention takes two settings. First, set the restrictOutboundNetworkAccess property to true. Second, once it is set to true, provide the list of approved URLs in the allowedFqdnList property, which contains an array of comma-separated URLs.

Note

  • The allowedFqdnList property value supports a maximum of 1000 URLs.
  • The property supports both IP addresses and fully qualified domain names (for example, www.microsoft.com) as values.
  • It can take up to 15 minutes for the updated list to take effect.

  1. Install the Azure CLI and sign in, or select Try it.

  2. View the details of the Cognitive Services resource.

    az cognitiveservices account show \
        -g "myresourcegroup" -n "myaccount"
    
  3. View the current properties of the Cognitive Services resource.

    az rest -m get \
        -u "/subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.CognitiveServices/accounts/{account name}?api-version=2021-04-30"
    
  4. Configure the restrictOutboundNetworkAccess property and update the allowedFqdnList property with the approved URLs.

    az rest -m patch \
        -u "/subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.CognitiveServices/accounts/{account name}?api-version=2021-04-30" \
        -b '{"properties": { "restrictOutboundNetworkAccess": true, "allowedFqdnList": [ "microsoft.com" ] }}'
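
The following Python example is added here and is not part of the original article: it builds the step 4 PATCH body from an approved list, enforcing the 1000-entry limit, and audits the JSON returned by step 3 for drift from that list. The function names, the constructed SAMPLE response, and the FQDN/IP syntax check are assumptions made for illustration.

```python
import ipaddress
import json
import re

MAX_ENTRIES = 1000  # limit stated in the note on this page
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_entry(value):
    """True if value is an IP address or a syntactically valid FQDN (assumed check)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return len(value) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def build_patch_body(approved):
    """Return the JSON body for step 4, or raise ValueError on a bad list."""
    entries = sorted(set(approved))
    bad = [e for e in entries if not is_valid_entry(e)]
    if bad:
        raise ValueError(f"not an FQDN or IP address: {bad}")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds {MAX_ENTRIES}")
    return json.dumps({"properties": {
        "restrictOutboundNetworkAccess": True,
        "allowedFqdnList": entries}})

def audit_account(account_json, approved):
    """Compare the step 3 GET output with the approved list; return findings."""
    props = json.loads(account_json).get("properties", {})
    live, want = set(props.get("allowedFqdnList") or []), set(approved)
    findings = []
    if props.get("restrictOutboundNetworkAccess") is not True:
        findings.append("restrictOutboundNetworkAccess is not true")
    findings += [f"unapproved entry: {e}" for e in sorted(live - want)]
    findings += [f"missing entry: {e}" for e in sorted(want - live)]
    return findings

# Constructed sample of a GET response, trimmed to the relevant properties.
SAMPLE = '{"properties": {"restrictOutboundNetworkAccess": false, "allowedFqdnList": ["microsoft.com", "example.org"]}}'

if __name__ == "__main__":
    print(build_patch_body(["microsoft.com", "10.0.0.4"]))
    for finding in audit_account(SAMPLE, ["microsoft.com"]):
        print(finding)
```

Because an updated list can take up to 15 minutes to take effect, rerun the audit against fresh step 3 output after that window.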
    

Supported services

The following services support data loss prevention configuration:

  • Computer Vision
  • Content Moderator
  • Custom Vision
  • Face
  • Speech Service
  • QnA Maker

Next steps