
Prompt-injection scanner for Microsoft Copilot Studio

Microsoft Copilot Studio (formerly Power Virtual Agents) lets enterprises build custom AI copilots deployed in Teams, SharePoint, and Microsoft 365. When a Copilot Studio bot is connected to a Power Automate flow that calls an Azure OpenAI vision model — for document analysis, Teams message image processing, SharePoint file triage, or form submission review — the images entering that flow come from employees, partners, and external users. Any of these parties can submit an image containing adversarial pixel-level instructions that redirect the Azure OpenAI model's output. Azure Prompt Shields, Microsoft's own PI defence layer, focuses on text-based injection and direct jailbreak attempts; it does not scan image bytes for embedded adversarial instructions. A Glyphward HTTP action inserted in the Power Automate flow before the Azure OpenAI connector closes the multimodal gap without requiring custom infrastructure or departing from the Microsoft ecosystem.

TL;DR

In the Power Automate cloud flow that feeds images to your Copilot Studio bot or Azure OpenAI connector: add an HTTP action after the image retrieval step, POST the base64 image to https://glyphward.com/v1/scan, parse the JSON response, and add a Condition that routes to the AI call only if score is less than 70. The Azure OpenAI integration guide covers the Azure-specific API configuration. Free tier — 10 scans/day, no card required.

Where image PI enters Copilot Studio deployments

Teams image attachments processed by a bot. A Copilot Studio bot deployed in Teams can receive image uploads from any Teams channel member or direct-message sender. When the bot forwards that image to an Azure OpenAI vision model for analysis — helpdesk ticket triage, diagram explanation, error screenshot classification — the image is an untrusted input from whoever uploaded it. In organisations with guest access or external collaboration, this includes users outside the organisation's tenant boundary.

SharePoint file triggers in Power Automate. Power Automate flows triggered by new files in a SharePoint document library — a common pattern for document intelligence automation in M365 — pass those files to Azure OpenAI for classification, summarisation, or data extraction. Anyone with write access to the SharePoint library can add a file, which means any collaborator, contractor, or external vendor with library access can introduce an adversarial document.

Power Apps forms with image upload fields. Power Apps canvas apps often include image upload controls that feed into Power Automate flows for processing. A form that accepts photos of equipment damage, products, or documents and routes those photos to AI analysis has an unscanned image input from any user of the Power App — which may include external users on guest licenses.

Outlook and Exchange attachment processing. Power Automate's Outlook connector can trigger on new emails with attachments and forward those attachments to Azure OpenAI. Any external sender to your corporate email address is an untrusted input source. Email-based PI attacks are particularly accessible — the attacker only needs to send an email with a crafted attachment to any public-facing address in your organisation.

Integration: HTTP action in Power Automate

Power Automate's HTTP action (available on paid plans) can call any REST API. The scan gate adds two actions to your flow: an HTTP scan call and a Condition.

Step 1: After the action that retrieves the image binary (e.g., "Get file content" from SharePoint, "Get attachment" from Outlook, or the Teams file URL fetch), add an HTTP action:

Method: POST
URI: https://glyphward.com/v1/scan
Headers:
  Authorization: Bearer [your Glyphward API key, from Azure Key Vault]
  Content-Type: application/json
Body (JSON):
{
  "image": "@{base64(body('Get_file_content'))}",
  "source": "power_automate_copilot_studio"
}

Step 2: Add a Parse JSON action after the HTTP action to extract the score and scan_id from the response body. Use the schema:

{
  "type": "object",
  "properties": {
    "score": { "type": "integer" },
    "scan_id": { "type": "string" }
  }
}

Step 3: Add a Condition action.

If: body('Parse_JSON')?['score']   is less than   70
  Yes: Continue to Azure OpenAI connector
  No:  Send notification (Teams/email) with scan_id; terminate flow

On the "No" path, send a Teams notification to a security review channel with the scan_id and the source file reference. Do not send the image binary in the notification — reference the SharePoint or Outlook item by URL so the reviewer can access it with their existing permissions.

API key storage: Store the Glyphward API key in Azure Key Vault and reference it in the Power Automate HTTP action using the Azure Key Vault connector's "Get secret" action. Do not paste the key directly into the HTTP action — Power Automate flow run history logs request details that are visible to flow editors.


Relationship to Azure Prompt Shields

Azure AI Content Safety's Prompt Shields (available in Azure OpenAI and Azure AI Studio) detects text-based direct and indirect PI attacks. It analyses the text of user messages and documents for instruction-following patterns that suggest PI. It does not analyse image bytes — when an image is passed to Azure OpenAI as a vision input, Prompt Shields does not inspect the image's pixel content for adversarial typographic overlays, steganographic payloads, or FigStep-class attacks.

Glyphward and Azure Prompt Shields are complementary: use Prompt Shields for text-based PI in chat messages and document text layers; use Glyphward for image bytes before any vision model call. Together they cover the full multimodal attack surface. See the Azure OpenAI integration guide for the full architecture pattern combining both layers.

Coverage matrix

Defence layer                          | Teams image upload           | SharePoint file trigger    | Outlook attachment         | Power Apps image field
Azure Prompt Shields                   | Text only (not image pixels) | Text only                  | Text only                  | Text only
Microsoft Defender for Cloud           | Malware/threat intel only    | Malware/threat intel only  | Malware/threat intel only  | No
Text-only scanner (Lakera, LLM Guard)  | No — image bytes ignored     | No                         | No                         | No
Glyphward HTTP action                  | Yes — pixel-level scan       | Yes                        | Yes                        | Yes

Related questions

Does this work with the new Copilot Studio agent capabilities (multi-step agents)?

Yes, and the risk is higher for agentic Copilot Studio deployments than for single-turn bots. In a Copilot Studio agent that takes multiple actions based on image content — reading a SharePoint file and then updating a CRM record, or processing a form image and then sending an email — a successful PI attack can redirect the entire action sequence, not just a single response. For agentic flows, use a lower threshold (score ≥ 60 blocks the image) and scan every image in the flow, not just the first one.

Is an HTTP action available on all Power Automate plans?

Power Automate's premium HTTP action (which can call external REST APIs) requires a premium license — available on Power Automate Premium (per-user) and Power Automate Process plans. It is not available on the Office 365-included Power Automate plan, which only supports the subset of pre-built standard connectors. If you are on a plan without the premium HTTP action, you can call Glyphward from a custom Azure Function or Logic App instead, triggered from the Power Automate flow via an HTTP Request connector (which is a standard connector available on all plans).
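A worked version of the three-step gate (HTTP action, Parse JSON, Condition) from the integration section, written as a small Python module that an Azure Function could expose to the flow for tenants without the premium HTTP action, and that also covers the "scan every image" rule for agentic flows. This is an added example, not Glyphward's or Microsoft's code. It assumes only what this page states about the API: a POST to https://glyphward.com/v1/scan with a Bearer key and a JSON body carrying the base64 image and a source label, answered by JSON with an integer score and a string scan_id. The fake_transport stand-in, the marker-based scoring it uses, and the fail-closed handling of malformed replies or network errors are this example's own choices, not documented Glyphward behaviour.

```python
"""Scan gate mirroring the Power Automate HTTP action + Parse JSON + Condition.
Added example; assumes only the request/response shape described on this page."""
import base64
import hashlib
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

SCAN_URL = "https://glyphward.com/v1/scan"
DEFAULT_THRESHOLD = 70   # single-turn bots: score < 70 continues to Azure OpenAI
AGENTIC_THRESHOLD = 60   # multi-step agents: score >= 60 blocks the image


@dataclass
class GateDecision:
    allowed: bool
    score: Optional[int]
    scan_id: Optional[str]   # forward this to the review channel, never the image bytes
    reason: str


# A transport takes (request body, headers) and returns the raw response body.
Transport = Callable[[bytes, dict], bytes]


def http_transport(body: bytes, headers: dict) -> bytes:
    """Real transport: POST to the scan endpoint (needs network and an API key)."""
    req = urllib.request.Request(SCAN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def build_request(image_bytes: bytes, source: str) -> bytes:
    """Same body the flow's HTTP action sends: base64(body('Get_file_content'))."""
    payload = {"image": base64.b64encode(image_bytes).decode("ascii"), "source": source}
    return json.dumps(payload).encode("utf-8")


def decide(response_body: bytes, threshold: int) -> GateDecision:
    """Parse JSON + Condition. Anything that does not match the expected schema
    (no score, non-integer score, invalid JSON) fails closed: the flow must not
    reach the vision model on an unverified image."""
    try:
        parsed = json.loads(response_body)
        score = parsed["score"]
        scan_id = parsed["scan_id"]
    except (ValueError, KeyError, TypeError):
        return GateDecision(False, None, None, "unparseable or incomplete scan response")
    if not isinstance(score, int) or isinstance(score, bool):
        return GateDecision(False, None, str(scan_id), "score is not an integer")
    if score < threshold:
        return GateDecision(True, score, scan_id, "score below threshold")
    return GateDecision(False, score, scan_id, f"score {score} >= threshold {threshold}")


def scan_image(image_bytes: bytes, api_key: str, source: str = "power_automate_copilot_studio",
               threshold: int = DEFAULT_THRESHOLD, transport: Transport = http_transport) -> GateDecision:
    """One scan call. The API key should come from Key Vault, never from flow definitions."""
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    try:
        raw = transport(build_request(image_bytes, source), headers)
    except Exception as exc:  # timeout, HTTP error, DNS failure: fail closed, not open
        return GateDecision(False, None, None, f"scan call failed: {type(exc).__name__}")
    return decide(raw, threshold)


def gate_all(images, api_key: str, threshold: int = AGENTIC_THRESHOLD,
             transport: Transport = http_transport):
    """Agentic flows: scan every image, not just the first. Returns
    (all_allowed, decisions) so a blocked scan_id can be sent to the review channel."""
    decisions = [scan_image(img, api_key, threshold=threshold, transport=transport) for img in images]
    return all(d.allowed for d in decisions), decisions


def fake_transport(body: bytes, headers: dict) -> bytes:
    """Constructed stand-in for the scan service so the example runs offline.
    It 'scores' an image by a marker byte string, not by pixel analysis."""
    assert headers["Authorization"].startswith("Bearer ")
    img = base64.b64decode(json.loads(body)["image"])
    score = 92 if b"INJECT" in img else 12
    scan_id = "scan_" + hashlib.sha256(img).hexdigest()[:8]
    return json.dumps({"score": score, "scan_id": scan_id}).encode("utf-8")


if __name__ == "__main__":
    clean = b"\x89PNG constructed clean image bytes"        # constructed sample
    hostile = b"\x89PNG constructed bytes with INJECT marker"  # constructed sample
    print(scan_image(clean, "demo-key", transport=fake_transport))
    print(scan_image(hostile, "demo-key", transport=fake_transport))
    print(gate_all([clean, hostile], "demo-key", transport=fake_transport)[0])
```

The transport is injected so the same gate logic runs against the live endpoint in production and against the offline stand-in in a test; the decision function is deliberately separate from the HTTP call so that the fail-closed rules (missing score, wrong type, call failure) can be checked without network access.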

Can I build a shared Glyphward connector for our tenant?

Yes. Power Automate supports custom connectors that wrap external REST APIs with an OpenAPI definition. You can build a custom Glyphward connector that exposes a single "Scan image" action, handles authentication via the Glyphward API key stored in the connector's connection credentials, and returns the score and scan_id as named outputs. This makes the Glyphward scan action reusable across all flows in your tenant without each flow needing to configure the HTTP action and key separately. Contact us for the OpenAPI spec to use as the basis for the custom connector definition.

Does this apply to Microsoft 365 Copilot (the enterprise AI assistant) as well?

Microsoft 365 Copilot (the AI assistant built into Word, Excel, Teams, and Outlook) processes documents and images that users reference in their prompts. M365 Copilot is a Microsoft-managed service with Microsoft's own safety controls applied server-side — it is a different integration path from Copilot Studio custom bots. This guide covers Copilot Studio custom bots and Power Automate flows that your team builds and controls. For M365 Copilot, the relevant controls are at the tenant policy level (data residency, sensitivity labels, information barriers), not the API integration level covered here.
