Network-25395: Entra Private Access Application segments are defined to enforce least-privilege access #747
SagarSathe merged 18 commits into main from
Conversation
sandeepjha000
left a comment
@aahmed-spec - please address the feedback
Refactor assessment script by updating region markers and improving condition checks.
removed extra lines
Pull request overview
This PR adds a new security assessment test (Test-Assessment.25395) that evaluates Microsoft Entra Private Access applications to ensure they follow least-privilege principles through granular network segmentation and Custom Security Attributes (CSA) for Conditional Access targeting.
Key Changes
- Implementation of comprehensive Private Access application segmentation validation
- Helper functions to detect overly broad CIDR ranges, IP ranges, and port configurations with Active Directory exceptions
- Integration with Conditional Access policy evaluation using applicationFilter targeting
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25395.ps1 | Implements the core assessment logic with helper functions to validate network segments, check for broad access patterns, verify CSA assignments, and generate detailed compliance reports |
| src/powershell/tests/Test-Assessment.25395.md | Provides documentation explaining the security rationale, threat scenarios, remediation steps, and reference links for implementing least-privilege Private Access configurations |
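As an added example (not the PR's own Test-Assessment.25395.ps1 code), here is the kind of helper check the overview describes, written in PowerShell: flagging broad CIDR prefixes, oversized IP ranges and wide port ranges, with an exception for Active Directory segments. The thresholds, the AD port list and the RPC range are assumptions for this illustration; the inclusive `+1` in the range-size arithmetic is the off-by-one the later commit refers to.

```powershell
# Added illustration, not the repository's Test-Assessment.25395.ps1. Thresholds,
# the AD port list and the RPC range below are assumptions for this example.
$BroadPrefixThreshold = 24      # assumed: anything wider than a /24 is "broad"
$BroadAddressCount    = 256     # assumed: ranges covering more than 256 hosts are "broad"
$BroadPortCount       = 16      # assumed: more than 16 ports in one segment is "broad"
$AdPorts              = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)  # assumed DC ports
$AdRpcRange           = @{ First = 49152; Last = 65535 }                  # assumed RPC range

function ConvertTo-IPv4Int {
    param([string]$Address)
    # Big-endian octets -> integer; done arithmetically so host byte order is irrelevant.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IsBroadCidr {
    param([string]$Cidr)   # e.g. "10.0.0.0/8"; a bare address is treated as a /32
    $parts  = $Cidr -split '/'
    $prefix = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    return $prefix -lt $BroadPrefixThreshold
}

function Test-IsBroadIpRange {
    param([string]$Range)  # e.g. "10.0.0.0-10.0.0.255"
    $ends  = $Range -split '-'
    $first = ConvertTo-IPv4Int $ends[0]
    $last  = ConvertTo-IPv4Int $ends[1]
    # Inclusive bounds: the +1 is the off-by-one fix (10.0.0.0-10.0.0.255 is 256 hosts, not 255).
    $count = $last - $first + 1
    return $count -gt $BroadAddressCount
}

function Test-IsBroadPortRange {
    param([string]$Ports, [switch]$IsAdSegment)  # "389" or "49152-65535"
    $ends  = $Ports -split '-'
    $first = [int]$ends[0]
    $last  = if ($ends.Count -gt 1) { [int]$ends[1] } else { $first }
    if ($IsAdSegment) {
        # Domain controllers legitimately need single AD ports and the dynamic RPC range.
        if ($first -eq $last -and $AdPorts -contains $first) { return $false }
        if ($first -eq $AdRpcRange.First -and $last -eq $AdRpcRange.Last) { return $false }
    }
    return ($last - $first + 1) -gt $BroadPortCount
}

# Sample segments (constructed) run through the checks.
Test-IsBroadCidr      '10.0.0.0/8'                    # /8 prefix
Test-IsBroadIpRange   '10.0.0.0-10.0.0.255'           # exactly 256 hosts, inclusive
Test-IsBroadPortRange '49152-65535' -IsAdSegment      # AD dynamic RPC exception
Test-IsBroadPortRange '1-65535'                       # every TCP port
```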
@aahmed-spec I've opened a new pull request, #752, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: aahmed-spec <250927798+aahmed-spec@users.noreply.github.com>
Extract hardcoded AD ports to constant for maintainability
Inconsistent indentation detected. Lines 249-256 use tabs while the rest of the file uses spaces. PowerShell style guidelines typically recommend using spaces consistently throughout the file for better readability across different editors. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Inconsistent indentation detected. Line 346 uses tabs while the rest of the file uses spaces. PowerShell style guidelines typically recommend using spaces consistently throughout the file for better readability across different editors. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Clarified output descriptions in Test-IsBroadCidr function.
…Assessment.25395.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
updated 255 instead of 256 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@aahmed-spec I've opened a new pull request, #753, to work on those changes. Once the pull request is ready, I'll request review from you.
@copilot check the comments you have shared and let me know if they are resolved now.
@aahmed-spec I've opened a new pull request, #754, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: aahmed-spec <250927798+aahmed-spec@users.noreply.github.com>
Fix off-by-one errors in IP and port range calculations for Test-Assessment.25395
Adding test 25395