Skip to content

Add B2B Guest Access specification for Private Apps in Global Secure Access#3

Draft
Copilot wants to merge 7 commits intomainfrom
copilot/update-b2b-guest-access-md
Draft

Add B2B Guest Access specification for Private Apps in Global Secure Access#3
Copilot wants to merge 7 commits intomainfrom
copilot/update-b2b-guest-access-md

Conversation

Copy link

Copilot AI commented Jan 25, 2026
edited
Loading

Adds network specification for B2B Guest Access enabling external partners to access internal private applications through Global Secure Access without legacy VPN infrastructure.

Changes

  • New spec file: spec/network/30113.md
    • Follows established network spec format (30111.md, 30112.md)
    • Risk Level: High | User Impact: Low | Implementation Cost: Medium
    • Category: Zero Trust Network Access (ZTNA), B2B Collaboration

Specification Structure

  • Customer Facing Explanation: Security benefits of identity-driven, per-application access vs. legacy VPN-based external collaboration
  • Check Queries: Three validation queries covering:
    1. Private Access forwarding profile configuration for guest access
    2. B2B guest user assignments and Conditional Access policies
    3. Active guest user traffic through Global Secure Access client
  • Remediation Resources: 10-step implementation guide with Microsoft Learn documentation references
  • API Endpoints: Microsoft Graph beta APIs for networkAccess, identity/conditionalAccess, and traffic logs

Technical Context

Addresses preview feature where Global Secure Access client supports tenant switching for B2B guests, enabling least-privilege access to designated private apps using home organization credentials. All guest activity logged through Microsoft Entra audit trails with immediate revocation capability.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • learn.microsoft.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

When you look at this md file - I want to change, so that it covers "Implement B2B Guest Access for private apps" instead. You can find more details in this article - https://learn.microsoft.com/en-us/entra/global-secure-access/concept-b2b-guest-access. Can you please suggest changes to the md file, according to the format and style to the other network based md files?

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

tdetzner and others added 5 commits November 25, 2025 17:23
@tdetzner
feat: Add Network pillar specs for Global Secure Access and Universal…
6bd7ad3 
… CAE

- 30111: Global Secure Access is enabled
  - Checks for traffic forwarding profile configuration
  - Validates active user/remote network assignments
  - Includes Graph API endpoints for networkAccess/forwardingProfiles

- 30112: Universal Continuous Access Evaluation is enabled for GSA
  - Checks Conditional Access policies with CAE session controls
  - Validates Global Secure Access workload targeting
  - Includes optional Strict Enforcement mode validation

- network-spec-prompt.md: Network pillar-specific spec creation guidance
  - Tailored for Entra-based network checks
  - Includes API guidance for GSA, Azure networking, and Conditional Access
  - Provides validation checklist for network specs
@tdetzner
feat: Implement PowerShell check logic for Network pillar tests 30111…
6e66f4f 
… and 30112

- Test-Assessment.30111.ps1: Global Secure Access is enabled
  - Query 1: Retrieves networkAccess/forwardingProfiles to check configuration
  - Query 2: Validates user and remote network assignments to profiles
  - Output: Detailed markdown table with profile status and assignment counts
  - Includes portal link for manual verification

- Test-Assessment.30112.ps1: Universal CAE is enabled for GSA
  - Query 1: Retrieves Conditional Access policies with CAE session controls
  - Query 2: Checks for Strict Enforcement mode configuration (optional)
  - Output: Detailed markdown showing CAE-enabled policies and enforcement status
  - Includes documentation references and portal link

Both tests follow the existing ZtTest pattern and include:
- Proper licensing checks
- Error handling for Graph API calls
- Markdown-formatted output for reports
- Portal links for manual remediation
- Comprehensive details for troubleshooting
@tdetzner
fix: Remove trailing whitespace in 30112.md
51b58c6
@tdetzner
Merge branch 'microsoft:main' into main
e579d15
Initial plan
039a33c
Copilot AI and others added 2 commits January 25, 2026 21:46
@tdetzner
Create B2B Guest Access spec for Private Apps (30113.md)
5d789bc 
Co-authored-by: tdetzner <89040104+tdetzner@users.noreply.github.com>
@tdetzner
Fix Query 1 endpoint to remove unnecessary branchId parameter
15774c4 
Co-authored-by: tdetzner <89040104+tdetzner@users.noreply.github.com>
Copilot AI changed the title [WIP] Update MD file for B2B guest access in private apps Add B2B Guest Access specification for Private Apps in Global Secure Access Jan 25, 2026
Copilot AI requested a review from tdetzner January 25, 2026 21:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tdetzner tdetzner Awaiting requested review from tdetzner

Assignees

@tdetzner tdetzner

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tdetzner