Add: MT.1181 Check if a Conditional Access policy is present that blocks high agent risk signins #1809
Merged
+76
−2
9 commits
- 3f1483b (ExeqZ): Create a Maester test to check if a conditional access policy is avai…
- 81d8fbe (ExeqZ): Create documentation for the new check
- 18a1dc2 (ExeqZ): Add Test-MtCaAgentRiskBlockPolicy to module manifest and update docum…
- 37b8038 (ExeqZ): Fix wording in Test-MtCaAgentRiskBlockPolicy documentation for clarity
- 9801ea2 (ExeqZ): Add check for Conditional Access policy blocking high agent risk sign…
- 38974fc (ExeqZ): Refine title for high agent risk sign-in Conditional Access policy check
- 2475a79 (ExeqZ): Update Test-MtCaAgentRiskBlockPolicy.md
- d132381 (ExeqZ): Update Test-MtCaAgentRiskBlockPolicy.ps1
- aba3f94 (merill): Merge branch 'main' into main
powershell/public/maester/entra/Test-MtCaAgentRiskBlockPolicy.md (19 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| Checks whether your tenant has at least one enabled Conditional Access policy that blocks agent identities detected as high risk. | ||
|
|
||
| This check looks for enabled Microsoft Entra (Azure AD) Conditional Access policies that target agent identity with risk levels set to `High` and enforce a `Block` grant control. | ||
| Agents (service or managed identities used by automation or AI) that are flagged as high risk by Entra ID Protection should be prevented from authenticating to prevent potentially compromised AI agents from accessing organizational resources. | ||
|
|
||
| #### Remediation action: | ||
|
|
||
| To remediate, create or update a Conditional Access policy that: | ||
|
|
||
| - Users or agents: all agent identities. | ||
| - Target resources: All resources (formerly 'All cloud apps') | ||
| - Conditions: `Agent risk` to include `high`. | ||
| - Uses a grant control that includes the `Block` action. | ||
|
|
||
| Refer to Microsoft documentation when creating policies to ensure correct targeting and scope. | ||
|
|
||
| #### Related links | ||
|
|
||
| - Microsoft doc: https://learn.microsoft.com/entra/identity/conditional-access/policy-agent-block-high-risk | ||
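Review bot: the parenthetical on the `Agents (service or managed identities used by automation or AI)` line overstates what this check covers. The accompanying Test-MtCaAgentRiskBlockPolicy.ps1 only matches policies whose `conditions.agentIdRiskLevels` includes `high`, which is the agent ID risk condition and not workload identity (service principal) risk, so a policy that blocks risky service principals will not satisfy the test. Suggest rewording to `Agent identities that are flagged as high risk by Microsoft Entra ID Protection should be prevented from authenticating ...` and adding one sentence stating that the check does not validate the policy's include scope, so a policy scoped to a subset of agents also passes. Minor: the `Target resources` bullet is missing its trailing period, and `Entra ID Protection` should be spelled the same way as `Microsoft Entra (Azure AD)` in the sentence above it.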
powershell/public/maester/entra/Test-MtCaAgentRiskBlockPolicy.ps1 (50 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| function Test-MtCaAgentRiskBlockPolicy { | ||
| <# | ||
| .Synopsis | ||
| Checks if the tenant has at least one conditional access policy that blocks agent identities based on their risk level. | ||
|
|
||
| .Description | ||
| Organizations should block agent identities that are detected as high risk by Microsoft Entra ID Protection to helping prevent potentially compromised AI agents from accessing your organization's resources. | ||
|
|
||
| Learn more: | ||
| https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-agent-block-high-risk | ||
|
|
||
| .Example | ||
| Test-MtCaAgentRiskBlockPolicy | ||
|
|
||
| .LINK | ||
| https://maester.dev/docs/commands/Test-MtCaAgentRiskBlockPolicy | ||
| #> | ||
| [CmdletBinding()] | ||
| [OutputType([bool])] | ||
| param () | ||
|
|
||
| try { | ||
| $policies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq 'enabled'} | ||
|
|
||
|
|
||
| $policiesResult = New-Object System.Collections.ArrayList | ||
| $result = $false | ||
|
|
||
| foreach ($policy in $policies) { | ||
| if ($policy.conditions.agentIdRiskLevels -match 'high' -and $policy.grantControls.builtInControls -match 'block'){ | ||
| $result = $true | ||
| $policiesResult.Add($policy) | Out-Null | ||
| } else { | ||
| $CurrentResult = $false | ||
| } | ||
| Write-Verbose "$($policy.displayName) - $CurrentResult" | ||
| } | ||
|
|
||
| if ( $result ) { | ||
| $testResult = "Well done! The following conditional access policies sufficiently blockes high risk agent identities:`n`n%TestResult%" | ||
| } else { | ||
| $testResult = 'No conditional access policy found that targets high risk agent identities.' | ||
| } | ||
|
|
||
| Add-MtTestResultDetail -Result $testResult -GraphObjects $policiesResult -GraphObjectType ConditionalAccess | ||
| return $result | ||
| } catch { | ||
| Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ | ||
| return $null | ||
| } | ||
| } | ||
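Review bot: `$CurrentResult` is only assigned in the `else` branch, so for a matching policy the `Write-Verbose "$($policy.displayName) - $CurrentResult"` line prints either nothing (first iteration) or the previous policy's result; set `$CurrentResult = $true` inside the `if` block, or assign `$CurrentResult = $false` at the top of each iteration and flip it on match. Two smaller points: `-match 'high'` and `-match 'block'` are regex matches against array values, so `-contains 'high'` / `-contains 'block'` states the intent more precisely (with a collection on the left, `-match` returns the matching elements rather than a boolean, which happens to work in the `if` but is easy to misread); and the success string has a typo, `blockes` should be `blocks`, as does `.Description`, where `to helping prevent` should be `to help prevent`. Since the loop only inspects `agentIdRiskLevels` and `builtInControls`, the test passes for a policy that blocks high risk but is scoped to only a few agents or carries broad exclusions; that limitation is worth a sentence in the synopsis or the .md.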