
AI - 61008 - Agent identity lifecycle tagging (customSecurityAttributes present) #1229

Open

sandeepjha000 wants to merge 9 commits into dev from feature-61008

Conversation

@sandeepjha000 Collaborator

Copilot AI review requested due to automatic review settings May 20, 2026 06:10
@sandeepjha000 sandeepjha000 changed the base branch from main to dev May 20, 2026 06:10
@sandeepjha000 sandeepjha000 self-assigned this May 20, 2026
Contributor

Copilot AI left a comment

Pull request overview

Adds a new AI pillar assessment (TestId 61008) to validate that Agent Identity service principals and their parent blueprint principals are lifecycle-tagged with Custom Security Attributes (CSAs), enabling scalable Conditional Access targeting.

Changes:

  • Introduces a new PowerShell assessment test (61008) that queries exported ServicePrincipal data and evaluates CSA presence on both the agent identity and blueprint principal surfaces.
  • Adds end-user remediation guidance and embeds formatted assessment output into the corresponding markdown template.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.61008.ps1 | New assessment logic + reporting for CSA lifecycle tagging across agent identity and blueprint principal surfaces. |
| src/powershell/tests/Test-Assessment.61008.md | New documentation/remediation content and placeholder for rendered test output. |
Comments suppressed due to low confidence (3)

src/powershell/tests/Test-Assessment.61008.ps1:152

  • The blueprint principal lookup is keyed by $bp.appId, but later you index it with $agent.agentIdentityBlueprintId. This mismatch will cause blueprint principals to be missed (and conditionB to stay $false) unless agentIdentityBlueprintId actually contains the blueprint appId. Use a consistent join key (typically the blueprint principal id if agentIdentityBlueprintId is an objectId), and update the comment/variable names accordingly.
```powershell
# Build blueprint principal lookup keyed by appId for O(1) join
$blueprintLookup = @{}
foreach ($bp in $blueprintPrincipals) {
    if ($bp.appId) {
        $blueprintLookup[$bp.appId] = $bp
    }
}
```

src/powershell/tests/Test-Assessment.61008.ps1:227

  • The pass/fail summary text doesn’t match the spec logic implemented below: $passed can be $true even when some agents have a gap on one surface (because you only fail when both surfaces are untagged). Update the ✅/❌ messages so they accurately describe the evaluated condition (e.g., “at least one surface tagged for every agent” vs “one or more agents untagged on both surfaces”).
```powershell
if ($passed) {
    $testResultMarkdown = "✅ All agent identity service principals have custom security attributes assigned for lifecycle classification.`n`n%TestResult%"
}
else {
    $testResultMarkdown = "❌ One or more agent identity service principals do not have custom security attributes assigned. These untagged agents cannot be targeted by attribute-based Conditional Access policies.`n`n%TestResult%"
}
```

src/powershell/tests/Test-Assessment.61008.ps1:244

  • This section title says “missing custom security attributes”, but the table includes any agent with a gap on either surface (per $hasAnySurfaceGap). Rename the heading to reflect that it’s listing “surface gaps” (or similar) to avoid contradicting the overall pass condition.
```markdown
## [Agent identities missing custom security attributes]({0})

| Agent display name | Agent identity attribute names | Blueprint principal display name | Blueprint principal attribute names | Untagged surface |
|---|---|---|---|---|
{1}
```

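As an added illustration (not the PR's code and not the project's Test-Assessment.61008.ps1), the following PowerShell shows the two review points above in runnable form: a blueprint lookup keyed consistently on the blueprint principal object id on both sides of the join, and a pass rule that fails only when an agent is untagged on both surfaces while still listing every single-surface gap for the report table. The property names (customSecurityAttributes, agentIdentityBlueprintId, id, appId, displayName), the attribute-set/attribute value shape, and all sample principals are assumptions constructed for this example.

```powershell
# Added example, not the PR's code. Assumptions (not taken from the page):
# principals are PSCustomObjects deserialised from Microsoft Graph servicePrincipal
# JSON; customSecurityAttributes is a map of attribute-set name ->
# { "@odata.type": ..., <AttributeName>: <value> }; agentIdentityBlueprintId holds
# the blueprint principal's object id, so the lookup is keyed by id, not appId.

function Get-CsaAttributeName {
    # Returns "<AttributeSet>.<Attribute>" for every CSA assigned to a principal.
    param([Parameter(Mandatory)] $ServicePrincipal)

    $names = @()
    $csa = $ServicePrincipal.customSecurityAttributes
    if ($null -eq $csa) { return $names }
    foreach ($set in $csa.PSObject.Properties) {
        if ($set.Name -like '@odata*' -or $null -eq $set.Value) { continue }
        foreach ($attr in $set.Value.PSObject.Properties) {
            if ($attr.Name -like '@odata*') { continue }
            $names += ('{0}.{1}' -f $set.Name, $attr.Name)
        }
    }
    return $names
}

function Test-AgentLifecycleTagging {
    param(
        [Parameter(Mandatory)] $AgentIdentities,
        [Parameter(Mandatory)] $BlueprintPrincipals
    )

    # Consistent join key: blueprint object id on both sides of the join.
    $blueprintLookup = @{}
    foreach ($bp in $BlueprintPrincipals) {
        if ($bp.id) { $blueprintLookup[$bp.id] = $bp }
    }

    $rows = foreach ($agent in $AgentIdentities) {
        $bp = $null
        if ($agent.agentIdentityBlueprintId) {
            $bp = $blueprintLookup[$agent.agentIdentityBlueprintId]
        }
        $agentNames = @(Get-CsaAttributeName $agent)
        $bpNames    = @(if ($bp) { Get-CsaAttributeName $bp })
        $conditionA = $agentNames.Count -gt 0   # agent identity surface tagged
        $conditionB = $bpNames.Count -gt 0      # blueprint principal surface tagged

        $untagged = @()
        if (-not $conditionA) { $untagged += 'Agent identity' }
        if (-not $conditionB) { $untagged += 'Blueprint principal' }

        [pscustomobject]@{
            AgentDisplayName        = $agent.displayName
            AgentAttributeNames     = ($agentNames -join ', ')
            BlueprintDisplayName    = if ($bp) { $bp.displayName } else { '(blueprint not found)' }
            BlueprintAttributeNames = ($bpNames -join ', ')
            UntaggedSurface         = ($untagged -join ', ')
            HasAnySurfaceGap        = -not ($conditionA -and $conditionB)
            UntaggedOnBothSurfaces  = -not ($conditionA -or $conditionB)
        }
    }

    # Fail only when an agent is untagged on BOTH surfaces; a gap on one surface
    # is reported in SurfaceGaps but does not fail the test.
    [pscustomobject]@{
        Passed      = (@($rows | Where-Object { $_.UntaggedOnBothSurfaces }).Count -eq 0)
        SurfaceGaps = @($rows | Where-Object { $_.HasAnySurfaceGap })
        Rows        = @($rows)
    }
}

# Constructed sample input; ids, names and attribute names are made up.
$blueprintJson = @'
[
  { "id": "bp-1", "appId": "app-bp-1", "displayName": "Ticket triage blueprint",
    "customSecurityAttributes": { "AgentGovernance": { "@odata.type": "#microsoft.graph.customSecurityAttributeValue", "Lifecycle": "Production" } } },
  { "id": "bp-2", "appId": "app-bp-2", "displayName": "Report drafting blueprint",
    "customSecurityAttributes": null }
]
'@
$agentJson = @'
[
  { "id": "ag-1", "appId": "app-ag-1", "displayName": "Triage agent (tagged)", "agentIdentityBlueprintId": "bp-1",
    "customSecurityAttributes": { "AgentGovernance": { "@odata.type": "#microsoft.graph.customSecurityAttributeValue", "Lifecycle": "Production", "Owner": "it-ops" } } },
  { "id": "ag-2", "appId": "app-ag-2", "displayName": "Triage agent (blueprint only)", "agentIdentityBlueprintId": "bp-1",
    "customSecurityAttributes": null },
  { "id": "ag-3", "appId": "app-ag-3", "displayName": "Drafting agent (untagged)", "agentIdentityBlueprintId": "bp-2",
    "customSecurityAttributes": null }
]
'@
$blueprints = @($blueprintJson | ConvertFrom-Json)
$agents     = @($agentJson | ConvertFrom-Json)

$result = Test-AgentLifecycleTagging -AgentIdentities $agents -BlueprintPrincipals $blueprints
"Passed (every agent tagged on at least one surface): $($result.Passed)"
$result.SurfaceGaps | Format-Table AgentDisplayName, BlueprintDisplayName, UntaggedSurface -AutoSize
```

With this sample, ag-1 is tagged on both surfaces, ag-2 only through its blueprint (listed as a surface gap, not a failure), and ag-3 is untagged on both surfaces, so Passed is False and two rows appear in the gap table. Note that if the join key were mixed (lookup keyed by appId, indexed by an object id) ag-2 would also show as untagged on both surfaces and the result would overstate the failure.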

@sandeepjha000 sandeepjha000 added ready for review PR is ready for review and merging and removed ready for review PR is ready for review and merging labels May 20, 2026
@sandeepjha000 sandeepjha000 added the ready for review PR is ready for review and merging label May 21, 2026
Contributor

@alexandair alexandair left a comment

@sandeepjha000 Please, address my feedback.

@sandeepjha000 sandeepjha000 requested a review from alexandair May 22, 2026 04:31
Contributor

@alexandair alexandair left a comment

LGTM


Labels

ready for review PR is ready for review and merging


3 participants