Network-25396: Conditional Access policies enforce strong authentication for private apps #744
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds a new security assessment test (ID: 25396) that validates whether Conditional Access policies enforce strong authentication methods for Private Access applications within Microsoft Entra Global Secure Access.
Key changes:
- Implements comprehensive test logic to evaluate Private Access applications (both Per-app and Quick Access types) for CA policy coverage requiring MFA or authentication strength
- Introduces sophisticated authentication strength classification (Phishing-Resistant, Passwordless MFA, MFA baseline)
- Provides detailed reporting with manual review capability for apps protected via applicationFilter-based policies
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25396.ps1 | New test function that queries Private Access apps, evaluates CA policy coverage, classifies authentication strength levels, and generates detailed compliance reports with pass/fail/investigate status |
| src/powershell/tests/Test-Assessment.25396.md | Documentation explaining security risks of unprotected private apps and providing remediation guidance with links to Microsoft Learn articles |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
praneeth-0000
added
enhancement
alexandair
left a comment
alexandair
left a comment
There was a problem hiding this comment.
@praneeth-0000 Please, address my feedback.
| elseif ($authStrengthPolicy.policyType -eq 'custom') { | ||
| # Check if all allowed combinations are phishing-resistant | ||
| $allPhishingResistant = $true | ||
| foreach ($authMethod in $authStrengthPolicy.allowedCombinations) { | ||
| if ($authMethod -notin $phishingResistantMethods) { | ||
| $allPhishingResistant = $false | ||
| break | ||
| } | ||
| } | ||
| $currentLevel = if ($allPhishingResistant) { 'PhishingResistant' } else { 'MFA' } | ||
| } |
There was a problem hiding this comment.
Issue: This logic fails to handle multi-factor combinations correctly. The allowedCombinations array contains strings like:
"windowsHelloForBusiness" (single factor)
"password,microsoftAuthenticatorPush" (combination)
"password,sms" (combination)
When a custom auth strength has allowedCombinations = @("password,fido2"), the current logic checks if "password,fido2" is in the phishing-resistant list, finds it's not, and classifies as MFA instead of PhishingResistant.
Correct Implementation:
elseif ($authStrengthPolicy.policyType -eq 'custom') {
$allPhishingResistant = $true
foreach ($combination in $authStrengthPolicy.allowedCombinations) {
# Split combination by comma and check each method
$methods = $combination -split ','
$hasPhishingResistantMethod = $false
foreach ($method in $methods) {
if ($phishingResistantMethods -contains $method.Trim()) {
$hasPhishingResistantMethod = $true
break
}
}
if (-not $hasPhishingResistantMethod) {
$allPhishingResistant = $false
break
}
}
$currentLevel = if ($allPhishingResistant) { 'PhishingResistant' } else { 'MFA' }
}There was a problem hiding this comment.
Hi @alexandair , checked the "allowedCombinations" property, it has individual strings without commas
and coming to logic part, @tdetzner could you please confirm in the scenario where allowedCombinations has password , fido2 should the authentication strength level be phishing resistant or mfa?
According to docx "phishingResistant: Built-in phishing-resistant strength OR custom strength with only phishing-resistant methods", I thought the allowedCombinations should only contain one or all phishing resistant methods.
Added test for 25396
Conditional Access policies enforce strong authentication for private apps