-
Notifications
You must be signed in to change notification settings - Fork 121
Network-25396: Conditional Access policies enforce strong authentication for private apps #744
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
praneeth-0000
wants to merge
7
commits into
main
Choose a base branch
from
Feature-25396
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+347
−0
Open
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
7c5b06c
Test 25396
praneeth-0000 9afd381
Changed user facing messages and beautified code
praneeth-0000 9a81ac6
fixed casing in table headers
praneeth-0000 3ffa3e8
fixed user facing messages
praneeth-0000 21fd120
moved portal links to bottom
praneeth-0000 943356d
combined q1 and q4 queries and simplified logic
praneeth-0000 c7ada61
added logic to handle empty csa
praneeth-0000 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| When Private Access applications are not protected by Conditional Access policies requiring strong authentication, organizations undermine the security benefits of their Zero Trust Network Access implementation. | ||
|
|
||
| Threat actors who obtain user credentials through phishing attacks, credential stuffing, or password spraying can authenticate to private applications using only a compromised password, gaining initial access to internal resources that should be protected by stronger controls. Once authenticated, threat actors can establish persistence by accessing sensitive internal systems, downloading data, or creating additional access mechanisms. The absence of multifactor authentication—or worse, the use of phishable MFA methods such as SMS or voice—enables adversary-in-the-middle attacks where threat actors intercept authentication tokens and session cookies, facilitating credential access to additional systems. | ||
|
|
||
| Threat actors can then perform lateral movement by pivoting from the initially compromised private application to other internal resources accessible through the Private Access infrastructure. | ||
|
|
||
| Microsoft recommends enforcing phishing-resistant authentication methods such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for access to private applications, with multifactor authentication as the minimum acceptable baseline. The authentication strength feature in Conditional Access allows organizations to require specific combinations of authentication methods, enabling granular enforcement aligned with the Microsoft passwordless strategy. | ||
|
|
||
| **Remediation action** | ||
|
|
||
| - [Apply Conditional Access policies to Private Access applications requiring MFA or authentication strength from within Global Secure Access](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-target-resource-private-access-apps) | ||
|
|
||
| - [Configure authentication strength policies to require phishing-resistant methods for high-value private applications](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths) | ||
|
|
||
| - [Deploy phishing-resistant authentication methods including FIDO2 security keys, Windows Hello for Business, or certificate-based authentication](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-plan-prerequisites-phishing-resistant-passwordless-authentication) | ||
| <!--- Results ---> | ||
| %TestResult% |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,330 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Validates that Conditional Access policies enforce strong authentication for Private Access applications. | ||
|
|
||
| .DESCRIPTION | ||
| This test checks if all Private Access applications (Per-app and Quick Access) are protected | ||
| by Conditional Access policies requiring strong authentication (MFA or authentication strength). | ||
|
|
||
| .NOTES | ||
| Test ID: 25396 | ||
| Category: Global Secure Access | ||
| Required API: applications, servicePrincipals, identity/conditionalAccess/policies, authenticationStrength/policies | ||
| #> | ||
|
|
||
| function Test-Assessment-25396 { | ||
| [ZtTest( | ||
| Category = 'Global Secure Access', | ||
| ImplementationCost = 'Medium', | ||
| MinimumLicense = ('Entra_Premium_Private_Access', 'AAD_PREMIUM'), | ||
| Pillar = 'Network', | ||
| RiskLevel = 'High', | ||
| SfiPillar = 'Protect identities and secrets', | ||
| TenantType = ('Workforce'), | ||
| TestId = 25396, | ||
| Title = 'Conditional Access policies enforce strong authentication for private apps', | ||
| UserImpact = 'Medium' | ||
| )] | ||
| [CmdletBinding()] | ||
| param() | ||
|
|
||
| #region Data Collection | ||
| Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose | ||
|
|
||
| $activity = 'Checking Private Access authentication controls' | ||
| Write-ZtProgress -Activity $activity -Status 'Getting Private Access applications' | ||
|
|
||
| # Query Q1: Get all Private Access service principals with tags and CSAs | ||
| $privateAccessApps = Invoke-ZtGraphRequest -RelativeUri 'servicePrincipals' -Filter "(tags/any(t:t eq 'PrivateAccessNonWebApplication') or tags/any(t:t eq 'NetworkAccessQuickAccessApplication'))" -Select 'id,displayName,appId,tags,customSecurityAttributes' -ApiVersion v1.0 -ConsistencyLevel eventual | ||
|
|
||
| # Initialize test variables | ||
| $testResultMarkdown = '' | ||
| $passed = $false | ||
| $allAppDetails = @() | ||
| $totalApps = 0 | ||
| $phishingResistantApps = 0 | ||
| $passwordlessMfaApps = 0 | ||
| $mfaApps = 0 | ||
| $unprotectedApps = 0 | ||
| $manualReviewApps = 0 | ||
| $appsWithoutCSA = 0 | ||
| $filterPoliciesCount = 0 | ||
|
|
||
| # Built-in authentication strength IDs | ||
| $builtInAuthStrengthIds = @{ | ||
| 'MFA' = '00000000-0000-0000-0000-000000000002' | ||
| 'PasswordlessMFA' = '00000000-0000-0000-0000-000000000003' | ||
| 'PhishingResistant' = '00000000-0000-0000-0000-000000000004' | ||
| } | ||
|
|
||
| # Authentication level priority for comparison | ||
| $authLevelPriority = @{ | ||
| 'PhishingResistant' = 4 | ||
| 'PasswordlessMFA' = 3 | ||
| 'MFA' = 2 | ||
| 'None' = 1 | ||
| } | ||
|
|
||
| # Status sort order for reporting | ||
| $statusSortOrder = @{ | ||
| 'Protected' = 3 | ||
| 'Manual Review' = 2 | ||
| 'Unprotected' = 1 | ||
| } | ||
|
|
||
| # Phishing-resistant methods | ||
| $phishingResistantMethods = @('windowsHelloForBusiness', 'fido2', 'x509CertificateMultiFactor') | ||
| #endregion Data Collection | ||
|
|
||
| #region Assessment Logic | ||
| if (-not $privateAccessApps -or $privateAccessApps.Count -eq 0) { | ||
| $passed = $false | ||
| $testResultMarkdown = @" | ||
| ⚠️ No Private Access applications are configured. | ||
|
|
||
| ## Portal Links | ||
|
|
||
| - [Global Secure Access > Applications > Enterprise applications](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/EnterpriseApplicationListBladeV3/fromNav/globalSecureAccess/applicationType/GlobalSecureAccessApplication) | ||
| - [Conditional Access > Policies](https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview/menuId//fromNav/Identity) | ||
| - [Authentication methods > Authentication strengths](https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/AuthStrengths) | ||
| "@ | ||
| } | ||
| else { | ||
| $totalApps = $privateAccessApps.Count | ||
|
|
||
| Write-ZtProgress -Activity $activity -Status 'Getting Conditional Access policies' | ||
|
|
||
| # Query Q2: Get all enabled CA policies | ||
| $caPolicies = Get-ZtConditionalAccessPolicy | Where-Object { $_.state -eq 'enabled' } | ||
|
|
||
| # Count policies with applicationFilter | ||
| $filterPolicies = $caPolicies | Where-Object { $_.conditions.applications.applicationFilter } | ||
| $filterPoliciesCount = if ($filterPolicies) { $filterPolicies.Count } else { 0 } | ||
|
|
||
| # Cache for authentication strength policies | ||
| $authStrengthCache = @{} | ||
|
|
||
| Write-ZtProgress -Activity $activity -Status 'Evaluating authentication controls for each app' | ||
|
|
||
| foreach ($app in $privateAccessApps) { | ||
| $appId = $app.appId | ||
| $displayName = $app.displayName | ||
|
|
||
| # Determine app type | ||
| $appType = if ($app.tags -contains 'NetworkAccessQuickAccessApplication') { 'Quick Access' } else { 'Per-App' } | ||
|
|
||
| # Check CSA presence | ||
| $hasCSA = $null -ne $app.customSecurityAttributes -and ($app.customSecurityAttributes.PSObject.Properties.Count -gt 0) | ||
|
|
||
| # Find CA policies targeting this app | ||
| $targetingPolicies = @() | ||
| foreach ($policy in $caPolicies) { | ||
| $includeApps = $policy.conditions.applications.includeApplications | ||
| $excludeApps = $policy.conditions.applications.excludeApplications | ||
|
|
||
| # Check if explicitly excluded | ||
| if ($excludeApps -contains $appId) { | ||
| continue | ||
| } | ||
|
|
||
| # Check direct targeting or "All" | ||
| if (($includeApps -contains $appId) -or ($includeApps -contains 'All')) { | ||
| $targetingPolicies += $policy | ||
| } | ||
| } | ||
|
|
||
| # Determine authentication strength level | ||
| $authLevel = 'None' | ||
| $authStrengthName = 'N/A' | ||
| $allPolicyDetails = @() | ||
| $status = 'Unprotected' | ||
|
|
||
| if ($targetingPolicies.Count -gt 0) { | ||
| # Evaluate all targeting policies and collect details | ||
| foreach ($policy in $targetingPolicies) { | ||
| $currentLevel = 'None' | ||
| $currentStrengthName = 'N/A' | ||
|
|
||
| # Check for authentication strength (Q3) | ||
| if ($policy.grantControls.authenticationStrength -and $policy.grantControls.authenticationStrength.id) { | ||
| $authStrengthId = $policy.grantControls.authenticationStrength.id | ||
|
|
||
| # Retrieve auth strength policy details if not cached | ||
| if (-not $authStrengthCache.ContainsKey($authStrengthId)) { | ||
| $authStrengthUri = "identity/conditionalAccess/authenticationStrength/policies/$authStrengthId" | ||
| $authStrengthPolicy = Invoke-ZtGraphRequest -RelativeUri $authStrengthUri -ApiVersion v1.0 | ||
| $authStrengthCache[$authStrengthId] = $authStrengthPolicy | ||
| } | ||
|
|
||
| $authStrengthPolicy = $authStrengthCache[$authStrengthId] | ||
| $currentStrengthName = $authStrengthPolicy.displayName | ||
|
|
||
| # Classify authentication strength | ||
| if ($authStrengthPolicy.policyType -eq 'builtIn') { | ||
| if ($authStrengthId -eq $builtInAuthStrengthIds['PhishingResistant']) { | ||
| $currentLevel = 'PhishingResistant' | ||
| } | ||
| elseif ($authStrengthId -eq $builtInAuthStrengthIds['PasswordlessMFA']) { | ||
| $currentLevel = 'PasswordlessMFA' | ||
| } | ||
| elseif ($authStrengthId -eq $builtInAuthStrengthIds['MFA']) { | ||
| $currentLevel = 'MFA' | ||
| } | ||
| } | ||
| elseif ($authStrengthPolicy.policyType -eq 'custom') { | ||
| # Check if all allowed combinations are phishing-resistant | ||
| $allPhishingResistant = $true | ||
| foreach ($authMethod in $authStrengthPolicy.allowedCombinations) { | ||
| if ($authMethod -notin $phishingResistantMethods) { | ||
| $allPhishingResistant = $false | ||
| break | ||
| } | ||
| } | ||
| $currentLevel = if ($allPhishingResistant) { 'PhishingResistant' } else { 'MFA' } | ||
| } | ||
| } | ||
| # Check for MFA in builtInControls | ||
| elseif ($policy.grantControls.builtInControls -contains 'mfa') { | ||
| $currentLevel = 'MFA' | ||
| $currentStrengthName = 'MFA (built-in)' | ||
| } | ||
|
|
||
| # Collect policy details | ||
| $allPolicyDetails += [PSCustomObject]@{ | ||
| PolicyName = $policy.displayName | ||
| AuthStrength = $currentStrengthName | ||
| Level = $currentLevel | ||
| Priority = $authLevelPriority[$currentLevel] | ||
| } | ||
| } | ||
|
|
||
| # Sort by strongest auth level and get the overall strongest | ||
| $sortedPolicies = $allPolicyDetails | Sort-Object -Property Priority -Descending | ||
| $strongestPolicy = $sortedPolicies | Select-Object -First 1 | ||
| $authLevel = $strongestPolicy.Level | ||
| $authStrengthName = $strongestPolicy.AuthStrength | ||
|
|
||
| # Get all policies with the strongest auth level | ||
| $strongestPolicies = $allPolicyDetails | Where-Object { $_.Level -eq $authLevel } | ||
| $strongestPolicyNames = ($strongestPolicies | ForEach-Object { $_.PolicyName }) -join ', ' | ||
| } | ||
|
|
||
| # Determine status | ||
| if ($authLevel -ne 'None') { | ||
| $status = 'Protected' | ||
|
|
||
| # Update counters | ||
| switch ($authLevel) { | ||
| 'PhishingResistant' { $phishingResistantApps++ } | ||
| 'PasswordlessMFA' { $passwordlessMfaApps++ } | ||
| 'MFA' { $mfaApps++ } | ||
| } | ||
| } | ||
| elseif ($hasCSA -and $filterPoliciesCount -gt 0) { | ||
| $status = 'Manual Review' | ||
| $manualReviewApps++ | ||
| } | ||
| else { | ||
| $status = 'Unprotected' | ||
| $unprotectedApps++ | ||
| } | ||
|
|
||
| if (-not $hasCSA) { | ||
| $appsWithoutCSA++ | ||
| } | ||
|
|
||
| # Add to results | ||
| $allAppDetails += [PSCustomObject]@{ | ||
| AppName = $displayName | ||
| AppId = $appId | ||
| AppType = $appType | ||
| HasCSA = if ($hasCSA) { 'Yes' } else { 'No' } | ||
| CAPolicies = if ($allPolicyDetails.Count -gt 0) { $strongestPolicyNames } else { 'None' } | ||
| AuthStrength = $authStrengthName | ||
| Level = $authLevel | ||
| Status = $status | ||
| StatusSort = $statusSortOrder[$status] | ||
| } | ||
| } | ||
|
|
||
| if ($unprotectedApps -eq 0 -and $manualReviewApps -eq 0) { | ||
| $passed = $true | ||
| $testResultMarkdown = "All Private Access applications are targeted by at least one enabled CA policy that requires authentication strength or MFA.`n`n%TestResult%" | ||
| } | ||
| elseif ($unprotectedApps -eq 0 -and $manualReviewApps -gt 0) { | ||
| # Investigate state | ||
| $passed = $false | ||
| $testResultMarkdown = "Private Access applications have Custom Security Attributes assigned but no direct CA policy coverage. CA policies use applicationFilter targeting. Manual review required to verify if these apps are protected by applicationFilter-based policies.`n`n%TestResult%" | ||
| } | ||
| else { | ||
| # Fail state | ||
| $passed = $false | ||
| $testResultMarkdown = "One or more Private Access applications are not protected by Conditional Access policies requiring strong authentication.`n`n%TestResult%" | ||
| } | ||
| } | ||
| #endregion Assessment Logic | ||
|
|
||
| #region Report Generation | ||
| $mdInfo = '' | ||
|
|
||
| if ($totalApps -gt 0) { | ||
| $portalAppsLink = 'https://entra.microsoft.com/#view/Microsoft_AAD_IAM/EnterpriseApplicationListBladeV3/fromNav/globalSecureAccess/applicationType/GlobalSecureAccessApplication' | ||
| $portalCaLink = 'https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview/menuId//fromNav/Identity' | ||
| $portalAuthStrengthLink = 'https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/AuthStrengths' | ||
|
|
||
| $mdInfo += @" | ||
|
|
||
| ## Summary | ||
|
|
||
| - **Total Private Access Apps:** $totalApps | ||
| - **Apps with Phishing-Resistant MFA:** $phishingResistantApps | ||
| - **Apps with Passwordless MFA:** $passwordlessMfaApps | ||
| - **Apps with MFA (baseline):** $mfaApps | ||
| - **Apps without Strong Auth:** $unprotectedApps | ||
| - **Apps Requiring Manual Review:** $manualReviewApps | ||
| - **Apps without CSAs:** $appsWithoutCSA | ||
| - **CA Policies using applicationFilter:** $filterPoliciesCount | ||
|
|
||
| ## Application Details | ||
|
|
||
| | App name | App id | App type | Has CSAs | CA policy | Auth strength | Level | Status | | ||
| | :------- | :----- | :------- | :------- | :-------- | :------------ | :---- | :----- | | ||
|
|
||
| "@ | ||
|
|
||
| foreach ($app in ($allAppDetails | Sort-Object StatusSort, AppName)) { | ||
| $statusIcon = switch ($app.Status) { | ||
| 'Protected' { '✅' } | ||
| 'Unprotected' { '❌' } | ||
| 'Manual Review' { '⚠️' } | ||
| default { '' } | ||
| } | ||
| $mdInfo += "| $($app.AppName) | $($app.AppId) | $($app.AppType) | $($app.HasCSA) | $($app.CAPolicies) | $($app.AuthStrength) | $($app.Level) | $statusIcon $($app.Status) |`n" | ||
alexandair marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
|
|
||
| $mdInfo += @" | ||
| ## Portal Links | ||
| - [Portal Link: Global Secure Access > Applications](${portalAppsLink}) | ||
| - [Conditional Access Policies](${portalCaLink}) | ||
| - [Authentication Strengths](${portalAuthStrengthLink}) | ||
| "@ | ||
| } | ||
|
|
||
| # Replace the placeholder with detailed information | ||
| $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo | ||
| #endregion Report Generation | ||
|
|
||
| $params = @{ | ||
| TestId = '25396' | ||
| Title = 'Conditional Access policies enforce strong authentication for private apps' | ||
| Status = $passed | ||
| Result = $testResultMarkdown | ||
| } | ||
|
|
||
| if ($unprotectedApps -eq 0 -and $manualReviewApps -gt 0) { | ||
| $params.CustomStatus = 'Investigate' | ||
| } | ||
|
|
||
| # Add test result details | ||
| Add-ZtTestResultDetail @params | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue: This logic fails to handle multi-factor combinations correctly. The allowedCombinations array contains strings like:
"windowsHelloForBusiness" (single factor)
"password,microsoftAuthenticatorPush" (combination)
"password,sms" (combination)
When a custom auth strength has allowedCombinations = @("password,fido2"), the current logic checks if "password,fido2" is in the phishing-resistant list, finds it's not, and classifies as MFA instead of PhishingResistant.
Correct Implementation:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @alexandair , checked the "allowedCombinations" property, it has individual strings without commas
and coming to logic part, @tdetzner could you please confirm in the scenario where allowedCombinations has password , fido2 should the authentication strength level be phishing resistant or mfa?
According to docx "
phishingResistant: Built-in phishing-resistant strength OR custom strength with only phishing-resistant methods", I thought the allowedCombinations should only contain one or all phishing resistant methods.