Merged
12 changes: 12 additions & 0 deletions src/powershell/tests/Test-Assessment.25407.md
@@ -0,0 +1,12 @@
When Internet Access policies are applied only through the Baseline Profile without Conditional Access integration, traffic filtering operates without identity or context awareness. Threat actors who compromise user credentials can exploit this gap because policy enforcement lacks the ability to differentiate between normal and risky sign-in sessions. Without Conditional Access linking security profiles to users, the organization cannot apply stricter filtering rules based on user risk level, device compliance state, or location context.

A compromised account operating from an anomalous location or exhibiting risky behavior receives the same network access as a legitimate user operating from a compliant device. This uniform policy application prevents adaptive security controls from restricting access during active compromise, allowing threat actors to reach malicious destinations, exfiltrate data, or establish command-and-control channels without triggering user-aware security enforcement. Integrating security profiles with Conditional Access enables identity-aware web content filtering that can block access to high-risk categories for risky sessions while allowing broader access for verified, compliant users.

**Remediation action**

- Create a security profile in Global Secure Access to group web content filtering policies:[How to configure Global Secure Access web content filtering](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-web-content-filtering)

- Create a Conditional Access policy targeting users or groups and link the security profile through Session controls: [Conditional Access: Session controls](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#use-global-secure-access-security-profile)

<!--- Results --->
%TestResult%
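Review bot: The remediation steps in this hunk omit two conditions the paired Test-Assessment.25407.ps1 actually enforces, so a reader following them can still fail the check: the Conditional Access policy must be in the enabled state (report-only policies are skipped), and both the security profile itself and its session-control linkage must be enabled. Consider adding a third bullet such as "Confirm the Conditional Access policy is set to On and that the linked security profile is enabled; report-only policies and disabled profiles are not counted." Also, the first bullet is missing a space before the link ("policies:[How to configure ..."), which renders the colon and link text run together.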
100 changes: 100 additions & 0 deletions src/powershell/tests/Test-Assessment.25407.ps1
@@ -0,0 +1,100 @@
<#
.SYNOPSIS
Internet Access security profiles are applied to users via Conditional Access policies.
#>

function Test-Assessment-25407 {
[ZtTest(
Category = 'Global Secure Access',
ImplementationCost = 'Medium',
MinimumLicense = ('Entra_Premium_Internet_Access'),
Pillar = 'Network',
RiskLevel = 'High',
SfiPillar = 'Protect networks',
TenantType = ('Workforce', 'External'),
TestId = 25407,
Title = 'Internet Access security policies are enforced through Conditional Access for user-aware protection',
UserImpact = 'Low'
)]
[CmdletBinding()]
param()

#region Data Collection
Write-PSFMessage '🟦 Start GSA Conditional Access evaluation (security profiles via CA)' -Tag Test -Level VeryVerbose

# Q1: Retrieve all Conditional Access policies
$policies = Get-ZtConditionalAccessPolicy

# Q2: Retrieve all Global Secure Access filtering/security profiles
$filteringProfiles = Invoke-ZtGraphRequest -RelativeUri 'networkAccess/filteringProfiles' -ApiVersion beta

# Process CA policies to find those with enabled GSA security profiles linked to enabled filtering profiles

$gsaPolicies = $policies | Where-Object { ($_.state -eq 'enabled' )-and ($null -ne $_.sessionControls.globalSecureAccessFilteringProfile) }
$gsaPolicyDetails = @()

foreach ($policy in $gsaPolicies) {
$profileId = $policy.sessionControls.globalSecureAccessFilteringProfile.profileId
$caLinkageEnabled = $policy.sessionControls.globalSecureAccessFilteringProfile.isEnabled
$matchedProfile = $filteringProfiles | Where-Object { $_.id -eq $profileId }
$gsaPolicyDetails += [PSCustomObject]@{
PolicyId = $policy.id
PolicyDisplayName = $policy.displayName
PolicyState = $policy.state
ProfileId = $profileId
CALinkageEnabled = $caLinkageEnabled
ProfileName = $matchedProfile.name
ProfileState = $matchedProfile.state
}
}
$caPolicyWithGsaProfilesEnabled = $gsaPolicyDetails | Where-Object { $_.ProfileState -eq 'enabled' -and $_.CALinkageEnabled -eq $true }
$caPolicyWithGsaProfilesDisabled = $gsaPolicyDetails | Where-Object { $_.ProfileState -ne 'enabled' -or $_.CALinkageEnabled -ne $true }
#endregion Data Collection

#region Assessment Logic
$passed = $caPolicyWithGsaProfilesEnabled.Count -ge 1
#endregion Assessment Logic

#region Report Generation
$mdInfo = ''
$testResultMarkdown = ''
# Generate markdown table for policies with Global Secure Access filtering profiles
if ($passed) {
$testResultMarkdown = "✅ Internet Access policy is being applied via Conditional Access.`n`n%TestResult%"
}
else {
$testResultMarkdown = "❌ Internet Access policy is not being applied via Conditional Access.`n`n%TestResult%"
if ($gsaPolicyDetails) {
$mdInfo = "`n## Conditional Access Policies with Global Secure Access Security Profiles`n`n"
$mdInfo += "| CA Policy Name | CA Policy State | Security Profile ID | CA Linkage Enabled | Security Profile Name | Security Profile State |`n"
$mdInfo += "| :--- | :--- | :--- | :--- | :--- | :--- |`n"
foreach ($item in $caPolicyWithGsaProfilesDisabled) {
$policyPortalLink = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/$($item.PolicyId)"
$caStateIcon = '✅ Enabled'
$linkageIcon = if ($item.CALinkageEnabled) {
'✅ Enabled'
}
else {
'❌ Disabled'
}
$profileStateIcon = if ($item.ProfileState -eq 'enabled') {
'✅ Enabled'
}
else {
'❌ Disabled'
}
$mdInfo += "| [$(Get-SafeMarkdown $item.PolicyDisplayName)]($policyPortalLink) | $caStateIcon | $($item.ProfileId) | $linkageIcon | $(Get-SafeMarkdown $item.ProfileName) | $profileStateIcon |`n"
}
}
}

#endregion Report Generation

$params = @{
TestId = '25407'
Status = $passed
Result = $testResultMarkdown -replace '%TestResult%', $mdInfo
}

Add-ZtTestResultDetail @params
}
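Review bot: In the Report Generation region the evidence table is only built in the failing branch, so a passing result replaces %TestResult% with an empty string and the report never names the policy or profile that satisfied the check; move the table construction outside the else block and iterate $gsaPolicyDetails in both branches so the assessment shows which enabled CA policy links which enabled profile. Two smaller points in the same hunk: in the foreach at $matchedProfile = $filteringProfiles | Where-Object { $_.id -eq $profileId }, a CA policy that references a deleted or otherwise unresolvable profile yields $null, which the table then renders with a blank Security Profile Name and "❌ Disabled", indistinguishable from a profile that exists but is disabled; a "not found" marker would make the failure actionable. And the attribute declares TestId = 25407 as an integer while the $params splat passes TestId = '25407' as a string; pick one type for consistency with the other tests.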