Merge pull request #711 from microsoft/Feature-25403

SagarSathe · web-flow · commit a9869ae3bd41 · 2026-01-06T15:07:39.000+05:30
Feature - 25403 - DC Agent is deployed and enforcing strong authentication policies.
diff --git a/src/powershell/tests/Test-Assessment.25403.md b/src/powershell/tests/Test-Assessment.25403.md
@@ -0,0 +1,8 @@
+Without the Microsoft Entra Private Access Sensor agent deployed to domain controllers, threat actors can exploit Kerberos authentication requests from any device on the network. This includes unmanaged or compromised endpoints that can obtain service tickets for on-premises resources without multifactor authentication or device compliance validation. Once initial access is established through weak authentication to domain controllers, threat actors can request Kerberos tickets for privileged resources such as file shares, database servers, and remote desktop services. This enables lateral movement across the on-premises environment. The absence of identity-centric access controls on domain controllers allows threat actors to bypass conditional access policies. Kerberos authentication traditionally operates within a perimeter-based trust model where any authenticated user can request tickets regardless of authentication strength or device posture. This creates opportunities for threat actors to maintain persistence by continuously requesting service tickets from compromised or unmanaged devices, escalating privileges by targeting Service Principal Names associated with sensitive systems, and exfiltrating data from resources that rely solely on Kerberos authentication without additional security layers. The gap becomes particularly problematic when threat actors compromise user credentials through phishing or credential theft, as they can immediately leverage those credentials to access domain-authenticated resources. This can occur without triggering conditional access policies or multifactor authentication requirements that would normally apply to cloud-based access scenarios.
+
+**Remediation Resources**
+
+- [Configure Microsoft Entra Private Access for Active Directory domain controllers](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-domain-controllers)
+
+<!--- Results --->
+%TestResult%
diff --git a/src/powershell/tests/Test-Assessment.25403.ps1 b/src/powershell/tests/Test-Assessment.25403.ps1
@@ -0,0 +1,130 @@
+<#
+.SYNOPSIS
+    Validates that Private Access Sensors are deployed on domain controllers and enforcing strong authentication policies.
+
+.DESCRIPTION
+    This test checks if Microsoft Entra Private Access Sensors are deployed to domain controllers
+    and configured to enforce strong authentication policies (status active and not in audit mode).
+
+.NOTES
+    Test ID: 25403
+    Category: Private Access
+    Required API: onPremisesPublishingProfiles/privateAccess/sensors (beta)
+#>
+
+function Test-Assessment-25403 {
+    [ZtTest(
+        Category = 'Private Access',
+        ImplementationCost = 'Medium',
+        MinimumLicense = ('Entra_Suite', 'Entra_Premium_Private_Access'),
+        Pillar = 'Network',
+        RiskLevel = 'High',
+        SfiPillar = 'Protect networks',
+        TenantType = ('Workforce'),
+        TestId = 25403,
+        Title = 'DC Agent is deployed and enforcing strong authentication policies',
+        UserImpact = 'Medium'
+    )]
+    [CmdletBinding()]
+    param()
+
+    #region Data Collection
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+    $activity = 'Checking Private Access Sensors on domain controllers'
+    Write-ZtProgress -Activity $activity -Status 'Getting Private Access Sensors'
+
+    # Query all Private Access Sensors
+    $sensors = Invoke-ZtGraphRequest -RelativeUri 'onPremisesPublishingProfiles/privateAccess/sensors' -ApiVersion beta
+    #endregion Data Collection
+
+    #region Assessment Logic
+    # Initialize test variables
+    $testResultMarkdown = ''
+    $passed = $false
+
+    if ($null -eq $sensors -or $sensors.Count -eq 0) {
+        # No sensors found - fail
+        $passed = $false
+        $testResultMarkdown = "❌ Microsoft Entra Private Access Sensors for domain controllers is not deployed.`n`n%TestResult%"
+    }
+    else {
+        # Identify sensors that are active and enforcing (not in audit mode)
+        $enforcingSensors = $sensors | Where-Object { $_.status -eq 'active' -and $_.isAuditMode -eq $false }
+        $nonEnforcingSensors = $sensors | Where-Object { $_.status -ne 'active' -or $_.isAuditMode -eq $true }
+
+        # Determine pass/fail status
+        if ($enforcingSensors.Count -gt 0 -and $nonEnforcingSensors.Count -eq 0) {
+            # All sensors are active and enforcing - pass
+            $passed = $true
+            $testResultMarkdown = "✅ Microsoft Entra Private Access for domain controllers is deployed and enforcing strong authentication policies.`n`n%TestResult%"
+        }
+        elseif ($enforcingSensors.Count -eq 0) {
+            # No sensors are enforcing - fail
+            $passed = $false
+            $testResultMarkdown = "❌ Microsoft Entra Private Access Sensors are deployed but strong authentication policies are not configured.`n`n%TestResult%"
+        }
+        else {
+            # Some sensors enforcing, some not - partial deployment warning (fail)
+            $passed = $false
+            $testResultMarkdown = "⚠️ Microsoft Entra Private Access Sensors are partially configured. Some domain controllers are not enforcing strong authentication policies.`n`n%TestResult%"
+        }
+    }
+    #endregion Assessment Logic
+
+    #region Report Generation
+    # Build detailed markdown information
+    $mdInfo = ''
+
+    if ($sensors -and $sensors.Count -gt 0) {
+        $reportTitle = "Private Access Sensors"
+
+        $mdInfo += "`n## $reportTitle`n`n"
+        $mdInfo += "[Open Private Access in Entra Portal](https://entra.microsoft.com/#view/Microsoft_Azure_Network_Access/PrivateAccessOverview.ReactView)`n`n"
+
+        # Summary statistics
+        $mdInfo += "- **Total sensors**: $($sensors.Count)`n"
+        $mdInfo += "- **Active and enforcing**: $($enforcingSensors.Count)`n"
+        $mdInfo += "- **Not enforcing**: $($nonEnforcingSensors.Count)`n`n"
+
+        # Show warning for sensors not enforcing
+        if ($nonEnforcingSensors.Count -gt 0) {
+            $mdInfo += "**⚠️ Sensors not enforcing policies:** $($nonEnforcingSensors.Count)`n`n"
+        }
+
+        # Build table rows - show problematic sensors first
+        $allSensors = @()
+        $allSensors += $nonEnforcingSensors | ForEach-Object { $_ | Add-Member -NotePropertyName 'Priority' -NotePropertyValue 1 -PassThru -Force }
+        $allSensors += $enforcingSensors | ForEach-Object { $_ | Add-Member -NotePropertyName 'Priority' -NotePropertyValue 2 -PassThru -Force }
+
+        $tableRows = $allSensors | Sort-Object -Property Priority, machineName | ForEach-Object {
+            $statusIcon = if ($_.status -eq 'active') { '✅' } else { '❌' }
+            $auditModeIcon = if ($_.isAuditMode) { '⚠️ Yes' } else { '✅ No' }
+            $machineName = Get-SafeMarkdown $_.machineName
+            $version = Get-SafeMarkdown $_.version
+            $externalIp = Get-SafeMarkdown $_.externalIp
+
+            "| $machineName | $statusIcon $($_.status) | $auditModeIcon | $version | $externalIp |"
+        }
+
+        $mdInfo += @'
+| Machine name | Status | Audit mode | Version | External IP |
+| :----------- | :----- | :--------- | :------ | :---------- |
+{0}
+
+'@ -f ($tableRows -join "`n")
+    }
+
+    # Replace the placeholder with detailed information
+    $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo
+    #endregion Report Generation
+
+    $params = @{
+        TestId = '25403'
+        Title  = 'DC Agent is deployed and enforcing strong authentication policies'
+        Status = $passed
+        Result = $testResultMarkdown
+    }
+
+    Add-ZtTestResultDetail @params
+}
