Network 25377: Users accessing external applications from corporate devices are blocked unless explicitly authorized by tenant restrictions policies #838

Merged
merill merged 17 commits into main from Feature-25377
Feb 5, 2026

Conversation

@ashwinikarke
Collaborator

No description provided.

Contributor

Copilot AI left a comment

Pull request overview

Adds a new Network/Global Secure Access assessment (Test ID 25377) to validate that Universal Tenant Restrictions (UTR) are configured to block access to unauthorized external tenants.

Changes:

  • Introduces Test-Assessment-25377 PowerShell test to evaluate Global Secure Access network packet tagging and the tenant restrictions v2 default policy.
  • Adds markdown remediation/description content for the new assessment.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/powershell/tests/Test-Assessment.25377.ps1 | Implements the assessment logic and detailed markdown reporting for UTR configuration validation. |
| src/powershell/tests/Test-Assessment.25377.md | Provides risk context and remediation guidance with a %TestResult% insertion point. |

Collaborator

@alexandair alexandair left a comment

@ashwinikarke Please, address my feedback.

Collaborator

@alexandair alexandair left a comment

@ashwinikarke
Spec says:

Note: If Users & Groups Target does not equal AllUsers, put Specific users and groups configured in the Current Value column.
Note: If Applications Target does not equal AllApplications, put Specific applications configured in the Current Value column.

Please, address that.

@ashwinikarke
Collaborator Author

ashwinikarke commented Feb 2, 2026

> @ashwinikarke Spec says:
>
> Note: If Users & Groups Target does not equal AllUsers, put Specific users and groups configured in the Current Value column.
> Note: If Applications Target does not equal AllApplications, put Specific applications configured in the Current Value column.
>
> Please, address that.

@alexandair As discussed in the DSM, I’ve updated the table to display up to five applications, with an ellipsis ... shown if there are more than five.

Collaborator

@merill merill left a comment

@ashwinikarke We need to get the names of the apps and show them. The GUIDs are not going to be helpful. If only the ID is available, then you should look up the Service Principals (or Applications) db table by objectid to get the name.

@ashwinikarke
Collaborator Author

> @ashwinikarke We need to get the names of the apps and show them. The GUIDs are not going to be helpful. If only the ID is available, then you should look up the Service Principals (or Applications) db table by objectid to get the name.

@merill / @alexandair To retrieve application names from the DB, can I create a shared function in the shared folder so Praneet can also reuse it and include this change in this same PR?

@ashwinikarke ashwinikarke requested a review from merill February 4, 2026 08:54
@alexandair
Collaborator

@ashwinikarke How will this work if the assessment test function doesn't have a Database parameter?

@ashwinikarke
Collaborator Author

> @ashwinikarke How will this work if the assessment test function doesn't have a Database parameter?

@alexandair It worked without the $Database parameter maybe because the test framework uses $global:Database, but I added the parameter to follow best practices and align with other tests.

@alexandair alexandair requested review from alexandair and removed request for alexandair February 5, 2026 22:20
@alexandair
Collaborator

LGTM

/cc @merill

@alexandair alexandair dismissed their stale review February 5, 2026 22:29

@merill merill merged commit 7f8a3d1 into main Feb 5, 2026
4 checks passed