Network - 25398 - Domain controller RDP access is protected by phishing-resistant authentication through Global Secure Access#873
Manoj-Kesana wants to merge 7 commits into main from
… into Feature-25398
Pull request overview
Adds a new Network assessment (25398) to evaluate whether Entra Private Access (Global Secure Access) RDP access to domain controllers is protected by Conditional Access requiring phishing-resistant authentication.
Changes:
- Introduces a new PowerShell test (25398) that discovers Private Access apps/segments with RDP (3389) and correlates them with CA policies requiring “Phishing-resistant MFA”.
- Generates markdown reporting tables for identified DC-like hosts, RDP apps, and relevant CA policies.
- Adds the corresponding remediation documentation markdown page for assessment 25398.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25398.ps1 | New assessment logic to discover Private Access RDP exposure and evaluate CA phishing-resistant auth coverage, plus report generation. |
| src/powershell/tests/Test-Assessment.25398.md | New assessment documentation describing risk and remediation steps with a results placeholder. |
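
The correlation this assessment describes, as an added PowerShell example that is not the PR's code: it finds Private Access apps whose segments expose RDP (3389) and reports whether an enabled Conditional Access policy requiring "Phishing-resistant MFA" targets them. The sample apps and policies are constructed, `Test-PortInList` and `Get-RdpAppCoverage` are hypothetical names, and the code assumes each `ports` entry is a single port or a `low-high` range and ignores policy exclusions and user scoping.

```powershell
# Added example: all sample data is constructed; function names are hypothetical.
function Test-PortInList {
    # Assumption: each .ports entry is "3389" or a range such as "3389-3389".
    param([string[]]$Ports, [int]$Port)
    foreach ($entry in $Ports) {
        $low, $high = $entry -split '-', 2
        if (-not $high) { $high = $low }
        if ($Port -ge [int]$low -and $Port -le [int]$high) { return $true }
    }
    return $false
}

function Get-RdpAppCoverage {
    param($Apps, $Policies)
    # Enabled policies whose grant control is the "Phishing-resistant MFA" strength.
    $strong = @($Policies | Where-Object {
        $_.state -eq 'enabled' -and
        $_.grantControls.authenticationStrength.displayName -eq 'Phishing-resistant MFA'
    })
    foreach ($app in $Apps) {
        $rdp = @($app.Segments | Where-Object { Test-PortInList $_.ports 3389 })
        if ($rdp.Count -eq 0) { continue }   # app publishes no RDP segment
        $matching = @($strong | Where-Object {
            $inc = $_.conditions.applications.includeApplications
            $inc -contains $app.AppId -or $inc -contains 'All'
        })
        [pscustomobject]@{
            AppId     = $app.AppId
            Hosts     = $rdp.destinationHost -join ', '
            Protected = $matching.Count -gt 0
        }
    }
}

$apps = @(
    [pscustomobject]@{ AppId = 'app-1'; Segments = @(
        [pscustomobject]@{ destinationHost = 'dc01.contoso.example'; ports = @('3389-3389') }) },
    [pscustomobject]@{ AppId = 'app-2'; Segments = @(
        [pscustomobject]@{ destinationHost = 'dc02.contoso.example'; ports = @('3389') }) }
)
$policies = @(
    [pscustomobject]@{
        state         = 'enabled'
        conditions    = [pscustomobject]@{ applications = [pscustomobject]@{ includeApplications = @('app-1') } }
        grantControls = [pscustomobject]@{ authenticationStrength = [pscustomobject]@{ displayName = 'Phishing-resistant MFA' } }
    }
)
Get-RdpAppCoverage -Apps $apps -Policies $policies | Format-Table
```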
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@Manoj-Kesana I've opened a new pull request, #900, to work on those changes. Once the pull request is ready, I'll request review from you.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| $hostsWith389 = @() | ||
|
|
||
| foreach ($segment in $segments) { | ||
| $ports = $segment.port |
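Review bot: `$ports = $segment.port` in the `foreach ($segment in $segments)` loop has no guard for a missing value, and PowerShell returns `$null` for an absent property without raising an error, so an empty `$hostsWith389` would be indistinguishable from "no DC-like hosts found". Whatever the property name ends up being, check `$ports` for `$null` right after this assignment and emit a warning or skip the segment explicitly, so a schema mismatch surfaces in the output instead of producing a clean-looking result.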
The property name should be ports (plural), not port (singular). Based on Test-Assessment.25395.ps1, the applicationSegments schema uses $segment.ports to access the port list. Using $segment.port will result in null values and the DC host identification logic will fail to detect ports 88 and 389.
| $ports = $segment.port | |
| $ports = $segment.ports |
|
|
||
| foreach ($segment in $appData.Segments) { | ||
| $destinationHost = $segment.destinationHost | ||
| $ports = $segment.port |
The property name should be ports (plural), not port (singular). This should be $segment.ports to match the applicationSegments API schema used elsewhere in the codebase (e.g., Test-Assessment.25395.ps1). Using $segment.port will result in null values and the RDP app detection logic will fail.
| $ports = $segment.port | |
| $ports = $segment.ports |
| $appData = $allAppSegments[$appId] | ||
|
|
||
| foreach ($segment in $appData.Segments) { | ||
| $ports = $segment.port |
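Review bot: `$ports = $segment.port` here is the third copy of the same read on this page (it also appears in the `foreach ($segment in $segments)` loop and in the earlier `foreach ($segment in $appData.Segments)` loop). Pull the port extraction into one small helper that all three loops call, so the property name is corrected in a single place and the DC-host and RDP-app checks cannot drift apart.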
The property name should be ports (plural), not port (singular). This should be $segment.ports to match the applicationSegments API schema. Using $segment.port will result in null values and the RDP app detection logic will fail.
… into Feature-25398
No description provided.