Conversation

@ashwinikarke
Collaborator

No description provided.

Contributor

Copilot AI left a comment

Pull request overview

This pull request introduces a new security assessment test (Test ID 25410) for validating web content filtering policies in Microsoft Entra Global Secure Access. The test verifies that internet traffic is protected by checking if web content filtering policies exist and are properly enforced either through the Baseline Profile or through security profiles assigned to Conditional Access policies.

Changes:

  • Adds PowerShell test script to assess web content filtering policy configuration and enforcement
  • Includes markdown documentation with threat context and remediation guidance

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/powershell/tests/Test-Assessment.25410.ps1 | New test function that queries filtering policies and security profiles via Microsoft Graph API, validates enforcement through Baseline Profile or CA-linked security profiles, and generates detailed markdown reports with policy and profile information |
| src/powershell/tests/Test-Assessment.25410.md | Documentation explaining the security risks of missing web content filtering, including threat actor exploitation scenarios, and providing comprehensive remediation steps with links to Microsoft Learn documentation |

Collaborator

@alexandair alexandair left a comment

LGTM

@alexandair alexandair self-requested a review January 27, 2026 22:34
Collaborator

@alexandair alexandair left a comment

@ashwinikarke
In Test-Assessment.25410.ps1, if the API calls fail, the test fails gracefully but potentially misleadingly.

Here is the exact sequence of events based on the code:

  1. Exceptions are Caught: The API calls to Invoke-ZtGraphRequest are wrapped in try...catch blocks.
  2. Warnings Logged: If a call fails, it logs a warning (e.g., Write-PSFMessage "Failed to get filtering policies...").
  3. Variables Set to Empty: The variables $policies and $profiles default to empty arrays @{} when the API calls return $null or fail.
    $policies = if ($filteringPolicies) { $filteringPolicies } else { @() }
    $profiles = if ($securityProfiles) { $securityProfiles } else { @() }
  4. Test Fails on Count Check: The assessment logic checks if items exist:
    if ($policies.Count -gt 0 -and $profiles.Count -gt 0) { ... }
    Since the arrays are empty, this block is skipped.
  5. Result is False: The test defaults to $passed = $false with the standard failure message:

    "❌ Web content filtering is not properly configured - either no policies exist..."

Impact: The test will report a Failure (Red) rather than an Error state, which might confuse a user into thinking they haven't configured the feature, when in reality the script just couldn't talk to the API.

@ashwinikarke
Collaborator Author

ashwinikarke commented Jan 28, 2026

@ashwinikarke In Test-Assessment.25410.ps1, if the API calls fail, the test fails gracefully but potentially misleadingly.

Here is the exact sequence of events based on the code:

  1. Exceptions are Caught: The API calls to Invoke-ZtGraphRequest are wrapped in try...catch blocks.

  2. Warnings Logged: If a call fails, it logs a warning (e.g., Write-PSFMessage "Failed to get filtering policies...").

  3. Variables Set to Empty: The variables $policies and $profiles default to empty arrays @{} when the API calls return $null or fail.

    $policies = if ($filteringPolicies) { $filteringPolicies } else { @() }
    $profiles = if ($securityProfiles) { $securityProfiles } else { @() }
  4. Test Fails on Count Check: The assessment logic checks if items exist:

    if ($policies.Count -gt 0 -and $profiles.Count -gt 0) { ... }

    Since the arrays are empty, this block is skipped.

  5. Result is False: The test defaults to $passed = $false with the standard failure message:

    "❌ Web content filtering is not properly configured - either no policies exist..."

Impact: The test will report a Failure (Red) rather than an Error state, which might confuse a user into thinking they haven't configured the feature, when in reality the script just couldn't talk to the API.

@alexandair Added $customStatus = 'Investigate' when the API call fails (with the message "Unable to determine web content filtering status due to API connection failure or insufficient permissions").
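
The failure mode raised in this review, as an illustration added here; it is not code from the pull request or from Test-Assessment.25410.ps1. It keeps "the query failed" separate from "the query returned nothing", so a swallowed API error yields an Investigate status instead of a false "not configured" failure. `Get-WebFilterVerdict` and its script-block parameters are hypothetical stand-ins for the project's Graph calls, and the enforcement logic is reduced to the count check quoted in the review.

```powershell
# Added illustration; Get-WebFilterVerdict, -PolicyQuery and -ProfileQuery are
# hypothetical names. The script blocks stand in for the project's Graph requests.
function Get-WebFilterVerdict {
    param(
        [Parameter(Mandatory)] [scriptblock] $PolicyQuery,
        [Parameter(Mandatory)] [scriptblock] $ProfileQuery
    )

    $queryFailed = $false
    $policies = @()
    $profiles = @()

    # Record the failure explicitly instead of letting it collapse into an empty array.
    try { $policies = @(& $PolicyQuery) }
    catch {
        Write-Warning "Failed to get filtering policies: $_"
        $queryFailed = $true
    }
    try { $profiles = @(& $ProfileQuery) }
    catch {
        Write-Warning "Failed to get security profiles: $_"
        $queryFailed = $true
    }

    # Decide "could not check" before "not configured": an empty array after a
    # failed call says nothing about the tenant's actual configuration.
    if ($queryFailed) {
        return [pscustomobject]@{
            Passed       = $false
            CustomStatus = 'Investigate'
            Message      = 'Unable to determine web content filtering status due to API connection failure or insufficient permissions'
        }
    }

    $passed = ($policies.Count -gt 0 -and $profiles.Count -gt 0)
    [pscustomobject]@{
        Passed       = $passed
        CustomStatus = $null
        Message      = if ($passed) { 'Policies and profiles found' } else { 'No policies or no profiles exist' }
    }
}

# Constructed inputs: a rejected call versus a tenant with nothing configured.
$denied = Get-WebFilterVerdict -PolicyQuery { throw '403 Forbidden' } -ProfileQuery { @() }
$empty  = Get-WebFilterVerdict -PolicyQuery { @() } -ProfileQuery { @() }
$denied, $empty | Format-Table Passed, CustomStatus, Message -AutoSize
```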
