Network - 25415 - Enterprise generative AI applications are protected from prompt injection attacks through AI Gateway #835
Conversation
Manoj-Kesana
changed the title
There was a problem hiding this comment.
Pull request overview
Adds a new Network/Global Secure Access assessment (25415) to verify that Prompt Shield (AI Gateway) prompt-injection protections are configured and enforced.
Changes:
- Introduces
Test-Assessment-25415PowerShell test that queries prompt policies and evaluates enforcement via Baseline Profile or CA-assigned Security Profiles. - Adds accompanying markdown guidance content and a
%TestResult%insertion point for reporting.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25415.ps1 | Implements the assessment logic, Graph data collection, enforcement evaluation, and detailed markdown report tables. |
| src/powershell/tests/Test-Assessment.25415.md | Provides remediation steps and embeds the %TestResult% placeholder for generated output. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Q2: Get filtering profiles with linked policies and Conditional Access policies | ||
| Write-ZtProgress -Activity $activity -Status 'Querying security profiles and linked policies' | ||
| $filteringProfiles = Invoke-ZtGraphRequest -RelativeUri 'networkAccess/filteringProfiles' -QueryParameters @{ | ||
| '$expand' = 'policies($expand=policy),conditionalAccessPolicies' |
There was a problem hiding this comment.
The filteringProfiles Graph request expands full policy and conditionalAccessPolicies objects but this test only needs each profile’s id/name/state/priority plus policy-link state and linked policy id for Find-ZtProfilesLinkedToPolicy. The current query’s broad $expand (and lack of $select shaping) can significantly increase payload size and latency; the conditionalAccessPolicies expansion is also unused in this script. Shape the request like other GSA tests (e.g., Test-Assessment.25411.ps1:38-41) by selecting only required profile fields and expanding policies with a minimal $select/$expand, and drop conditionalAccessPolicies from $expand.
| # Q2: Get filtering profiles with linked policies and Conditional Access policies | |
| Write-ZtProgress -Activity $activity -Status 'Querying security profiles and linked policies' | |
| $filteringProfiles = Invoke-ZtGraphRequest -RelativeUri 'networkAccess/filteringProfiles' -QueryParameters @{ | |
| '$expand' = 'policies($expand=policy),conditionalAccessPolicies' | |
| # Q2: Get filtering profiles with linked policies | |
| Write-ZtProgress -Activity $activity -Status 'Querying security profiles and linked policies' | |
| $filteringProfiles = Invoke-ZtGraphRequest -RelativeUri 'networkAccess/filteringProfiles' -QueryParameters @{ | |
| '$select' = 'id,displayName,state,priority' | |
| '$expand' = 'policies($select=id,state;$expand=policy($select=id))' |
| $allPromptPolicyIds = @() | ||
|
|
||
| # Collect all prompt policy IDs from Q1 | ||
| if ($promptPolicies) { | ||
| $allPromptPolicyIds = $promptPolicies | ForEach-Object { $_.id } | ||
| } | ||
|
|
There was a problem hiding this comment.
$allPromptPolicyIds is collected but never used, which adds noise and can confuse future maintenance. Remove the variable and the collection loop unless it’s needed for a later check/report.
| $allPromptPolicyIds = @() | |
| # Collect all prompt policy IDs from Q1 | |
| if ($promptPolicies) { | |
| $allPromptPolicyIds = $promptPolicies | ForEach-Object { $_.id } | |
| } |
Enterprise generative AI applications are protected from prompt injection attacks through AI Gateway