AI 61015 : Microsoft Entra ID data connector is enabled on the Microsoft Sentinel workspace with all log categories#1288
ashwinikarke wants to merge 5 commits into
Conversation
Pull request overview
Adds a new AI pillar assessment (61015) to evaluate whether Microsoft Entra ID diagnostic settings route the required Entra log categories into at least one Microsoft Sentinel–onboarded Log Analytics workspace, along with the accompanying markdown description used in reporting.
Changes:
- Introduces `Test-Assessment-61015` to enumerate Sentinel-onboarded workspaces and correlate them with tenant-level Entra diagnostic settings.
- Generates a per-workspace/per-category markdown report (truncated) to show coverage status.
- Adds the `Test-Assessment.61015.md` description template with remediation links and the `%TestResult%` placeholder.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.61015.ps1 | New assessment implementation and report generation for Entra→Sentinel log-category coverage. |
| src/powershell/tests/Test-Assessment.61015.md | New docs/result template content for assessment 61015. |
alexandair left a comment
@ashwinikarke Please, address my feedback.
```powershell
}

# No workspaces found — skip, matching 61002.
if ($workspaceResults -eq 'NoWorkspaces') {
```
NoWorkspaces mapped to NotApplicable skip — spec implies Fail
The spec defines only one Skip condition: "Q1 returned zero enabled subscriptions." When Get-SentinelWorkspaceData returns 'NoWorkspaces' (subscriptions exist but no Log Analytics workspaces found), the code silently skips with NotApplicable. The spec's Fail condition is "No Sentinel-onboarded workspace has an Entra diagnostic setting covering it" — which a tenant with zero workspaces satisfies. This should arguably be a Fail.
```powershell
    Select-Object -ExpandProperty category -Unique
)

# ADFSSignInLogs is N/A when no AD FS is federated to the tenant.
```
ADFSSignInLogs applicability inferred from diagnostic settings content
```powershell
$adfsApplicable = 'ADFSSignInLogs' -in $categoriesInMatchingSettings
```
If no diagnostic setting targets a workspace (or the settings omit the ADFS category key entirely), `$adfsApplicable = $false`, so the ADFS row is silently marked Skipped even when the tenant does have AD FS. The spec requires Skipped only "when the tenant has no federated AD FS server", not when the category is absent from the settings. This could hide a missing ADFS category as N/A rather than Fail.
I will work with the spec author to change it, but as we cannot check for the presence of AD FS, we should actually fail if ADFSSignInLogs is not enabled on any Sentinel-enabled Log Analytics workspace.
We should avoid extra applicability checks in this particular case.
I just checked the API: the setting can be enabled/disabled regardless of the actual AD FS configuration.
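The coverage logic discussed in the review overview and in the two comment threads above, as an added PowerShell example that is not the PR's code: it applies the two outcomes agreed in review (zero Sentinel-onboarded workspaces is a Fail rather than a NotApplicable skip, and ADFSSignInLogs is required like any other category with no applicability guess) over constructed workspace and diagnostic-setting data. The function name `Get-EntraSentinelCoverage`, the object shape of the settings, the required-category list and the resource IDs are all assumptions; the real assessment would obtain Sentinel onboarding state and the tenant's Entra diagnostic settings from Azure APIs, which this example does not call.

```powershell
# Added example, not code from the PR: check that every required Entra log category
# reaches at least one Sentinel-onboarded Log Analytics workspace.
# Review outcomes applied here:
#   - zero Sentinel-onboarded workspaces => Fail, not a NotApplicable skip
#   - ADFSSignInLogs is required like any other category (no applicability guess)

# ASSUMPTION: illustrative category list, not the assessment spec's exact list.
$RequiredCategories = @(
    'AuditLogs', 'SignInLogs', 'NonInteractiveUserSignInLogs',
    'ServicePrincipalSignInLogs', 'ManagedIdentitySignInLogs', 'ADFSSignInLogs'
)

function Get-EntraSentinelCoverage {
    param(
        # Resource IDs of workspaces already known to be Sentinel-onboarded (assumed enumerated elsewhere)
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $SentinelWorkspaceIds,
        # Entra diagnostic settings, assumed shape: { Name, WorkspaceResourceId, Logs = @({ Category, Enabled }) }
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $DiagnosticSettings,
        [Parameter(Mandatory)] [string[]] $RequiredCategories
    )

    # Spec Fail condition: no Sentinel-onboarded workspace is covered. Zero workspaces satisfies it.
    if ($SentinelWorkspaceIds.Count -eq 0) {
        return [pscustomobject]@{ Status = 'Fail'; Missing = @($RequiredCategories); Rows = @() }
    }

    # One row per workspace and category. Only settings whose destination is a Sentinel
    # workspace count; ARM resource IDs are case-insensitive, as is PowerShell's -eq.
    $rows = foreach ($wsId in $SentinelWorkspaceIds) {
        $enabled = @($DiagnosticSettings |
            Where-Object { $_.WorkspaceResourceId -eq $wsId } |
            ForEach-Object { $_.Logs } |
            Where-Object { $_.Enabled } |
            Select-Object -ExpandProperty Category -Unique)
        foreach ($cat in $RequiredCategories) {
            [pscustomobject]@{
                Workspace = ($wsId -split '/')[-1]
                Category  = $cat
                Enabled   = ($cat -in $enabled)
            }
        }
    }

    # A category is covered when any Sentinel-onboarded workspace receives it.
    $missing = @($RequiredCategories | Where-Object {
        $cat = $_
        @($rows | Where-Object { $_.Category -eq $cat -and $_.Enabled }).Count -eq 0
    })

    [pscustomobject]@{
        Status  = if ($missing.Count -eq 0) { 'Pass' } else { 'Fail' }
        Missing = $missing
        Rows    = @($rows)
    }
}

# Constructed sample data, not real tenant output. Two workspaces exist but only
# law-sentinel is Sentinel-onboarded; ADFSSignInLogs is routed only to law-ops.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces'
$sentinelWorkspaces = @("$sub/law-sentinel")
$diagSettings = @(
    [pscustomobject]@{
        Name = 'entra-to-sentinel'; WorkspaceResourceId = "$sub/law-sentinel"
        Logs = @(
            [pscustomobject]@{ Category = 'AuditLogs';                    Enabled = $true  }
            [pscustomobject]@{ Category = 'SignInLogs';                   Enabled = $true  }
            [pscustomobject]@{ Category = 'NonInteractiveUserSignInLogs'; Enabled = $true  }
            [pscustomobject]@{ Category = 'ServicePrincipalSignInLogs';   Enabled = $true  }
            [pscustomobject]@{ Category = 'ManagedIdentitySignInLogs';    Enabled = $true  }
            [pscustomobject]@{ Category = 'ADFSSignInLogs';               Enabled = $false }
        )
    }
    [pscustomobject]@{
        Name = 'entra-to-ops'; WorkspaceResourceId = "$sub/law-ops"
        Logs = @([pscustomobject]@{ Category = 'ADFSSignInLogs'; Enabled = $true })
    }
)

$result = Get-EntraSentinelCoverage -SentinelWorkspaceIds $sentinelWorkspaces `
    -DiagnosticSettings $diagSettings -RequiredCategories $RequiredCategories
"Status: $($result.Status); missing: $($result.Missing -join ', ')"
$result.Rows | Format-Table Workspace, Category, Enabled -AutoSize

# Zero Sentinel-onboarded workspaces: a Fail, not a skip.
(Get-EntraSentinelCoverage -SentinelWorkspaceIds @() -DiagnosticSettings $diagSettings `
    -RequiredCategories $RequiredCategories).Status
```

The first call fails because ADFSSignInLogs only reaches law-ops, which is not Sentinel-onboarded, so the category is reported missing rather than skipped; the second call fails because there is no workspace at all. Filtering settings by destination before collecting categories is what keeps a setting pointed at a non-Sentinel workspace from counting as coverage.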