Rolling up changes for next release

[astaykov]

Rolling up changes for next release

Release roll-up introducing a comprehensive AI security pillar and an Infrastructure pillar, plus a set of correctness and performance fixes.

🤖 AI pillar assessments

New AI agent & threat-detection checks

AI Threat Detection

• 61002 — Microsoft Sentinel is onboarded on at least one Log Analytics workspace
• 61016 — Entra ID Protection risk events are flowing to the Sentinel workspace
• 61018 — Purview Information Protection data connector enabled on Sentinel
• 61021 — Microsoft 365 Copilot data connector enabled on Sentinel
• 61022 — Defender for AI Services enabled on every subscription hosting Azure OpenAI / AI Services
• 61024 — Defender XDR (unified) data connector enabled on Sentinel

AI Cloud Posture

• 61004 — Defender for Cloud CSPM plan enabled on all Azure subscriptions

AI Authentication & Access

• 61006 — AI administrative roles have assigned principals
• 61009 — Conditional Access covers both agent identities and agent users
• 61011 — Require users to use Entra ID auth to interact with agents
• 61012 — Risk-based Conditional Access blocks risky agent identities
• 61013 — Identity governance for agents (sponsors, entitlement management, lifecycle automation)
• 61008 — Agent identity lifecycle tagging (custom security attributes present)

AI Inventory & Lifecycle

• 61005 — Copilot agents are discoverable in the Agent Registry
• 61014 — Agent identities & blueprint principals have technical owners; no disabled agents remain

Global Secure Access

• 25415 — AI Gateway protects enterprise generative AI apps from prompt-injection attacks

Data security & information-protection checks in the AI pillar

• 35003–35008 — Sensitivity label configuration, publishing, SharePoint/OneDrive labeling, PDF labeling, IRM, default library labels
• 35010–35017 — Double Key Encryption, super-user membership, container labels, encryption labels, attachment inheritance, mandatory & default labeling
• 35019–35025 — Auto-labeling (config, enforcement, SharePoint/OneDrive), on-demand scans, OCR, Azure RMS activation & licensing
• 35030–35036 — DLP policies, Adaptive Protection, custom SITs, Exact Data Match, named entities, trainable classifiers
• 35037–35041 — M365 audit logging, Insider Risk for risky AI usage, communication compliance for Copilot & enterprise AI tools, browser DLP for AI apps via Edge for Business

🏗️ Infrastructure pillar

• Surfaces Microsoft Defender for Cloud recommendations identified in the connected/scanned environment (50001), presenting them directly in the report's Infrastructure view.

🧩 Zero Trust Workshop integration (experimental)

• Assessment results now project onto Zero Trust Workshop tasks and emit a ZeroTrustWorkshop.json for direct import into the Workshop app (best-effort; never fails the run).

🔑 Graph permissions

Added the scopes required by the new AI checks (Lifecycle Workflows, privileged assignment/eligibility schedules, Copilot packages).

🐞 Fixed issues

• Test-21835: performance, correctness, and reporting cleanups for emergency access account check required #1194 — Test 21835: performance, correctness, and reporting cleanups for the emergency-access account check (deduplicated auth methods; skip per-user CA evaluation when no enabled policies exist; precompute role template IDs to avoid quadratic lookups; GA table sorts by underlying values instead of emoji).
• Test 24552 erroring #1274 — Test 24552 erroring: explicit null guard so firewall status is detected correctly (requires firewall enabled before passing).
• Test-25392 shows passed with no private access connectors installed. It should be "skipped" #1264 — Test 25392 incorrectly reported "passed" with no private-access connectors installed; now correctly "skipped".
• ZTA 2.3.0 completes successfully with clean export/database/test logs, but generated HTML report crashes when renderering #1235 — HTML report crashed on render despite a clean run; rendering safety fixes applied.
• Enhancement: Use -UseSystemBrowser for SharePoint Online interactive authentication in Connect-ZtAssessment #1193 — Use the system browser (-UseSystemBrowser) for SharePoint Online interactive auth in Connect-ZtAssessment.
• #687 — Truncate large results tables (applied to 61014) to keep the report readable.
• 21816 — PIM privileged-role assignment check now accounts for JIT access into role-assignable groups.

🛠️ Tooling & docs

• New support-package analyzer skill and Copilot review instructions.
• New troubleshooting guide with PII/OII/EUII sanitization guidance.

[Copilot]

Pull request overview

This PR prepares the next release by expanding the assessment and report pipeline to support AI pillar content, including multi-pillar test tagging, additional AI assessment tests/docs, and new Workshop-export output generation alongside the existing assessment JSON/HTML report artifacts.

Changes:

• Update the React report UI to handle multi-pillar TestPillar values, adjust Infrastructure-specific labeling (“Risk” → “Severity”), and harden Sankey inputs.
• Add/extend PowerShell AI pillar assessments, introduce shared helpers (Sentinel workspace enumeration, AI admin role catalog), and support multi-pillar pillars end-to-end (metadata, filtering, exports, results shaping).
• Add Zero Trust Workshop export generation (ZeroTrustWorkshop.json) plus mapping + tests, and update build/demo/docs/support tooling accordingly.

Reviewed changes

Copilot reviewed 99 out of 102 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/report/src/pages/Infrastructure.tsx	Updates Infrastructure results description text.
src/report/src/config/report-data.ts	Allows TestPillar to be a string or string-array.
src/report/src/components/test-table/data-table.tsx	Supports multi-pillar filtering; dynamic “Risk/Severity” labeling; selection behavior update.
src/report/src/components/test-table/columns.tsx	Makes the “Risk” column header use table meta label.
src/report/src/components/nivo/sankey.tsx	Strongly-types links and sanitizes/filters invalid Sankey link values; adds empty-state.
src/powershell/tests/Test-Assessment.61024.ps1	Adds AI test for Defender XDR Content Hub solution on Sentinel workspaces.
src/powershell/tests/Test-Assessment.61024.md	Adds remediation/why-it-matters content for test 61024.
src/powershell/tests/Test-Assessment.61022.ps1	Adds AI test for Defender for AI Services plan coverage across subscriptions hosting AI accounts.
src/powershell/tests/Test-Assessment.61022.md	Adds remediation/why-it-matters content for test 61022.
src/powershell/tests/Test-Assessment.61021.ps1	Adds/updates AI test for Microsoft 365 Copilot content package presence on Sentinel workspaces.
src/powershell/tests/Test-Assessment.61021.md	Adds remediation/why-it-matters content for test 61021.
src/powershell/tests/Test-Assessment.61018.ps1	Adds/updates AI test for Purview Information Protection content package on Sentinel workspaces.
src/powershell/tests/Test-Assessment.61018.md	Adds remediation/why-it-matters content for test 61018.
src/powershell/tests/Test-Assessment.61016.md	Adds remediation/why-it-matters content for test 61016.
src/powershell/tests/Test-Assessment.61014.ps1	Adds AI test for agent identity ownership/disabled state using exported DB data.
src/powershell/tests/Test-Assessment.61014.md	Adds remediation/why-it-matters content for test 61014.
src/powershell/tests/Test-Assessment.61013.md	Adds remediation/why-it-matters content for test 61013.
src/powershell/tests/Test-Assessment.61012.ps1	Adds AI test for risk-based Conditional Access blocking risky agent identities.
src/powershell/tests/Test-Assessment.61012.md	Adds remediation/why-it-matters content for test 61012.
src/powershell/tests/Test-Assessment.61011.ps1	Adds AI test for Entra-mediated auth evidence for agents using sign-in logs + exported DB.
src/powershell/tests/Test-Assessment.61011.md	Adds remediation/why-it-matters content for test 61011.
src/powershell/tests/Test-Assessment.61009.ps1	Adds AI test for CA coverage of both agent identities and agent users.
src/powershell/tests/Test-Assessment.61009.md	Adds remediation/why-it-matters content for test 61009.
src/powershell/tests/Test-Assessment.61008.ps1	Adds AI test for custom security attributes presence on agent identities + blueprints.
src/powershell/tests/Test-Assessment.61008.md	Adds remediation/why-it-matters content for test 61008.
src/powershell/tests/Test-Assessment.61006.md	Adds remediation/why-it-matters content for test 61006.
src/powershell/tests/Test-Assessment.61005.ps1	Adds AI test for Microsoft 365 Agent Registry discovery.
src/powershell/tests/Test-Assessment.61005.md	Adds remediation/why-it-matters content for test 61005.
src/powershell/tests/Test-Assessment.61004.ps1	Adds/updates AI test for Defender for Cloud CSPM plan coverage.
src/powershell/tests/Test-Assessment.61004.md	Adds remediation/why-it-matters content for test 61004.
src/powershell/tests/Test-Assessment.61002.ps1	Adds/updates AI precondition test for Sentinel onboarding using shared helper.
src/powershell/tests/Test-Assessment.61002.md	Adds remediation/why-it-matters content for test 61002.
src/powershell/tests/Test-Assessment.35041.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35040.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35039.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35038.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35037.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35036.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35035.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35034.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35033.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35032.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35030.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35025.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35024.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35023.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35022.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35021.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35020.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35019.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35017.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35016.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35015.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35014.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35013.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35012.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35011.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35010.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35008.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35007.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35006.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35005.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35004.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.35003.ps1	Tags an existing Data test as both Data + AI.
src/powershell/tests/Test-Assessment.25415.ps1	Tags an existing Network test as both Network + AI.
src/powershell/tests/Test-Assessment.25392.ps1	Changes “no connectors” behavior to NotApplicable skip and adjusts flow.
src/powershell/tests/Test-Assessment.24552.ps1	Refactors macOS firewall policy evaluation to PowerShell-side JSON filtering.
src/powershell/tests/Test-Assessment.21835.ps1	Refines emergency access account logic, performance, and “Investigate” outcome handling.
src/powershell/public/Invoke-ZtAssessment.ps1	Generates ZeroTrustWorkshop.json (best-effort) during report-writing stage.
src/powershell/public/Get-ZtTest.ps1	Updates pillar filtering to support multi-pillar (array) metadata.
src/powershell/public/Get-ZtGraphScope.ps1	Adds additional Graph scopes to requested permission set.
src/powershell/public/Connect-ZtAssessment.ps1	Adjusts SharePoint Online connection parameters.
src/powershell/private/tests/Invoke-ZtTests.ps1	Supports array-valued pillar metadata; stores requested pillar in session.
src/powershell/private/tests-shared/Get-ZtAiAdminRoleDefinitions.ps1	Adds shared AI admin role definition catalog.
src/powershell/private/tests-shared/Get-SentinelWorkspaceData.ps1	Adds shared Sentinel workspace enumeration + onboarding-state helper.
src/powershell/private/tenantinfo/devices/Add-ZtDeviceOverview.ps1	Makes totalDevices null-safe when summing counts.
src/powershell/private/export/Export-Database.ps1	Refactors table import logic per pillar; adds AI-specific tables and removes duplication.
src/powershell/private/core/Get-ZtAssessmentResults.ps1	Normalizes multi-pillar TestPillar output based on requested pillar + preview flag.
src/powershell/private/core/Convert-ZtAssessmentToWorkshop.ps1	Adds conversion from assessment results to Workshop import format.
src/powershell/private/core/Clear-ZtModuleVariable.ps1	Clears stored requested pillar at session reset.
src/powershell/doc/readme.md	Updates documented required Graph permissions list.
src/powershell/classes/ZtTest.ps1	Changes Pillar attribute type to string[] to support multi-pillar tagging.
src/powershell/assets/ztw-task-mapping.json	Adds assessment-to-workshop task mapping.
src/powershell/assets/export-tenant.config.psd1	Adds dedicated AgentIdentity* exports with sponsors expanded; adjusts related properties.
src/powershell/assets/export-model/AgentIdentityBlueprintPrincipal-model.json	Adds export model stub for AgentIdentityBlueprintPrincipal.
src/powershell/assets/export-model/AgentIdentityBlueprint-model.json	Adds export model stub for AgentIdentityBlueprint.
src/powershell/assets/export-model/AgentIdentity-model.json	Adds export model stub for AgentIdentity.
docs/troubleshooting.md	Adds troubleshooting guidance and PSFramework support-package workflow.
docs/license-attribute-values.md	Adds documentation summarizing license attribute values used by tests.
code-tests/test-assessments/Test-Assessment.25392.Tests.ps1	Updates tests to match new NotApplicable behavior for “no connectors”.
code-tests/commands/Convert-ZtAssessmentToWorkshop.Tests.ps1	Adds Pester coverage for Workshop export conversion logic.
build/powershell/Install-Prerequisites.ps1	Reworks prerequisite installation flow using Install-Module.
build/demo-report/New-DemoReport.ps1	Adds optional overlay of Network/AI pillars from a secondary source report with scrubbing.
.github/skills/psf-support-package-analyzer/SKILL.md	Adds a Copilot skill definition for PSFramework support package analysis.