AI - 61006 - AI administrative roles have assigned principals#1237
Draft
aahmed-spec wants to merge 1 commit into
Pull request overview
Adds a new AI pillar assessment (61006) that evaluates whether key Microsoft Entra AI-adjacent administrative roles have at least one assigned principal (active or PIM-eligible), and includes a companion markdown explanation/remediation block for report output.
Changes:
- Introduces the Test-Assessment-61006 PowerShell test to query exported Entra role definition/assignment tables and compute Pass/Investigate/Fail outcomes per role.
- Generates a markdown results summary table with deep links to the Entra role assignment UI for non-passing roles.
- Adds end-user documentation describing scope, rationale, and remediation links for the new check.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.61006.ps1 | New assessment test that queries role definition/assignment exports and produces per-role outcomes + report markdown. |
| src/powershell/tests/Test-Assessment.61006.md | New documentation text and remediation links for test 61006 output. |
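The per-role Pass / Investigate / Fail rule that the overview and the headline branches describe, written out as an added illustration rather than code from this PR; the function name, the `Tier` parameter, the assignment record shape and the sample values are assumptions of this example.

```powershell
# Added illustration (not code from PR #1237) of the per-role outcome rule:
# Pass        -> at least one named principal assigned at tenant scope ('/')
# Investigate -> named principals only at administrative-unit/app scope, or a
#                reader-tier role with no named principal at all
# Fail        -> no named principal (or only empty role-assignable groups)
function Get-RoleOutcome {
    param(
        [Parameter(Mandatory)] [string] $RoleName,
        # Assumed tiers: 'Admin' for administrator roles, 'Reader' for reader-tier roles.
        [ValidateSet('Admin', 'Reader')] [string] $Tier = 'Admin',
        # Assumed record shape; feed both active and PIM-eligible assignments here:
        # @{ PrincipalType = 'User'|'ServicePrincipal'|'Group'
        #    DirectoryScopeId = '/' (tenant) or an AU / app scope id
        #    MemberCount = expanded transitive members (groups only) }
        [object[]] $Assignments = @()
    )
    # An empty role-assignable group carries no named principal, so drop it first.
    $named = @($Assignments | Where-Object {
        $_.PrincipalType -ne 'Group' -or [int]($_.MemberCount) -gt 0 })
    $tenantScoped = @($named | Where-Object { $_.DirectoryScopeId -eq '/' })

    if ($tenantScoped.Count -gt 0) {
        $status = 'Pass'; $reason = "$($tenantScoped.Count) tenant-scoped principal(s)"
    }
    elseif ($named.Count -gt 0) {
        $status = 'Investigate'; $reason = 'assignments exist only at AU or app scope'
    }
    elseif ($Tier -eq 'Reader') {
        $status = 'Investigate'; $reason = 'reader-tier role has no assigned principal'
    }
    else {
        $status = 'Fail'; $reason = 'no assigned principal (or only empty role-assignable groups)'
    }
    [pscustomobject]@{ Role = $RoleName; Status = $status; Reason = $reason }
}

# Constructed sample input: one empty group at tenant scope, one user at AU scope.
$sample = @(
    @{ PrincipalType = 'Group'; DirectoryScopeId = '/'; MemberCount = 0 }
    @{ PrincipalType = 'User';  DirectoryScopeId = '/administrativeUnits/au-id-placeholder'; MemberCount = $null }
)
Get-RoleOutcome -RoleName 'Example admin role (placeholder)' -Assignments $sample
Get-RoleOutcome -RoleName 'Example admin role (placeholder)' -Assignments $sample[0]
Get-RoleOutcome -RoleName 'Example reader role (placeholder)' -Tier Reader
```

The three calls exercise the Investigate (scoped-only), Fail (empty group only) and Investigate (unassigned reader-tier) branches in turn.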
Comment on lines +129 to +147
| # Build the set of non-empty groups by (roleDefinitionId, groupId). Groups with zero | ||
| # expanded transitive members do not appear in the *Group tables and therefore do not | ||
| # satisfy the "named principal" requirement. | ||
| $nonEmptyGroupSelects = @() | ||
| if ($existingTables -contains 'RoleAssignmentScheduleInstanceGroup') { | ||
| $nonEmptyGroupSelects += @" | ||
| SELECT DISTINCT cast(roleDefinitionId AS varchar) AS roleDefinitionId, | ||
| cast(privilegedGroupId AS varchar) AS groupId | ||
| FROM main."RoleAssignmentScheduleInstanceGroup" | ||
| WHERE roleDefinitionId IN ($roleIdInClause) | ||
| "@ | ||
| } | ||
| if ($existingTables -contains 'RoleEligibilityScheduleInstanceGroup') { | ||
| $nonEmptyGroupSelects += @" | ||
| SELECT DISTINCT cast(roleDefinitionId AS varchar) AS roleDefinitionId, | ||
| cast(privilegedGroupId AS varchar) AS groupId | ||
| FROM main."RoleEligibilityScheduleInstanceGroup" | ||
| WHERE roleDefinitionId IN ($roleIdInClause) | ||
| "@ |
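Review bot: the comment on the first three lines asserts that groups with zero expanded transitive members never appear in the *Group tables, and the whole "empty role-assignable group" handling rests on that; state which export step guarantees it, or add a member-count filter to these SELECTs, so the check does not quietly pass on an empty group if the export ever includes such rows. Also, when neither `RoleAssignmentScheduleInstanceGroup` nor `RoleEligibilityScheduleInstanceGroup` is in `$existingTables`, `$nonEmptyGroupSelects` stays empty; make sure the code that joins these SELECTs with UNION handles an empty array rather than emitting an empty subquery.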
Comment on lines +75 to +81
| # Q1 equivalent: which role definitions are present in this tenant / cloud / SKU. | ||
| Write-ZtProgress -Activity $activity -Status 'Loading role definitions' | ||
| $presentRoleIds = @() | ||
| if ($existingTables -contains 'RoleDefinition') { | ||
| $defSql = "SELECT cast(id AS varchar) AS id FROM main.""RoleDefinition"" WHERE id IN ($roleIdInClause)" | ||
| $presentRoleIds = @(Invoke-DatabaseQuery -Database $Database -Sql $defSql | Select-Object -ExpandProperty id) | ||
| } |
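Review bot: if the `RoleDefinition` table is absent, `$presentRoleIds` is left empty and every role will look as though it is not present in the tenant, which can turn a missing export into a not-applicable result rather than a visible error; consider failing the test or recording an Investigate outcome with an explanatory message when the table is missing. Minor: spell out what "Q1 equivalent" refers to in the comment, since readers of the script will not have the design notes.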
Comment on lines +235 to +243
| if ($passed) { | ||
| $headline = '✅ Every AI administrative role in Microsoft Entra has at least one tenant-scoped assigned principal.' | ||
| } | ||
| elseif ($customStatus -eq 'Investigate') { | ||
| $headline = '🟡 One or more AI administrative roles have assignments only at administrative-unit or app scope, or a reader-tier role has no assigned principal. Confirm this matches your delegated-administration model.' | ||
| } | ||
| else { | ||
| $headline = '❌ One or more AI administrative roles in Microsoft Entra have no assigned principal (or only empty role-assignable groups).' | ||
| } |
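Review bot: the final `else` treats any status other than a pass or 'Investigate' as a failure, so if `$customStatus` can carry another value (for example when none of the roles exist in the tenant or cloud), the ❌ headline would be shown for it; make the Fail branch an explicit `elseif ($customStatus -eq 'Fail')` and give the remaining case a neutral headline. The Investigate headline also bundles two different findings (scoped-only assignments vs. an unassigned reader-tier role); the per-role summary table should state which one applied so the reader does not have to guess.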
Comment on lines +7 to +13
| Assign an Entra ID role via the admin center | ||
| - [Assign an Entra ID role via the admin center](https://learn.microsoft.com/entra/identity/role-based-access-control/manage-roles-portal) | ||
|
|
||
| Create a PIM-eligible assignment for an Entra ID role | ||
| - [Create a PIM-eligible assignment for an Entra ID role](https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-how-to-add-role-to-user) | ||
|
|
||
| Assign Microsoft Purview roles and role groups |
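Review bot: each link title is repeated as a bare line directly above its bullet ("Assign an Entra ID role via the admin center" and "Create a PIM-eligible assignment for an Entra ID role"), which renders as a stray paragraph followed by a one-item list; either drop the bare lines or turn them into headings consistently, and apply the same treatment to the "Assign Microsoft Purview roles and role groups" entry.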