AI 61013 - Identity governance for agents — sponsors assigned, entitlement-management channel exists, and lifecycle automation in place#1240
Pull request overview
Adds a new AI pillar assessment (61013) to evaluate Microsoft Entra Agent ID identity governance readiness by validating agent sponsorship coverage, presence of entitlement-management policies targeting agent identities, and lifecycle workflow automation for sponsorship changes.
Changes:
- Introduces `Test-Assessment-61013` PowerShell test implementing the three sub-conditions and detailed markdown reporting.
- Adds the accompanying markdown guidance/remediation content for assessment 61013.
- Updates the global Graph scopes list to include a lifecycle workflows permission.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.61013.ps1 | New assessment logic and reporting for agent identity governance (sponsors, access packages, lifecycle workflows). |
| src/powershell/tests/Test-Assessment.61013.md | New end-user guidance/remediation text for assessment 61013 results. |
| src/powershell/public/Get-ZtGraphScope.ps1 | Adds a lifecycle workflows permission to the assessment’s required Graph scopes list. |
alexandair left a comment:
@ashwinikarke Please, address my feedback.
| $agentTargetingPolicies = @() | ||
| Write-ZtProgress -Activity $activity -Status 'Getting entitlement management assignment policies (Q4)' | ||
| try { | ||
| $agentTargetingPolicies = @(Invoke-ZtGraphRequest ` |
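Review bot: `$agentTargetingPolicies` is pre-initialised to `@()` on the first line of this hunk, so if the `Invoke-ZtGraphRequest` call inside the `try` throws, the variable is still an empty array and the Q4 result becomes indistinguishable from a tenant that genuinely has no policy targeting agent identities. Have the `catch` record the failure (for example in a separate flag such as `$q4QueryFailed`, a hypothetical name) and report the sub-condition as not evaluable rather than as failing, so that a missing permission or an API-version mismatch is not reported as a governance gap.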
The spec is explicit (Q4 section):
"The value `allDirectoryAgentIdentities` is the beta enum value... not yet exposed on the v1.0 enum. Q4 and Q5 therefore target `/beta/identityGovernance/entitlementManagement/...` intentionally."
(They provide v1.0 endpoint. :( However, we use beta endpoint everywhere.)
The code calls the endpoint without specifying an API version — defaulting to v1.0 per every other test in this repo that calls assignmentPolicies:
```powershell
# CURRENT (WRONG) — no -ApiVersion, defaults to v1.0
$agentTargetingPolicies = @(Invoke-ZtGraphRequest `
    -RelativeUri 'identityGovernance/entitlementManagement/assignmentPolicies' `
    -QueryParameters @{ '$select' = 'id,displayName,allowedTargetScope'; '$expand' = 'accessPackage'; '$filter' = "allowedTargetScope eq 'allDirectoryAgentIdentities'" } `
    -ErrorAction Stop)
```

```powershell
# CORRECT — must add -ApiVersion beta
$agentTargetingPolicies = @(Invoke-ZtGraphRequest `
    -RelativeUri 'identityGovernance/entitlementManagement/assignmentPolicies' `
    -ApiVersion beta `
    -QueryParameters @{ '$select' = 'id,displayName,allowedTargetScope'; '$expand' = 'accessPackage'; '$filter' = "allowedTargetScope eq 'allDirectoryAgentIdentities'" } `
    -ErrorAction Stop)
```

The code comment on this block also incorrectly says `v1.0, server-side filtered` — this needs to be corrected to beta.