microsoft · merill · Oct 14, 2025 · Sep 19, 2025 · Sep 19, 2025 · Sep 19, 2025
diff --git a/src/powershell/tests/Test-Assessment.21884.md b/src/powershell/tests/Test-Assessment.21884.md
@@ -6,4 +6,3 @@ When workload identities operate without network-based Conditional Access restri
 - [Create named locations](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)
 - [Follow best practices for securing workload identities](https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)<!--- Results --->
 %TestResult%
-
diff --git a/src/powershell/tests/Test-Assessment.21884.ps1 b/src/powershell/tests/Test-Assessment.21884.ps1
@@ -1,9 +1,9 @@
 <#
 .SYNOPSIS
-
+    Tests if workload identities are protected by location-based Conditional Access policies.
 #>
 
-function Test-Assessment-21884{
+function Test-Assessment-21884 {
     [ZtTest(
     	Category = 'External collaboration',
     	ImplementationCost = 'Medium',
@@ -16,20 +16,351 @@ function Test-Assessment-21884{
     	UserImpact = 'Low'
     )]
     [CmdletBinding()]
-    param()
+    param(
+        $Database
+    )
 
     Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
 
-    $activity = "Checking Workload identities based on known networks are configured"
-    Write-ZtProgress -Activity $activity -Status "Getting policy"
+    $activity = 'Checking if workload identities are protected by location-based Conditional Access policies'
+    Write-ZtProgress -Activity $activity -Status 'Getting service principals'
+
+    # Check if we have data in the database
+    $sqlCount = 'SELECT COUNT(*) ItemCount FROM ServicePrincipal WHERE ID IS NOT NULL'
+    $resultCount = Invoke-DatabaseQuery -Database $Database -Sql $sqlCount
+    $hasData = $resultCount.ItemCount -gt 0
+
+    if (-not $hasData) {
+        $testResultMarkdown = 'No service principals found in the tenant to evaluate. The test result is inconclusive as there are no workload identities to assess.'
+
+        $params = @{
+            TestId = '21884'
+            Status = [bool]$false
+            Result = $testResultMarkdown
+        }
+        Add-ZtTestResultDetail @params
+        return
+    }
+
+    # Get current tenant ID from context
+    $tenantId = (Get-MgContext).TenantId
+
+    # Q1: Get all service principals with credential information from database
+    $sqlServicePrincipals = @"
+    SELECT
+        id,
+        appId,
+        displayName,
+        servicePrincipalType,
+        passwordCredentials,
+        keyCredentials,
+        appOwnerOrganizationId
+    FROM ServicePrincipal
+    WHERE servicePrincipalType = 'Application'
+        AND cast(appOwnerOrganizationId as varchar) = '$tenantId'
+"@
+
+    $ownedServicePrincipals = Invoke-DatabaseQuery -Database $Database -Sql $sqlServicePrincipals
+
+        if ($ownedServicePrincipals.Count -eq 0) {
+            $testResultMarkdown = 'No service principals found in the tenant to evaluate. The test result is inconclusive as there are no workload identities to assess.'
+
+            $params = @{
+                TestId = '21884'
+                Status = [bool]$false
+                Result = $testResultMarkdown
+            }
+            Add-ZtTestResultDetail @params
+            return
+        }
+
+        $servicePrincipalsWithCreds = @()
+        foreach ($sp in $ownedServicePrincipals) {
+            $hasCreds = $false
+
+            # Check direct credentials
+            $hasPassword = ($sp.passwordCredentials -ne '[]') -and ($null -ne $sp.passwordCredentials)
+            $hasCertificate = ($sp.keyCredentials -ne '[]') -and ($null -ne $sp.keyCredentials)
+            if ($hasPassword -or $hasCertificate) {
+                $hasCreds = $true
+            } else {
+                # Q3: Check associated application for credentials from database
+                $sqlApp = @"
+                SELECT
+                    id,
+                    appId,
+                    displayName,
+                    passwordCredentials,
+                    keyCredentials,
+                    signInAudience
+                FROM Application
+                WHERE appId = '$($sp.appId)'
+"@
+                $app = Invoke-DatabaseQuery -Database $Database -Sql $sqlApp
+                if ($app -and $app.Count -gt 0) {
+                    $appRecord = $app[0]
+                    $appHasPassword = ($appRecord.passwordCredentials -ne '[]') -and ($null -ne $appRecord.passwordCredentials)
+                    $appHasCertificate = ($appRecord.keyCredentials -ne '[]') -and ($null -ne $appRecord.keyCredentials)
+                    if ($appRecord.signInAudience -eq 'AzureADMyOrg' -and ($appHasPassword -or $appHasCertificate)) {
+                        $hasCreds = $true
+                    }
+                }
+            }
+
+            if ($hasCreds) {
+                $servicePrincipalsWithCreds += $sp
+            }
+        }
+
+        # Q4: Get CA policies targeting workload identities from Graph API
+        # (Conditional Access policies are not stored in the database, so we still need to use Graph API)
+        $policies = Invoke-ZtGraphRequest -RelativeUri 'identity/conditionalAccess/policies' -Filter 'conditions/clientApplications/includeServicePrincipals/any(x:x eq ''ServicePrincipalsAndManagedIdentities'')' -ApiVersion 'beta'
+
+        # Check for a global policy that covers all service principals
+        $allSpPolicy = $policies | Where-Object {
+            $_.state -eq 'enabled' -and
+            $_.conditions.clientApplications.includeServicePrincipals -contains 'ServicePrincipalsInMyTenant' -and
+            (-not $_.conditions.clientApplications.excludeServicePrincipals)
+        }
+
+        if ($allSpPolicy) {
+            # Verify location conditions in the global policy
+            $hasValidLocations = $false
+            foreach ($policy in $allSpPolicy) {
+                $policyDetails = Invoke-ZtGraphRequest -RelativeUri "identity/conditionalAccess/policies/$($policy.id)" -ApiVersion 'beta'
+
+                if ($policyDetails.conditions.locations.includeLocations -or
+                    $policyDetails.conditions.locations.excludeLocations) {
+                    $hasValidLocations = $true
+                    break
+                }
+            }
+
+            if ($hasValidLocations) {
+                $testResultMarkdown = 'All workload identities are protected by global service principal policies with location restrictions.'
+
+                $params = @{
+                    TestId = '21884'
+                    Status = [bool]$true
+                    Result = $testResultMarkdown
+                }
+                Add-ZtTestResultDetail @params
+                return
+            }
+        }
+
+        if ($servicePrincipalsWithCreds.Count -gt 0 -and $policies.Count -eq 0) {
+            $testResultMarkdown = @"
+No Conditional Access policies found that protect workload identities.
+
+## Unprotected service principals
+
+| Service principal display name | Credential type | Applied policy names | Location restrictions |
+|-------------------------------|-----------------|---------------------|---------------------|
+"@
+
+            foreach ($sp in $servicePrincipalsWithCreds) {
+                $credTypes = @()
+                if (($sp.passwordCredentials -ne '[]') -and ($null -ne $sp.passwordCredentials)) { $credTypes += 'Password' }
+                if (($sp.keyCredentials -ne '[]') -and ($null -ne $sp.keyCredentials)) { $credTypes += 'Certificate' }
+
+                # Create portal link for service principal
+                $spPortalLink = "[$($sp.displayName)](https://portal.azure.com/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/$($sp.id)/appId/$($sp.appId))"
+                $testResultMarkdown += "`n| $spPortalLink | $($credTypes -join ', ') | None | None |"
+            }
+
+            $passed = $false
+
+            $params = @{
+                TestId              = '21884'
+                Title              = "Workload identities based on known networks are configured"
+                UserImpact         = "Low"
+                Risk               = "High"
+                ImplementationCost = "Medium"
+                AppliesTo          = "Identity"
+                Tag                = "Identity"
+                Status             = $passed
+                Result             = $testResultMarkdown
+            }
+
+            Add-ZtTestResultDetail @params
+            return
+        }
+
+        # Q6: Get named locations from Graph API (not stored in database)
+        $namedLocations = Invoke-ZtGraphRequest -RelativeUri 'identity/conditionalAccess/namedLocations' -ApiVersion 'beta'
+
+        if ($namedLocations.Count -eq 0) {
+            $testResultMarkdown = 'No named locations found. Cannot implement network-based restrictions without defined locations.'
+
+            $params = @{
+                TestId = '21884'
+                Status = [bool]$false
+                Result = $testResultMarkdown
+            }
+            Add-ZtTestResultDetail @params
+            return
+        }
+
+        $unprotectedSPs = @()
+        $protectedSPs = @()
+
+        foreach ($sp in $servicePrincipalsWithCreds) {
+            $credTypes = @()
+            if (($sp.passwordCredentials -ne '[]') -and ($null -ne $sp.passwordCredentials)) { $credTypes += 'Password' }
+            if (($sp.keyCredentials -ne '[]') -and ($null -ne $sp.keyCredentials)) { $credTypes += 'Certificate' }
+
+            $appliedPolicies = @()
+            $locationRestrictions = @()
+            $isProtected = $false
+
+            # Check each policy for this SP
+            foreach ($policy in $policies) {
+                # Q5: Get detailed policy information
+                $policyDetails = Invoke-ZtGraphRequest -RelativeUri "identity/conditionalAccess/policies/$($policy.id)" -ApiVersion 'beta'
+
+                if ($policyDetails.state -eq 'enabled') {
+                    $policyApplies = $false
+                    $hasLocationRestriction = $false
+                    $locationDetails = ""
+
+                    # Check if policy applies to this service principal
+                    if ($policyDetails.conditions.clientApplications.includeServicePrincipals -contains 'ServicePrincipalsInMyTenant' -and
+                        (-not $policyDetails.conditions.clientApplications.excludeServicePrincipals)) {
+                        $policyApplies = $true
+                        # Special callout for global policy
+                        $appliedPolicies += "$($policyDetails.displayName) (Global - covers ServicePrincipalsInMyTenant)"
+                    } elseif ($policyDetails.conditions.clientApplications.includeServicePrincipals -contains $sp.id) {
+                        $policyApplies = $true
+                        $appliedPolicies += $policyDetails.displayName
+                    }
+
+                    # Check location conditions if policy applies
+                    if ($policyApplies) {
+                        if ($policyDetails.conditions.locations.includeLocations -or $policyDetails.conditions.locations.excludeLocations) {
+                            $hasLocationRestriction = $true
+
+                            # Build location details
+                            $locationParts = @()
+                            if ($policyDetails.conditions.locations.includeLocations) {
+                                $includeLocations = $policyDetails.conditions.locations.includeLocations
+                                if ($includeLocations -contains 'All') {
+                                    $locationParts += 'Include: All Locations'
+                                } else {
+                                    $locationNames = @()
+                                    foreach ($locId in $includeLocations) {
+                                        $location = $namedLocations | Where-Object { $_.id -eq $locId }
+                                        if ($location) {
+                                            $locationNames += $location.displayName
+                                        } else {
+                                            $locationNames += $locId
+                                        }
+                                    }
+                                    $locationParts += "Include: $($locationNames -join ', ')"
+                                }
+                            }
+                            if ($policyDetails.conditions.locations.excludeLocations) {
+                                $excludeLocations = $policyDetails.conditions.locations.excludeLocations
+                                if ($excludeLocations -contains 'All') {
+                                    $locationParts += 'Exclude: All Locations'
+                                } else {
+                                    $locationNames = @()
+                                    foreach ($locId in $excludeLocations) {
+                                        $location = $namedLocations | Where-Object { $_.id -eq $locId }
+                                        if ($location) {
+                                            $locationNames += $location.displayName
+                                        } else {
+                                            $locationNames += $locId
+                                        }
+                                    }
+                                    $locationParts += "Exclude: $($locationNames -join ', ')"
+                                }
+                            }
+                            $locationDetails = $locationParts -join '; '
+                            $locationRestrictions += $locationDetails
+                        }
+
+                        if ($hasLocationRestriction) {
+                            $isProtected = $true
+                        }
+                    }
+                }
+            }
+
+            # Build SP information object
+            $spInfo = @{
+                DisplayName = $sp.displayName
+                AppId = $sp.appId
+                PortalLink = "[$($sp.displayName)](https://portal.azure.com/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/$($sp.id)/appId/$($sp.appId))"
+                CredentialTypes = $credTypes -join ', '
+                AppliedPolicies = if ($appliedPolicies.Count -gt 0) { $appliedPolicies -join '; ' } else { 'None' }
+                LocationRestrictions = if ($locationRestrictions.Count -gt 0) { $locationRestrictions -join '; ' } else { 'None' }
+                IsProtected = $isProtected
+            }
+
+            if ($isProtected) {
+                $protectedSPs += $spInfo
+            } else {
+                $unprotectedSPs += $spInfo
+            }
+        }
+
+        $result = $unprotectedSPs.Count -eq 0
+
+        if ($result) {
+            $testResultMarkdown = @"
+All workload identities with credentials are protected by location-based Conditional Access policies.
+
+"@
+            if ($protectedSPs.Count -gt 0) {
+                $testResultMarkdown += @"
+## Protected service principals
+
+| Service principal display name | Credential type | Applied policy names | Location restrictions |
+|-------------------------------|-----------------|---------------------|---------------------|
+"@
+                foreach ($sp in $protectedSPs) {
+                    $testResultMarkdown += "`n| $($sp.PortalLink) | $($sp.CredentialTypes) | $($sp.AppliedPolicies) | $($sp.LocationRestrictions) |"
+                }
+            }
+        } else {
+            $testResultMarkdown = @"
+Found workload identities with credentials that lack network-based access restrictions.
+
+"@
+
+            if ($unprotectedSPs.Count -gt 0) {
+                $testResultMarkdown += @"
+## Unprotected service principals
+
+| Service principal display name | Credential type | Applied policy names | Location restrictions |
+|-------------------------------|-----------------|---------------------|---------------------|
+"@
+                foreach ($sp in $unprotectedSPs) {
+                    $testResultMarkdown += "`n| $($sp.PortalLink) | $($sp.CredentialTypes) | $($sp.AppliedPolicies) | $($sp.LocationRestrictions) |"
+                }
+            }
+
+            if ($protectedSPs.Count -gt 0) {
+                $testResultMarkdown += @"
+
+## Protected service principals (for reference)
 
-    $result = $false
-    $testResultMarkdown = "Planned for future release."
-    $passed = $result
+| Service principal display name | Credential type | Applied policy names | Location restrictions |
+|-------------------------------|-----------------|---------------------|---------------------|
+"@
+                foreach ($sp in $protectedSPs) {
+                    $testResultMarkdown += "`n| $($sp.PortalLink) | $($sp.CredentialTypes) | $($sp.AppliedPolicies) | $($sp.LocationRestrictions) |"
+                }
+            }
+        }
 
+    $passed = [bool]$result
 
-    Add-ZtTestResultDetail -TestId '21884' -Title "Workload identities based on known networks are configured" `
-        -UserImpact Low -Risk Medium -ImplementationCost Medium `
-        -AppliesTo Identity -Tag Identity `
-        -Status $passed -Result $testResultMarkdown -SkippedBecause UnderConstruction
+    $params = @{
+        TestId = '21884'
+        Status = $passed
+        Result = $testResultMarkdown
+    }
+    Add-ZtTestResultDetail @params
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,4 +6,3 @@ When workload identities operate without network-based Conditional Access restri
		- [Create named locations](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)
		- [Follow best practices for securing workload identities](https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)<!--- Results --->
		%TestResult%