SecOps - 41002 - Microsoft Defender for Identity sensor is installed and healthy on every domain controller #1351

Status: Draft. Manoj-Kesana wants to merge 4 commits into dev from SEC-41002.

Conversation

@Manoj-Kesana (Collaborator):

No description provided.

Copilot AI (Contributor) left a comment:

Pull request overview

Adds a new SecOps assessment (41002) that queries Microsoft Graph for Microsoft Defender for Identity (MDI) sensor inventory and reports whether domain controller–integrated sensors appear healthy, running, and up-to-date, along with a companion markdown description/remediation page.

Changes:

  • Introduces Test-Assessment-41002, calling security/identities/sensors and generating a summarized markdown table of sensors.
  • Adds Test-Assessment.41002.md to provide the report description and remediation guidance content.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Reviewed files:

  • src/powershell/tests/Test-Assessment.41002.ps1 - New assessment implementation for evaluating MDI sensor inventory via Graph and producing result markdown.
  • src/powershell/tests/Test-Assessment.41002.md - New markdown content used by reporting to describe/remediate the assessment outcome.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Manoj-Kesana added the "ready for review" label (PR is ready for review and merging) on Jun 25, 2026.
Manoj-Kesana requested a review from alexandair on June 25, 2026 at 19:19.

@alexandair (Collaborator) left a comment:

@Manoj-Kesana Please address my feedback.

Standalone DC sensors (domainControllerStandalone) are excluded, producing wrong verdicts.

Test-Assessment.41002.ps1 filters only domainControllerIntegrated:

$allDcSensors = @($sensors | Where-Object { $_.sensorType -eq 'domainControllerIntegrated' })

The security.sensorType enum contains two DC-monitoring values: domainControllerIntegrated and domainControllerStandalone. Microsoft docs confirm the standalone sensor "monitors domain controller traffic via port mirroring" and the FAQ recommends "a Defender for Identity sensor or standalone sensor for each one of your domain controllers" (commonly used for virtual DCs the integrated sensor can't cover). Consequences:

  • False FAIL — a tenant whose DCs are covered by standalone sensors hits $allDcSensors.Count -eq 0 → "MDI onboarded but no domain controller sensors registered" → Fail, despite full coverage.
  • False PASS — an unhealthy standalone DC sensor is never evaluated; if integrated sensors are healthy the test reports Pass.

Note this gap originates in the spec (it scopes only to domainControllerIntegrated, and its Challenges list adfs/adcs/adConnect but omits domainControllerStandalone). Recommend updating both spec and code to include domainControllerStandalone in the DC sensor set — e.g. $_.sensorType -in @('domainControllerIntegrated','domainControllerStandalone') — or explicitly justifying the exclusion in the spec.

Warning:

"Every domain represented in the workspace" is not enforced.

The spec's Pass condition requires at least one DC sensor for every domain represented in the workspace. The code treats all DC sensors as a single pool with no per-domainName grouping, so a domain present only via a non-DC sensor (e.g., an AD FS sensor in domain B while DC sensors exist only in domain A) is never flagged. The spec's Challenges acknowledge the API limitation, but the per-domain check that is feasible (every domain appearing in the inventory should have ≥1 DC sensor) isn't implemented. Consider grouping by domainName, or align the spec wording with what's actually checked.
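One way to implement both review points above (treat standalone DC sensors as DC sensors, then require at least one DC sensor per domain seen anywhere in the inventory), as an added example that is not the PR's code or the project's own. The Graph call is omitted; the sample inventory is constructed inline, and the healthStatus property name and its values are assumptions.

```powershell
# Added example, not the project's code. Sensor objects mirror the Graph
# security/identities/sensors fields named on this page (sensorType, domainName);
# displayName and healthStatus (and the value 'healthy') are assumptions.
$dcSensorTypes = @('domainControllerIntegrated', 'domainControllerStandalone')

function Test-DcSensorCoverage {
    param([Parameter(Mandatory)][object[]]$Sensors)

    # Review point 1: both DC-monitoring sensor types form the DC sensor set.
    $dcSensors = @($Sensors | Where-Object { $_.sensorType -in $dcSensorTypes })
    if ($dcSensors.Count -eq 0) {
        return [PSCustomObject]@{ Status = 'Fail'; Findings = @('MDI onboarded but no domain controller sensors registered') }
    }

    $findings = @()

    # Review point 2: every domain present in the inventory (even only via an
    # AD FS / AD CS / Connect sensor) must have at least one DC sensor.
    $domainsWithDc = @($dcSensors.domainName | Sort-Object -Unique)
    foreach ($domain in @($Sensors.domainName | Sort-Object -Unique)) {
        if ($domain -notin $domainsWithDc) {
            $findings += "Domain '$domain' has no DC sensor"
        }
    }

    # Standalone sensors are now in the evaluated set, so an unhealthy one is flagged.
    foreach ($s in @($dcSensors | Where-Object { $_.healthStatus -ne 'healthy' })) {
        $findings += "DC sensor '$($s.displayName)' ($($s.sensorType)) is $($s.healthStatus)"
    }

    $status = if ($findings.Count -eq 0) { 'Pass' } else { 'Fail' }
    [PSCustomObject]@{ Status = $status; Findings = $findings }
}

# Constructed sample inventory that triggers both findings from the review:
# an unhealthy standalone DC sensor, and a domain represented only by an AD FS sensor.
$sample = @(
    [PSCustomObject]@{ displayName = 'DC01';   sensorType = 'domainControllerIntegrated'; domainName = 'corp.example';    healthStatus = 'healthy' },
    [PSCustomObject]@{ displayName = 'VDC02';  sensorType = 'domainControllerStandalone'; domainName = 'corp.example';    healthStatus = 'notHealthyHigh' },
    [PSCustomObject]@{ displayName = 'ADFS01'; sensorType = 'adfs';                       domainName = 'partner.example'; healthStatus = 'healthy' }
)

Test-DcSensorCoverage -Sensors $sample | Format-List
```

With the sample above the result is Fail with two findings, where the original filter would have reported Pass on the single healthy integrated sensor.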

Review comment on src/powershell/tests/Test-Assessment.41002.ps1, on these lines:
1. Sign in to [Microsoft Defender XDR](https://security.microsoft.com) as a Global Administrator or Security Administrator.
2. Navigate to **Settings > Identities > Sensors**.
3. Download the sensor installer and follow [Install the Microsoft Defender for Identity sensor](https://learn.microsoft.com/en-us/defender-for-identity/deploy/install-sensor).
4. For outdated sensors, see [Update Microsoft Defender for Identity sensors](https://learn.microsoft.com/en-us/defender-for-identity/deploy/sensor-settings#sensor-update-process).

Collaborator:

404 - Page not found

Manoj-Kesana removed the "ready for review" label on Jun 26, 2026.
Manoj-Kesana marked this pull request as draft on June 26, 2026 at 04:30.