Network - 27001 - TLS inspection bypass policies are regularly reviewed to prevent security protection gaps#892
praneeth-0000 wants to merge 3 commits into main from
Pull request overview
This PR adds a new test (Test-Assessment.27001) for Global Secure Access that validates TLS inspection bypass policies are regularly reviewed to prevent security protection gaps. The test checks whether TLS inspection policies containing custom bypass rules have been reviewed (modified) within the last 90 days, as stale bypass rules can create security blind spots.
Changes:
- New PowerShell test function that queries TLS inspection policies via Microsoft Graph beta API, filters custom bypass rules (excluding auto-created system rules), and reports policies not modified in over 90 days
- Markdown documentation explaining the security rationale and providing remediation guidance
- Test metadata indicating Medium risk level, Medium implementation cost, and a requirement for an Entra Premium Internet Access license
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.27001.ps1 | Implements the test logic to retrieve TLS inspection policies and their rules, filter custom bypass rules, calculate days since last modification, and generate pass/fail results with detailed markdown reporting |
| src/powershell/tests/Test-Assessment.27001.md | Provides security context explaining why regular review of TLS bypass rules is critical and lists remediation steps including links to Microsoft Learn documentation |
@praneeth-0000 Please address my feedback.
Current Behavior: The Invoke-ZtGraphRequest call is wrapped in a try/catch block that logs a warning. If the call fails (e.g., due to 403 Forbidden or API outage), $tlsInspectionPolicies remains $null. The subsequent check if (-not $tlsInspectionPolicies ...) then causes the test to return SkippedBecause NotApplicable.
Problem: This masks actual errors (like missing permissions) as "Not Applicable," which falsely implies the feature is not in use. "Not Applicable" should only be returned when the API successfully returns 0 items.
Remediation: Use the variable $errorMsg to capture the exception in the catch block. In the Assessment Logic, check if $errorMsg is populated. If it is, fail the test or report the error explicitly, rather than skipping it.
Suggestion: Check if networkAccess/tlsInspectionPolicies?$expand=policyRules is supported to fetch all data in one query, reducing execution time and API throttling risk.
https://github.com/microsoft/ztspecs/issues/319
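One way to make the assessment logic distinguish a failed query from an empty result, as an added example that is not the PR's code: the Graph call is passed in as a script block so the logic runs offline, the field names (policyRules, action, isAutoCreated, lastModifiedDateTime) are assumptions about the beta schema, and the sample data is constructed.

```powershell
# Added example (not the PR's code). Field names are assumed, not taken from the beta schema.
function Get-TlsBypassReviewResult {
    param(
        [Parameter(Mandatory)] [scriptblock] $QueryPolicies,  # wraps the Graph call
        [int] $MaxAgeDays = 90,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $errorMsg = $null
    $policies = $null
    try   { $policies = @(& $QueryPolicies) }
    catch { $errorMsg = $_.Exception.Message }

    # A failed call (403, throttling, outage) is reported as an error, never as NotApplicable
    if ($errorMsg) {
        return [pscustomobject]@{ Status = 'Error'; Detail = "Query failed: $errorMsg"; Stale = @() }
    }
    # Keep only policies carrying at least one custom (non auto-created) bypass rule
    $inScope = @($policies | Where-Object {
        @($_.policyRules | Where-Object { $_.action -eq 'bypass' -and -not $_.isAutoCreated }).Count -gt 0
    })
    # Only a successful, empty result means the feature is not in use
    if ($inScope.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NotApplicable'; Detail = 'No custom bypass rules'; Stale = @() }
    }
    $stale = @($inScope | Where-Object {
        ($Now - [datetime]$_.lastModifiedDateTime).TotalDays -gt $MaxAgeDays
    })
    $status = if ($stale.Count -eq 0) { 'Passed' } else { 'Failed' }
    [pscustomobject]@{
        Status = $status
        Detail = "$($stale.Count) of $($inScope.Count) policies not reviewed in $MaxAgeDays days"
        Stale  = @($stale | ForEach-Object { $_.displayName })
    }
}

# Constructed sample data standing in for the Graph response
$now = [datetime]'2025-06-01T00:00:00Z'
$sample = @(
    [pscustomobject]@{ displayName = 'Finance bypass'; lastModifiedDateTime = '2025-01-15T00:00:00Z'
        policyRules = @([pscustomobject]@{ action = 'bypass'; isAutoCreated = $false }) }   # stale
    [pscustomobject]@{ displayName = 'Default'; lastModifiedDateTime = '2024-01-01T00:00:00Z'
        policyRules = @([pscustomobject]@{ action = 'bypass'; isAutoCreated = $true }) }    # system rule, ignored
    [pscustomobject]@{ displayName = 'HR bypass'; lastModifiedDateTime = '2025-05-20T00:00:00Z'
        policyRules = @([pscustomobject]@{ action = 'bypass'; isAutoCreated = $false }) }   # recently reviewed
)
Get-TlsBypassReviewResult -QueryPolicies { $sample } -Now $now                 # Failed, Stale = Finance bypass
Get-TlsBypassReviewResult -QueryPolicies { throw '403 Forbidden' } -Now $now   # Error, not NotApplicable
Get-TlsBypassReviewResult -QueryPolicies { @() } -Now $now                     # NotApplicable
```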