Create new Entra baseline policy to block high risk Entra AI agents (#2154)

* Initial changes to support policy 9.1v1 Block high risk AI agents

* Updated 9.1v1 policy name and CreateReportStubs file

* Updated baseline and rego to handle Environment and License issues. Added some functional and unit tests

* Added whitespace and fixed unit test

* Removed trailing spaces

* Enabled App Exclusions and added more unit tests

* Updated CreateReportStubs file

* Updated TestResults.json

* Removed unnecessary import in unit tests

* Auto-generate ScubaBaselines.json from markdown baselines

This file was automatically generated by the GitHub Actions workflow.

Workflow: generate_baseline_json.yaml
Trigger: Baseline markdown file changes in PR #2154
Generated: 2026-05-14 18:46:38 UTC

* Temporary functional test changes to test handling different tenant environments

* Fixed linter issues

* Fixes for functional test updates

* Updated Rego logic and associated tests

* Fixed functional test for g5

* Fixed identation and converted object from list to string

* Updated the rego logic, corresponding tests, and comments to prioritize license issues

* Report details adjustment and updates to support app exclusions

* Updated rego to match util function name change

* Updates to fix Regal Linter errors

* Fix typo in rationale for AI agent policy

Corrected the spelling of 'permissiona' to 'permissions' in the rationale section.

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Dick Tracy II <54296228+DickTracyII@users.noreply.github.com>

Author: 3 people

PowerShell/ScubaGear/Rego/AADConfig.rego

@@ -22,6 +22,7 @@ import data.utils.aad.CAPLINK
 import data.utils.aad.DomainReportDetails
 import data.utils.aad.INT_MAX
 import data.utils.key.Count
+import data.utils.aad.EnsureTrimmedArray
 
 
 #############
@@ -1605,3 +1606,84 @@ tests contains {
     "RequirementMet": false
 }
 #--
+
+############
+# MS.AAD.9 #
+############
+
+#
+# MS.AAD.9.1v1
+#--
+
+# If policy matches basic conditions, special conditions,
+# & all exclusions are intentional, save the policy name
+AIAgents contains CAPolicy.DisplayName if {
+    some CAPolicy in input.conditional_access_policies
+
+    ### Common checks for conditional access policies
+    ContainsValue(CAPolicy.Conditions.Applications.IncludeApplications, "All") == true
+    CAPolicy.State == "enabled"
+    ###
+
+    ### Conditional access checks specific to this policy
+    "all" in CAPolicy.Conditions.ClientAppTypes
+    # CAPolicy.Conditions.AgentIdRiskLevels is a string, which can contain multiple values
+    # The helper function EnsureTrimmedArray turns the string into a comma delimited list
+    # with leading and trailing spaces removed
+    "high" in EnsureTrimmedArray(CAPolicy.Conditions.AgentIdRiskLevels)
+    "block" in CAPolicy.GrantControls.BuiltInControls
+    "All" in CAPolicy.Conditions.ClientApplications.IncludeAgentIdServicePrincipals
+    ###
+
+    # Only match policies with user and group exclusions per the confile file
+    AppExclusionsFullyExempt(CAPolicy, "MS.AAD.9.1v1") == true
+}
+
+default AAD_9_1_Not_Applicable_Due_To_Environment := false
+
+# Returns true if the M365 Environment used by the tenant does not support AI Agents
+AAD_9_1_Not_Applicable_Due_To_Environment  := true if {
+    # Check for an environment the feature is not available in
+    input.scuba_config.M365Environment in {"gcchigh", "dod"}
+    # Only N/A if no valid policies are found, future proofing in case the feature becomes available
+    Count(AIAgents) == 0
+    # Only N/A if the tenant does have the required license, otherwise results in a license error
+    Count(Aad2P2Licenses) > 0
+}
+
+# First test is for N/A case
+tests contains {
+    "PolicyId": PolicyId,
+    "Criticality": "Shall/Not-Implemented",
+    "Commandlet": ["Get-MgBetaIdentityConditionalAccessPolicy"],
+    "ActualValue": [],
+    "ReportDetails": CheckedSkippedDetails(PolicyId, Reason),
+    "RequirementMet": false
+} if {
+    PolicyId := "MS.AAD.9.1v1"
+    Reason := concat(" ", [
+    "This policy is not applicable to GCC High or DOD environments because the feature",
+    "is not yet available. See %v for more info"
+    ])
+    AAD_9_1_Not_Applicable_Due_To_Environment == true
+}
+
+# Pass if at least 1 policy meets all conditions & has correct
+# license.
+tests contains {
+    "PolicyId": "MS.AAD.9.1v1",
+    "Criticality": "Shall",
+    "Commandlet": ["Get-MgBetaIdentityConditionalAccessPolicy"],
+    "ActualValue": AIAgents,
+    "ReportDetails": ReportDetailsArrayLicenseWarningCap(AIAgents, DescriptionString),
+    "RequirementMet": Status
+} if {
+    DescriptionString := "conditional access policy(s) found that meet(s) all requirements"
+    AAD_9_1_Not_Applicable_Due_To_Environment == false
+    Conditions := [
+        Count(Aad2P2Licenses) > 0,
+        Count(AIAgents) > 0
+    ]
+    Status := Count(FilterArray(Conditions, false)) == 0
+}
+#--

PowerShell/ScubaGear/Rego/Utils/AAD.rego

@@ -233,6 +233,22 @@ IsGeneralMFA(Policy) := true if {
     Count(Strengths - PRMFA) > 0
 } else := false
 
+# Returns a json object as a list. This is used to future proof against changes microsoft 
+# may make to the input where a field may change from a string to an array of strings. 
+# The function ensures that the output is always an array of strings, whether the input 
+# is null, a string, or an array of strings.
+# Case 1: Input is null -> output is empty array
+# Case 2: Input is an array -> output is the same array
+# Case 3: Input is a string -> output is an array of trimmed items split by commas
+EnsureTrimmedArray(JsonObject) := [] if {
+    JsonObject == null
+} else := JsonObject if {
+    is_array(JsonObject)
+} else := arr if {
+    is_string(JsonObject)
+    parts := split(JsonObject, ",")
+    arr = [trim(y, " ") | some y in parts]
+}
 
 ############################################################################
 # Report formatting functions for MS.AAD.6.1v1                             #

PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json

@@ -464,6 +464,18 @@
         "ReportDetails":  "1 conditional access policy(s) found that meet(s) all requirements:\u003cbr/\u003eLive - MFA SHALL be required for Highly Privileged Roles. \u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.",
         "RequirementMet":  true
     },
+    {
+        "ActualValue":  [
+
+                        ],
+        "Commandlet":  [
+                           "Get-MgBetaIdentityConditionalAccessPolicy"
+                       ],
+        "Criticality":  "Shall",
+        "PolicyId":  "MS.AAD.9.1v1",
+        "ReportDetails":  "0 conditional access policy(s) found that meet(s) all requirements. \u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.",
+        "RequirementMet":  false
+    },
     {
         "ActualValue":  true,
         "Commandlet":  [

PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/aad.md

@@ -799,6 +799,47 @@ Guest invites SHOULD only be allowed to specific external domains that have been
 
 4. Click **Save**.
 
+## 9. AI Security
+
+This section provides policies that help reduce security risks related to the usage of AI Agents and automated services that interact with tenant resources.
+
+### Policies
+#### MS.AAD.9.1v1
+Risky AI agents SHALL be blocked.
+
+[![Automated Check](https://img.shields.io/badge/Automated_Check-5E9732)](#key-terminology)
+
+<!--Policy: MS.AAD.9.1v1; Criticality: SHALL -->
+- _Rationale:_ AI agents may access tenant resources using application permissions and can perform actions autonomously. Blocking high-risk AI agents reduces the risk of unauthorized access and automated misuse of resources.
+- _Last modified:_ March 2026
+- _Note:_ This policy is not applicable to Government Community Cloud (GCC) High, and Department of Defense (DoD) tenants.
+- _NIST SP 800-53 Rev. 5 FedRAMP High Baseline Mapping:_ AC-3, AC-6, CM-7(4)
+- _MITRE ATT&CK TTP Mapping:_
+  - [T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078/)
+    - [T1078.004: Cloud Account](https://attack.mitre.org/techniques/T1078/004/)
+
+### Resources
+
+- [Block access by high-risk agent identities](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-agent-block-high-risk)
+
+### License Requirements
+
+- Requires a Microsoft Entra ID P2 license
+
+### Implementation
+
+#### MS.AAD.9.1v1 Instructions
+
+1. Create a conditional access policy blocking High Risk AI Agents. Configure the following policy settings in the new conditional access policy, per the values below:
+
+<pre>
+  Assignments > Users, agents (Preview) or workload identities > What does this policy apply to? > Agents (Preview) > Include > <b>All agent identities (Preview) </b>
+
+  Target resources > Include > <b>All resources (formerly 'All cloud apps') </b>
+
+  Conditions > Agent risk (Preview) > Configure > Yes > Configure agent risk levels needed for policy to be enforced > <b>High </b>
+</pre>
+
 
 # Acknowledgements