Pre-Session Homework: Entra Security Admin
This page lists the 16 controls you are responsible for as Entra Security Admin. Please review each control and bring the requested evidence to your assessment session.
For the full assessment experience, see the Readiness Assessment.
Control 1.11 — Conditional Access and Phishing-Resistant MFA
Security · Zone 1, Zone 2, Zone 3
Pass criteria: CA policies require phishing-resistant MFA (FIDO2/passkey/WHfB/CBA) for agent makers, owners, and admins; break-glass excluded; CA for Workload Identities applied to agent service principals.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.15 — Encryption: Data in Transit and at Rest
Security · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.17 — Endpoint Data Loss Prevention (Endpoint DLP)
Security · Zone 2, Zone 3
Pass criteria: Devices onboarded via Defender for Endpoint, with Endpoint DLP blocking restricted apps, USB/removable media, and personal cloud uploads, plus Edge for Business AI-paste rules for unmanaged AI.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.2 — Agent Registry and Integrated Apps Management
Security · Zone 1, Zone 2, Zone 3
Pass criteria: All agents and integrated apps registered with named owner and backup owner, admin consent workflow enabled, and no orphaned service principals across Entra, Integrated Apps, and Copilot Studio.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.20 — Network Isolation and Private Connectivity
Security · Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.22 — Information Barriers for AI Agents
Security · Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.23 — Step-Up Authentication for AI Agent Operations
Security · Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.24 — Defender AI Security Posture Management (AI-SPM)
Security · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.5 — Data Loss Prevention (DLP) and Sensitivity Labels
Security · Zone 1, Zone 2, Zone 3
Pass criteria: Purview DLP covers SharePoint, OneDrive, Exchange, Teams, Endpoint, and Copilot/Copilot Chat, plus Power Platform data policies for Copilot Studio agents, all using FSI-tuned SITs.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.7 — Comprehensive Audit Logging and Compliance
Security · Zone 1, Zone 2, Zone 3
Pass criteria: Unified Audit Log on; Audit Premium with the 10-year retention add-on enabled; a custom audit retention policy targets Copilot/agent events for the applicable 6-year FINRA/SEC window.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.15 — Environment Routing and Auto-Provisioning
Management · Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.17 — Multi-Agent Orchestration Limits
Management · Zone 2, Zone 3
Pass criteria: Multi-agent designs document delegation depth limits, circuit breakers, HITL triggers, and the 128-tool ceiling; A2A/MCP cross-protocol chains tracked in the agent inventory.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.26 — Entra Agent ID — Identity Governance for Agents
Management · Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 3.7 — PPAC Security Posture Assessment
Reporting · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 3.9 — Microsoft Sentinel Integration
Reporting · Zone 2, Zone 3
Pass criteria: Sentinel ingests Power Platform Admin Activity, CopilotInteraction, Entra and service-principal sign-ins, and Defender connectors with FSI analytics rules, workbooks, and Logic Apps playbooks.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 4.4 — Guest and External User Access Controls
SharePoint · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Generated from assessment/manifest/controls.json by scripts/generate_homework_pages.py. Edit the manifest, then re-run.