
Add persistent input validation logging (Microsoft.Security.SystemsADM.10031)#1604

Open
KenitoInc wants to merge 1 commit into
mainfrom
kemunga/fix-input-validation-logging

Conversation

@KenitoInc

@KenitoInc KenitoInc commented Jun 10, 2026

Collaborator

Summary

Adds persistent logging of input validation failures to satisfy compliance requirement.

Problem

Validation failures were only displayed to the user via Write-Warning/Write-Error/throw without being persisted for security audit purposes.

Solution

Created Write-EntraInputValidationLog function that:

  • Writes structured log entries to %LOCALAPPDATA%/Microsoft.Entra/Logs/InputValidation-{date}.log
  • On Windows: also writes to Windows Event Log (Application, source 'Microsoft.Entra', EventId 1001)
  • On Linux/macOS: also writes to syslog via logger command
  • Masks sensitive values (first 4 chars + **** for values >8 chars)
  • Is non-fatal — logging failures never block cmdlet execution

Changes

  • 9 new files: Write-EntraInputValidationLog.ps1 in each submodule folder (5 Entra + 4 EntraBeta)
  • 23 modified cmdlets: Added logging calls at all validation failure points
  • 5 test files: 15 unit tests + 8 integration tests (23 total, all passing)

Cross-platform

  • Uses [System.Environment]::UserName on non-Windows (instead of WindowsIdentity)
  • Syslog fallback on Linux/macOS instead of Windows Event Log
  • File logging path uses [Environment]::GetFolderPath('LocalApplicationData') (works on all platforms)

Testing

  • Build: ✅ passes
  • Tests: ✅ 23/23 pass
  • No regressions in existing tests

…M.10031)

Implements Write-EntraInputValidationLog function to persistently log all user
input that fails validation, satisfying security requirement
Microsoft.Security.SystemsADM.10031 from threat model review.

Changes:
- Add Write-EntraInputValidationLog.ps1 to each submodule folder that performs
  input validation (Applications, CertificateBasedAuthentication,
  DirectoryManagement, SignIns, Users, Governance)
- Integrate logging calls into all 23 cmdlets with validation failure paths
- Logs written to %LOCALAPPDATA%\Microsoft.Entra\Logs\ (file-based, no admin)
- Attempts Windows Event Log (Application, EventId 1001) as secondary store
- Sensitive values automatically masked in log output
- Non-blocking: logging failures never interrupt cmdlet execution
- Add unit tests (15 tests) and integration tests (8 tests) - all passing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@KenitoInc KenitoInc requested a review from a team as a code owner June 10, 2026 08:02
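The following is an added illustration of the logging design described in the PR above (file log under LocalApplicationData, Windows Event Log or syslog as a secondary store, sensitive-value masking, and non-fatal behaviour). It is example code written here, not the PR's own Write-EntraInputValidationLog implementation; the function and parameter names, the JSON line format and the decision to mask short values entirely are assumptions.

```powershell
# Example only (not the PR's code). Masking rule from the PR description:
# first 4 chars + **** for values longer than 8 chars. Shorter values are
# masked entirely here; that choice is an assumption.
function Hide-SensitiveValue {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return '' }
    if ($Value.Length -gt 8) { return $Value.Substring(0, 4) + '****' }
    return '****'
}

function Write-ExampleInputValidationLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CmdletName,
        [Parameter(Mandatory)][string]$ParameterName,
        [Parameter(Mandatory)][string]$Reason,
        [string]$Value
    )
    try {
        # Windows PowerShell 5.1 does not define $IsWindows, so fall back on the version.
        $onWindows = $IsWindows -or ($PSVersionTable.PSVersion.Major -le 5)

        # Primary store: per-user file, no admin rights required.
        $logDir = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Microsoft.Entra/Logs'
        if (-not (Test-Path -LiteralPath $logDir)) {
            New-Item -ItemType Directory -Path $logDir -Force | Out-Null
        }
        $logFile = Join-Path $logDir ('InputValidation-{0}.log' -f (Get-Date -Format 'yyyy-MM-dd'))

        $user = if ($onWindows) {
            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        } else {
            [System.Environment]::UserName
        }

        # One JSON object per line keeps the file easy to ingest into a SIEM.
        $entry = [ordered]@{
            Timestamp = (Get-Date).ToString('o')
            User      = $user
            Cmdlet    = $CmdletName
            Parameter = $ParameterName
            Reason    = $Reason
            Value     = Hide-SensitiveValue $Value
        } | ConvertTo-Json -Compress
        Add-Content -LiteralPath $logFile -Value $entry -Encoding utf8

        # Secondary store. Write-EventLog only exists in Windows PowerShell 5.1, and
        # registering the event source needs elevation once; skip silently otherwise.
        if ($onWindows) {
            if ((Get-Command Write-EventLog -ErrorAction SilentlyContinue) -and
                [System.Diagnostics.EventLog]::SourceExists('Microsoft.Entra')) {
                Write-EventLog -LogName Application -Source 'Microsoft.Entra' `
                    -EventId 1001 -EntryType Warning -Message $entry
            }
        } elseif (Get-Command logger -ErrorAction SilentlyContinue) {
            & logger -t Microsoft.Entra -p user.warning $entry
        }
    } catch {
        # Non-fatal: a logging failure must never block the calling cmdlet.
        Write-Verbose "Input validation logging failed: $($_.Exception.Message)"
    }
}

# Usage at a validation failure point, before the existing Write-Error/throw:
Write-ExampleInputValidationLog -CmdletName 'Get-ExampleUser' -ParameterName 'UserId' `
    -Reason 'Not a valid GUID' -Value 'not-a-guid-at-all'
```

Two points worth checking in a real implementation: the event source must already be registered (otherwise `SourceExists` can throw a SecurityException, which the `try` swallows as intended), and the masked value should be the only form that ever reaches the log, so the raw input is never written in a fallback branch.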
@learn-build-service-prod


Learn Build status updates of commit e4d0bd2:

❌ Validation status: errors

Please follow instructions here which may help to resolve issue.

File | Status | Preview URL | Details
(none) | ❌ Error | (none) | see below

  • Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed] Failed to load file: C:/LocalRun/W/5gyz-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
