const { useState, useEffect } = React; const COLORS = { bg: "#090e1a", surface: "#0d1526", surfaceAlt: "#111d35", border: "#1e3a5f", accent: "#3b82f6", accentBright: "#60a5fa", success: "#10b981", warning: "#f59e0b", danger: "#ef4444", text: "#e2e8f0", textMuted: "#64748b", textDim: "#94a3b8", }; const CONTROL_COLORS = { phish_mfa: "#a855f7", mfa: "#3b82f6", legacy_auth: "#f97316", compliant_device: "#10b981", hybrid_join: "#059669", app_protection: "#14b8a6", approved_client: "#0d9488", named_locations: "#eab308", sign_in_risk: "#ef4444", user_risk: "#ec4899", session_controls: "#6366f1", terms_of_use: "#8b5cf6", block_unknown_platforms: "#dc2626", require_password_change: "#f97316", }; const ZERO_TRUST_PRINCIPLES = { verify: { label: "Verify Explicitly", color: "#3b82f6", icon: "🔍" }, least: { label: "Least Privilege Access", color: "#8b5cf6", icon: "🔒" }, breach: { label: "Assume Breach", color: "#ef4444", icon: "🛡️" }, }; // MITRE ATT&CK techniques const MITRE_TECHNIQUES = { 'T1078': { name: 'Valid Accounts', tactic: 'Initial Access', severity: 'High' }, 'T1110': { name: 'Brute Force', tactic: 'Credential Access', severity: 'High' }, 'T1528': { name: 'Steal Application Access Token', tactic: 'Credential Access', severity: 'High' }, 'T1539': { name: 'Steal Web Session Cookie', tactic: 'Credential Access', severity: 'Medium' }, 'T1556': { name: 'Modify Authentication Process', tactic: 'Credential Access', severity: 'High' }, 'T1621': { name: 'MFA Request Generation', tactic: 'Credential Access', severity: 'High' }, 'T1098': { name: 'Account Manipulation', tactic: 'Persistence', severity: 'Medium' }, 'T1484': { name: 'Domain Policy Modification', tactic: 'Defense Evasion', severity: 'Medium' }, 'T1557': { name: 'Adversary-in-the-Middle', tactic: 'Credential Access', severity: 'High' }, 'T1606': { name: 'Forge Web Credentials', tactic: 'Credential Access', severity: 'High' }, 'T1133': { name: 'External Remote Services', tactic: 'Persistence', severity: 'Medium' }, 'T1199': { name: 'Trusted Relationship', tactic: 'Initial Access', severity: 'Medium' }, }; const IDENTITY_TYPES = [ { id: "user", label: "Standard User", icon: "👤", desc: "Regular employees, contractors", baseRisk: 45 }, { id: "admin", label: "Administrator", icon: "⚙️", desc: "Global admin, privileged roles", baseRisk: 85 }, { id: "guest", label: "Guest / External", icon: "🌐", desc: "B2B collaborators, partners", baseRisk: 70 }, { id: "workload", label: "Workload Identity", icon: "🤖", desc: "Service principals, managed identities", baseRisk: 60 }, ]; const ACCESS_TARGETS = [ { id: "all_apps", label: "All Cloud Apps", icon: "☁️", desc: "Broadest coverage" }, { id: "admin_portals", label: "Microsoft Admin Portals", icon: "🏛️", desc: "Azure, Entra, Intune" }, { id: "office365", label: "Microsoft 365", icon: "📧", desc: "Exchange, SharePoint, Teams" }, { id: "specific", label: "Specific Applications", icon: "🎯", desc: "Target individual apps" }, ]; const SESSION_TIMEOUT_OPTIONS = [ { value: 1, label: "1 hour", riskReduction: 8, recommended: false }, { value: 4, label: "4 hours", riskReduction: 6, recommended: true }, { value: 8, label: "8 hours", riskReduction: 4, recommended: false }, { value: 12, label: "12 hours", riskReduction: 2, recommended: false }, { value: 24, label: "24 hours", riskReduction: 0, recommended: false }, ]; const SIGN_IN_FREQUENCY_OPTIONS = [ { value: 1, label: "Every sign-in", riskReduction: 5, recommended: true }, { value: 24, label: "Daily", riskReduction: 3, recommended: false }, { value: 168, label: "Weekly", riskReduction: 1, recommended: false }, ]; const RISK_LEVEL_OPTIONS = [ { value: "low", label: "Low and above", riskReduction: 12, recommended: false }, { value: "medium", label: "Medium and above", riskReduction: 18, recommended: true }, { value: "high", label: "High only", riskReduction: 25, recommended: false }, ]; const POLICY_CONTROLS = [ { id: "phish_mfa", label: "Require Phishing-Resistant MFA", category: "authentication", baseRiskReduction: 35, hasSettings: false, ztPrinciples: ["verify"], desc: "FIDO2 security keys or Windows Hello for Business", why: "Cryptographically bound to origin - cannot be phished, relayed, or replayed. Blocks AiTM attacks completely.", mitreBlocked: ['T1621', 'T1110', 'T1557', 'T1078', 'T1606'], warnings: ["Requires FIDO2 hardware keys or WHfB enrollment"], bestPractice: "Mandatory for all administrator accounts. Consider hardware tokens for high-value users.", }, { id: "mfa", label: "Require MFA", category: "authentication", baseRiskReduction: 25, hasSettings: false, ztPrinciples: ["verify"], desc: "Multi-factor authentication (any method)", why: "Blocks 99.9% of automated attacks even with stolen passwords.", mitreBlocked: ['T1110', 'T1078'], warnings: ["Can be bypassed by sophisticated phishing - use phishing-resistant MFA instead"], bestPractice: "Minimum baseline for all users. Upgrade to phishing-resistant for admins.", }, { id: "legacy_auth", label: "Block Legacy Authentication", category: "authentication", baseRiskReduction: 22, hasSettings: false, ztPrinciples: ["verify"], desc: "Block IMAP, POP3, SMTP Auth, older protocols", why: "Legacy protocols bypass MFA. 99% of password spray attacks use legacy auth.", mitreBlocked: ['T1110', 'T1078', 'T1133'], warnings: ["Check for legacy Outlook clients (2010/2013) before enabling"], bestPractice: "Block for all users. No legitimate need for legacy auth in modern environments.", }, { id: "compliant_device", label: "Require Compliant Device", category: "device", baseRiskReduction: 20, hasSettings: false, ztPrinciples: ["verify", "breach"], desc: "Intune-enrolled, policy-compliant devices only", why: "Ensures endpoint security baselines, encryption, and patch compliance before access.", mitreBlocked: ['T1078', 'T1528', 'T1539'], warnings: ["Ensure device enrollment is complete before enforcement"], bestPractice: "Required for accessing sensitive data. Provide enrollment grace period for new devices.", }, { id: "hybrid_join", label: "Require Hybrid Azure AD Joined Device", category: "device", baseRiskReduction: 15, hasSettings: false, ztPrinciples: ["verify"], desc: "Domain-joined devices synced to Azure AD", why: "Ensures devices are managed by corporate AD and Azure AD policies.", mitreBlocked: ['T1078', 'T1199'], warnings: ["Only works for hybrid AD environments"], bestPractice: "Use for on-premises integration scenarios. Prefer Compliant Device for cloud-native.", }, { id: "app_protection", label: "Require App Protection Policy", category: "device", baseRiskReduction: 8, hasSettings: false, ztPrinciples: ["least", "breach"], desc: "Intune App Protection on mobile devices", why: "Containerises corporate data, enables selective wipe on unmanaged BYOD devices.", mitreBlocked: ['T1539'], warnings: [], bestPractice: "Essential for BYOD scenarios. Combine with Compliant Device for corporate-owned.", }, { id: "approved_client", label: "Require Approved Client App", category: "device", baseRiskReduction: 10, hasSettings: false, ztPrinciples: ["verify"], desc: "Only Microsoft-approved mobile apps (Outlook, Teams, etc.)", why: "Prevents data access from unsecured third-party apps that can't enforce protection policies.", mitreBlocked: ['T1539'], warnings: [], bestPractice: "Use for mobile access to email/chat. Prevents unmanaged apps accessing corporate data.", }, { id: "named_locations", label: "Restrict to Trusted Locations", category: "location", baseRiskReduction: 15, hasSettings: false, ztPrinciples: ["verify"], desc: "Allow only from corporate networks or trusted IPs", why: "Geo-fencing reduces credential blast radius. Blocks access from unexpected locations.", mitreBlocked: ['T1078'], warnings: ["Must include VPN endpoints and home IPs for remote workers"], bestPractice: "Define trusted locations: corporate offices, VPN exit points, approved remote IPs. Block high-risk countries.", }, { id: "sign_in_risk", label: "Block Risky Sign-ins (Identity Protection)", category: "risk", baseRiskReduction: 0, // Variable based on settings hasSettings: true, settingType: "risk_level", ztPrinciples: ["verify", "breach"], desc: "ML-based detection of anomalous sign-in patterns", why: "Detects leaked credentials, anonymous IPs, impossible travel, and atypical patterns in real-time.", mitreBlocked: ['T1078', 'T1528', 'T1606'], warnings: ["Requires Azure AD Premium P2"], bestPractice: "Block high-risk sign-ins. Challenge medium-risk with MFA. Monitor low-risk.", }, { id: "user_risk", label: "Require Password Change on User Risk", category: "risk", baseRiskReduction: 0, // Variable based on settings hasSettings: true, settingType: "risk_level", ztPrinciples: ["breach"], desc: "Force password reset when account is compromised", why: "When credentials appear in breach databases, immediate remediation prevents account takeover.", mitreBlocked: ['T1078', 'T1098'], warnings: ["Requires Azure AD Premium P2"], bestPractice: "Require secure password change for high-risk users. Medium-risk may need MFA re-authentication.", }, { id: "session_controls", label: "Session Controls & Token Lifetime", category: "session", baseRiskReduction: 0, // Variable based on settings hasSettings: true, settingType: "session_timeout", ztPrinciples: ["least", "breach"], desc: "Limit session duration and sign-in frequency", why: "Short-lived tokens reduce window for replay attacks. Forces periodic re-authentication.", mitreBlocked: ['T1528', 'T1539'], warnings: [], bestPractice: "4-hour sessions for standard users, 1-hour for admins. Disable persistent browser sessions.", }, { id: "terms_of_use", label: "Require Terms of Use Acceptance", category: "compliance", baseRiskReduction: 2, hasSettings: false, ztPrinciples: ["verify"], desc: "Periodic acceptance of usage policies", why: "Legal requirement for compliance. Ensures users acknowledge security policies.", mitreBlocked: [], warnings: [], bestPractice: "Require re-acceptance every 90 days. Critical for guest users and contractors.", }, { id: "block_unknown_platforms", label: "Block Unknown/Unsupported Platforms", category: "device", baseRiskReduction: 8, hasSettings: false, ztPrinciples: ["verify"], desc: "Block access from Linux, ChromeOS, or unknown devices", why: "Reduces attack surface from potentially unmanaged platforms.", mitreBlocked: ['T1078'], warnings: ["May block legitimate developer workstations - review exceptions"], bestPractice: "Block for standard users. Create exceptions for DevOps teams as needed.", }, { id: "require_password_change", label: "Require Password Change (First Sign-in)", category: "compliance", baseRiskReduction: 5, hasSettings: false, ztPrinciples: ["verify"], desc: "Force password change on first sign-in for new accounts", why: "Ensures default/temporary passwords are replaced immediately.", mitreBlocked: ['T1078'], warnings: [], bestPractice: "Always enable for new user accounts and password resets.", }, ]; const ZERO_TRUST_MATURITY = { traditional: { level: "Traditional", color: COLORS.danger, desc: "Perimeter-based security, limited identity verification", }, advanced: { level: "Advanced", color: COLORS.warning, desc: "Some cloud-based controls, basic MFA", }, optimal: { level: "Optimal", color: COLORS.success, desc: "Full Zero Trust implementation with phishing-resistant MFA", }, }; const DEFENSE_IN_DEPTH_LAYERS = [ { layer: "Perimeter", example: "Network firewalls, WAF", color: "#ef4444" }, { layer: "Network", example: "Named locations, geo-blocking", color: "#f97316" }, { layer: "Identity", example: "MFA, phishing-resistant auth", color: "#eab308" }, { layer: "Device", example: "Compliant devices, app protection", color: "#10b981" }, { layer: "Application", example: "App controls, session limits", color: "#3b82f6" }, { layer: "Data", example: "Encryption, DLP policies", color: "#8b5cf6" }, ]; const BEST_PRACTICES = [ { id: "breakglass", title: "Break-Glass Accounts", icon: "🚨", desc: "Maintain 2+ emergency access accounts excluded from ALL Conditional Access policies", why: "Prevents complete lockout if policies misconfigure. Critical for disaster recovery.", steps: [ "Create 2 cloud-only global admin accounts (not synced from AD)", "Use 25+ character random passwords stored in secure physical safe", "Exclude from ALL CA policies including MFA", "Monitor with dedicated alerts - any use triggers investigation", "Rotate passwords quarterly", "Document in security runbook", ], critical: true, msReference: "Microsoft Zero Trust Deployment Guide - Emergency Access", }, { id: "report_only", title: "Report-Only Mode Testing", icon: "📊", desc: "Always test new policies in report-only mode first", why: "Identifies potential lockout scenarios before enforcement. See who would be impacted.", steps: [ "Create policy in 'Report-only' state", "Monitor sign-in logs for 7-14 days", "Review 'What If' tool results for different scenarios", "Check for unexpected user/app combinations", "Only enable after validation", ], critical: true, msReference: "Microsoft Conditional Access Deployment Best Practices", }, { id: "named_locations", title: "Named Locations Configuration", icon: "📍", desc: "Define trusted locations for geo-fencing policies", why: "Enables location-based access controls and blocks access from unexpected regions.", steps: [ "Add corporate office IP ranges", "Include VPN exit points", "Add approved remote work locations (home IPs for executives)", "Mark trusted locations for MFA bypass (only for low-risk scenarios)", "Block known high-risk countries (match your threat intelligence)", "Use 'Trusted' flag carefully - limits its security benefit", ], critical: false, msReference: "Zero Trust Principle: Verify Explicitly - Network Controls", }, { id: "policy_exclusions", title: "Exclusion Groups Best Practices", icon: "👥", desc: "Manage policy exceptions safely", why: "Exclusions create security gaps. Must be tightly controlled and audited.", steps: [ "Use groups for exclusions (never individual users)", "Name clearly: 'CA-Exclusion-[PolicyName]-[Reason]'", "Require approval workflow for adding members", "Review quarterly - remove when no longer needed", "Alert on membership changes", "Document business justification for each exclusion", "Prefer time-limited exceptions where possible", ], critical: false, msReference: "Microsoft Conditional Access Framework - Exception Management", }, { id: "admin_protection", title: "Administrator Protection Strategy", icon: "🛡️", desc: "Separate policies for privileged accounts", why: "Admin accounts are highest-value targets. Require strictest controls.", steps: [ "Phishing-resistant MFA mandatory (no exceptions)", "Require compliant devices only", "1-hour session lifetime maximum", "Block legacy authentication entirely", "Restrict to trusted locations only", "Separate admin accounts from daily-use accounts", "Consider Privileged Access Workstations (PAWs)", ], critical: true, msReference: "Zero Trust - Least Privilege & Microsoft Privileged Access Strategy", }, { id: "monitoring", title: "Policy Monitoring & Alerts", icon: "🔔", desc: "Continuous monitoring of policy effectiveness", why: "Policies must be monitored for gaps, failures, and abuse attempts.", steps: [ "Monitor sign-in logs for policy failures/successes", "Alert on break-glass account usage", "Track policy exclusion group changes", "Review risk detections (Identity Protection)", "Monitor for policy conflicts or gaps", "Weekly review of blocked sign-ins", "Quarterly policy effectiveness audit", ], critical: false, msReference: "Zero Trust - Assume Breach & Continuous Verification", }, ]; const Btn = ({ label, onClick, disabled, danger, secondary, small }) => ( ); const RiskMeter = ({ score, size = 80 }) => { const getColor = () => { if (score < 25) return COLORS.success; if (score < 50) return COLORS.warning; return COLORS.danger; }; return (
{score}
RISK
); }; const ThreatAnalyticsSidebar = ({ identity, target, controls, controlSettings }) => { const calculateRisk = () => { if (!identity) return 100; let base = IDENTITY_TYPES.find(i => i.id === identity)?.baseRisk || 50; controls.forEach(id => { const ctrl = POLICY_CONTROLS.find(p => p.id === id); if (!ctrl) return; if (ctrl.hasSettings && controlSettings[id]) { // Variable risk reduction based on settings if (id === 'session_controls') { const setting = controlSettings[id]; const timeoutOption = SESSION_TIMEOUT_OPTIONS.find(o => o.value === setting.timeout); const freqOption = SIGN_IN_FREQUENCY_OPTIONS.find(o => o.value === setting.frequency); base -= (timeoutOption?.riskReduction || 0) + (freqOption?.riskReduction || 0); } else if (id === 'sign_in_risk' || id === 'user_risk') { const riskOption = RISK_LEVEL_OPTIONS.find(o => o.value === controlSettings[id].level); base -= riskOption?.riskReduction || 0; } } else { base -= ctrl.baseRiskReduction; } }); return Math.max(0, base); }; const getCoveredTechniques = () => { const covered = new Set(); controls.forEach(controlId => { const ctrl = POLICY_CONTROLS.find(c => c.id === controlId); if (ctrl?.mitreBlocked) { ctrl.mitreBlocked.forEach(t => covered.add(t)); } }); return covered; }; const covered = getCoveredTechniques(); const riskScore = calculateRisk(); const baseRisk = identity ? IDENTITY_TYPES.find(i => i.id === identity)?.baseRisk || 50 : 100; const coverage = Math.round((covered.size / Object.keys(MITRE_TECHNIQUES).length) * 100); return (
{/* Risk Score */}
REAL-TIME RISK ANALYSIS
BASELINE
CURRENT
↓ {baseRisk - riskScore} POINTS REDUCED
{/* MITRE Coverage */}
MITRE ATT&CK COVERAGE
TECHNIQUES MITIGATED {covered.size}/{Object.keys(MITRE_TECHNIQUES).length}
{coverage}%
{/* Coverage by Severity */}
{['High', 'Medium'].map(severity => { const total = Object.values(MITRE_TECHNIQUES).filter(t => t.severity === severity).length; const coveredCount = Object.entries(MITRE_TECHNIQUES) .filter(([id, t]) => t.severity === severity && covered.has(id)) .length; return (
{severity.toUpperCase()}
{coveredCount}/{total}
); })}
{/* Active Controls */}
ACTIVE CONTROLS ({controls.length})
{controls.length === 0 ? (
No controls selected
) : (
{controls.map(id => { const c = POLICY_CONTROLS.find(p => p.id === id); const col = CONTROL_COLORS[id] || COLORS.accent; return (
{c?.label}
); })}
)}
{/* Uncovered Threats */} {covered.size < Object.keys(MITRE_TECHNIQUES).length && (
⚠ GAPS IDENTIFIED
{Object.keys(MITRE_TECHNIQUES).length - covered.size} techniques not mitigated
{Object.entries(MITRE_TECHNIQUES) .filter(([id]) => !covered.has(id)) .slice(0, 3) .map(([id, t]) => (
• {id}: {t.name}
))} {Object.keys(MITRE_TECHNIQUES).length - covered.size > 3 && (
+{Object.keys(MITRE_TECHNIQUES).length - covered.size - 3} more...
)}
)}
); }; const ThreatCoverageMap = ({ controls, controlSettings, identity }) => { const [selectedTechnique, setSelectedTechnique] = useState(null); const [view, setView] = useState('matrix'); // 'matrix', 'zerotrust', 'defense' const getCoveredTechniques = () => { const covered = new Set(); controls.forEach(controlId => { const ctrl = POLICY_CONTROLS.find(c => c.id === controlId); if (ctrl?.mitreBlocked) { ctrl.mitreBlocked.forEach(t => covered.add(t)); } }); return covered; }; const getZeroTrustMaturity = () => { const hasPhishResistantMFA = controls.includes('phish_mfa'); const hasDeviceCompliance = controls.includes('compliant_device'); const hasSessionControls = controls.includes('session_controls'); const hasRiskPolicies = controls.includes('sign_in_risk') || controls.includes('user_risk'); if (hasPhishResistantMFA && hasDeviceCompliance && hasSessionControls && hasRiskPolicies && controls.length >= 6) { return 'optimal'; } else if (controls.includes('mfa') || controls.includes('phish_mfa')) { return 'advanced'; } return 'traditional'; }; const getDefenseLayerCoverage = () => { const layers = {}; DEFENSE_IN_DEPTH_LAYERS.forEach(l => { layers[l.layer] = 0; }); if (controls.includes('named_locations')) layers['Network'] += 1; if (controls.includes('phish_mfa') || controls.includes('mfa')) layers['Identity'] += 1; if (controls.includes('legacy_auth')) layers['Identity'] += 1; if (controls.includes('sign_in_risk') || controls.includes('user_risk')) layers['Identity'] += 1; if (controls.includes('compliant_device') || controls.includes('hybrid_join')) layers['Device'] += 1; if (controls.includes('app_protection') || controls.includes('approved_client')) layers['Device'] += 1; if (controls.includes('session_controls') || controls.includes('terms_of_use')) layers['Application'] += 1; return layers; }; const covered = getCoveredTechniques(); const coverage = Math.round((covered.size / Object.keys(MITRE_TECHNIQUES).length) * 100); const maturityLevel = getZeroTrustMaturity(); const layerCoverage = getDefenseLayerCoverage(); return (
Comprehensive Threat Coverage Analysis
MITRE ATT&CK mapping, Zero Trust maturity, and Defense in Depth visualization
setView('matrix')} secondary={view !== 'matrix'} small /> setView('zerotrust')} secondary={view !== 'zerotrust'} small /> setView('defense')} secondary={view !== 'defense'} small />
{/* Overall Coverage Stats */}
MITRE COVERAGE
{coverage}%
{covered.size}/{Object.keys(MITRE_TECHNIQUES).length} techniques
ZERO TRUST MATURITY
{ZERO_TRUST_MATURITY[maturityLevel].level}
{ZERO_TRUST_MATURITY[maturityLevel].desc}
DEFENSE LAYERS
{Object.values(layerCoverage).filter(v => v > 0).length}/6
Active layers
CONTROLS ACTIVE
{controls.length}
Security controls
{/* MITRE Matrix View */} {view === 'matrix' && (
📊 MITRE ATT&CK Technique Coverage Matrix
Click any technique for detailed mitigation information. Green = Mitigated, Red = Gap
{Object.entries(MITRE_TECHNIQUES).map(([id, tech]) => { const isCovered = covered.has(id); const coveringControls = POLICY_CONTROLS.filter(c => controls.includes(c.id) && c.mitreBlocked?.includes(id)); const isSelected = selectedTechnique === id; return (
setSelectedTechnique(isSelected ? null : id)} style={{ background: isCovered ? `${COLORS.success}08` : `${COLORS.danger}08`, border: `2px solid ${isSelected ? COLORS.accentBright : isCovered ? `${COLORS.success}40` : `${COLORS.danger}40`}`, borderRadius: 8, padding: 12, cursor: "pointer", transition: "all 0.2s", transform: isSelected ? "scale(1.02)" : "scale(1)", }} >
{id} {tech.severity}
{isCovered ? "✓" : "✗"}
{tech.name}
{tech.tactic}
{!isSelected &&
{tech.desc}
} {isSelected && (
{isCovered ? (
✓ MITIGATED BY:
{coveringControls.map(c => (
• {c.label}
))}
) : (
⚠ VULNERABILITY GAP
No active controls mitigate this technique. Consider adding relevant controls.
)}
)}
); })}
{covered.size < Object.keys(MITRE_TECHNIQUES).length && (
⚠ {Object.keys(MITRE_TECHNIQUES).length - covered.size} Technique Gap{Object.keys(MITRE_TECHNIQUES).length - covered.size > 1 ? 's' : ''} Identified
Your current policy configuration does not mitigate all known identity-based attack techniques. Review uncovered (red) techniques above and consider adding controls to close these gaps.
)}
)} {/* Zero Trust View */} {view === 'zerotrust' && (
🔍 Zero Trust Maturity Assessment
Based on Microsoft Zero Trust deployment framework and CISA Zero Trust Maturity Model
{/* Current Maturity Level */}
🏆
CURRENT MATURITY LEVEL
{ZERO_TRUST_MATURITY[maturityLevel].level}
{ZERO_TRUST_MATURITY[maturityLevel].desc}
{/* Zero Trust Principles Coverage */}
Microsoft Zero Trust Principles Coverage
{Object.entries(ZERO_TRUST_PRINCIPLES).map(([key, principle]) => { const relevantControls = POLICY_CONTROLS.filter(c => controls.includes(c.id) && c.ztPrinciples.includes(key)); const coveragePercent = Math.min(100, (relevantControls.length / 3) * 100); return (
{principle.icon}
{principle.label}
{relevantControls.length} controls
{relevantControls.length > 0 && (
{relevantControls.map(c => (
• {c.label}
))}
)}
); })}
{/* Maturity Recommendations */} {maturityLevel !== 'optimal' && (
📈 Path to Optimal Zero Trust Maturity
To achieve Optimal maturity level, consider implementing:
{!controls.includes('phish_mfa') &&
• Phishing-resistant MFA for all users (especially admins)
} {!controls.includes('compliant_device') &&
• Device compliance requirements
} {!controls.includes('session_controls') &&
• Session controls with limited token lifetime
} {!controls.includes('sign_in_risk') && !controls.includes('user_risk') &&
• Identity Protection risk policies
} {controls.length < 6 &&
• Additional layered controls for defense in depth
}
)}
)} {/* Defense in Depth View */} {view === 'defense' && (
🛡️ Defense in Depth Layer Analysis
Microsoft security framework: Multiple layers of protection ensure no single point of failure
{/* Layer Visualization */}
{DEFENSE_IN_DEPTH_LAYERS.map((layer, idx) => { const controlCount = layerCoverage[layer.layer] || 0; const isActive = controlCount > 0; const size = 60 + (idx * 30); return (
{layer.layer}
{layer.example}
{isActive && (
{controlCount} control{controlCount > 1 ? 's' : ''} active
)}
); })}
{/* Layer Details */}
{DEFENSE_IN_DEPTH_LAYERS.map(layer => { const controlCount = layerCoverage[layer.layer] || 0; const isActive = controlCount > 0; return (
{layer.layer} Layer
{isActive ? ( ) : ( )}
{layer.example}
{isActive ? `${controlCount} control${controlCount > 1 ? 's' : ''} protecting this layer` : 'No controls - vulnerability gap'}
); })}
{/* Defense in Depth Best Practice */}
📚 Microsoft Defense in Depth Principle
Defense in Depth is a layered approach to security. If one layer is compromised, subsequent layers provide continued protection. Microsoft recommends implementing controls across ALL layers - from network perimeter to data encryption - to ensure comprehensive security posture. Each layer reduces the attack surface and provides additional opportunities to detect and prevent threats.
)}
); }; function ConditionalAccessBuilder() { const [step, setStep] = useState(0); const [identity, setIdentity] = useState(null); const [target, setTarget] = useState(null); const [selectedControls, setSelectedControls] = useState([]); const [controlSettings, setControlSettings] = useState({}); const [showBestPractices, setShowBestPractices] = useState(false); const handleReset = () => { setStep(0); setIdentity(null); setTarget(null); setSelectedControls([]); setControlSettings({}); setShowBestPractices(false); }; const toggleControl = (id) => { const ctrl = POLICY_CONTROLS.find(c => c.id === id); if (id === "phish_mfa" && selectedControls.includes("mfa")) { setSelectedControls(prev => [...prev.filter(c => c !== "mfa"), id]); } else if (id === "mfa" && selectedControls.includes("phish_mfa")) { return; // Don't allow downgrade } else if (selectedControls.includes(id)) { setSelectedControls(prev => prev.filter(c => c !== id)); const newSettings = { ...controlSettings }; delete newSettings[id]; setControlSettings(newSettings); } else { setSelectedControls(prev => [...prev, id]); // Set default recommended settings if (ctrl.hasSettings) { if (id === 'session_controls') { setControlSettings(prev => ({ ...prev, [id]: { timeout: 4, frequency: 1 } })); } else if (id === 'sign_in_risk' || id === 'user_risk') { setControlSettings(prev => ({ ...prev, [id]: { level: 'medium' } })); } } } }; const updateControlSetting = (controlId, setting, value) => { setControlSettings(prev => ({ ...prev, [controlId]: { ...prev[controlId], [setting]: value } })); }; const phishMfaActive = selectedControls.includes("phish_mfa"); return (
{/* Header */}
🛡️ Entra ID Conditional Access Policy Builder
Zero Trust-aligned policy design with real-time MITRE ATT&CK threat analysis
setShowBestPractices(!showBestPractices)} secondary small />
{/* Best Practices Modal */} {showBestPractices && (
Microsoft Best Practices & Guidance
{BEST_PRACTICES.map(bp => (
{bp.icon}
{bp.title}
{bp.critical && ( CRITICAL )}
{bp.desc}
Why: {bp.why}
📚 {bp.msReference}
IMPLEMENTATION STEPS:
{bp.steps.map((step, idx) => (
{idx + 1}. {step}
))}
))}
)} {/* Main Layout - Sidebar + Content */}
{/* Main Content */}
{/* Progress */}
{["1. IDENTITY", "2. ACCESS SCOPE", "3. CONTROLS"].map((label, idx) => (
idx ? COLORS.success : step === idx ? COLORS.accent : COLORS.surfaceAlt, color: step >= idx ? "#fff" : COLORS.textMuted, border: `2px solid ${step > idx ? COLORS.success : step === idx ? COLORS.accent : COLORS.border}`, }}> {step > idx ? "✓" : idx + 1}
= idx ? COLORS.text : COLORS.textMuted }}> {label}
{idx < 2 &&
idx ? COLORS.success : COLORS.border, borderRadius: 1 }} />}
))}
{/* Step 0: Identity */} {step === 0 && (
Select Identity Type
{IDENTITY_TYPES.map(i => (
{ setIdentity(i.id); setStep(1); }} style={{ background: identity === i.id ? COLORS.surfaceAlt : COLORS.surface, border: `1px solid ${identity === i.id ? COLORS.accent : COLORS.border}`, borderRadius: 12, padding: 20, cursor: "pointer", transition: "all 0.15s", }} >
{i.icon}
{i.label}
{i.desc}
BASE RISK: 70 ? COLORS.danger : i.baseRisk > 50 ? COLORS.warning : COLORS.success }}> {i.baseRisk}
))}
)} {/* Step 1: Access Target */} {step === 1 && (
Select Access Scope
{ACCESS_TARGETS.map(t => (
{ setTarget(t.id); setStep(2); }} style={{ background: target === t.id ? COLORS.surfaceAlt : COLORS.surface, border: `1px solid ${target === t.id ? COLORS.accent : COLORS.border}`, borderRadius: 12, padding: 20, cursor: "pointer", transition: "all 0.15s", }} >
{t.icon}
{t.label}
{t.desc}
))}
setStep(0)} secondary />
)} {/* Step 2: Controls */} {step === 2 && (
Configure Security Controls
{/* Admin MFA warning */} {identity === "admin" && !phishMfaActive && (
🚨 CRITICAL: Phishing-resistant MFA required for administrators
Standard MFA can be bypassed via AiTM attacks. FIDO2/WHfB is mandatory for admin accounts.
)}
{POLICY_CONTROLS.map(c => { const isSelected = selectedControls.includes(c.id); const col = CONTROL_COLORS[c.id] || COLORS.accent; const isDisabled = c.id === "mfa" && phishMfaActive; return (
!isDisabled && toggleControl(c.id)} style={{ width: 18, height: 18, borderRadius: 4, border: `2px solid ${isSelected ? col : COLORS.border}`, background: isSelected ? col : "transparent", display: "flex", alignItems: "center", justifyContent: "center", flexShrink: 0, marginTop: 2, cursor: isDisabled ? "not-allowed" : "pointer", }} > {isSelected && }
{c.label}
{!c.hasSettings && (
-{c.baseRiskReduction}% RISK
)}
{c.desc}
{c.why}
{c.mitreBlocked.map(m => ( {m} ))}
{c.bestPractice && (
💡 Best Practice: {c.bestPractice}
)}
{/* Settings for controls */} {c.hasSettings && isSelected && (
{c.id === 'session_controls' && (
SESSION TIMEOUT
{SESSION_TIMEOUT_OPTIONS.map(opt => ( ))}
SIGN-IN FREQUENCY
{SIGN_IN_FREQUENCY_OPTIONS.map(opt => ( ))}
)} {(c.id === 'sign_in_risk' || c.id === 'user_risk') && (
RISK THRESHOLD
{RISK_LEVEL_OPTIONS.map(opt => ( ))}
)}
)}
); })}
setStep(1)} secondary />
)}
{/* Threat Analytics Sidebar */}
{/* Threat Coverage Map - shown on all screens */}
); } const root = ReactDOM.createRoot(document.getElementById("root")); root.render();