microsoft/Entra-POCAdvisor
Python
Description: A GitHub Copilot Skill that guides Microsoft Entra administrators through proof-of-concept deployments of the Microsoft Entra Suite
License: MIT
Stars: 6
Forks: 4
Open issues: 0
Created: 2026-04-15T17:24:35Z
Pushed: 2026-06-09T15:42:27Z
Default branch: master
Fork: no
Archived: no
README:
Entra-POCAdvisor
A GitHub Copilot Skill that guides Microsoft Entra administrators through proof-of-concept deployments of the Microsoft Entra Suite. It provides expert advisory, configuration guidance, and documentation generation — all through a conversational-first approach.
Overview
Entra-POCAdvisor is designed for Entra administrators who need to plan, configure, validate, and document POC deployments across the Microsoft Entra Suite. Instead of generating outputs immediately, the assistant engages you in conversation: it asks clarifying questions, surfaces considerations you may not have thought of, recommends best practices, and helps you think through your POC strategy before producing any artifacts.
When you're ready, it generates production-grade documentation, PowerShell scripts, gap analysis reports, and architecture diagrams — all following Microsoft documentation standards.
> [!NOTE]
> This skill integrates with the Microsoft MCP Server for Enterprise to read tenant configuration in real time. It also works fully offline in Guidance Only mode.
Products Covered
The assistant covers six Microsoft Entra Suite products:
| Product | Key Capabilities |
|---|---|
| Global Secure Access | Traffic forwarding profiles, GSA Client deployment, remote networks, traffic logging, Conditional Access integration |
| Entra Private Access | Zero Trust network access, application connectors, Quick Access (VPN replacement), Per-App Access, Private DNS |
| Entra Internet Access | Web content filtering, security profiles, TLS inspection, Universal Tenant Restrictions |
| Entra ID Protection | Risk detection engine, risky users/sign-ins reports, risk-based Conditional Access policies |
| Entra ID Governance | Access reviews, entitlement management, lifecycle workflows, Privileged Identity Management |
| Entra Verified ID | Digital credential issuance and verification, decentralized identity flows |
| Entra External Identities | B2B collaboration (guest users), B2B direct connect (Teams shared channels), CIAM (customer sign-up/sign-in), social identity providers, cross-tenant access policies, self-service sign-up flows |
Detailed product references are available under [.github/skills/entra-poc-advisor/references/products/](.github/skills/entra-poc-advisor/references/products/).
Operation Modes
You select an operation mode at the start of every session. The assistant never escalates beyond the selected mode without your explicit consent.
| Mode | Tenant Connection | What You Get |
|---|---|---|
| Guidance Only | None | Advisory conversation, documentation, scripts (with placeholder values), architecture diagrams, scenario templates |
| Read-Only | Microsoft MCP Server (read) | Everything above, plus live prerequisite validation, current-state configuration reads, and gap analysis reports with real tenant data |
| Read-Write | Microsoft MCP Server (read) | Everything above, plus PowerShell scripts and portal instructions pre-populated with your tenant-specific values (group IDs, UPNs, resource references) |

> [!IMPORTANT]
> PowerShell 7+ (pwsh.exe) is required for Read-Only and Read-Write modes. The Microsoft Graph PowerShell SDK v2.x is incompatible with PowerShell 5.1 (.NET Framework 4.8) — the MSAL EventSource tracing causes an EventSourceException on Connect-MgGraph. Install PowerShell 7 from https://aka.ms/install-powershell.

> [!IMPORTANT]
> Even in Read-Write mode, the assistant never writes directly to your tenant. All changes are performed by you — via PowerShell scripts you review and execute, or portal instructions you follow manually.
See [.github/skills/entra-poc-advisor/references/operation-modes.md](.github/skills/entra-poc-advisor/references/operation-modes.md) for detailed mode transition rules.
POC Lifecycle
Every POC engagement follows a six-phase lifecycle. Phases are iterative — you can loop back at any point.
| Phase | What Happens |
|---|---|
| 1. Planning | Conversational requirements gathering. You describe your goals, the assistant recommends products and scenarios, and together you refine the approach. Output generation starts only when you say you're ready. |
| 2. Prerequisites | Validates licenses, admin roles, and infrastructure. In Read-Only/Read-Write modes, the assistant checks your live tenant via MCP and reports gaps with remediation guidance. |
| 3. Configuration | You choose your path — manual (step-by-step Markdown docs), scripted (idempotent PowerShell), or hybrid (docs with embedded scripts). |
| 4. Validation | Compares your current tenant configuration against the target state and produces a gap analysis report. Loops back to Configuration if gaps are found. |
| 5. Testing | Provides testing checklists and procedures. Validates test outcomes via MCP where possible (e.g., sign-in logs). |
| 6. Documentation | Exports the complete POC guide, architecture diagrams, gap analysis, and session audit log. |
See [.github/skills/entra-poc-advisor/references/poc-lifecycle.md](.github/skills/entra-poc-advisor/references/poc-lifecycle.md) for detailed phase guidance.
Pre-Built Scenarios
22 ready-to-use scenarios across six categories, each with prerequisites, architecture diagrams, configuration steps, and validation procedures:
| Category | Scenario | Complexity | Est. Time |
|---|---|---|---|
| Private Access | Quick Access (VPN replacement) | Medium | 45 min |
| | Per-App Access (granular resources) | High | 90 min |
| | Private DNS | High | 60 min |
| Internet Access | Web Content Filtering | Medium | 30 min |
| | Security Profiles | Medium | 45 min |
| | TLS Inspection | High | 60 min |
| | Universal Tenant Restrictions | Medium | 30 min |
| | Source Traffic Type & HTTP Method Filtering (Preview) | Medium | 45 min |
| | Network Content Filtering & Purview DLP | High | 60 min |
| | Explicit Forward Proxy (Preview) | High | 60 min |
| | Remote Network…
Notability
notability 2.0/10: Low traction, routine repo