Conversation

@nicowyss

Summary

Adds 5 new Maester Core Tests for Entra ID Identity Governance Access Packages.

Tests Added

  • MT.1107 – Access packages and catalogs should not reference deleted groups
  • MT.1108 – Access packages should not reference inactive or orphaned assignment policies
  • MT.1109 – Access package approval workflows must have valid approvers
  • MT.1110 – No catalog should contain resources without any associated access packages
  • MT.1111 – Catalog resources must have valid roles (no stale app roles or SPNs)

Notes

  • Read-only tests
  • Tested with Invoke-Maester
  • No tenant modifications

@nicowyss nicowyss requested review from a team as code owners December 15, 2025 09:39
@SamErde SamErde requested review from Copilot and removed request for a team January 31, 2026 23:03
Contributor

Copilot AI left a comment


Pull request overview

This pull request adds 5 new Maester Core Tests (MT.1107-MT.1111) for Microsoft Entra ID Identity Governance Entitlement Management. These tests validate the configuration and integrity of access packages, catalogs, policies, and resources in Entra ID Governance.

Changes:

  • Adds 5 new PowerShell test functions for entitlement management validation
  • Adds corresponding Pester test wrappers with appropriate tags
  • Adds documentation files for each test with descriptions, remediation steps, and related links
  • Updates module manifest to export the new test functions

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 12 comments.

| File | Description |
| --- | --- |
| powershell/Maester.psd1 | Adds 5 new test functions to the module exports |
| powershell/public/maester/entra/Test-MtEntitlementManagementDeletedGroups.ps1 | Validates that access packages and catalogs don't reference deleted groups |
| powershell/public/maester/entra/Test-MtEntitlementManagementDeletedGroups.md | Documentation for deleted groups test |
| powershell/public/maester/entra/Test-MtEntitlementManagementInactivePolicies.ps1 | Checks for inactive or misconfigured assignment policies |
| powershell/public/maester/entra/Test-MtEntitlementManagementInactivePolicies.md | Documentation for inactive policies test |
| powershell/public/maester/entra/Test-MtEntitlementManagementOrphanedResources.ps1 | Identifies catalog resources not used in any access package |
| powershell/public/maester/entra/Test-MtEntitlementManagementOrphanedResources.md | Documentation for orphaned resources test |
| powershell/public/maester/entra/Test-MtEntitlementManagementValidApprovers.ps1 | Validates approval workflows have valid, active approvers |
| powershell/public/maester/entra/Test-MtEntitlementManagementValidApprovers.md | Documentation for valid approvers test |
| powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.ps1 | Checks catalog resources for stale app roles and deleted service principals |
| powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.md | Documentation for valid resource roles test |
| tests/Maester/Entra/Test-MtEntitlementManagementDeletedGroups.Tests.ps1 | Pester test wrapper for MT.1107 |
| tests/Maester/Entra/Test-MtEntitlementManagementInactivePolicies.Tests.ps1 | Pester test wrapper for MT.1108 |
| tests/Maester/Entra/Test-MtEntitlementManagementOrphanedResources.Tests.ps1 | Pester test wrapper for MT.1110 |
| tests/Maester/Entra/Test-MtEntitlementManagementValidApprovers.Tests.ps1 | Pester test wrapper for MT.1109 |
| tests/Maester/Entra/Test-MtEntitlementManagementValidResourceRoles.Tests.ps1 | Pester test wrapper for MT.1111 |
| website/docs/tests/maester/MT.1107.md | User-facing documentation for deleted groups test |
| website/docs/tests/maester/MT.1108.md | User-facing documentation for inactive policies test |
| website/docs/tests/maester/MT.1109.md | User-facing documentation for valid approvers test |
| website/docs/tests/maester/MT.1110.md | User-facing documentation for orphaned resources test |
| website/docs/tests/maester/MT.1111.md | User-facing documentation for valid resource roles test |


@SamErde
Contributor

SamErde commented Feb 2, 2026

@nicowyss, these are great checks! Do you have any thoughts on the suggestions from the Copilot review? I haven't had a chance to review much lately, but this might give you a few things to test. Thanks!

- Add missing elseif branch for single object responses in:
  - Test-MtEntitlementManagementValidResourceRoles (allPackages, roleScopes)
  - Test-MtEntitlementManagementValidApprovers (members)
- Fix Write-Error to use $_.Exception.Message instead of $_ in all 4 files
- Move Graph API call for access packages before catalog foreach loop
- Reduces API calls from N (per catalog) to 1
- Apply to both OrphanedResources and ValidResourceRoles tests
@SamErde
Contributor

SamErde commented Feb 11, 2026

@nicowyss, these are great checks! Do you have any thoughts on the suggestions from the Copilot review? I haven't had a chance to review much lately, but this might give you a few things to test. Thanks!

Just to be clear: you don't have to automatically accept all Copilot suggestions! It's just the best I can offer with my current schedule.

@nicowyss
Author

> @nicowyss, these are great checks! Do you have any thoughts on the suggestions from the Copilot review? I haven't had a chance to review much lately, but this might give you a few things to test. Thanks!
>
> Just to be clear: you don't have to automatically accept all Copilot suggestions! It's just the best I can offer with my current schedule.

@SamErde Yes, of course, I'm currently working my way through the review comments, and many of them make a lot of sense.

- Updated line 121 to use the consistent 3-branch pattern for handling
  Graph API responses (Array, .value property, single object)
- Ensures paginated results with .value property are handled correctly
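The three review points carried by the commits above (the missing single-object branch, reporting `$_.Exception.Message` rather than `$_`, and making the access-package call once before the catalog loop) and the later commit's 3-branch response pattern, shown together as one added example. This is not Maester's code and does not reproduce any of the PR's test functions; the helper name `ConvertTo-ResultArray`, the sample response objects and the `catalogId` property used to group packages are assumptions made for the illustration, and the Graph requests themselves are stood in for by constructed data.

```powershell
# Added example, not Maester's own code. Demonstrates:
#   1. the three-branch pattern for Graph responses (array / .value property / single object),
#   2. reporting $_.Exception.Message instead of $_ in the catch block,
#   3. fetching access packages once and indexing them, instead of once per catalog.

function ConvertTo-ResultArray {
    # Hypothetical helper name (assumption). Normalizes any Graph response shape to an array.
    [CmdletBinding()]
    param(
        [AllowNull()]
        $Response
    )

    if ($null -eq $Response) {
        return @()
    }
    elseif ($Response -is [System.Array]) {
        # Branch 1: the caller already received a collection of items.
        return @($Response)
    }
    elseif ($Response -is [System.Collections.IDictionary] -and $Response.Contains('value')) {
        # Branch 2a: paged response deserialized as a hashtable.
        return @($Response['value'])
    }
    elseif ($Response.PSObject.Properties.Name -contains 'value') {
        # Branch 2b: paged response deserialized as a PSCustomObject.
        return @($Response.value)
    }
    else {
        # Branch 3: a single object, e.g. a GET on one resource id; without this
        # branch the caller would iterate over the object's properties instead.
        return @($Response)
    }
}

# Constructed sample responses standing in for the Graph calls.
$catalogResponse = [pscustomobject]@{
    value = @(
        [pscustomobject]@{ id = 'cat-1'; displayName = 'Finance' },
        [pscustomobject]@{ id = 'cat-2'; displayName = 'Unused catalog' }
    )
}
# Single-object shape: the case the review asked to handle.
$packageResponse = [pscustomobject]@{ id = 'pkg-1'; displayName = 'Finance readers'; catalogId = 'cat-1' }

try {
    $catalogs = ConvertTo-ResultArray -Response $catalogResponse
    # One request for all access packages, made before the catalog loop.
    $packages = ConvertTo-ResultArray -Response $packageResponse
}
catch {
    # Surface the exception message rather than the whole ErrorRecord.
    Write-Error "Failed to retrieve entitlement management data: $($_.Exception.Message)"
    return
}

# Index packages by catalog once (catalogId is an assumed property name here),
# so the loop below performs no further API calls: 1 call instead of N.
$packagesByCatalog = @{}
foreach ($package in $packages) {
    if (-not $packagesByCatalog.ContainsKey($package.catalogId)) {
        $packagesByCatalog[$package.catalogId] = [System.Collections.Generic.List[object]]::new()
    }
    $packagesByCatalog[$package.catalogId].Add($package)
}

$catalogsWithoutPackages = foreach ($catalog in $catalogs) {
    if (-not $packagesByCatalog.ContainsKey($catalog.id)) {
        $catalog
    }
}

if ($catalogsWithoutPackages) {
    Write-Host "Catalogs without access packages: $($catalogsWithoutPackages.displayName -join ', ')"
}
else {
    Write-Host 'Every catalog has at least one access package.'
}
```

Running this against the constructed data reports `Unused catalog` as having no access packages. The hashtable check sits before the `PSObject.Properties` check because a hashtable also exposes a `PSObject`, whose property names are the hashtable's own members rather than its keys.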
