Add Entitlement Management tests MT.1107-MT.1111#1381

Merged
merill merged 11 commits intomaester365:mainfrom
nicowyss:main
Feb 18, 2026

Conversation

@nicowyss (Contributor)

Summary

Adds 5 new Maester Core Tests for Entra ID Identity Governance Access Packages.

Tests Added

  • MT.1107 – Access packages and catalogs should not reference deleted groups
  • MT.1108 – Access packages should not reference inactive or orphaned assignment policies
  • MT.1109 – Access package approval workflows must have valid approvers
  • MT.1110 – No catalog should contain resources without any associated access packages
  • MT.1111 – Catalog resources must have valid roles (no stale app roles or SPNs)

Notes

  • Read-only tests
  • Tested with Invoke-Maester
  • No tenant modifications

@nicowyss nicowyss requested review from a team as code owners December 15, 2025 09:39
@SamErde SamErde requested review from Copilot and removed request for a team January 31, 2026 23:03
Copilot AI (Contributor) left a comment

Pull request overview

This pull request adds 5 new Maester Core Tests (MT.1107-MT.1111) for Microsoft Entra ID Identity Governance Entitlement Management. These tests validate the configuration and integrity of access packages, catalogs, policies, and resources in Entra ID Governance.

Changes:

  • Adds 5 new PowerShell test functions for entitlement management validation
  • Adds corresponding Pester test wrappers with appropriate tags
  • Adds documentation files for each test with descriptions, remediation steps, and related links
  • Updates module manifest to export the new test functions

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 12 comments.

Summary per file (File, Description):
powershell/Maester.psd1 Adds 5 new test functions to the module exports
powershell/public/maester/entra/Test-MtEntitlementManagementDeletedGroups.ps1 Validates that access packages and catalogs don't reference deleted groups
powershell/public/maester/entra/Test-MtEntitlementManagementDeletedGroups.md Documentation for deleted groups test
powershell/public/maester/entra/Test-MtEntitlementManagementInactivePolicies.ps1 Checks for inactive or misconfigured assignment policies
powershell/public/maester/entra/Test-MtEntitlementManagementInactivePolicies.md Documentation for inactive policies test
powershell/public/maester/entra/Test-MtEntitlementManagementOrphanedResources.ps1 Identifies catalog resources not used in any access package
powershell/public/maester/entra/Test-MtEntitlementManagementOrphanedResources.md Documentation for orphaned resources test
powershell/public/maester/entra/Test-MtEntitlementManagementValidApprovers.ps1 Validates approval workflows have valid, active approvers
powershell/public/maester/entra/Test-MtEntitlementManagementValidApprovers.md Documentation for valid approvers test
powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.ps1 Checks catalog resources for stale app roles and deleted service principals
powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.md Documentation for valid resource roles test
tests/Maester/Entra/Test-MtEntitlementManagementDeletedGroups.Tests.ps1 Pester test wrapper for MT.1107
tests/Maester/Entra/Test-MtEntitlementManagementInactivePolicies.Tests.ps1 Pester test wrapper for MT.1108
tests/Maester/Entra/Test-MtEntitlementManagementOrphanedResources.Tests.ps1 Pester test wrapper for MT.1110
tests/Maester/Entra/Test-MtEntitlementManagementValidApprovers.Tests.ps1 Pester test wrapper for MT.1109
tests/Maester/Entra/Test-MtEntitlementManagementValidResourceRoles.Tests.ps1 Pester test wrapper for MT.1111
website/docs/tests/maester/MT.1107.md User-facing documentation for deleted groups test
website/docs/tests/maester/MT.1108.md User-facing documentation for inactive policies test
website/docs/tests/maester/MT.1109.md User-facing documentation for valid approvers test
website/docs/tests/maester/MT.1110.md User-facing documentation for orphaned resources test
website/docs/tests/maester/MT.1111.md User-facing documentation for valid resource roles test



SamErde commented Feb 2, 2026

@nicowyss, these are great checks! Do you have any thoughts on the suggestions from the Copilot review? I haven't had a chance to review much lately, but this might give you a few things to test. Thanks!

- Add missing elseif branch for single object responses in:
  - Test-MtEntitlementManagementValidResourceRoles (allPackages, roleScopes)
  - Test-MtEntitlementManagementValidApprovers (members)
- Fix Write-Error to use $_.Exception.Message instead of $_ in all 4 files
- Move Graph API call for access packages before catalog foreach loop
- Reduces API calls from N (per catalog) to 1
- Apply to both OrphanedResources and ValidResourceRoles tests

SamErde commented Feb 11, 2026

@nicowyss, these are great checks! Do you have any thoughts on the suggestions from the Copilot review? I haven't had a chance to review much lately, but this might give you a few things to test. Thanks!

Just to be clear: you don't have to automatically accept all Copilot suggestions! It's just the best I can offer with my current schedule.

@nicowyss (Contributor, Author)

> @nicowyss, these are great checks! Do you have any thoughts on the suggestions from the Copilot review? I haven't had a chance to review much lately, but this might give you a few things to test. Thanks!
>
> Just to be clear: you don't have to automatically accept all Copilot suggestions! It's just the best I can offer with my current schedule.

@SamErde Yes, of course, I'm currently working my way through the review comments, and many of them make a lot of sense.

- Updated line 121 to use the consistent 3-branch pattern for handling
  Graph API responses (Array, .value property, single object)
- Ensures paginated results with .value property are handled correctly
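The two commit messages above (the added elseif branch for single-object responses, and moving the access-package fetch out of the per-catalog loop) describe a pattern rather than show it. The script below is an added example, not Maester's own code from this PR: one helper that normalizes a Graph response whether it arrives as an array, as a collection object with a .value property, or as a single object, and a check in the spirit of MT.1110 that builds the set of referenced resource ids from a single access-package fetch before walking catalogs. The resourceRoleScopes -> scope -> resource.id property path and the idea of feeding it from one Graph call are assumptions; all sample data is constructed so the script runs offline.

```powershell
# Added example (not Maester's own code): normalize Graph responses with the
# three-branch pattern and fetch access packages once instead of per catalog.
# Property paths are assumptions; sample data below is constructed.

function ConvertTo-GraphResultArray {
    # Returns a plain array for any of the three response shapes a Graph call
    # can hand back: an array, a collection object with .value, or one object.
    param($Response)

    if ($null -eq $Response) {
        return @()                                   # nothing returned
    }
    elseif ($Response -is [System.Array]) {
        return @($Response)                          # already a list of items
    }
    elseif ($Response -is [System.Collections.IDictionary]) {
        # Hashtable-shaped response (e.g. ConvertFrom-Json -AsHashtable)
        if ($Response.Contains('value')) { return @($Response['value']) }
        return @($Response)
    }
    elseif ($null -ne $Response.PSObject.Properties['value']) {
        return @($Response.value)                    # collection object, possibly paginated
    }
    else {
        return @($Response)                          # single object
    }
}

function Find-CatalogResourceWithoutPackage {
    # Returns catalog resources that no access package references.
    # Takes already-fetched data so it can run offline against the samples below.
    param(
        [Parameter(Mandatory = $true)] $AccessPackages,                 # raw response, any shape
        [Parameter(Mandatory = $true)] [hashtable] $CatalogResources    # catalogId -> raw response
    )

    # One access-package fetch (done once, outside the catalog loop) feeds a
    # lookup set of every resource id that some package's role scopes use.
    $usedResourceIds = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($package in (ConvertTo-GraphResultArray $AccessPackages)) {
        foreach ($roleScope in (ConvertTo-GraphResultArray $package.resourceRoleScopes)) {
            $resourceId = $roleScope.scope.resource.id   # assumed property path
            if ($resourceId) { [void]$usedResourceIds.Add([string]$resourceId) }
        }
    }

    $orphaned = @()
    foreach ($catalogId in $CatalogResources.Keys) {
        foreach ($resource in (ConvertTo-GraphResultArray $CatalogResources[$catalogId])) {
            if (-not $usedResourceIds.Contains([string]$resource.id)) {
                $orphaned += [pscustomobject]@{
                    CatalogId    = $catalogId
                    ResourceId   = $resource.id
                    ResourceName = $resource.displayName
                }
            }
        }
    }
    return $orphaned
}

# --- Constructed sample data covering all three response shapes ---
$sampleAccessPackages = [pscustomobject]@{        # collection object with .value
    value = @(
        [pscustomobject]@{
            id = 'pkg-1'; displayName = 'Finance Readers'
            resourceRoleScopes = @(
                [pscustomobject]@{ scope = [pscustomobject]@{ resource = [pscustomobject]@{ id = 'res-group-1' } } }
            )
        }
    )
}
$sampleCatalogResources = @{
    'catalog-A' = @(                                  # array-shaped response
        [pscustomobject]@{ id = 'res-group-1'; displayName = 'Finance Readers group' },
        [pscustomobject]@{ id = 'res-app-7';   displayName = 'Legacy reporting app' }
    )
    'catalog-B' = [pscustomobject]@{ id = 'res-site-3'; displayName = 'Archive site' }   # single object
}

# Expected: res-app-7 (catalog-A) and res-site-3 (catalog-B) are reported as orphaned.
Find-CatalogResourceWithoutPackage -AccessPackages $sampleAccessPackages -CatalogResources $sampleCatalogResources |
    Format-Table -AutoSize
```

In a real test the two sample structures would come from Graph: one call for all access packages, then one call per catalog for its resources, with every response passed through ConvertTo-GraphResultArray before iteration so a catalog holding exactly one resource is not silently skipped.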

SamErde commented Feb 16, 2026

This is looking good! FYI, the build validation tests produced the following items to resolve:

PSUseBOMForUnicodeEncodedFile

The following files are missing a BOM for UTF-8 encoding, which can cause issues when the file is opened in certain editors or environments.

  • powershell/public/maester/entra/Test-MtEntitlementManagementDeletedGroups.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementInactivePolicies.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementOrphanedResources.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementValidApprovers.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.ps1

To fix PSUseBOMForUnicodeEncodedFile, run the following script with the affected file or re-save the file in an editor that supports UTF-8 with BOM encoding.

$AffectedFilePath = 'powershell/public/maester/entra/Test-MtTenantCreationRestricted.ps1'
$Content = Get-Content $AffectedFilePath -Raw; $Content | Out-File $AffectedFilePath -Encoding UTF8BOM

PSUseDeclaredVarsMoreThanAssignments

The following files have variables that are declared but not used anywhere in the code, which can lead to confusion and maintenance issues.

  • powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.ps1

PSUseSingularNouns

The following files contain functions that do not follow the recommended naming convention of using singular nouns, which can lead to confusion and inconsistency in the codebase.

  • powershell/public/maester/entra/Test-MtEntitlementManagementDeletedGroups.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementInactivePolicies.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementOrphanedResources.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementValidApprovers.ps1
  • powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.ps1

HasValidLinkSection

The following functions have links in their documentation that do not point to the expected location. Links in this section should point to the command documentation at https://maester.dev/docs/commands/ followed by the command name.

Block : Function Test-MtEntitlementManagementDeletedGroups
Expected: 'https://maester.dev/docs/commands/Test-MtEntitlementManagem...'
But was: 'https://maester.dev/docs/tests/MT.1107'

Block : Function Test-MtEntitlementManagementInactivePolicies
Expected: 'https://maester.dev/docs/commands/Test-MtEntitlementManagem...'
But was: 'https://maester.dev/docs/tests/MT.1108'

Block : Function Test-MtEntitlementManagementOrphanedResources
Expected: 'https://maester.dev/docs/commands/Test-MtEntitlementManagem...'
But was: 'https://maester.dev/docs/tests/MT.1110'

Block : Function Test-MtEntitlementManagementValidApprovers
Expected: 'https://maester.dev/docs/commands/Test-MtEntitlementManagem...'
But was: 'https://maester.dev/docs/tests/MT.1109'

Block : Function Test-MtEntitlementManagementValidResourceRoles
Expected: 'https://maester.dev/docs/commands/Test-MtEntitlementManagem...'
But was: 'https://maester.dev/docs/tests/MT.1111'
These tests run automatically on PRs but you can also run them yourself locally! In your fork of the project, run powershell/tests/pester.ps1 to see the tests and validation of your additions. 👍

@nicowyss (Contributor, Author)

@SamErde Thanks for your patience. I ran the tests locally and fixed the warnings/errors.

@SamErde (Contributor) left a comment

Looking and working great! I don't cover every pass/fail scenario in my tenant yet, but my testing so far returns accurate results. I think this only needs 2 things before merging:

  • Please remove the 'Security' tag from the test script tags. We have been moving away from using any tag that applies to every (or almost every) test.
  • Add these test titles and their Severity ratings to tests\maester-config.json. They are not listed yet, so the final report shows no severity ratings for these new tests.

Thank you! 🙏

@SamErde SamErde self-assigned this Feb 16, 2026
@SamErde SamErde added labels maester-test (Related to a Maester test) and entra (Microsoft Entra) Feb 16, 2026
@nicowyss (Contributor, Author)

@SamErde
Thanks for the feedback, I'm really looking forward to sharing these tests with everyone. I would like to point out that there may be a conflict with the Maester test numbers, which is shown here as a conflict. Two test numbers: MT.1111

Although I claimed my numbers according to the procedure, see: “#️⃣ Pick next Maester test sequence number” #697

SamErde commented Feb 17, 2026

> @SamErde Thanks for the feedback, I'm really looking forward to sharing these tests with everyone. I would like to point out that there may be a conflict with the Maester test numbers, which is shown here as a conflict. Two test numbers: MT.1111
>
> Although I claimed my numbers according to the procedure, see: “#️⃣ Pick next Maester test sequence number” #697

Ah, sorry to see that! Looks like innocent human error. You can take MT.1106 to replace MT.1111.


merill commented Feb 18, 2026

Awesome work @nicowyss

I believe these are the first ones around ID Governance in Maester. Thanks so much!!

@merill merill merged commit 4b70192 into maester365:main Feb 18, 2026
3 checks passed
nicowyss commented Feb 18, 2026

> Awesome work @nicowyss
>
> I believe these are the first ones around ID Governance in Maester. Thanks so much!!

@merill
Yes they are, and hopefully this encourages more people to collaborate. You're very welcome. When are those URLs reachable?
https://maester.dev/docs/tests/MT.1108
https://maester.dev/docs/next/tests/MT.1106 (looks different than the others)

I would like to post something about those tests.
