MT.1066 - Conditional Access policies should not include or exclude deleted users, groups, or roles.
Overview
Conditional Access policies should not reference non-existent users, groups, or roles
This test checks if there are any Conditional Access policies that reference non-existent users, groups, or roles.
This usually happens when a user, group, or role is deleted but is still referenced in a Conditional Access policy.
Non-existent objects in your policy can lead to unexpected gaps or behavior. This may result in Conditional Access policies not being applied to the intended users or the policy not functioning as expected.
How to fix
To fix this issue:
- Open the impacted Conditional Access policy.
- Remove the non-existent user, group, or role from the policy.
- If the object is still needed, recreate it or replace it with a valid alternative.
- Click Save to apply the changes.
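Before opening each policy by hand, it helps to produce the list of affected policies and the dangling object IDs they carry. The script below is an added example and is not Maester's own code or the Test-MtCaReferencedObjectsExist implementation; it assumes the Microsoft.Graph PowerShell SDK is installed and that the connecting account holds the Policy.Read.All and Directory.Read.All scopes. User and group references are resolved with a batched getByIds call, which returns only objects that still exist, and role references (which Conditional Access stores as role template IDs) are compared against the tenant's role templates. The literal values a policy can carry in place of an ID, such as All, None and GuestsOrExternalUsers, are filtered out so they are not reported as missing.

```powershell
# Added example (not part of Maester): report Conditional Access policies that
# reference users, groups, or roles that no longer exist in the tenant.
# Assumes Microsoft.Graph PowerShell SDK; scopes: Policy.Read.All, Directory.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' | Out-Null

$guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

# Role templates are few, so fetch them once and compare locally.
$roleTemplateIds = (Get-MgDirectoryRoleTemplate -All).Id

$policies = Get-MgIdentityConditionalAccessPolicy -All

foreach ($policy in $policies) {
    $u = $policy.Conditions.Users

    # Only GUIDs are object references; 'All', 'None', 'GuestsOrExternalUsers' etc. are literals.
    $userGroupIds = @($u.IncludeUsers) + @($u.ExcludeUsers) + @($u.IncludeGroups) + @($u.ExcludeGroups) |
        Where-Object { $_ -match $guidPattern } | Sort-Object -Unique
    $roleIds = @($u.IncludeRoles) + @($u.ExcludeRoles) |
        Where-Object { $_ -match $guidPattern } | Sort-Object -Unique

    $missing = @()

    # getByIds returns only objects that exist; anything not returned is a dangling reference.
    if ($userGroupIds) {
        $found = @()
        for ($i = 0; $i -lt $userGroupIds.Count; $i += 1000) {   # API accepts up to 1000 IDs per call
            $batch = $userGroupIds[$i..([Math]::Min($i + 999, $userGroupIds.Count - 1))]
            $found += (Get-MgDirectoryObjectById -Ids $batch).Id
        }
        $missing += $userGroupIds | Where-Object { $_ -notin $found }
    }

    if ($roleIds) {
        $missing += $roleIds | Where-Object { $_ -notin $roleTemplateIds }
    }

    if ($missing) {
        [pscustomobject]@{
            Policy           = $policy.DisplayName
            PolicyId         = $policy.Id
            State            = $policy.State
            MissingObjectIds = ($missing -join ', ')
        }
    }
}
```

Run it in a session where you can sign in interactively; each reported row is one policy to open and clean up following the steps above. A missing ID in an exclusion list deserves particular attention, because the exclusion silently stops applying and the policy may now cover accounts it was never meant to.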
Learn more
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1066 |
| Severity | Medium |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtCaReferencedObjectsExist |
| Tags | CA, Maester, MT.1066 |
Source
- Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtCaReferencedObjectsExist.ps1