MT.1106 - Catalog resources must have valid roles (no stale app roles or deleted SPNs)
Overview
Description
This test identifies Microsoft Entra ID Governance access package catalog resources that reference stale or invalid roles, deleted service principals, or non-existent SharePoint sites. When applications or sites are reconfigured or deleted, catalogs often retain "ghost roles" that cause provisioning failures.
The test validates:
- Service principals referenced by applications are active and accessible
- Application roles assigned in access packages still exist in their service principals
- SharePoint sites have valid URLs and are accessible via Microsoft Graph API
- Resources are properly configured
Note: Group validation is handled by MT.1107. Built-in roles are excluded as they are system-managed. "Default Access" roles are skipped as system defaults.
Stale resources detected:
- Deleted service principals - Application removed from tenant (404 error)
- Stale app roles - Roles removed from service principal but still assigned in packages
- Invalid SharePoint URLs - Site URL format incorrect or site deleted/moved
- Inaccessible sites - Site exists but cannot be accessed via Graph API
Remediation action
For Deleted Service Principals/Applications:
Option 1: Remove from Catalog
- Navigate to Entra Admin Center → Identity Governance → Catalogs
- Select the catalog → Resources section
- Select the stale application resource
- Click Remove from catalog
- Update any access packages that referenced this resource
Option 2: Restore Application
- Check Entra Admin Center → Enterprise applications → Deleted applications
- Restore the application if within recovery window
- Verify catalog resource is now valid
For Stale App Roles:
- Identify the app role from test results
- Find the service principal in Entra portal
- If role removed intentionally:
- Edit the access package
- Remove the stale resource role assignment
- Add a valid app role if needed
- If role should exist:
- Contact application owner to restore role in app manifest
- Update app registration to add role back
For SharePoint Sites:
Option 1: Remove from Catalog
- Navigate to catalog → Resources
- Select the site and click Remove from catalog
- Update access packages
Option 2: Fix Site URL (if moved/renamed)
- Verify correct URL in SharePoint Admin Center
- Remove old site resource from catalog
- Add site with correct URL as new resource
- Update access packages
Option 3: Restore Site
- Check SharePoint Admin Center → Deleted sites
- Restore site if within 93-day recovery window
- Verify accessibility
Related links
- Microsoft Entra ID Governance Documentation
- Manage Catalog Resources
- Service Principal App Roles
- SharePoint Site Resource Type
- Microsoft Graph API - Entitlement Management
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1106 |
| Severity | Medium |
| Suite | Maester |
| Category | Governance |
| PowerShell test | Test-MtEntitlementManagementValidResourceRoles |
| Tags | AccessPackages, Entra, Governance, MT.1106 |
Source
- Pester test:
tests/Maester/Entra/Test-MtEntitlementManagementValidResourceRoles.Tests.ps1 - PowerShell source:
powershell/public/maester/entra/Test-MtEntitlementManagementValidResourceRoles.ps1