MT.1108 - Access packages should not have inactive or orphaned assignment policies
Overview
Description
This test identifies Microsoft Entra ID Governance access packages that contain assignment policies which are disabled, misconfigured, or orphaned. Inactive or misconfigured policies prevent users from successfully requesting access and can break automated provisioning workflows.
The test validates:
- Policies are in "published" state and active
- Requestor scope type is properly configured (not "NoSubjects" or null)
- Required approval settings are complete with designated approvers
- Policies have not expired
- Required questions have proper text configured
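
The five checks listed above, sketched as an added PowerShell example (not Maester's own test code). The property names and the sample policies are assumptions constructed for illustration and do not follow the Microsoft Graph schema:

```powershell
# Added example. Property names (State, ScopeType, ApprovalRequired, ...) are an
# assumed, simplified shape, not the Microsoft Graph schema or Maester's own code.
function Get-PolicyFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [datetime] $Now = [datetime]::UtcNow
    )
    foreach ($p in $Policy) {
        $issues = @()
        if ($p.State -ne 'published') { $issues += 'not published' }
        if ([string]::IsNullOrEmpty($p.ScopeType) -or $p.ScopeType -eq 'NoSubjects') {
            $issues += 'requestor scope not configured'
        }
        if ($p.ApprovalRequired) {
            # Where-Object drops $null so a missing property counts as zero stages.
            $stages = @($p.ApprovalStages | Where-Object { $_ })
            if ($stages.Count -eq 0) { $issues += 'approval required but no stage' }
            foreach ($s in $stages) {
                if (@($s.PrimaryApprovers | Where-Object { $_ }).Count -eq 0) {
                    $issues += 'approval stage without primary approvers'
                }
            }
        }
        if ($null -ne $p.Expiration -and $p.Expiration -lt $Now) { $issues += 'expired' }
        foreach ($q in $p.Questions) {
            if ($q.Required -and [string]::IsNullOrWhiteSpace($q.Text)) {
                $issues += 'required question has no text'
            }
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Policy = $p.Name; Issues = $issues -join '; ' }
        }
    }
}

# Constructed sample policies (not real tenant data).
$sample = @(
    [pscustomobject]@{ Name = 'Healthy'; State = 'published'; ScopeType = 'SpecificUsers'
        ApprovalRequired = $true; Expiration = $null
        ApprovalStages = @([pscustomobject]@{ PrimaryApprovers = @('approvers-group') })
        Questions = @([pscustomobject]@{ Required = $true; Text = 'Business justification?' }) }
    [pscustomobject]@{ Name = 'Stale'; State = 'unpublished'; ScopeType = 'NoSubjects'
        ApprovalRequired = $true; Expiration = [datetime]'2020-01-01'
        ApprovalStages = @()
        Questions = @([pscustomobject]@{ Required = $true; Text = '' }) }
)
Get-PolicyFinding -Policy $sample | Format-List
```

Only the policy named `Stale` is reported, with one issue string per failed check, which maps directly onto the remediation groups that follow.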
Remediation action
For Unpublished Policies:
- Navigate to Entra Admin Center → Identity Governance → Access Packages
- Select the affected access package → Policies tab
- Review the policy state:
  - If it should be active: Publish it
  - If it is no longer needed: Delete it
For Missing Requestor Settings:
- Edit the problematic policy → Requestor settings
- Configure Who can request with appropriate scope (All users, Specific users, etc.)
- Ensure scope type is valid and not deprecated
For Missing/Invalid Approval Settings:
- Edit the policy → Approval settings
- If approval required:
  - Add at least one approval stage
  - Configure primary approvers for each stage
  - Ensure approver groups exist
- If not required: Disable approval requirement
For Expired Policies:
- Review if expiration was intentional
- If still needed: Edit policy and update expiration date or remove expiration
- If no longer needed: Delete the policy
For Question Configuration Issues:
- Edit the policy → Requestor information section
- Ensure all required questions have proper text configured
- Validate question type and requirements
Related links
- Microsoft Entra ID Governance Documentation
- Access Package Assignment Policies
- Configure Access Package Request Settings
- Microsoft Graph API - Assignment Policies
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1108 |
| Severity | Medium |
| Suite | Maester |
| Category | Governance |
| PowerShell test | Test-MtEntitlementManagementInactivePolicies |
| Tags | AccessPackages, Entra, Governance, MT.1108 |
Source
- Pester test: tests/Maester/Entra/Test-MtEntitlementManagementInactivePolicies.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtEntitlementManagementInactivePolicies.ps1