MT.1109 - Access package approval workflows must have valid approvers
Overview
Description
This test identifies Microsoft Entra ID Governance access package assignment policies whose approval workflows reference invalid approvers. Invalid approvers cause approval workflow failures and access request timeouts, and they create significant operational overhead.
The test validates:
- User approvers exist in the directory and accounts are enabled
- Group approvers exist and have at least one member
- Policies requiring approval have approval stages with primary approvers configured
- Approval workflows are complete and functional
Note: Manager approvers are reported but not validated, because the manager is resolved at request time.
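As an added example (not Maester's own test code), the following PowerShell walks one assignment policy's primary approvers and produces the finding categories listed above. It assumes the Graph v1.0 subjectSet types singleUser, groupMembers and requestorManager under requestApprovalSettings.stages[].primaryApprovers; the function name, the injectable lookup parameters and the sample identifiers are constructed for illustration.

```powershell
# Added example, not Maester's own test code: classify the primary approvers of one access package
# assignment policy into the findings MT.1109 describes (Graph v1.0 requestApprovalSettings shape).
function Get-InvalidApproverFinding {
    param(
        [Parameter(Mandatory)] $Policy,
        # Lookups are injectable so the logic can run against sample data; the defaults call Microsoft Graph
        # (Connect-MgGraph with EntitlementManagement.Read.All, User.Read.All, GroupMember.Read.All first).
        [scriptblock] $GetUser = { param($Id) try { Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/${Id}?`$select=id,accountEnabled" } catch { $null } },
        [scriptblock] $GetGroupMemberCount = { param($Id) try { (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups/${Id}/members?`$top=1").value.Count } catch { -1 } }
    )
    $settings = $Policy.requestApprovalSettings
    if (-not $settings.isApprovalRequiredForAdd) { return @() }   # no approval required: nothing to validate
    $new = { param($Stage, $Approver, $Issue) [pscustomobject]@{ Policy = $Policy.displayName; Stage = $Stage; Approver = $Approver; Issue = $Issue } }
    if (-not $settings.stages) { return @(& $new 0 $null 'NoApprovalStage') }
    $findings = @(); $n = 0
    foreach ($stage in $settings.stages) {
        $n++
        if (-not $stage.primaryApprovers) { $findings += & $new $n $null 'NoPrimaryApprover'; continue }
        foreach ($a in $stage.primaryApprovers) {
            switch ($a.'@odata.type') {
                '#microsoft.graph.singleUser' {                      # $null from the lookup means the user no longer exists
                    $u = & $GetUser $a.userId
                    if (-not $u)                    { $findings += & $new $n $a.userId 'UserDeleted' }
                    elseif (-not $u.accountEnabled) { $findings += & $new $n $a.userId 'UserDisabled' }
                }
                '#microsoft.graph.groupMembers' {                    # -1 from the lookup means the group no longer exists
                    $c = & $GetGroupMemberCount $a.groupId
                    if ($c -lt 0)     { $findings += & $new $n $a.groupId 'GroupMissing' }
                    elseif ($c -eq 0) { $findings += & $new $n $a.groupId 'GroupEmpty' }
                }
                '#microsoft.graph.requestorManager' { }              # noted only: the manager is resolved at request time
            }
        }
    }
    return $findings
}
# Constructed sample directory state and policy (not real tenant data): a disabled user, a user id that
# no longer exists, a group that exists but is empty, and a manager approver.
$users  = @{ '11111111-0000-0000-0000-000000000001' = @{ accountEnabled = $false } }
$groups = @{ '22222222-0000-0000-0000-000000000002' = 0 }
$policy = [pscustomobject]@{
    displayName = 'Finance app - standard access'
    requestApprovalSettings = @{ isApprovalRequiredForAdd = $true; stages = @(@{ primaryApprovers = @(
        @{ '@odata.type' = '#microsoft.graph.singleUser';   userId  = '11111111-0000-0000-0000-000000000001' },
        @{ '@odata.type' = '#microsoft.graph.singleUser';   userId  = '33333333-0000-0000-0000-000000000003' },
        @{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = '22222222-0000-0000-0000-000000000002' },
        @{ '@odata.type' = '#microsoft.graph.requestorManager' }) }) }
}
Get-InvalidApproverFinding -Policy $policy -GetUser { param($Id) $users[$Id] } `
    -GetGroupMemberCount { param($Id) if ($groups.ContainsKey($Id)) { $groups[$Id] } else { -1 } } | Format-Table Policy, Stage, Approver, Issue
```

Against the sample data this reports UserDisabled, UserDeleted and GroupEmpty for stage 1; against a tenant, run it over each object returned by GET https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies.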
Remediation action
For Deleted User Approvers:
- Navigate to Entra Admin Center → Identity Governance → Access Packages
- Select the affected access package → Policies tab
- Edit the affected policy → Approval settings
- Remove deleted users and add valid replacement approvers
- Consider using groups for resilience
- Test the approval workflow
For Disabled User Approvers:
- Determine if user should be re-enabled or replaced
- If temporary: Re-enable the user account in Entra ID
- If permanent: Replace with active user or group
- Update policy Approval settings
For Deleted or Missing Groups:
- Edit the policy → Approval settings
- Remove references to deleted groups
- Create or select a valid approval group with active members
- Update the policy and save
For Empty Approval Groups:
- Navigate to Entra ID → Groups
- Find the approval group and add appropriate members
- Ensure multiple members for redundancy
- Verify the access package policy
For Missing Approval Stages or Primary Approvers:
- Edit the policy → Approval settings
- Add at least one approval stage
- Configure primary approvers (users, groups, or manager)
- Set timeout values and save
Related links
- Microsoft Entra ID Governance Documentation
- Configure Access Package Approval
- Approval Workflow Settings
- Microsoft Graph API - Approval Settings
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1109 |
| Severity | Medium |
| Suite | Maester |
| Category | Governance |
| PowerShell test | Test-MtEntitlementManagementValidApprovers |
| Tags | AccessPackages, Entra, Governance, MT.1109 |
Source
- Pester test: tests/Maester/Entra/Test-MtEntitlementManagementValidApprovers.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtEntitlementManagementValidApprovers.ps1