MT.1110 - No catalog should contain resources without any associated access packages
Overviewβ
Descriptionβ
This test identifies Microsoft Entra ID Governance access package catalogs that contain resources (groups, applications, SharePoint sites) that are not used in any access package within that catalog. Orphaned resources indicate incomplete configuration or drift.
The test validates:
- All catalog resources are referenced in at least one access package
- No orphaned or unused resources exist in catalogs
- Resources serve their intended governance purpose
Common scenarios detected:
- Resources added to catalog but package not yet configured
- Access package was deleted but resource remained in catalog
- Resources removed from packages but not from catalog
- Test resources added and never cleaned up
Remediation actionβ
Option 1: Add to Access Package (if resource should be governed)
- Navigate to Entra Admin Center β Identity Governance β Catalogs
- Open an existing access package or create a new one
- Add the resource to the package's resource roles
- Configure appropriate roles and permissions
- Update package policies as needed
Option 2: Remove from Catalog (if resource no longer needed)
- Navigate to Entra Admin Center β Identity Governance β Catalogs
- Select the catalog β Resources section
- Select the unused resource
- Click Remove from catalog
- Confirm removal
Bulk Remediation Process:
- Review with stakeholders to identify which resources are still needed
- Create access packages for resources that should be governed
- Clean up catalog by removing resources no longer needed
- Document decisions and update procedures
Related linksβ
- Microsoft Entra ID Governance Documentation
- Access Package Catalogs
- Manage Catalog Resources
- Microsoft Graph API - Entitlement Management
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | MT.1110 |
| Severity | Medium |
| Suite | Maester |
| Category | Governance |
| PowerShell test | Test-MtEntitlementManagementOrphanedResources |
| Tags | AccessPackages, Entra, Governance, MT.1110 |
Sourceβ
- Pester test:
tests/Maester/Entra/Test-MtEntitlementManagementOrphanedResources.Tests.ps1 - PowerShell source:
powershell/public/maester/entra/Test-MtEntitlementManagementOrphanedResources.ps1