Bug: MT.1005 incorrectly fails for Entra ID Agent Identity Conditional Access policies
Thanks for reporting the bug. Please ensure you've gone through the following checklist before opening an issue:
- Make sure you can reproduce this issue using the latest released version of Maester.
- Please search the existing issues to see if there has been a similar issue filed.
Describe the bug
Test MT.1005 (Test-MtCaEmergencyAccessExists) incorrectly reports that Agent Identity Conditional Access policies are missing emergency/break-glass account exclusions.
Root Cause: Agent Identity CA policies target service principals and agents (not users), so they cannot have user or group exclusions. The test should skip these policies, but currently only filters out policies using includeServicePrincipals and doesn't check for includeAgentIdServicePrincipals.
Agent Identity CA policies are a relatively new feature in Entra ID that allow organizations to apply Conditional Access policies to managed identities, service principals, and other non-user identities. These policies use the clientApplications.includeAgentIdServicePrincipals property instead of targeting users.
To Reproduce
Steps to reproduce the behavior:
- Create an Agent Identity Conditional Access policy in Entra ID:
  - Target: `clientApplications.includeAgentIdServicePrincipals: ["All"]`
  - Users: `includeUsers: ["None"]` (Agent Identity policies don't target users)
  - Example: Block all agent identities from accessing resources
- Run `Test-MtCaEmergencyAccessExists` or `Invoke-Maester -Tag 'MT.1005'`
- See the test fail with an error indicating the Agent Identity policy doesn't exclude emergency access accounts
Example policy structure:

```json
{
  "displayName": "Block Agent Identities",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeUsers": ["None"],
      "excludeUsers": [],
      "excludeGroups": []
    },
    "clientApplications": {
      "includeServicePrincipals": [],
      "includeAgentIdServicePrincipals": ["All"],
      "excludeServicePrincipals": []
    }
  }
}
```

Expected behavior
Agent Identity CA policies should be excluded from the MT.1005 emergency access check because:
- They target service principals/agents, not users
- They cannot have user or group exclusions (users.includeUsers is set to "None")
- Emergency/break-glass accounts are user accounts, not service principals
- It's impossible to add emergency account exclusions to these policies
The test should only validate user-targeted CA policies for emergency access exclusions.
Debug Output
The test fails because the Agent Identity policy is included in the policies to check, and it has no user/group exclusions (which is correct for its purpose).
The issue is in Test-MtCaEmergencyAccessExists.ps1 at line 36:

```powershell
# Remove policies that are scoped to service principals
$policies = $policies | Where-Object { -not $_.conditions.clientApplications.includeServicePrincipals }
```

This only checks for includeServicePrincipals but not includeAgentIdServicePrincipals.
Module Version
Latest version from main branch (tested with fix)
Environment Data
Windows 11, PowerShell 7.x
Screenshots
N/A - Code issue
Additional context
Proposed Fix
Update the filter in Test-MtCaEmergencyAccessExists.ps1 (lines 35-39) to also exclude Agent Identity policies:

```powershell
# Remove policies that are scoped to service principals or agent identities
$policies = $policies | Where-Object {
    -not $_.conditions.clientApplications.includeServicePrincipals -and
    -not $_.conditions.clientApplications.includeAgentIdServicePrincipals
}
```

Impact
- Current behavior: False positives - Agent Identity policies incorrectly fail MT.1005
- Fixed behavior: Only user-targeted CA policies are checked for emergency access exclusions
- Backward compatibility: No breaking changes - only affects the filtering logic
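To show the proposed filter in context, here is an added PowerShell example that is not Maester's own code. It applies the same `-not includeServicePrincipals -and -not includeAgentIdServicePrincipals` filter to constructed sample policies shaped like Graph `conditionalAccessPolicy` objects, then runs a simplified break-glass exclusion check on whatever survives. The helper names (`Get-UserScopedCaPolicy`, `Test-BreakGlassExcluded`, `New-SamplePolicy`), the object IDs, and the policy names are assumptions made for the example; the exclusion check only looks at `excludeUsers` and does not reproduce the real MT.1005 logic, which the report describes as covering user and group exclusions.

```powershell
# Added example (not Maester code). Demonstrates the proposed MT.1005 filter
# on constructed sample policies and a simplified break-glass exclusion check.

function Get-UserScopedCaPolicy {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $Policies)

    $Policies | Where-Object {
        $apps = $_.conditions.clientApplications
        # A missing property ($null) and an empty array are both falsy in
        # PowerShell, so only policies that actually scope to service
        # principals or agent identities are dropped here. A tenant whose
        # Graph schema has no includeAgentIdServicePrincipals yet behaves
        # exactly as before the fix.
        -not $apps.includeServicePrincipals -and
        -not $apps.includeAgentIdServicePrincipals
    }
}

function Test-BreakGlassExcluded {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object]   $Policy,
        [Parameter(Mandatory)] [string[]] $BreakGlassIds
    )
    # Simplified check: every break-glass account must appear in excludeUsers.
    # (Group-based exclusions are intentionally not handled in this example.)
    $excluded = @($Policy.conditions.users.excludeUsers)
    foreach ($id in $BreakGlassIds) {
        if ($excluded -notcontains $id) { return $false }
    }
    return $true
}

function New-SamplePolicy {
    # Builds a constructed policy object with the same shape as the Graph
    # conditionalAccessPolicy resource used in the report.
    param(
        [string]   $Name,
        [string[]] $IncludeUsers = @('All'),
        [string[]] $ExcludeUsers = @(),
        [string[]] $IncludeServicePrincipals = @(),
        [string[]] $IncludeAgentIdServicePrincipals = @()
    )
    [pscustomobject]@{
        displayName = $Name
        state       = 'enabled'
        conditions  = [pscustomobject]@{
            users = [pscustomobject]@{
                includeUsers  = $IncludeUsers
                excludeUsers  = $ExcludeUsers
                excludeGroups = @()
            }
            clientApplications = [pscustomobject]@{
                includeServicePrincipals        = $IncludeServicePrincipals
                includeAgentIdServicePrincipals = $IncludeAgentIdServicePrincipals
                excludeServicePrincipals        = @()
            }
        }
    }
}

# Constructed sample data: one fake break-glass account object ID.
$breakGlassIds = @('11111111-1111-1111-1111-111111111111')

$policies = @(
    (New-SamplePolicy -Name 'Require MFA for all users' -ExcludeUsers $breakGlassIds)
    (New-SamplePolicy -Name 'Block legacy authentication')   # user policy with no exclusion: should fail
    (New-SamplePolicy -Name 'Block Agent Identities' `
        -IncludeUsers @('None') -IncludeAgentIdServicePrincipals @('All'))
    (New-SamplePolicy -Name 'Block risky workload identities' `
        -IncludeUsers @('None') -IncludeServicePrincipals @('ServicePrincipalsInMyTenant'))
)

# Only the two user-targeted policies survive the filter; the agent identity
# and workload identity policies are skipped rather than reported as failures.
$toCheck = @(Get-UserScopedCaPolicy -Policies $policies)
"Policies checked for break-glass exclusions: $($toCheck.displayName -join ', ')"

foreach ($p in $toCheck) {
    $status = if (Test-BreakGlassExcluded -Policy $p -BreakGlassIds $breakGlassIds) {
        'OK'
    } else {
        'FAIL: no break-glass exclusion'
    }
    '{0}: {1}' -f $p.displayName, $status
}
```

Run it in PowerShell 7 with no modules loaded; it touches no tenant. The filter relies on PowerShell's truthiness rules: `-not @()` and `-not $null` are both `$true`, while `-not @('All')` is `$false`, which is why the existing one-line filter already worked for `includeServicePrincipals` and why adding the second `-not` clause is enough to skip Agent Identity policies without changing how user-targeted policies are evaluated.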
Related Documentation
- Microsoft Docs: Conditional Access for workload identities
- Microsoft Docs: What are agent identities?