Version: 2.1.0

MT.1038 - Conditional Access policies should not include or exclude deleted groups.

Overview

This test checks if there are any Conditional Access policies that target deleted security groups.

This usually happens when a group is deleted but is still referenced in a Conditional Access policy.

Deleted groups in your policy can lead to unexpected gaps. This may result in Conditional Access policies not being applied to the users you intended or the policy not being applied at all.

To fix this issue:

  • Open the impacted Conditional Access policy.
  • If the group is no longer needed, click Save to remove the referenced group from the policy.
  • If the group is still needed, update the policy to target a valid group.
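The same check can be run by hand over live or offline data. The following is an added example, not the project's own Test-MtCaReferencedGroupsExist code: Find-CaPolicyDeletedGroupReference is a hypothetical helper, and the policies and group IDs fed to it at the bottom are constructed sample data.

```powershell
# Added example (not Maester's Test-MtCaReferencedGroupsExist). Given Conditional
# Access policies in the Microsoft Graph shape and the IDs of groups that still
# exist in the tenant, report every includeGroups/excludeGroups entry that no
# longer resolves to a group. A missing ID is reported as "deleted" here; the
# helper does not distinguish soft-deleted groups from IDs that never existed.
function Find-CaPolicyDeletedGroupReference {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [string[]] $ExistingGroupIds
    )
    # Hash set for O(1) membership tests; GUID comparison is case-insensitive.
    $existing = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$ExistingGroupIds, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($policy in $Policies) {
        # Property access is case-insensitive, so this works for both raw JSON
        # (camelCase) and Microsoft.Graph SDK objects (PascalCase).
        $users = $policy.conditions.users
        foreach ($kind in 'includeGroups', 'excludeGroups') {
            foreach ($groupId in @($users.$kind)) {
                if (-not $groupId) { continue }          # skip empty/null entries
                if (-not $existing.Contains($groupId)) {
                    [pscustomobject]@{
                        PolicyName = $policy.displayName
                        PolicyId   = $policy.id
                        State      = $policy.state
                        Reference  = $kind
                        GroupId    = $groupId
                    }
                }
            }
        }
    }
}

# Constructed sample data: CA002 excludes a group ID that no longer exists.
$samplePolicies = @'
[
 {"id":"11111111-1111-1111-1111-111111111111","displayName":"CA001: Require MFA for all users","state":"enabled",
  "conditions":{"users":{"includeUsers":["All"],"includeGroups":[],"excludeGroups":["aaaaaaaa-0000-0000-0000-000000000001"]}}},
 {"id":"22222222-2222-2222-2222-222222222222","displayName":"CA002: Block legacy auth","state":"enabled",
  "conditions":{"users":{"includeUsers":[],"includeGroups":["aaaaaaaa-0000-0000-0000-000000000002"],"excludeGroups":["bbbbbbbb-0000-0000-0000-00000000dead"]}}}
]
'@ | ConvertFrom-Json
$sampleGroupIds = 'aaaaaaaa-0000-0000-0000-000000000001', 'aaaaaaaa-0000-0000-0000-000000000002'

Find-CaPolicyDeletedGroupReference -Policies $samplePolicies -ExistingGroupIds $sampleGroupIds | Format-Table
# Expected: one row for CA002, Reference=excludeGroups, GroupId=bbbbbbbb-...dead

# Against a live tenant (after Connect-MgGraph with Policy.Read.All and Group.Read.All):
#   $policies = Get-MgIdentityConditionalAccessPolicy -All
#   $groupIds = (Get-MgGroup -All -Property Id).Id
#   Find-CaPolicyDeletedGroupReference -Policies $policies -ExistingGroupIds $groupIds
```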

Test Metadata

Field              Value
Test ID            MT.1038
Severity           Medium
Suite              Maester
Category           CA
PowerShell test    Test-MtCaReferencedGroupsExist
Tags               CA, Maester, MT.1038

Source

  • Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
  • PowerShell source: powershell/public/maester/entra/Test-MtCaReferencedGroupsExist.ps1