Fix MT.1005 to exclude Agent Identity CA policies and add tests for Agent ID and Service Principals

[bubbletroubles]

Description

Fix MT.1005 to exclude Agent Identity CA policies and add tests for Agent ID and Service Principals

Fixes #1385

Problem

Test MT.1005 (Test-MtCaEmergencyAccessExists) was incorrectly flagging Agent Identity Conditional Access policies as failing because they don't exclude emergency/break-glass accounts.

Agent Identity policies target non-user identities (managed identities, agents) and cannot have user or group exclusions. The test was already filtering out Service Principal policies using includeServicePrincipals, but was missing the newer includeAgentIdServicePrincipals property, causing false positives for Agent Identity CA policies.

Changes Made

1. Updated Test-MtCaEmergencyAccessExists.ps1 (lines 35-39)

• Added filter to exclude policies with includeAgentIdServicePrincipals (the bug fix)
• Service Principal filtering (includeServicePrincipals) was already working correctly
• Updated comment to reflect both types of policies are now excluded
• Now correctly filters out all non-user-targeted CA policies

Before:

# Remove policies that are scoped to service principals
$policies = $policies | Where-Object { -not $_.conditions.clientApplications.includeServicePrincipals }

After:

# Remove policies that are scoped to service principals or agent identities
$policies = $policies | Where-Object {
    -not $_.conditions.clientApplications.includeServicePrincipals -and
    -not $_.conditions.clientApplications.includeAgentIdServicePrincipals
}

2. Added comprehensive unit tests (Test-MtCaEmergencyAccessExists.Tests.ps1)

• Added Get-PolicyAgentIdentity() helper function to create test Agent Identity policies
• Added Get-PolicyServicePrincipal() helper function to create test Service Principal policies
• Added 3 new test cases in "Agent Identity and Service Principal policies" context:
  • Verifies Agent Identity policies are properly ignored (the new functionality)
  • Verifies Service Principal policies are properly ignored (existing functionality, now tested)
  • Verifies mixed scenarios work correctly (both policy types + user-targeted policies)

Testing

✅ All tests passing:

• Ran full test suite: ./powershell/tests/pester.ps1
• All 17 unit tests for Test-MtCaEmergencyAccessExists pass (including 3 new tests)
• No breaking changes to existing functionality

Impact

• Before: False positives - Agent Identity CA policies incorrectly failed MT.1005 (Service Principal policies were already correctly filtered)
• After: Only user-targeted CA policies are validated for emergency access exclusions
• Backward Compatibility: ✅ No breaking changes - only improves filtering logic

Related Documentation

• Microsoft Docs: Conditional Access for workload identities
• Microsoft Docs: What are workload identities?

Contribution Checklist

Before submitting this PR, please confirm you have completed the following:

• 📖 Read the guidelines for contributing to this repository.
• 🧪 Ensure the build and unit tests pass by running /powershell/tests/pester.ps1 on your local system.

 

Join us at the Maester repository discussions 💬 or Entra Discord 🧑‍💻 for more help and conversations!

[bubbletroubles]

@merill @SamErde any change of a review of this one?

[Copilot]

Pull request overview

This pull request fixes a bug in test MT.1005 (Test-MtCaEmergencyAccessExists) where Agent Identity Conditional Access policies were incorrectly flagged as failing because they don't exclude emergency/break-glass accounts. Agent Identity policies target non-user identities (managed identities, service principals, agents) and cannot have user or group exclusions, so they should be filtered out before checking for emergency access exclusions.

Changes:

• Added filtering logic to exclude Agent Identity CA policies (with includeAgentIdServicePrincipals) from emergency access checks
• Added comprehensive unit tests to verify both Agent Identity and Service Principal policies are properly filtered
• Updated comments to reflect that both types of non-user-targeted policies are now excluded

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
powershell/public/maester/entra/Test-MtCaEmergencyAccessExists.ps1	Added filter to exclude policies with includeAgentIdServicePrincipals alongside existing includeServicePrincipals filter
powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1	Added helper functions and 3 test cases to verify Agent Identity and Service Principal policies are properly filtered

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bubbletroubles]

Hi @SamErde I've updated the wording as per the copilot recomendations. Ready for re-review.