
Conversation

@Cloud-Architekt
Collaborator

Enhance the UnifiedIdentityInfo to support linkable identifiers between privileged/regular user accounts and checks to ensure they are linked to their primary identities. This new tests aims to improve security by verifying that enabled privileged accounts do not remain active when their associated primary accounts are disabled, thereby reducing the risk of orphaned accounts. Additionally, it establishes a clear linkage between privileged and regular user accounts for better visibility and incident response.

Contribution Checklist

Before submitting this PR, please confirm you have completed the following:

  • 📖 Read the guidelines for contributing to this repository.
  • 🧪 Ensure the build and unit tests pass by running /powershell/tests/pester.ps1 on your local system.


Join us at the Maester repository discussions 💬 or Entra Discord 🧑‍💻 for more help and conversations!
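The linkage logic this PR describes, as an added illustration rather than Maester's own code: it walks a constructed set of UnifiedIdentityInfo-style records (the property names AccountObjectId, AccountUpn, AccountEnabled, IsPrivileged and LinkedPrimaryAccountId are assumed for the example, not taken from the product) and reports enabled privileged accounts whose linked primary identity is missing, disabled, or itself privileged.

```powershell
# Added example, not Maester's code. Property names on the input records are assumptions.
function Test-PrivilegedAccountLinkage {
    param([Parameter(Mandatory)][object[]]$Accounts)

    # Index every account by object id so linked primaries can be resolved in O(1)
    $byId = @{}
    foreach ($a in $Accounts) { $byId[$a.AccountObjectId] = $a }

    $findings = [System.Collections.Generic.List[object]]::new()
    # Only enabled privileged accounts matter: a disabled privileged account cannot be orphaned
    foreach ($acct in ($Accounts | Where-Object { $_.IsPrivileged -and $_.AccountEnabled })) {
        $reason = $null
        if (-not $acct.LinkedPrimaryAccountId) {
            $reason = 'Enabled privileged account has no linked primary identity'
        } elseif (-not $byId.ContainsKey($acct.LinkedPrimaryAccountId)) {
            $reason = 'Linked primary identity was not found in the identity set'
        } else {
            $primary = $byId[$acct.LinkedPrimaryAccountId]
            if (-not $primary.AccountEnabled) {
                $reason = 'Linked primary identity is disabled (possible orphaned privileged account)'
            } elseif ($primary.IsPrivileged) {
                $reason = 'Linked primary identity is itself privileged, not a regular user account'
            }
        }
        if ($reason) {
            $findings.Add([pscustomobject]@{
                PrivilegedAccount = $acct.AccountUpn
                LinkedPrimaryId   = $acct.LinkedPrimaryAccountId
                Reason            = $reason
            })
        }
    }
    return $findings
}

# Constructed sample data (no real tenant): adm-bob's primary is disabled, adm-carol has no link
$sample = @(
    [pscustomobject]@{ AccountObjectId='u1'; AccountUpn='alice@contoso.example';     AccountEnabled=$true;  IsPrivileged=$false; LinkedPrimaryAccountId=$null }
    [pscustomobject]@{ AccountObjectId='a1'; AccountUpn='adm-alice@contoso.example'; AccountEnabled=$true;  IsPrivileged=$true;  LinkedPrimaryAccountId='u1' }
    [pscustomobject]@{ AccountObjectId='u2'; AccountUpn='bob@contoso.example';       AccountEnabled=$false; IsPrivileged=$false; LinkedPrimaryAccountId=$null }
    [pscustomobject]@{ AccountObjectId='a2'; AccountUpn='adm-bob@contoso.example';   AccountEnabled=$true;  IsPrivileged=$true;  LinkedPrimaryAccountId='u2' }
    [pscustomobject]@{ AccountObjectId='a3'; AccountUpn='adm-carol@contoso.example'; AccountEnabled=$true;  IsPrivileged=$true;  LinkedPrimaryAccountId=$null }
)
$result = Test-PrivilegedAccountLinkage -Accounts $sample
$result | Format-Table -AutoSize
# In a Pester test the check passes only when nothing is reported:
# $result.Count | Should -Be 0
```

With the sample above, adm-alice passes while adm-bob and adm-carol are reported; the third condition (primary itself privileged) is what tripped the reviewer's standard account after roles were added to it.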

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Jan 6, 2026

Deploying maester with Cloudflare Pages

Latest commit: 58604cd
Status: ✅  Deploy successful!
Preview URL: https://cee15025.maester.pages.dev
Branch Preview URL: https://tnh-privilegeduserlinkediden.maester.pages.dev


…ry account details; update test conditions for privileged users linked to disabled identities.
@SamErde
Contributor

SamErde commented Jan 6, 2026

Does this require the new [preview] identity linking feature or does it also work with account correlation in IDG?

@SamErde
Contributor

SamErde commented Jan 6, 2026

Does this effectively check all license requirements (and potentially feature activation in the tenant) so it can fail/skip gracefully?

@Cloud-Architekt
Collaborator Author

Does this effectively check all license requirements (and potentially feature activation in the tenant) so it can fail/skip gracefully?

Yes, the license check is integrated for all Exposure Management checks. There's only a dependency on the XDR license.
The feature will be available by default. I'm not aware of any preview or feature flag for this functionality.

@Cloud-Architekt
Collaborator Author

Does this require the new [preview] identity linking feature or does it also work with account correlation in IDG?

Yes, it requires the new identity linking feature in XDR. Which particular account correlation feature did you mean in IDG (= Identity Governance)?

@Cloud-Architekt Cloud-Architekt marked this pull request as ready for review January 6, 2026 19:24
@Cloud-Architekt Cloud-Architekt requested a review from a team as a code owner January 6, 2026 19:24
@SamErde
Contributor

SamErde commented Jan 6, 2026

Does this require the new [preview] identity linking feature or does it also work with account correlation in IDG?

Yes, it requires the new identity linking feature in XDR. Which particular account correlation feature did you mean in IDG (= Identity Governance)?

I did some more digging on that and (according to Copilot) the identity correlation feature in Identity Governance was removed.

@Cloud-Architekt
Collaborator Author

@SamErde : Do you have any tenant in Access that can be used for QA of this Maester check?

@SamErde
Contributor

SamErde commented Jan 7, 2026

@SamErde : Do you have any tenant in Access that can be used for QA of this Maester check?

I don't have time to go too deep today, but after a quick test, they both look good.

For this test, I added the 'Azure AD Joined Device Local Administrator', 'Cloud Device Administrator', and 'Global Reader' roles to my standard account. My CA (cloud admin) account was linked to my standard user account, which caused the test to fail because it was not linked to an un-privileged account.

I will have to create additional test accounts later this week to validate all relevant scenarios.
