Get-MtUser -UserType "EmergencyAccess" causes infinite loop in our tenant

[milanschwartz]

Issue Report

Environment

•   Maester version: 0.3.0

Description

In our tenant, the Get-MtUser -UserType "EmergencyAccess" command results in an infinite loop. This function attempts to select two groups from Entra ID as BreakGlass groups based on exclusion criteria from conditional access policies. In our case, the groups are on-premise synced, not designated as BreakGlass groups, and should not be used as such. Attempting to fetch the members of these groups causes the infinite loop.

Code section

   Write-Verbose "Emergency access group: $EmergencyAccessGroups"
                foreach ( $EmergencyAccessGroup in $EmergencyAccessGroups ) {
                    $TmpUsers = Invoke-MtGraphRequest -RelativeUri "groups/$EmergencyAccessGroup/members" -Select id, userPrincipalName, userType -OutputType Hashtable
                    if ( $TmpUsers.ContainsKey('userType') ) {

Output

VERBOSE: Using graph cache: https://graph.microsoft.com/v1.0/groups/<REDACTED>/members?$select=id%2cuserPrincipalName%2cuserType&$skiptoken=<REDACTED>
(repeated infinitely)

Suggested solutions

1.  Update Get-MtUser to fail gracefully in case of errors.
2.  Allow BreakGlass group IDs to be set as parameters in the following tests:
        - MT.1029-MT.1032
        - BeginDiscovery section in Maester/Entra/Test-ConditionalAccessWhatIf.Tests.ps1

[merill]

This is interesting. I wonder why a hybrid group would cause an infinite loop.

Tagging @f-bader

[milanschwartz]

This is interesting. I wonder why a hybrid group would cause an infinite loop.

Tagging @f-bader

Thanks Merril for picking this up. To clarify further, I don't know if the inifinite loop is caused by the group being hybrid. I just gave it as background info.