# MT.1067 - Authentication methods policies should not reference deleted groups.

## Overview
Authentication method policies should not reference non-existent groups
This test checks if all groups referenced in authentication method policies still exist in the tenant.
Authentication method policies can reference groups in their includeTargets configuration. If a group is deleted but still referenced in an authentication method policy, it may cause the policy to not apply as expected or result in unexpected behavior.
The test examines includeTargets for all authentication method configurations and validates that any group references are valid and the groups still exist in the tenant.
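As an added illustration (not Maester's own test code), the following PowerShell function performs the same style of check: it reads every authentication method configuration from Microsoft Graph, walks each `includeTargets` entry, and reports group ids that no longer resolve. It assumes an existing `Connect-MgGraph` session with the `Policy.Read.All` and `Group.Read.All` scopes; the function name and output shape are this example's own choices.

```powershell
# Added example, not Maester's own implementation.
# Assumes Connect-MgGraph has already been run with Policy.Read.All and Group.Read.All.
function Get-OrphanedAuthMethodGroupTargets {
    [CmdletBinding()]
    param()

    # Every authentication method configuration, including its includeTargets.
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'
    $configs = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value

    $orphans = @()
    $groupExists = @{}   # cache so each group id is looked up only once

    foreach ($config in $configs) {
        foreach ($target in $config.includeTargets) {
            # 'all_users' is the built-in pseudo-group target; user targets are not groups.
            if ($target.targetType -ne 'group' -or $target.id -eq 'all_users') { continue }

            if (-not $groupExists.ContainsKey($target.id)) {
                # Get-MgGroup throws for a deleted/unknown id; treat that as "does not exist".
                $group = Get-MgGroup -GroupId $target.id -ErrorAction SilentlyContinue
                $groupExists[$target.id] = [bool]$group
            }

            if (-not $groupExists[$target.id]) {
                $orphans += [pscustomobject]@{
                    AuthenticationMethod = $config.id   # e.g. Fido2, MicrosoftAuthenticator
                    MissingGroupId       = $target.id
                }
            }
        }
    }

    # Empty output means every referenced group still exists in the tenant.
    return $orphans
}

Get-OrphanedAuthMethodGroupTargets | Format-Table -AutoSize
```

Each row returned names the authentication method whose policy still includes a group id that no longer resolves, which is exactly the reference the "How to fix" steps below tell you to remove or replace.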
## How to fix
If this test fails, you need to:
- **Review the failed authentication method policies** - Check which policies are referencing non-existent groups
- **Remove invalid group references** - Edit the authentication method policy to remove references to deleted groups
- **Replace with valid groups** - If needed, replace the deleted group reference with a valid existing group
To fix the issue:
- Go to the Microsoft Entra admin center
- Navigate to Protection > Authentication methods
- Select the impacted authentication method
- In the Include section, remove the invalid group references
- If needed, add valid replacement groups
- Save the changes
## Learn more
- Authentication methods in Microsoft Entra ID
- Manage authentication methods
- Authentication method policies
## Related links

### Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1067 |
| Severity | Medium |
| Suite | Maester |
| Category | Authentication |
| PowerShell test | Test-MtAuthenticationPolicyReferencedObjectsExist |
| Tags | Authentication, Maester, MT.1067 |
### Source

- Pester test: tests/Maester/Entra/Test-AuthenticationMethodBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtAuthenticationPolicyReferencedObjectsExist.ps1