
🙏 Handling non-existent permissions

Open l-gosling opened this issue 3 months ago • 0 comments

Describe the feature

Currently, the script is not executed if an API permission is missing. This only affects Graph API permissions.

Accordingly, at the start of the Invoke-Maester run, I would like to check which rights are available in the connected services and store them in an object. These should then be checked in the “BeforeAll” section or in the tests, as is also the case with the connection. In tests where such authorization checks are possible, this can replace the check of whether the service is connected, as this test is already performed in the authorization check. Where an authorization check is not possible, we can leave it at the connection check.

For the Orca tests that use Get-AlertPolicies, you can also see a problem with the current implementation, as the command is executed because the rights are not checked.

A separate function written specifically for this purpose should be used for the test.

Expansion options:

  • Entra ID
    • API permissions (Application)
    • API permissions (Delegated)
    • Entra ID Role Actions (User + Service Principal)
  • Exchange
    • Roles
  • Teams
    • Entra ID Role Actions (User + Service Principal)
  • Intune
    • not tested
  • Azure
    • Azure Role Actions
  • Defender
    • not tested

I have roughly implemented my idea. This is only intended to show the possible structure and is only partially functional. So far, only the Exchange rights check is working properly. However, I believe that the other services in the test can also be mapped correctly. https://github.com/l-gosling/maester/tree/Skip-tests-instead-of-stop-test-execution

I would ask you to discuss this idea and let me know whether you think it makes sense. Ideally, you could also tell me how you think it should be implemented. For example, whether the connection check should take place in BeforeAll (and if so, how the skip of the tests should be made visible in Maester) or in the tests. If the idea is well received, I would be grateful for any feedback that would ensure that I only have to implement it once for all tests.

How will this feature enhance your project and further the project’s overall goals? Who will benefit from this feature (i.e. all users, the project team)?

I would like to see tests that have the necessary rights being executed rather than no tests being executed at all. This is particularly advantageous when a new test also requires a new API permission.

Describe alternatives you've considered

Alternative 1: Leave it as it is. Advantages:

  • No effort required
  • Supports Entra and parts of other services

Disadvantages:

  • Scripts may no longer run after module updates without manual intervention, as permissions must be added.
  • Permission checks are not sufficient to say with certainty that the tests will work
  • Errors in tests that are not covered by Graph API permissions are possible, as checks are insufficient

Alternative 2: No permission checks. Advantages:

  • Scripts will definitely work after a module update
  • No more maintenance of rights necessary.

Disadvantages:

  • Error messages in the tests and thus errors in the resulting tests.

Alternative 3: Use of a configuration file for the improvement suggestion. Advantages:

  • Tests remain leaner
  • Customization possible in a custom JSON

Disadvantages:

  • The JSON becomes too confusing for the user

The following disadvantages apply to the current approach and alternative 3:

  • There is no guarantee that rights can be checked in every service. This still needs to be tested with the existing connections.
  • More effort required for test development
  • More expertise is required for good test development
  • Performing the check in Invoke-Maester takes time (how much or how little still needs to be tested)

Additional context

The idea was roughly presented to @f-bader

Updated: 07.09.2025

l-gosling, Sep 05 '25 15:09
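The following is an added example from the editor, not code from l-gosling's branch or from Maester itself. It sketches, for the Graph part of the proposal, what "collect the available rights once, then check them in BeforeAll or in the tests and skip visibly" could look like in Pester 5. Assumptions: Pester 5 and Microsoft.Graph.Authentication are installed; the helper names `Get-GraphPermissionContext` and `Get-MissingGraphScope`, the test names and the requirement lists are hypothetical; `Get-MgContext` is assumed to expose the consented scopes for delegated sign-ins and the app roles for app-only sign-ins in its `Scopes` property; the skip is surfaced with Pester's own `Set-ItResult -Skipped` rather than a Maester-specific helper.

```powershell
# Editor's example (hypothetical helpers, not Maester code). Pester 5 test file:
# run with Invoke-Pester or by executing the file. Works offline: with no Graph
# connection the real test skips instead of the whole run stopping.
Describe 'Graph permission gating' -Tag 'Graph' {
    BeforeAll {
        # Snapshot of what the current Microsoft Graph connection may do.
        function Get-GraphPermissionContext {
            $ctx = $null
            # Assumption: module may not be loaded at all; treat that as "not connected".
            if (Get-Command Get-MgContext -ErrorAction SilentlyContinue) { $ctx = Get-MgContext }
            if (-not $ctx) {
                return [pscustomobject]@{ Connected = $false; AuthType = $null; Scopes = @() }
            }
            # Assumption: Scopes holds consented scopes (delegated) or app roles (app-only).
            [pscustomobject]@{
                Connected = $true
                AuthType  = [string]$ctx.AuthType          # 'Delegated' or 'AppOnly'
                Scopes    = @($ctx.Scopes | Where-Object { $_ })
            }
        }

        # Returns the requirement groups the connection does NOT satisfy.
        # $RequiredScopes is a list of groups; a group is satisfied when ANY of its
        # scopes is granted, so a test can accept e.g. User.Read.All OR Directory.Read.All.
        # Returns nothing when every group is satisfied.
        function Get-MissingGraphScope {
            param (
                [Parameter(Mandatory)] [object[]] $RequiredScopes,
                [Parameter(Mandatory)] [pscustomobject] $PermissionContext
            )
            # Case-insensitive so hand-written requirement lists do not fail on casing.
            $granted = [System.Collections.Generic.HashSet[string]]::new(
                [string[]]$PermissionContext.Scopes,
                [System.StringComparer]::OrdinalIgnoreCase)

            foreach ($group in $RequiredScopes) {
                $alternatives = @($group)
                $satisfied = $false
                foreach ($scope in $alternatives) {
                    if ($granted.Contains([string]$scope)) { $satisfied = $true; break }
                }
                if (-not $satisfied) { $alternatives -join ' | ' }
            }
        }

        # Collected once per run, as the issue proposes, then reused by every test.
        $permCtx = Get-GraphPermissionContext
    }

    It 'reports only the unsatisfied groups (constructed context, runs offline)' {
        # Constructed sample context, not a real tenant: Directory.Read.All satisfies
        # the second group, so only Policy.Read.All must be reported as missing.
        $demo     = [pscustomobject]@{ Connected = $true; AuthType = 'AppOnly'; Scopes = @('Directory.Read.All') }
        $required = @('Policy.Read.All'), @('User.Read.All', 'Directory.Read.All')
        Get-MissingGraphScope -RequiredScopes $required -PermissionContext $demo | Should -Be 'Policy.Read.All'
    }

    It 'Conditional Access: at least one policy exists (hypothetical test)' {
        if (-not $permCtx.Connected) {
            Set-ItResult -Skipped -Because 'not connected to Microsoft Graph'
        }
        $missing = Get-MissingGraphScope -RequiredScopes @('Policy.Read.All') -PermissionContext $permCtx
        if ($missing) {
            # Skipped, not failed: the reason shows up in the Pester/Maester results.
            Set-ItResult -Skipped -Because "missing Graph permission: $($missing -join ', ')"
        }
        # Only reached with a connection that holds Policy.Read.All.
        (Get-MgIdentityConditionalAccessPolicy).Count | Should -BeGreaterThan 0
    }
}
```

The first `It` exercises the "any of" matching with a constructed context and passes without a tenant; the second shows the wiring the issue asks about: inspect the connection once in `BeforeAll`, decide per test, and use the skip reason to make the gap visible in the report. As the issue itself notes under Alternative 1, a permission check is necessary but not sufficient, so the Graph call behind the assertion still needs its own error handling.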