
Test-ConditionalAccessWhatIf.Tests.ps1 Hangs on EmergencyAccessUsers check

Open cleif opened this issue 1 year ago • 1 comments

Summary

Executing Test Test-ConditionalAccessWhatIf.Tests.ps1 hangs on the following line:

BeforeDiscovery {
...
    $EmergencyAccessUsers = Get-MtUser -Count 1 -UserType "EmergencyAccess"
...
    # Remove emergency access users from regular users

It hangs because it cannot find any users in my tenant that are "emergency access" users, albeit, we have 2, and I've updated the script to just call 1 for validation. Example of it hanging running the script line-by-line.

image

Failures

This hangs on the ADO Pipeline and in an Azure Automation, I am assuming due to the same issue, but it's more difficult to test than local/ADO.

Success on non-CA WhatIf test:

image

When CA WhatIf test is included:

image

Troubleshooting

I've modified the Test-ConditionalAccessWhatIf.Tests.ps1 to utilize a native Graph call to get past this, calling our explicit emergency account:

BeforeDiscovery {
    $EntraIDPlan = Get-MtLicenseInformation -Product "EntraID"
    $RegularUsers = Get-MtUser -Count 5 -UserType "Member"
    $AdminUsers = Get-MtUser -Count 5 -UserType "Admin"
    #$EmergencyAccessUsers = Get-MtUser -Count 1 -UserType "EmergencyAccess"
    $EmergencyAccessUsers = Get-MgUser -UserId "[email protected]" | Select-Object id, userType,UserPrincipalName #This UserType field I'm not finding how you're defining it.
    # Remove emergency access users from regular users
    $RegularUsers = $RegularUsers | Where-Object { $_.id -notin $EmergencyAccessUsers.id }
    # Remove emergency access users from admin users
    $AdminUsers = $AdminUsers | Where-Object { $_.id -notin $EmergencyAccessUsers.id }
    Write-Verbose "EntraIDPlan: $EntraIDPlan"
    Write-Verbose "RegularUsers: $($RegularUsers.id)"
    Write-Verbose "AdminUsers: $($AdminUsers.id)"
}

Unfortunately, this just causes the whole test to be excluded for some reason (both in ADO and when run ad hoc on my client).

image

image

cleif avatar Aug 23 '24 13:08 cleif

Will be good to find out why it's hanging. If at all it should return with no users found.

merill avatar Aug 27 '24 11:08 merill

@cleif we haven't seen this being reported by anyone else. Are you still seeing this? Please reopen if it's still happening. Tx

merill avatar Mar 18 '25 07:03 merill