Unhandled exceptions in Get-MtRoleMember.ps1:121 #589

Open
vegazbabz opened this issue Dec 14, 2024 · 4 comments
Labels
entra Microsoft Entra resolved Issue has been resolved and is awaiting confirmation

@vegazbabz

When running "invoke-maester" I get the following exception that is unhandled.
Actually, it seems like it is a weird behavior in Entra ID. I will get back to that.

So the script writes the exception 4 times with the same group id, so I assume that I have a deleted group that is used 4 times by different roles.

https://maester.dev/docs/commands/Get-MtRoleMember

Exception from "invoke-maester":

Line |
 121 |            $assignments += Get-MtGroupMember -GroupId $_.id
     |                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error obtaining group (8a318244-c039-4295-98e4-f4e9e063a16d) from
     | Microsoft Graph. Confirm the group exists in your tenant.
Get-MtGroupMember: C:\x\PowerShell\Modules\Maester\1.0.0\public\Get-MtRoleMember.ps1:121

Then I ran the PS script with verbose for the User Administrator role (I found that role from running invoke-maester -verbose):

PS C:\Temp\maester-tests> Get-MtRoleMember -verbose

cmdlet Get-MtRoleMember at command pipeline position 1
Supply values for the following parameters:
Role[0]: UserAdministrator
Role[1]:
VERBOSE: Retrieving license information for Entra ID
VERBOSE: Using graph cache: https://graph.microsoft.com/v1.0/subscribedSkus
VERBOSE: Using graph cache: https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId+eq+%27fe930be7-5e62-47db-91af-98c3a49a38b1%27&expand=principal
VERBOSE: Invoking Graph: https://graph.microsoft.com/v1.0/groups/8a318244-c039-4295-98e4-f4e9e063a16d/
VERBOSE: True
VERBOSE: GET https://graph.microsoft.com/v1.0/groups/8a318244-c039-4295-98e4-f4e9e063a16d/ with 0-byte payload
VERBOSE: received 341-byte response of content type application/json
Get-MtGroupMember: C:\x\PowerShell\Modules\Maester\1.0.0\public\Get-MtRoleMember.ps1:121
Line |
 121 |            $assignments += Get-MtGroupMember -GroupId $_.id
     |                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error obtaining group (8a318244-c039-4295-98e4-f4e9e063a16d) from
     | Microsoft Graph. Confirm the group exists in your tenant.
VERBOSE: Using graph cache: https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests?$filter=roleDefinitionId+eq+%27fe930be7-5e62-47db-91af-98c3a49a38b1%27+and+NOT(status+eq+%27Canceled%27+or+status+eq+%27Denied%27+or+status+eq+%27Failed%27+or+status+eq+%27Revoked%27)&expand=principal
VERBOSE: No role assignments found

Back to the weird behavior in Entra ID:
When I go to the User Administrator role, then there is a group assigned.
However, this group does not exist in Entra anymore (was deleted), but I can still see the content of the group under the role assignment:
image

This behavior seems very strange to me.
The group is deleted (months ago), but the content of the group is saved under the assignment of the role it was assigned to... what?!

@merill
Contributor

merill commented Dec 14, 2024

This happens in Entra because the different objects can have a reference to other objects that are deleted.

A common scenario is conditional access policies that refer to users and groups that have been deleted.

You are seeing something similar here with the roles.

You can fix this by removing the reference and saving the role.

@merill merill added the resolved Issue has been resolved and is awaiting confirmation label Dec 14, 2024
@merill merill added the entra Microsoft Entra label Dec 14, 2024
@vegazbabz
Author

I believe there is still some exception handling in the script that needs to be done?

I have created a support ticket, as I cannot remove the group from the role assignment, as it was a previous admin partner group.

@merill
Contributor

merill commented Dec 17, 2024

Does Maester not generate the report? I believe we show these errors in the console but still go ahead and generate the report.

@vegazbabz
Author

> Does Maester not generate the report? I believe we show these errors in the console but still go ahead and generate the report.

That is correct. The report is generated. So it is only a matter of having a cleaner script / console output.
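
As an added example (not part of this thread and not Maester's code), one way to get the cleaner console output discussed above: wrap the group lookup that fails on line 121 so that a deleted group is recorded as an orphaned role assignment instead of surfacing as an error. `Resolve-RoleAssignmentMember`, the resolver scriptblock and the object shapes are hypothetical; only the group id comes from the issue.

```powershell
# Added example; names and object shapes are assumptions, not Maester code.
function Resolve-RoleAssignmentMember {
    [CmdletBinding()]
    param(
        # Role assignments with an expanded 'principal' (shape assumed).
        [Parameter(Mandatory)] [object[]] $Assignment,
        # Returns the members of a group id; stands in for Get-MtGroupMember.
        [Parameter(Mandatory)] [scriptblock] $GroupResolver
    )
    $members  = [System.Collections.Generic.List[object]]::new()
    $orphaned = [System.Collections.Generic.List[object]]::new()
    foreach ($a in $Assignment) {
        $p = $a.principal
        if ($p.'@odata.type' -ne '#microsoft.graph.group') {
            $members.Add($p)   # users and service principals pass through
            continue
        }
        try {
            # A real cmdlet call would add -ErrorAction Stop so that
            # non-terminating errors also reach the catch block.
            foreach ($m in (& $GroupResolver $p.id)) { $members.Add($m) }
        }
        catch {
            # Keep going, but record the dangling reference as a finding.
            Write-Verbose "Group $($p.id) not resolvable: $($_.Exception.Message)"
            $orphaned.Add([pscustomobject]@{
                AssignmentId = $a.id
                GroupId      = $p.id
                Reason       = $_.Exception.Message
            })
        }
    }
    [pscustomobject]@{ Members = $members; Orphaned = $orphaned }
}

# Constructed sample data: one user, one live group, one deleted group.
$deleted = '8a318244-c039-4295-98e4-f4e9e063a16d'   # group id from the issue
$sample = @(
    [pscustomobject]@{ id = 'a1'; principal = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.user';  id = 'user-1' } }
    [pscustomobject]@{ id = 'a2'; principal = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.group'; id = 'group-live' } }
    [pscustomobject]@{ id = 'a3'; principal = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.group'; id = $deleted } }
)
$resolver = {
    param($GroupId)
    if ($GroupId -eq $deleted) { throw "Error obtaining group ($GroupId) from Microsoft Graph." }
    [pscustomobject]@{ '@odata.type' = '#microsoft.graph.user'; id = "member-of-$GroupId" }
}
$result = Resolve-RoleAssignmentMember -Assignment $sample -GroupResolver $resolver
$result.Orphaned | Format-Table AssignmentId, GroupId
```

Returning the orphaned assignments separately keeps the member list usable for the report while still making the stale reference in a privileged role visible for cleanup.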
