Made changes as per copilot's suggestions

aahmed-spec · aahmed-spec · commit 0e92659d913e · 2026-04-30T21:41:11.000+05:30
diff --git a/src/powershell/public/Invoke-ZtAssessment.ps1 b/src/powershell/public/Invoke-ZtAssessment.ps1
@@ -249,6 +249,10 @@ $titleLine
 	#region Preparation
 	Show-ZtiBanner
 
+	# Always reset emergency access accounts at the start of each run to prevent stale
+	# config from a previous Invoke-ZtAssessment call carrying over (Issue #266 follow-up).
+	Set-PSFConfig -FullName 'ZeroTrustAssessment.EmergencyAccessAccounts' -Value $null
+
 	$effectiveIgnore = $IgnoreLanguageMode -or $script:IgnoreLanguageMode
 	if (-not (Test-ZtLanguageMode -IgnoreLanguageMode:$effectiveIgnore)) {
 		Stop-PSFFunction -Message "PowerShell is running in Constrained Language Mode, which is not supported." -EnableException $true -Cmdlet $PSCmdlet
@@ -314,10 +318,7 @@ $titleLine
 				Write-Host "🔐 " -NoNewline -ForegroundColor Cyan
 				Write-Host "Loaded $($emergencyAccounts.Count) emergency access account(s) from configuration." -ForegroundColor White
 			}
-			else {
-				# Clear any previously loaded emergency accounts to prevent stale config in multi-run sessions
-				Set-PSFConfig -FullName 'ZeroTrustAssessment.EmergencyAccessAccounts' -Value $null
-			}
+			# Note: stale-clear is now performed unconditionally at the start of Invoke-ZtAssessment.
 
 			Write-Host "✅ " -NoNewline -ForegroundColor Green
 			Write-Host "Configuration loaded successfully. Command line parameters will override configuration file values." -ForegroundColor White
diff --git a/src/powershell/tests/Test-Assessment.21815.ps1 b/src/powershell/tests/Test-Assessment.21815.ps1
@@ -49,12 +49,15 @@ from vwRole
     $results = @($permanentPrivileged | Where-Object { $emergencyAccountIds -notcontains $_.principalId })
     $excludedEmergencyAccounts = @($permanentPrivileged | Where-Object { $emergencyAccountIds -contains $_.principalId })
 
+    # Count of *distinct* excluded emergency accounts (one user can have multiple permanent role assignments)
+    $excludedAccountCount = @($excludedEmergencyAccounts | Select-Object -ExpandProperty principalId -Unique).Count
+
     $testResultMarkdown = ""
 
     if ($results.Count -eq 0) {
         $passed = $true
-        if ($excludedEmergencyAccounts.Count -gt 0) {
-            $testResultMarkdown += "No privileged users have permanent role assignments (excluding $($excludedEmergencyAccounts.Count) emergency access account(s) which are expected to have permanent assignments)."
+        if ($excludedAccountCount -gt 0) {
+            $testResultMarkdown += "No privileged users have permanent role assignments (excluding $excludedAccountCount emergency access account(s) which are expected to have permanent assignments)."
         }
         else {
             $testResultMarkdown += "No privileged users have permanent role assignments."
