Duplicate authentication methods rendered in Emergency access accounts table
O(n²) role lookups in CA policy loop
No short-circuit when there are zero enabled CA policies
memberOf is non-transitive for directory roles
users/{id}/memberOf/microsoft.graph.directoryRole only returns directly assigned roles. Users effectively assigned roles via role-assignable groups are missed, making CA includeRoles/excludeRoles evaluation (and the new "CA policies missing exclusion" column) inaccurate. Switch to transitiveMemberOf/microsoft.graph.directoryRole.
Sort-Object -Property CAExcluded, PhishingResistant, CloudOnly sorts on emoji glyphs.
Pre-existing, not introduced here, but the comment "users that have passed every criteria first" is true only because U+2705 (✅) < U+274C (❌) in code-point order and PowerShell's culture-sensitive default happens to agree on Windows. Brittle. Consider sorting by booleans stored alongside the row, but out of scope for this PR.
Status thresholds disagree with the spec.
$accountCount -ge 2 -and $accountCount -le 4 → Pass, > 4 → Fail. Spec says == 2 → Pass, > 2 → Investigate, < 2 → Fail, and the test currently has no Investigate path. Pre-existing — out of scope for this PR but worth a follow-up.
Some of these issues were reported in PR review comments: bugfix/issue-1162: list CA policies missing exclusions #1182
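The following sketch is an added example, not code from the project or the PR. It shows one way to address three of the points above together: return early when no CA policy is enabled, resolve each account's directory roles once through a transitive lookup, and test role membership against a set instead of re-querying inside the policy loop. The function name, the sample IDs and the rule for "missing exclusion" (the policy targets the account by user or role and does not exclude it by user or role; group conditions are ignored) are assumptions, and all data is constructed.

```powershell
# Constructed sample policies, flattened from conditions.users; IDs are placeholders.
$policies = @(
    [pscustomobject]@{ displayName = 'MFA for admins'; state = 'enabled'
        includeUsers = @(); includeRoles = @('tmpl-ga'); excludeUsers = @(); excludeRoles = @() }
    [pscustomobject]@{ displayName = 'Block legacy auth'; state = 'enabled'
        includeUsers = @('All'); includeRoles = @(); excludeUsers = @('user-bg1'); excludeRoles = @() }
    [pscustomobject]@{ displayName = 'Pilot policy'; state = 'disabled'
        includeUsers = @('All'); includeRoles = @(); excludeUsers = @(); excludeRoles = @() }
)

# Stand-in for users/{id}/transitiveMemberOf/microsoft.graph.directoryRole,
# returning roleTemplateId values. user-bg2 is assumed to hold its role only
# through a role-assignable group, which a memberOf lookup would not return.
$transitiveRoles = @{ 'user-bg1' = @('tmpl-ga'); 'user-bg2' = @('tmpl-ga') }
$fetchRoles = { param($userId) $transitiveRoles[$userId] }

function Get-PoliciesMissingExclusion {
    param([string[]]$UserIds, [object[]]$Policies, [scriptblock]$FetchRoles)

    $enabled = @($Policies | Where-Object state -eq 'enabled')
    $result = @{}
    foreach ($id in $UserIds) { $result[$id] = @() }
    if ($enabled.Count -eq 0) { return $result }   # short-circuit: nothing to evaluate

    foreach ($id in $UserIds) {
        # One role lookup per account, held as a set for constant-time membership tests.
        $roles = [System.Collections.Generic.HashSet[string]]::new([string[]]@(& $FetchRoles $id))
        $result[$id] = @(foreach ($p in $enabled) {
            $applies  = $p.includeUsers -contains 'All' -or $p.includeUsers -contains $id -or
                        @($p.includeRoles | Where-Object { $roles.Contains($_) }).Count -gt 0
            $excluded = $p.excludeUsers -contains $id -or
                        @($p.excludeRoles | Where-Object { $roles.Contains($_) }).Count -gt 0
            if ($applies -and -not $excluded) { $p.displayName }
        })
    }
    $result
}

Get-PoliciesMissingExclusion -UserIds 'user-bg1', 'user-bg2' -Policies $policies -FetchRoles $fetchRoles
```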