How to find deleted Approvers in Entra ID Governance Access Packages Using PowerShell

ByChristian Frohn August 14, 2025October 26, 2025

When you offboard users and ultimately delete their user accounts, something that can easily be forgotten is that the user may be an approver in an access package in Entra ID Governance. What happens is when you delete the user in Entra ID (via AD Connect sync or otherwise), the user will still be present on the list of approvers even though the user has been deleted. There is of course the fallback approver, but that can significantly slow down the approval process.

If you have never thought about this or don’t have a process for handling approvers that get offboarded, it can be hard to get an overview of which access package policies have approvers that are no longer found in Entra ID.

I decided to create a PowerShell script to go over every access package policy and check if the approvers still exist in Entra ID, because Microsoft Graph will output the approvers even though one or more users are not found in Entra ID.

You can use the below PowerShell script to find approvers that are no longer found in Entra ID.

I hope this PowerShell scripts can help you clean up your access packages! 😊

Post Views: 1,138

Microsoft Entra

Create onboarding Lifecycle Workflows using Microsoft Entra ID Governance
ByChristian Frohn May 24, 2024May 24, 2024

Onboarding of users is something that should not be taken lightly as it’s a first impressions matter as lot and it says a great deal about an IT department for new users when the start that they have everything need to get started for the job they were hired to do. There are of course…

Read More Create onboarding Lifecycle Workflows using Microsoft Entra ID Governance
Microsoft Entra | Sentinel

Automate user Reprocess in Entra ID Governance Entitlement Management using Sentinel and PowerShell
ByChristian Frohn January 22, 2025October 30, 2025

Access packages in Entra ID Governance are a great way to bundle resources together and then provide a user or multiple users access to these resources or access to resources via security groups. But what happens when a user gets removed from a security group that is part of an access package? The answer to…

Read More Automate user Reprocess in Entra ID Governance Entitlement Management using Sentinel and PowerShell
Teams

Connect to Microsoft Teams PowerShell using Azure App reg. (Service principal)
ByChristian Frohn November 13, 2022June 22, 2024

IntroNot long ago Microsoft finally release a new version for the Microsoft Teams PowerShell module (4.8.0) that adds the ability to authenticate to Microsoft Teams using a Azure App reg. Using a Azure App reg. Is in my opnion the most secure way to authenticate when you are running scheduled task (or simlar). So if you…

Read More Connect to Microsoft Teams PowerShell using Azure App reg. (Service principal)
Microsoft Entra

Configure EmployeeHireDate and EmployeeLeaveDateTime in Active Directory to be used with Microsoft Entra ID Governance.
ByChristian Frohn May 2, 2024June 2, 2024

To fully use Microsoft Entra ID Governance – more precisely lifecycle workflows -, you do need to configure a few things, although it is not mandatory to do it since all the lifecycle workflows can be run on-demand. But the whole purpose of lifecycle workflows is that they should run automatically based on attribute changes…

Read More Configure EmployeeHireDate and EmployeeLeaveDateTime in Active Directory to be used with Microsoft Entra ID Governance.
Microsoft Entra | PowerShell

Finding and Cleaning Up Deleted Resources in Entra ID Access Packages
ByChristian Frohn November 5, 2025November 7, 2025

Did you know that if you delete an Entra ID security group, it will still remain under resources in an Access Package in Entra ID Governance? Well, now you know it does. This can lead to delivery of access packages being partially delivered when a user gets an access package assigned. This is something that…

Read More Finding and Cleaning Up Deleted Resources in Entra ID Access Packages
Microsoft Entra

Getting started with API-driven Inbound User Provisioning to On-Premises AD
ByChristian Frohn April 10, 2024July 23, 2025

API-driven Inbound User Provisioning to On-Premises AD is a feature that I personally have been really excited about for quite some time. I started working with it when it was in public preview around June 2023 and it went to General Availability in early 2024.API-driven Inbound User Provisioning is streamlined way of managing users in…

Read More Getting started with API-driven Inbound User Provisioning to On-Premises AD

Similar Posts