
Finding and Cleaning Up Deleted Resources in Entra ID Access Packages

Did you know that if you delete an Entra ID security group, it still remains listed under resources in an Access Package in Entra ID Governance? Well, now you know it does. This can cause an access package assignment to end up in the partially delivered state when the access package is assigned to a user. This is something that happened to me the other day when I was troubleshooting an issue where an access package assignment was partially delivered for a user. I looked over the resources for the access package, and it was all groups, but I couldn’t quite spot the “wrong” group. To help me identify which group was wrong, I recalled that I had encountered before that Exchange Online mail-enabled security groups could be added to an access package and then lead to the partially delivered status for a user assignment. So I decided to create a PowerShell script that went over every group that was added as a resource to the access package to check what type it was and whether it still existed at all.

When I ran the script, it output that all the groups existed and were all security groups except for one group that was deleted. So, I removed that group from the resources list of the access package and then reprocessed the user, and then the delivery was successful.

Link to the script to find deleted groups in an Access package: Entra/Governance/Entitlement Management/Find-DeletedEMResourcesInAccessPackage.ps1

But that got me thinking, what if there are more groups like this that I haven’t discovered yet?

I decided to build a new PowerShell script that would go over all the catalogs and access packages in Entra ID Governance to check for resources that had been deleted, and then another script to actually perform the cleanup.

Prerequisites

  • Microsoft Graph PowerShell module
  • Microsoft Graph Beta PowerShell module
  • Permissions
    Group.Read.All
    Application.Read.All
    EntitlementManagement.Read.All
    Mail.Send (Optional)
  • Azure Automation Account (Optional)

Finding the deleted resources in Entra ID Governance

The first thing we need to do before we can actually remove the deleted resources from our access packages and catalogs is to find them. This will be done using the PowerShell script below. It will go over every group and application that is found in every catalog in Entra ID Governance entitlement management and then output the orphaned resources.
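As an added illustration of the check this section describes (my own sketch, not the author's script), the following walks every catalog's resources over the Graph v1.0 endpoints with Invoke-MgGraphRequest and classifies each group or application resource. It assumes the catalog `/resources` endpoint, the `/directory/deletedItems/{id}` endpoint and the `AadGroup` / `AadApplication` origin system values, and it goes one step beyond the page by separating soft-deleted objects (still restorable from the recycle bin) from ones that are gone for good.

```powershell
# Added illustration (not the author's script): list every group and application resource in every
# entitlement management catalog and report the ones that no longer resolve in Entra ID.
Connect-MgGraph -Scopes 'EntitlementManagement.Read.All','Group.Read.All','Application.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are fully enumerated.
    param([string]$Uri)
    $items = [System.Collections.Generic.List[object]]::new()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $items.Add($item) }
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

function Get-ResourceState {
    # Returns Exists, SoftDeleted (still restorable from the recycle bin) or Missing.
    param([string]$OriginSystem, [string]$OriginId)
    switch ($OriginSystem) {
        'AadGroup'       { $uri = "$graph/groups/$OriginId" }
        'AadApplication' { $uri = "$graph/servicePrincipals/$OriginId" }   # originId is the service principal id
        default          { return 'Exists' }   # other origin systems (e.g. SharePoint sites) are not checked here
    }
    try { $null = Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop; return 'Exists' } catch { }
    try { $null = Invoke-MgGraphRequest -Method GET -Uri "$graph/directory/deletedItems/$OriginId" -ErrorAction Stop; return 'SoftDeleted' } catch { }
    return 'Missing'
}

# Orphaned resources are collected per catalog; a resource must be in the catalog before it can be in a package.
$orphans = foreach ($catalog in Get-GraphCollection "$graph/identityGovernance/entitlementManagement/catalogs") {
    foreach ($res in Get-GraphCollection "$graph/identityGovernance/entitlementManagement/catalogs/$($catalog.id)/resources") {
        $state = Get-ResourceState -OriginSystem $res.originSystem -OriginId $res.originId
        if ($state -ne 'Exists') {
            [pscustomobject]@{
                Catalog      = $catalog.displayName
                Resource     = $res.displayName
                OriginSystem = $res.originSystem
                OriginId     = $res.originId
                State        = $state
            }
        }
    }
}
$orphans | Format-Table -AutoSize
```

A SoftDeleted group can be restored from the recycle bin instead of being removed from the catalog, which is the cheaper fix when the deletion was a mistake.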

Removing the deleted resources from Entra ID Governance

Now that we know which resources are no longer found in Entra, we can proceed to remove them from our access packages and catalogs. The PowerShell script below will do that for us. The script starts by removing the resources from the access packages and only then from the catalogs. That is because a resource cannot be removed from a catalog while an access package in that catalog still references it.

Please note that the removal script uses the Beta Microsoft Graph PowerShell module.

Setting up monitoring

Now we have cleaned up Entra ID Governance entitlement management for deleted resources, but what about 4 weeks from now when another group gets deleted? You can, of course, choose to run this at your own pace whenever you feel the need, or you can use the following script to get notified when deleted resources are found in Entra ID Governance entitlement management.

This PowerShell script is much like the first one, except that it is designed to run on Azure Automation and will send an email to you (or a group/distribution list) whenever a deleted resource is discovered. It’s built to run every 24 hours (or once a week – this is up to you). The PowerShell script won’t send you an email if nothing is found, only when one or more deleted resources are found.

PowerShell script to send report: Entra/Governance/Entitlement Management/SendEmail-ReportOnDeletedEMResources.ps1

PowerShell script to grant permissions to Automation account: Entra/Governance/Entitlement Management/SendEmail-ReportOnDeletedEMResources.ps1

I hope this helps you maintain clean access packages and avoid delivery issues for your users.

You can find more PowerShell scripts related to Microsoft Entra in my GitHub repo: ChrFrohn/Entra: PowerShell scripts for Microsoft Entra ID administration and automation
