
🪲 Get-MtGraphScope missing EntitlementManagement.Read.All — MT.1106–1110 error with Forbidden even on Entra ID P2 tenants #1794

@rianbk


Pre-submission checklist

  • I can reproduce this issue using the latest released version of Maester.
  • I have searched the existing issues and did not find a similar report.

Note: this is distinct from #1733 (which is the no-P2-license variant of the same symptom). This issue is specifically about the missing scope, reproducible on a tenant that does have Entra ID P2.

Describe the bug

Connect-Maester builds its Graph scope list from Get-MtGraphScope, which does not include EntitlementManagement.Read.All. As a result, the five access-package / catalog hygiene tests added in #1381 always fail at runtime on tenants with Entra ID P2:

  • MT.1106 — Test-MtEntitlementManagementValidResourceRoles
  • MT.1107 — Test-MtEntitlementManagementDeletedGroups
  • MT.1108 — Test-MtEntitlementManagementInactivePolicies
  • MT.1109 — Test-MtEntitlementManagementValidApprovers
  • MT.1110 — Test-MtEntitlementManagementOrphanedResources

All five surface as:

Error running test: Response status code does not indicate success: Forbidden (Forbidden).

Unlike #1733, this is not the NoLicense variant — the tenant meets the license requirement (Get-MtLicenseInformation -Product EntraID returns P2). The 403 is caused by the missing scope; adding EntitlementManagement.Read.All to the scope set resolves all five tests.

Note on reproduction: Entra user-level consent is sticky for the Microsoft Graph Command Line Tools app — once a user has consented EntitlementManagement.Read.All to that app (for any reason, in any session), subsequent Connect-Maester calls receive an access token that already covers the scope, so the bug appears to "self-heal" and won't reproduce without revoking and re-consenting the app. This may explain why the issue isn't more widely reported. A clean repro requires either a freshly-consented account or revoking consent for the MS Graph CLI enterprise app first.

Steps to reproduce

  1. On a tenant with Entra ID P2 (confirmed via Get-MtLicenseInformation -Product EntraID returning P2):
  2. Connect-Maester (default scopes)
  3. Invoke-Maester
  4. Observe MT.1106–1110 all error with Forbidden.
  5. Inspect the granted scopes — (Get-MgContext).Scopes does not contain EntitlementManagement.Read.All.

Expected behaviour

Connect-Maester should request EntitlementManagement.Read.All as part of the default read-only scope list, since five shipped tests depend on it. The tests should then run and produce real pass/fail results on P2 tenants.

Workaround

Disconnect-MgGraph
Connect-MgGraph -Scopes ((Get-MtGraphScope) + 'EntitlementManagement.Read.All')
Invoke-Maester

After re-consent the five tests run normally.

Proposed fix

Add 'EntitlementManagement.Read.All' to the default read-only scope list in powershell/public/Get-MtGraphScope.ps1 (alphabetised between Directory.Read.All and IdentityRiskEvent.Read.All). Also update website/docs/sections/permissions.md for parity, per the comment in that file.

Happy to send the PR if helpful β€” it's a one-line change plus the doc entry.

Module version

Maester 2.1.0

Environment data

PSVersion: 7.5.4
PSEdition: Core
Platform: Unix (macOS Darwin 25.5.0)
Microsoft.Graph.Authentication: 2.36.1

Additional context

EntitlementManagement.Read.All is the canonical scope for reading entitlement-management resources per the Graph permissions reference: https://learn.microsoft.com/en-us/graph/api/resources/entitlementmanagement-overview#authorization

The tests were added in #1381 (merged 2025-12-15) but the scope list in Get-MtGraphScope.ps1 wasn't updated alongside.
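Added example, not code from Maester or from the issue author: a pre-flight check that turns step 5 of the repro ("(Get-MgContext).Scopes does not contain EntitlementManagement.Read.All") and the workaround into a reusable script, so a Forbidden from MT.1106–1110 can be attributed to a scope gap (this issue) rather than a licence gap (#1733) before Invoke-Maester is run. It assumes Microsoft.Graph.Authentication (Get-MgContext, Connect-MgGraph, Disconnect-MgGraph) and Maester (Get-MtGraphScope) are installed; Get-MtScopeGap, Connect-MtGraphWithScope and their parameters are hypothetical names, and the ReadWrite-implies-Read rule is an assumption taken from the linked Graph reference for the entitlement-management endpoints, not a general Graph guarantee.

```powershell
# Added example (hypothetical helper names), not part of Maester or this issue.
# Assumes Microsoft.Graph.Authentication and Maester are installed.

function Get-MtScopeGap {
    [CmdletBinding()]
    param(
        # Scopes the tests under investigation need; default is this issue's case.
        [string[]] $RequiredScope = @('EntitlementManagement.Read.All'),

        # Scopes held by the current token. Defaults to the live Graph context,
        # which also reflects consent that is "sticky" from an earlier session
        # (so a gap that has self-healed is correctly not reported). Pass a
        # constructed list to reason about a session offline.
        [string[]] $GrantedScope = @((Get-MgContext).Scopes),

        # Assumption: for the entitlement-management endpoints the linked Graph
        # reference accepts EntitlementManagement.ReadWrite.All wherever
        # Read.All is listed, so a ReadWrite grant satisfies the Read scope.
        [switch] $TreatReadWriteAsRead
    )

    foreach ($scope in $RequiredScope) {
        $satisfied = $scope -in $GrantedScope            # -in is case-insensitive
        if (-not $satisfied -and $TreatReadWriteAsRead) {
            $satisfied = ($scope -replace '\.Read\.', '.ReadWrite.') -in $GrantedScope
        }
        if (-not $satisfied) { $scope }                  # emit only the missing ones
    }
}

function Connect-MtGraphWithScope {
    [CmdletBinding()]
    param(
        # Scopes to add on top of Maester's default read-only list.
        [string[]] $ExtraScope = @('EntitlementManagement.Read.All')
    )

    $missing = @(Get-MtScopeGap -RequiredScope $ExtraScope)
    if ($missing.Count -eq 0) {
        Write-Host 'All required scopes already granted; no re-consent needed.'
        return
    }
    Write-Host "Missing scope(s): $($missing -join ', '). Reconnecting with them."

    # Same shape as the workaround on this page: drop the session and request
    # the union of Maester's default scopes and the missing ones, so the
    # interactive consent prompt covers them in one go.
    Disconnect-MgGraph -ErrorAction SilentlyContinue
    Connect-MgGraph -Scopes (@(Get-MtGraphScope) + $missing | Select-Object -Unique)
}

# Offline check against a constructed grant list (no Graph session needed);
# prints 'EntitlementManagement.Read.All' because the list lacks it:
Get-MtScopeGap -GrantedScope @('Directory.Read.All', 'Policy.Read.All')

# Same constructed list plus a ReadWrite grant: reports nothing missing when
# the ReadWrite-implies-Read assumption is opted in.
Get-MtScopeGap -TreatReadWriteAsRead `
    -GrantedScope @('Directory.Read.All', 'EntitlementManagement.ReadWrite.All')

# Live use: reconnect only if a scope is actually missing, then run the suite.
# Connect-MtGraphWithScope
# Invoke-Maester
```

The live default for -GrantedScope is what makes the sticky-consent behaviour visible: on an account that consented the scope in an earlier session, Get-MtScopeGap returns nothing and the reconnect is skipped, which is exactly why the bug can look like it does not reproduce.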
