Fix missing permission check

[nicolonsky]

Description

Fixes #1422.

Contribution Checklist

Before submitting this PR, please confirm you have completed the following:

• 📖 Read the guidelines for contributing to this repository.
• 🧪 Ensure the build and unit tests pass by running /powershell/tests/pester.ps1 on your local system.

[Copilot]

Pull request overview

This PR addresses issue #1422 by adding a permission check to the MT.1100 test (Test-MtIntuneDiagnosticSettings) to gracefully handle cases where the user lacks Azure RBAC permissions to read Intune diagnostic settings. When a 403 (Forbidden) response is received from the Azure ARM API, the test now skips with an appropriate message instead of failing.

Changes:

• Added permission check that detects 403 status code and throws UnauthorizedAccessException
• Added catch block to handle UnauthorizedAccessException and skip test with custom reason
• Added documentation explaining the Azure RBAC prerequisites and providing PowerShell snippets to create a custom role

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
powershell/public/maester/intune/Test-MtIntuneDiagnosticSettings.ps1	Added 403 status code check and exception handling to skip test when Azure RBAC permissions are insufficient
powershell/public/maester/intune/Test-MtIntuneDiagnosticSettings.md	Added prerequisites section documenting required Azure RBAC permissions and remediation steps

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Using throw/catch [UnauthorizedAccessException] for expected authorization failures is inconsistent with other Azure diagnostic-settings tests (e.g., Test-MtCisaDiagnosticSettings uses Add-MtTestResultDetail -SkippedBecause NotAuthorized directly after checking StatusCode -ne '200'). Consider replacing the exception-based control flow with a direct Add-MtTestResultDetail -SkippedBecause NotAuthorized path (and optionally Write-Verbose the response content) to keep skip reasons consistent across reports.

[SamErde]

@copilot open a new pull request to apply changes based on this feedback

[merill]

Do we really need custom catch and write messages for each type?

While it's helpful to distinguish, I feel there could be more types of exceptions and our tests will have more error handling code than the actual business logic.

I'm thinking we should just leave it with a generic catch all and the error message itself will have the details.

For this specific test, I think it's okay to leave it since it's already written.

[SamErde]

Agreed. Copilot sometimes takes defensive code into edge case scenarios!