Add missing EntitlementManagement.Read.All to default Graph scopes

[Copilot]

📑 Description

Connect-Maester was not requesting EntitlementManagement.Read.All via Get-MtGraphScope, causing MT.1106–MT.1110 entitlement-management tests to fail with Forbidden on properly licensed Entra ID P2 tenants. This PR adds the missing scope and locks the behavior with focused unit tests.

• Scope list update

  • Added EntitlementManagement.Read.All to the default read-only scope set in powershell/public/Get-MtGraphScope.ps1.
  • Kept alphabetical ordering in the scope array.

• Regression coverage

  • Added powershell/tests/functions/Get-MtGraphScope.Tests.ps1 to verify:
    • the default scope list contains EntitlementManagement.Read.All
    • ordering is preserved around adjacent entries.

$scopes = Get-MtGraphScope
$scopes | Should -Contain 'EntitlementManagement.Read.All'

✅ Checks

• My pull request adheres to the code style of this project.
• My code requires changes to the documentation.
• I have updated the documentation as required.
• The build and unit tests pass after running /powershell/tests/pester.ps1 locally.

ℹ️ Additional Information

No breaking changes.
This is a minimal permissions fix for existing entitlement-management checks (MT.1106–MT.1110).

---

How to Contribute

🏗️ Read our full contributing guide for the Maester project.
🧪 We also have additional instructions and a checklist for creating tests.

Join us at the Maester repository discussions or Entra Discord for more help and conversations!
While you wait for a review, why not spread some Maester love on social media? Thank you! 💖

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• management.azure.com
  • Triggering command: /usr/bin/pwsh pwsh -NoLogo -NoProfile -File ./powershell/tests/pester.ps1 (dns block)
• us.i.posthog.com
  • Triggering command: /usr/bin/pwsh pwsh -NoLogo -NoProfile -File ./powershell/tests/pester.ps1 (dns block)
• www.powershellgallery.com
  • Triggering command: /usr/bin/pwsh pwsh -NoLogo -NoProfile -File ./powershell/tests/pester.ps1 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[cloudflare-workers-and-pages]

Deploying maester with    Cloudflare Pages

Latest commit:	ba6429d
Status:	✅  Deploy successful!
Preview URL:	https://a873d9a5.maester.pages.dev
Branch Preview URL:	https://copilot-fix-mtgraphscope-mis.maester.pages.dev

View logs

[Copilot]

Pull request overview

This PR fixes missing Microsoft Graph permissions for Maester’s entitlement-management tests by adding the EntitlementManagement.Read.All scope to the default Get-MtGraphScope read-only scope set, and introduces a small Pester test suite to prevent regressions.

Changes:

• Added EntitlementManagement.Read.All to the default scope array returned by Get-MtGraphScope.
• Added Pester unit tests ensuring the scope is present and remains alphabetically ordered relative to nearby scopes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
powershell/public/Get-MtGraphScope.ps1	Adds the missing default Graph scope used by entitlement-management tests.
powershell/tests/functions/Get-MtGraphScope.Tests.ps1	Adds regression tests for presence and ordering of the new scope.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.