MT.1106 - Catalog resources must have valid roles (no stale / removed app roles or SPNs)

Description

This test identifies catalog resources in Microsoft Entra ID Governance that reference stale or invalid roles, deleted service principals, or non-existent SharePoint sites. Stale resources can cause:

• Access provisioning failures when users request access
• Broken approval workflows
• User assignment errors preventing access
• Manual intervention required to fix failed provisioning

How to fix

1. Navigate to Entra ID Governance
2. Review the test results to identify which catalog resources have stale roles or deleted SPNs
3. For each affected resource:
   • For deleted applications: Remove from catalog or restore the application
   • For stale app roles: Update access packages to remove invalid roles or contact app owner to restore roles
   • For SharePoint sites: Remove from catalog, fix the URL, or restore deleted sites
4. Update access packages that referenced the stale resources
5. Re-run the test to verify the issue is resolved

Learn more

• Manage catalog resources
• Service principal app roles
• SharePoint site resource type

%TestResult%