The below check is catching break the glass accounts even if they've been accurately discovered. Is this by design or should it perhaps exclude break the glass accounts as they're almost always "stale"?
MT.1029: Stale accounts are not assigned to privileged roles.
MT.1029 does check for break glass and excludes them.
Can you run with -verbose and investigate?
```powershell
# Filtering based on (EntraOps) Enterprise Access Model Tiering
if ($null -ne $FilteredAccessLevel) {
    Write-Verbose "Filtering based on Enterprise Access Model Tiering"
    $EamClassification = Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json' | ConvertFrom-Json -Depth 10
    $FilteredClassification = ($EamClassification | Where-Object { $_.Classification.EAMTierLevelName -eq $FilteredAccessLevel }).RoleId
    $AffectedRoleAssignments = $AffectedRoleAssignments | Where-Object { $_.RoleTemplateId -in $FilteredClassification }
}

# Exclude Break Glass from Alerts
if ($null -ne $FilteredBreakGlass -and $null -ne $AffectedRoleAssignments) {
    $AffectedRoleAssignments | Where-Object { $_.AssigneeId -in $($FilteredBreakGlass).Id } | ForEach-Object {
        Write-Verbose "$($_.AssigneeUserPrincipalName) has been defined as Break Glass and removed from $($Alert.id)"
    }
    $AffectedRoleAssignments = $AffectedRoleAssignments | Where-Object { $_.AssigneeId -notin $($FilteredBreakGlass).Id }
    # Set number of affected Items to value of filtered items (for example, original alert has two affected items, but all of them are break glass and excluded from the test)
    $Alert.numberOfAffectedItems = $AffectedRoleAssignments.Count
}
```
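To see what the exclusion logic in that snippet does when run with `-Verbose`, here is an added example that is not Maester's own code: it wraps the same guard and filter in a hypothetical function (`Remove-BreakGlassFromAssignments`) and runs it over constructed role assignments and a constructed break-glass list (placeholder ids and UPNs, not real tenant objects). The second call passes `$null` for the break-glass list to show the case the guard `$null -ne $FilteredBreakGlass` covers: when no break-glass accounts were supplied to the test, nothing is excluded and the account stays in the alert, which is the first thing to confirm in the verbose output when an account appears to be wrongly flagged.

```powershell
# Added example (not Maester's code): reproduces the break-glass exclusion on constructed data.
function Remove-BreakGlassFromAssignments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $AffectedRoleAssignments,   # objects with AssigneeId / AssigneeUserPrincipalName
        $FilteredBreakGlass,                                # objects with Id, or $null when none were discovered
        [Parameter(Mandatory)] $Alert                       # object with id / numberOfAffectedItems
    )

    # Same guard as the original: with no break-glass list, the whole exclusion block is skipped.
    if ($null -ne $FilteredBreakGlass -and $null -ne $AffectedRoleAssignments) {
        $breakGlassIds = @($FilteredBreakGlass).Id

        $AffectedRoleAssignments | Where-Object { $_.AssigneeId -in $breakGlassIds } | ForEach-Object {
            Write-Verbose "$($_.AssigneeUserPrincipalName) has been defined as Break Glass and removed from $($Alert.id)"
        }

        # @() keeps .Count correct even when zero or one assignment remains
        $AffectedRoleAssignments = @($AffectedRoleAssignments | Where-Object { $_.AssigneeId -notin $breakGlassIds })
        $Alert.numberOfAffectedItems = $AffectedRoleAssignments.Count
    }
    else {
        Write-Verbose "No break-glass list supplied; $($Alert.id) keeps all $($Alert.numberOfAffectedItems) affected item(s)"
    }

    return $AffectedRoleAssignments
}

# Constructed sample data (placeholder values)
$assignments = @(
    [pscustomobject]@{ AssigneeId = 'bg-0001'; AssigneeUserPrincipalName = 'breakglass-admin@contoso.example'; RoleTemplateId = 'role-template-placeholder' }
    [pscustomobject]@{ AssigneeId = 'usr-0002'; AssigneeUserPrincipalName = 'stale-admin@contoso.example';      RoleTemplateId = 'role-template-placeholder' }
)
$breakGlass = @(
    [pscustomobject]@{ Id = 'bg-0001'; UserPrincipalName = 'breakglass-admin@contoso.example' }
)

# Case 1: break-glass list present -> the break-glass account is removed, count drops to 1
$alert1 = [pscustomobject]@{ id = 'MT.1029'; numberOfAffectedItems = $assignments.Count }
$remaining1 = Remove-BreakGlassFromAssignments -AffectedRoleAssignments $assignments -FilteredBreakGlass $breakGlass -Alert $alert1 -Verbose
"Case 1 remaining: $(@($remaining1).AssigneeUserPrincipalName -join ', ') ; numberOfAffectedItems = $($alert1.numberOfAffectedItems)"

# Case 2: no break-glass list -> guard skips the block, both accounts stay flagged
$alert2 = [pscustomobject]@{ id = 'MT.1029'; numberOfAffectedItems = $assignments.Count }
$remaining2 = Remove-BreakGlassFromAssignments -AffectedRoleAssignments $assignments -FilteredBreakGlass $null -Alert $alert2 -Verbose
"Case 2 remaining: $(@($remaining2).AssigneeUserPrincipalName -join ', ') ; numberOfAffectedItems = $($alert2.numberOfAffectedItems)"
```

Run it in a PowerShell session; the `-Verbose` switch surfaces the same "has been defined as Break Glass and removed from" line the original emits, so its absence in a real run points to the break-glass list being empty or the assignee ids not matching rather than to the filter itself.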