How to list users excluded from a conditional access policy in AAD via MG graph PS cmdlets

T Crha 396 Reputation points
2023-12-16T20:10:23.42+00:00

Hello everyone,

Once again I am in dire need of assistance.

I have a script, executed as an AAD runbook, that sends me an email message that contains all users that are excluded from our currently valid and generally applied Conditional Access policy. Just to know who is excluded because of some problems, a lost cellphone, etc.
But now the script has problems with the new CA policy that I want to use, and when I use this

((Get-AzureADMSConditionalAccessPolicy -PolicyId 'XY').Conditions).Users | select -ExpandProperty ExcludeUsers

it's telling me this

Error converting value "linux" to type 'Microsoft.Open.MSGraph.Model.ConditionalAccessDevicePlatforms'. Path 'conditions.platforms.excludePlatforms[3]', line 1, position 1391.

So basically, I need to use the MG Graph PS cmdlets instead of those legacy ones I used up until now, because the legacy ones are too obsolete, that's what I googled out, but...
When I use this

Get-MgIdentityConditionalAccessPolicy

I get a nice overview of all CA policies I have in my tenant...but how do I extract all exceptions FROM the policy? Has anyone ever done that via the MGGraph module?
Thanks a lot,

Tomas

Microsoft Security | Microsoft Graph

1 answer

  1. Vasil Michev 124.9K Reputation points MVP Volunteer Moderator
    2023-12-17T17:05:34.5233333+00:00

    Best use the Beta module, if you want to cover all (preview) conditions/actions. Something like this should work:

    Get-MgBetaIdentityConditionalAccessPolicy | ? {$_.Conditions.Users.ExcludeUsers}

    This will give you a list of all CA policies that exclude at least one user. If you want the user list as well, do something like this:

    Get-MgBetaIdentityConditionalAccessPolicy | ? {$_.Conditions.Users.ExcludeUsers} | select Id,DisplayName,@{n="ExcludedUsers";e={$_.Conditions.Users.ExcludeUsers -join ","}}

    You might also want to include ExcludeGroups/ExcludeRoles in the above.

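An added example, not part of the answer above, that carries the approach one step further: it expands ExcludeUsers, ExcludeGroups and ExcludeRoles for a single policy and resolves the GUIDs to names, which is what a runbook report needs. The policy ID is a placeholder, and the Graph modules named in the comments are assumed to be installed.

```powershell
# Added example; not code from the question or the answer.
# Assumed modules: Microsoft.Graph.Beta.Identity.SignIns, Microsoft.Graph.Users,
#                  Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

function Get-CaPolicyExclusions {
    param(
        # Object ID of the CA policy; '<POLICY-ID>' below is a placeholder
        [Parameter(Mandatory)] [string] $PolicyId
    )
    $policy = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $users  = $policy.Conditions.Users

    # Excluded users: entries are object IDs, except special values such as
    # 'GuestsOrExternalUsers' which are reported as-is. A deleted user whose ID
    # is still in the list shows up as unresolved, which is worth knowing about.
    foreach ($id in $users.ExcludeUsers) {
        $u = Get-MgUser -UserId $id -Property Id,UserPrincipalName -ErrorAction SilentlyContinue
        $name = if ($u) { $u.UserPrincipalName } else { "<unresolved: $id>" }
        [pscustomobject]@{ Policy = $policy.DisplayName; Kind = 'User'; Id = $id; Name = $name }
    }

    # Excluded groups: every member of these groups bypasses the policy
    foreach ($id in $users.ExcludeGroups) {
        $g = Get-MgGroup -GroupId $id -Property Id,DisplayName -ErrorAction SilentlyContinue
        $name = if ($g) { $g.DisplayName } else { "<unresolved: $id>" }
        [pscustomobject]@{ Policy = $policy.DisplayName; Kind = 'Group'; Id = $id; Name = $name }
    }

    # Excluded roles: these are directory role *template* IDs, not active role objects
    foreach ($id in $users.ExcludeRoles) {
        $r = Get-MgDirectoryRoleTemplate -DirectoryRoleTemplateId $id -ErrorAction SilentlyContinue
        $name = if ($r) { $r.DisplayName } else { "<unresolved: $id>" }
        [pscustomobject]@{ Policy = $policy.DisplayName; Kind = 'Role'; Id = $id; Name = $name }
    }
}

# Usage: print the exclusion list for one policy (placeholder ID)
Get-CaPolicyExclusions -PolicyId '<POLICY-ID>' | Format-Table Kind, Name, Id -AutoSize
```

In a runbook, pipe the objects to ConvertTo-Html or ConvertTo-Csv instead of Format-Table before attaching them to the mail.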
