Get-MgBetaIdentityConditionalAccessPolicy does not return ExcludeGuestsOrExternalUsers "members"

[jonwbstr]

Describe the bug

I want to create a conditional access policy that excludes a specific service provider, to generate the required JSON body I created the policy in the user interface and fetched the policy via Get-MgBetaIdentityConditionalAccessPolicy. However, the Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy does not contain the "members" property and values. I was able to find the body I need by using the -debug parameter. I suspect this issue affects include and exclude for more than just serviceproviders but have not confirmed that.

"excludeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "serviceProvider",
        "externalTenants": {
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated",
          "members": [
            "xxxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxxx"
          ]
        }
      }

Expected behavior

The Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy object should contain the excluded members.

How to reproduce

1. Using the entra ID portal, create a conditional access policy with an excluded service provider
2. Run the command $p = Get-MgBetaIdentityConditionalAccessPolicy -id
3. Look for the tenantID that was excluded and you will see that it is not present. It should be at:
   $p.conditions.users.ExcludeGuestsOrExternalUsers

SDK Version

2.24.0

Latest version known to work for scenario above?

No response

Known Workarounds

None

Debug output

Click to expand log

```

</details>


### Configuration

Name                           Value
----                           -----
PSVersion                      7.4.3
PSEdition                      Core
GitCommitId                    7.4.3
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

### Other information
No other information

[timayabi2020]

Hi @jonwbstr thanks for identifying and raising this issue. To navigate around the default properties being returned you can use that command or Invoke-MgGraphRequest, assign the result to a variable and use the dot . operator to navigate through the properties that you need.

[timayabi2020]

@jonwbstr please note that PowerShell does not support dynamic output table format for C# based cmdlets - c# - How do you set the default output format for a PowerShell Cmdlet? - Stack Overflow. For that reason, it is recommended that you add |Format-List at the end of your command to get a different view from the default fixed output table format. For more information, please go through this document. Format Azure PowerShell cmdlet output | Microsoft Learn

[jonwbstr]

Hi Tim, I'm not sure how that dynamic output table comment it related to the issue, should I have included that in the initial issue description?

[timayabi2020]

@jonwbstr the issue to do with dynamic outputs is beyond this scope for now. Kindly let me know if you are able to get the property based on the recommendations I've provided.

[jonwbstr]

Hi Tim, yes Invoke-MGGraphRequest has all the properties

$t = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/<POLICY_ID>"

[timayabi2020]

@jonwbstr Get-MgBetaIdentityConditionalAccessPolicy also works. I've just used a different property from yours because that is where I have data. Please try it.

[jonwbstr]

Hi Tim, would you more detailed steps on how to create the property with data that I'm having an issue with so we can troubleshoot the same thing?

Below is attempts to get data from the same property using the two methods discussed in this ticket. The output for the two commands is different. Invoke-MgGrahRequest contains data while Get-MgBetaIdentityConditionalAccessPolicy does not.

PS C:\> $p = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId d60c2778-1470-4a1b-9f61-3f20e2fbf621
PS C:\> $t = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/d60c2778-1470-4a1b-9f61-3f20e2fbf621"
PS C:\> $t.conditions.users.excludeguestsorexternalusers|convertto-json
{
  "externalTenants": {
    "members": [
      "xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx"
    ],
    "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
    "membershipKind": "enumerated"
  },
  "guestOrExternalUserTypes": "serviceProvider"
}
PS C:\> $p.conditions.users.excludeguestsorexternalusers|convertto-json
{
  "ExternalTenants": {
    "MembershipKind": "enumerated"
  },
  "GuestOrExternalUserTypes": "serviceProvider",
  "AdditionalProperties": {}
}

[jonwbstr]

[jonwbstr]

I mentioned that I suspected this affected both include and exclude, so I built another to confirm that for us. TLDR; yes same issue for both properties. $p is the command that is missing data, $t is the command where the data is not missing. Look for the green lines in the second object

PS C:\> $t = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/4d93eaf9-7140-492c-b4c4-4833fd69c087"
PS C:\> $p = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 4d93eaf9-7140-492c-b4c4-4833fd69c087
PS C:\> $p|convertto-json -depth 100
{
  "Conditions": {
    "Applications": {
      "ApplicationFilter": {
        "Mode": null,
        "Rule": null
      },
      "ExcludeApplications": [],
      "IncludeApplications": [
        "All"
      ],
      "IncludeAuthenticationContextClassReferences": [],
      "IncludeUserActions": []
    },
    "AuthenticationFlows": {
      "TransferMethods": null
    },
    "ClientAppTypes": [
      "all"
    ],
    "ClientApplications": {
      "ExcludeServicePrincipals": null,
      "IncludeServicePrincipals": null,
      "ServicePrincipalFilter": {
        "Mode": null,
        "Rule": null
      }
    },
    "DeviceStates": {
      "ExcludeStates": null,
      "IncludeStates": null
    },
    "Devices": {
      "DeviceFilter": {
        "Mode": null,
        "Rule": null
      },
      "ExcludeDeviceStates": null,
      "ExcludeDevices": null,
      "IncludeDeviceStates": null,
      "IncludeDevices": null
    },
    "InsiderRiskLevels": null,
    "Locations": {
      "ExcludeLocations": null,
      "IncludeLocations": null
    },
    "Platforms": {
      "ExcludePlatforms": null,
      "IncludePlatforms": null
    },
    "ServicePrincipalRiskLevels": null,
    "SignInRiskLevels": [],
    "UserRiskLevels": [],
    "Users": {
      "ExcludeGroups": [],
      "ExcludeGuestsOrExternalUsers": {
        "ExternalTenants": {
          "MembershipKind": "enumerated"
        },
        "GuestOrExternalUserTypes": "serviceProvider"
      },
      "ExcludeRoles": [],
      "ExcludeUsers": [],
      "IncludeGroups": [],
      "IncludeGuestsOrExternalUsers": {
        "ExternalTenants": {
          "MembershipKind": "enumerated"
        },
        "GuestOrExternalUserTypes": "otherExternalUser"
      },
      "IncludeRoles": [],
      "IncludeUsers": []
    }
  },
  "CreatedDateTime": "2024-10-30T09:29:18.197944Z",
  "Description": null,
  "DisplayName": "Vendor Allow",
  "GrantControls": {
    "AuthenticationStrength": {
      "AllowedCombinations": [
        "windowsHelloForBusiness",
        "fido2",
        "x509CertificateMultiFactor",
        "deviceBasedPush"
      ],
      "CombinationConfigurations": [],
      "CreatedDateTime": "2021-12-01T08:00:00Z",
      "Description": "Passwordless methods that satisfy strong authentication, such as Passwordless sign-in with the Microsoft Authenticator",
      "DisplayName": "Passwordless MFA",
      "Id": "00000000-0000-0000-0000-000000000003",
      "ModifiedDateTime": "2021-12-01T08:00:00Z",
      "PolicyType": "builtIn",
      "RequirementsSatisfied": "mfa"
    },
    "BuiltInControls": [],
    "CustomAuthenticationFactors": [],
    "Operator": "OR",
    "TermsOfUse": []
  },
  "Id": "4d93eaf9-7140-492c-b4c4-4833fd69c087",
  "ModifiedDateTime": "2024-10-30T09:31:18.0311806Z",
  "SessionControls": {
    "ApplicationEnforcedRestrictions": {
      "IsEnabled": null
    },
    "CloudAppSecurity": {
      "CloudAppSecurityType": null,
      "IsEnabled": null
    },
    "ContinuousAccessEvaluation": {
      "Mode": null
    },
    "DisableResilienceDefaults": null,
    "PersistentBrowser": {
      "IsEnabled": null,
      "Mode": null
    },
    "SecureSignInSession": {
      "IsEnabled": null
    },
    "SignInFrequency": {
      "AuthenticationType": null,
      "FrequencyInterval": null,
      "IsEnabled": null,
      "Type": null,
      "Value": null
    }
  },
  "State": "enabledForReportingButNotEnforced",
  "AdditionalProperties": {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity"
  }
}
PS C:\> $t|convertto-json -depth 100
{
  "createdDateTime": "2024-10-30T09:29:18.197944Z",
  "partialEnablementStrategy": null,
  "modifiedDateTime": "2024-10-30T09:31:18.0311806Z",
  "conditions": {
    "clientAppTypes": [
      "all"
    ],
    "userRiskLevels": [],
    "clientApplications": null,
    "platforms": null,
    "applications": {
      "includeAuthenticationContextClassReferences": [],
      "excludeApplications": [],
      "applicationFilter": null,
      "includeUserActions": [],
      "includeApplications": [
        "All"
      ]
    },
    "times": null,
    "deviceStates": null,
    "locations": null,
    "users": {
      "excludeGroups": [],
      "excludeRoles": [],
      "includeGroups": [],
      "includeGuestsOrExternalUsers": {
+        "externalTenants": {
+          "members": [
+            "10ce1e4b-e51d-47bc-b9f9-18dbed513b45"
+          ],
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated"
        },**
        "guestOrExternalUserTypes": "otherExternalUser"
      },
      **"excludeGuestsOrExternalUsers": {
        "externalTenants": {
+          "members": [
+            "10ce1e4b-e51d-47bc-b9f9-18dbed513b45"**
+          ],
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated"
        },
        "guestOrExternalUserTypes": "serviceProvider"
      },
      "includeRoles": [],
      "includeUsers": [],
      "excludeUsers": []
    },
    "devices": null,
    "signInRiskLevels": []
  },
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
  "sessionControls": null,
  "displayName": "Vendor Allow",
  "templateId": null,
  "id": "4d93eaf9-7140-492c-b4c4-4833fd69c087",
  "grantControls": {
    "authenticationStrength": {
      "createdDateTime": "2021-12-01T08:00:00Z",
      "modifiedDateTime": "2021-12-01T08:00:00Z",
      "[email protected]": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4d93eaf9-7140-492c-b4c4-4833fd69c087')/grantControls/authenticationStrength/combinationConfigurations",
      "displayName": "Passwordless MFA",
      "requirementsSatisfied": "mfa",
      "policyType": "builtIn",
      "id": "00000000-0000-0000-0000-000000000003",
      "description": "Passwordless methods that satisfy strong authentication, such as Passwordless sign-in with the Microsoft Authenticator",
      "combinationConfigurations": [],
      "allowedCombinations": [
        "windowsHelloForBusiness",
        "fido2",
        "x509CertificateMultiFactor",
        "deviceBasedPush"
      ]
    },
    "[email protected]": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4d93eaf9-7140-492c-b4c4-4833fd69c087')/grantControls/authenticationStrength/$entity",
    "termsOfUse": [],
    "operator": "OR",
    "customAuthenticationFactors": [],
    "builtInControls": []
  },
  "state": "enabledForReportingButNotEnforced"
}