mikhailf
Sep 29, 2022 - Steel Contributor
Get List of Users without CA Policy Assigned
Hello, TechCommunity forum. Does anybody know if there is a way to get a list of users that are not covered by Conditional Access policies? For example, I have ten policies for different groups ...
VasilMichev
Sep 29, 2022 - MVP
Sure, you can do it via the Graph. Enumerate all policies, then expand the "users" facet and work with the values therein to determine whether a given user is covered. You'll also have to check his group membership; the /memberOf or /transitiveMemberOf endpoints can help you with that.
- mikhailf - Oct 02, 2022 - Steel Contributor
Hello VasilMichev,
Thank you for your reply.
First of all, I tried "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyid}?$select=conditions" and got conditions (because "users" are listed under "conditions").
And now I need to dig somehow into users and then into includeUsers. I tried different variations of $expand and $select but didn't succeed. I see that "includeUsers" contains "All". But if I expand this facet, will it be possible to get a list of all users? For example, if I had "Group1" instead of "All". Or should I use another API to get a list of all users in this "Group1"?
- VasilMichev - Oct 02, 2022 - MVP
You'll need to run a separate query to get the list of members.
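
The coverage check described in this thread, as an added example that is not part of the original posts: it evaluates each policy's `conditions.users` scope against per-user group membership and reports users that no enforced policy covers. All user ids, group ids and policy names are constructed sample data standing in for the Graph responses; scoping by role or guest type and the non-user conditions (apps, platforms, locations) are not evaluated.

```python
# Added example. Constructed sample data, shaped like the Graph responses the thread mentions.
# POLICIES: subset of fields from GET /identity/conditionalAccess/policies.
POLICIES = [
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": ["g-admins"], "excludeGroups": []}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"],
                              "includeGroups": [], "excludeGroups": ["g-service"]}}},
    {"displayName": "Pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["u-carol"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []}}},
]
# MEMBERSHIP: user id -> group ids, as collected from /users/{id}/transitiveMemberOf.
MEMBERSHIP = {
    "u-alice": {"g-admins"},
    "u-bob": set(),
    "u-carol": {"g-service"},
    "u-breakglass": set(),
}


def policy_applies(policy, user_id, groups):
    """True if the policy's user scope includes this user (exclusions win)."""
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    if groups & set(users.get("excludeGroups", [])):
        return False
    include_users = users.get("includeUsers", [])
    if "All" in include_users or user_id in include_users:
        return True
    return bool(groups & set(users.get("includeGroups", [])))


def uncovered_users(policies, membership, states=("enabled",)):
    """Users not in scope of any policy whose state is in `states`."""
    active = [p for p in policies if p["state"] in states]
    return sorted(uid for uid, groups in membership.items()
                  if not any(policy_applies(p, uid, groups) for p in active))


if __name__ == "__main__":
    print("No enforced policy:", uncovered_users(POLICIES, MEMBERSHIP))
    print("Counting report-only:", uncovered_users(
        POLICIES, MEMBERSHIP, states=("enabled", "enabledForReportingButNotEnforced")))
```

Excluded accounts and users reached only by report-only policies are the ones that show up as gaps here, which is why the policy `state` is filtered before scope is evaluated.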