Forum Discussion

fstorer
Brass Contributor
Jun 01, 2022

Exclude test guest users from a script listing all guest users

Dear All,

I am trying to find a quick way to exclude all our "test" guest users from a PowerShell script which lists all the guest users in our tenant. The script is quite simple:

 

$GuestUsers = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true | Sort-Object DisplayName | Select-Object DisplayName,JobTitle,Mail,UserType,AccountEnabled

$GuestUsers | Export-Excel -path "C:\Temp\Guest2022.xlsx" -AutoSize -TableName GuestAccounts -WorksheetName GuestAccounts

The problem is that we have 15 test guest users that always appear in the list. It's not a big number so I can remove them manually afterward but it would be great if I can exclude them directly in the script.

Any help would be much appreciated!

Many thanks in advance!

 

Francesco  

 


  • You can always filter the list client-side? For example:

    $GuestUsers | ? {$_.DisplayName -ne "Guest user XX"} | Export-Excel bla bla

    or whatever other properties are appropriate...
  • LainRobertson
    Silver Contributor

    fstorer 

     

    Hi, Francesco.

     

    If the test accounts begin with (or if you're happy to make it so that they do) a well-defined prefix on any of the "common" attributes, you can perform server-side filtering as shown in the example below (which uses userPrincipalName, but you can choose something else.)

     

    Get-AzureADUser -Filter "userType eq 'Member' and startswith(userPrincipalName, 'test')"

     

    Note: While attribute references are not case-sensitive, the "startswith()" function name is case-sensitive.

     

    Search functionality is significantly less in Graph than in Active Directory, meaning you will need to fall back to using client-side filtering if the prefix isn't well defined.

     

    At fifteen guest accounts, the volume is so small that it doesn't matter whether you filter server- or client-side. It's quite a different story when you're in the tens of thousands with "high" latency, but until you're running queries returning large volumes, do whatever is easiest.

     

    Cheers,

    Lain

    • fstorer
      Brass Contributor

      Thank you LainRobertson and VasilMichev for your quick responses!

      Unfortunately the test guest users don't have a defined prefix so I will use the client-side filtering as suggested by VasilMichev. I have another question, though: can I create an array with all those test guest users and then ask PowerShell to exclude all the entries in the list?

      Many thanks for your help!

       

      Francesco   

      • LainRobertson
        Silver Contributor

        fstorer

         

        Hey, Francesco.

         

        Yeah, there's multiple ways to tackle this both in the server-side (which would be rather ugly) and client-side filtering contexts.

         

        If there's anything common about the test accounts, perhaps a client-side Regex approach would be easiest, as that would automatically identify any new test accounts added later on.

         

        Here's an example of the client-side Regex approach, which I've tacked onto the "getting" side:

        $GuestUsers = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true | Where-Object { $_.displayName -notmatch "test|someOtherName|yetAnotherName" } | Select-Object DisplayName,JobTitle,Mail,UserType,AccountEnabled | Sort-Object DisplayName

         

        Basically, you're just adding values to exclude, separated by the pipe ("|") symbol.

         

        If you want to go down the array path, this is one approach you could take. The notable difference in my example is that only exact matches would be excluded.

         

        You could blend the two but for 15 or so accounts, it's not worth doing so.

        $Exclusions = @(
            "test1",
            "test2",
            "test3"
        )
        
        $GuestUsers = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true | Where-Object { $_.displayName -notin $Exclusions } | Select-Object DisplayName,JobTitle,Mail,UserType,AccountEnabled | Sort-Object DisplayName

         

        Cheers,

        Lain
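
Added example, not part of the original posts: a side-by-side run of the two client-side approaches from the thread, showing what each one leaves out of the guest report. The sample accounts and the `$Exclusions` values are constructed; in the real script `$AllGuests` would come from the `Get-AzureADUser` call shown above.

```powershell
# Constructed sample objects standing in for the result of the page's query:
#   Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true
$AllGuests = @(
    [pscustomobject]@{ DisplayName = 'Test Guest 1';   Mail = 'test1@example.com';   AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'QA (temp) user'; Mail = 'qa.temp@example.com'; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Maria Testa';    Mail = 'm.testa@example.org'; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Contest Vendor'; Mail = 'sales@example.net';   AccountEnabled = $false }
)

# Hypothetical exclusion list: exact display names of the known test guests.
$Exclusions = @('Test Guest 1', 'QA (temp) user')

# Array approach: -notin compares whole values, case-insensitively.
$KeptExact = @($AllGuests | Where-Object { $_.DisplayName -notin $Exclusions })

# Regex approach built from the same array. Each name is escaped so that
# characters such as "(" are matched literally, and the pattern is anchored
# with ^...$ so it only matches a complete display name.
$Escaped   = $Exclusions | ForEach-Object { [regex]::Escape($_) }
$Pattern   = '^(?:' + ($Escaped -join '|') + ')$'
$KeptRegex = @($AllGuests | Where-Object { $_.DisplayName -notmatch $Pattern })

# Unanchored substring pattern, for comparison: it also drops real guests
# whose names merely contain "test" (here "Maria Testa" and "Contest Vendor").
$LooseDropped = @($AllGuests | Where-Object { $_.DisplayName -match 'test' })

# Record what the report leaves out so the exclusions can be reviewed.
$Excluded = @($AllGuests | Where-Object { $_.DisplayName -in $Exclusions })

"Kept (exact):             $($KeptExact.DisplayName -join ', ')"
"Kept (anchored regex):    $($KeptRegex.DisplayName -join ', ')"
"Dropped by -match 'test': $($LooseDropped.DisplayName -join ', ')"
"Excluded from report:     $($Excluded.DisplayName -join ', ')"
```

Because display names are neither unique nor fixed, the same `-notin` filter can be keyed on `Mail` or another stable property of the test accounts instead.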
