Forum Discussion
Exclude test guest users from a script listing all guest users
Dear All,
I am trying to find a quick way to exclude all our "test" guest users from a PowerShell script which lists all the guest users in our tenant. The script is quite simple:
$GuestUsers = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true | Sort-Object DisplayName | Select-Object DisplayName,JobTitle,Mail,UserType,AccountEnabled
$GuestUsers | Export-Excel -path "C:\Temp\Guest2022.xlsx" -AutoSize -TableName GuestAccounts -WorksheetName GuestAccounts
The problem is that we have 15 test guest users that always appear in the list. It's not a big number so I can remove them manually afterward but it would be great if I can exclude them directly in the script.
Any help would be much appreciated!
Many thanks in advance!
Francesco
- You can always filter the list client-side? For example:
$GuestUsers | ? {$_.DisplayName -ne "Guest user XX"} | Export-Excel bla bla
or whatever other properties are appropriate...
- LainRobertson, Silver Contributor
Hi, Francesco.
If the test accounts begin with (or if you're happy to make it so that they do) a well-defined prefix on any of the "common" attributes, you can perform server-side filtering as shown in the example below (which uses userPrincipalName, but you can choose something else.)
Get-AzureADUser -Filter "userType eq 'Member' and startswith(userPrincipalName, 'test')"
Note: While attribute references are not case-sensitive, the "startswith()" function name is case-sensitive.
Search functionality is significantly less in Graph than in Active Directory meaning you will need to fall back to using client-side filtering if the prefix isn't well defined.
At fifteen guest accounts, the volume is so small that it doesn't matter whether you filter server- or client-side. It's quite a different story when you're in the tens of thousands with "high" latency, but until you're running queries returning large volumes, do whatever is easiest.
Cheers,
Lain
- fstorer, Brass Contributor
Thank you LainRobertson and VasilMichev for your quick responses!
Unfortunately the test guest users don't have a defined prefix so I will use the client-side filtering as suggested by VasilMichev. I have another question, though: can I create an array with all those test guest users and then ask PowerShell to exclude all the entries in the list?
Many thanks for your help!
Francesco
- LainRobertson, Silver Contributor
Hey, Francesco.
Yeah, there's multiple ways to tackle this both in the server-side (which would be rather ugly) and client-side filtering contexts.
If there's anything common about the test accounts, perhaps a client-side Regex approach would be easiest, as that would automatically identify any new test accounts added later on.
Here's an example of the client-side Regex approach, which I've tacked onto the "getting" side:
$GuestUsers = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true | Where-Object { $_.displayName -notmatch "test|someOtherName|yetAnotherName" } | Select-Object DisplayName,JobTitle,Mail,UserType,AccountEnabled | Sort-Object DisplayName
Basically, you're just adding values to exclude separated by the pipe ("|") symbol.
If you want to go down the array path, this is one approach you could take. The notable difference in my example is that only exact matches would be excluded.
You could blend the two but for 15 or so accounts, it's not worth doing so.
$Exclusions = @( "test1", "test2", "test3" )
$GuestUsers = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true | Where-Object { $_.displayName -notin $Exclusions } | Select-Object DisplayName,JobTitle,Mail,UserType,AccountEnabled | Sort-Object DisplayName
Cheers,
Lain
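Added example, not code from any of the posters above: a blend of the exact-match and regex approaches from this thread that also keeps a record of what was excluded, since an unanchored pattern such as "test" matches anywhere in the name and can silently drop real guests from a guest-account review. The sample users, the exclusion lists and the Test-IsExcluded helper are constructed for illustration; in the real script $AllGuests would come from the Get-AzureADUser call shown in the thread.

```powershell
# Constructed sample data standing in for the output of
# Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true
$AllGuests = @(
    [pscustomobject]@{ DisplayName = 'Test Guest 01';   Mail = 'qa1@example.com';     UserType = 'Guest'; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Maria Testa';     Mail = 'm.testa@example.org'; UserType = 'Guest'; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Contest Partner'; Mail = 'cp@example.net';      UserType = 'Guest'; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Pilot Account';   Mail = 'pilot@example.com';   UserType = 'Guest'; AccountEnabled = $false }
)

# Hypothetical exclusion lists: exact display names plus anchored patterns.
$ExactNames = @('Pilot Account')
$Patterns   = @('^Test Guest \d+$')   # ^ and $ stop the pattern matching inside other names

# Hypothetical helper: returns $true when a user is a known test account.
function Test-IsExcluded {
    param([Parameter(Mandatory)] $User)
    if ($User.DisplayName -in $ExactNames) { return $true }   # -in compares case-insensitively
    foreach ($p in $Patterns) {
        if ($User.DisplayName -match $p) { return $true }
    }
    return $false
}

# Keep both halves so the exclusions can be reviewed alongside the report.
$Excluded   = @($AllGuests | Where-Object { Test-IsExcluded $_ })
$GuestUsers = @($AllGuests | Where-Object { -not (Test-IsExcluded $_) } | Sort-Object DisplayName)

# Real guests that an unanchored "test" pattern would also have removed.
$OverMatched = @($GuestUsers | Where-Object { $_.DisplayName -match 'test' })

"Reported : $($GuestUsers.DisplayName -join ', ')"
"Excluded : $($Excluded.DisplayName -join ', ')"
"Hidden by unanchored 'test': $($OverMatched.DisplayName -join ', ')"
```

With the sample data, "Maria Testa" and "Contest Partner" stay in the report, whereas -notmatch "test" would have dropped both; $Excluded can be written to a second worksheet so the omitted accounts remain visible to whoever reviews the export.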