Get List of Users without CA Policy Assigned


Hello, TechCommunity forum,


Does anybody know if there is a way to get a list of users that are not covered by Conditional Access policies?

For example, I have ten policies for different groups of users. Is there a way to find users that are not part of those groups/CA policies?


3 Replies
Sure, you can do it via the Graph. Enumerate all policies, then expand the "users" facet and work with the values therein to determine whether a given user is covered. You'll also have to check his group membership; the /memberOf or /transitiveMemberOf endpoints can help you with that.

Hello @Vasil Michev,

Thank you for your reply.
First of all, I tried "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyid}?$select=conditions" and got conditions (because "users" are listed under "conditions").
Now I need to dig somehow into users and then into includeUsers. I tried different variations of $expand and $select but didn't succeed.

I see that "includeUsers" contains "All". But if I expand this facet, will it be possible to get a list of all users? For example, if I had "Group1" instead of "All". Or should I use another API to get a list of all users in this "Group1"?

You'll need to run a separate query to get the list of members.
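Putting the two replies together as a worked example (added here; this is not code from the thread or from Microsoft): enumerate the policies, read each policy's conditions.users facet, fetch each user's group membership with a separate transitiveMemberOf query, and then decide per user whether any active policy puts them in scope. The record shapes below follow what GET /identity/conditionalAccess/policies and GET /users/{id}/transitiveMemberOf return, but all policy and membership records are constructed sample data (ids like "g-sales" and "u-breakglass" are made up) so the script runs offline; swap in real Graph output, paging through @odata.nextLink, to run it against a tenant.

```python
"""Find users not covered by any Conditional Access policy.

Record shapes follow Graph's GET /identity/conditionalAccess/policies
(conditions.users facet) and GET /users/{id}/transitiveMemberOf, but all
records here are constructed sample data so the script runs offline.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample policies (not from a real tenant); only the fields the
# coverage check needs are kept: state and conditions.users.
POLICIES = [
    {"id": "p1", "displayName": "MFA for Sales", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": ["u-breakglass"],
                              "includeGroups": ["g-sales"], "excludeGroups": []}}},
    {"id": "p2", "displayName": "Block legacy auth (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []}}},
    {"id": "p3", "displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []}}},
    {"id": "p4", "displayName": "Compliant device for IT", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": ["g-it"],
                              "excludeGroups": ["g-it-contractors"]}}},
]

# Constructed sample of what /users/{id}/transitiveMemberOf returns per user.
TRANSITIVE_MEMBER_OF = {
    "u-alice": [{"@odata.type": "#microsoft.graph.group", "id": "g-sales"},
                {"@odata.type": "#microsoft.graph.group", "id": "g-all-staff"}],
    "u-bob": [{"@odata.type": "#microsoft.graph.group", "id": "g-it"},
              {"@odata.type": "#microsoft.graph.group", "id": "g-it-contractors"}],
    "u-carol": [{"@odata.type": "#microsoft.graph.group", "id": "g-all-staff"},
                {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-helpdesk"}],
    "u-breakglass": [{"@odata.type": "#microsoft.graph.group", "id": "g-sales"}],
}


def group_ids(member_of: Iterable[dict]) -> Set[str]:
    """Keep only group ids from a transitiveMemberOf result; the endpoint also
    returns directory roles, which never match includeGroups/excludeGroups."""
    return {o["id"] for o in member_of
            if o.get("@odata.type") == "#microsoft.graph.group"}


def policy_is_active(policy: dict, include_report_only: bool) -> bool:
    """Only 'enabled' policies enforce anything; report-only policies log
    without enforcing, and disabled policies do nothing."""
    state = policy.get("state")
    if state == "enabled":
        return True
    return include_report_only and state == "enabledForReportingButNotEnforced"


def policy_covers_user(policy: dict, user_id: str, groups: Set[str]) -> bool:
    """Evaluate conditions.users for one user.

    Any exclusion (excludeUsers / excludeGroups) wins over every inclusion.
    Otherwise the user is in scope if includeUsers holds the special value
    'All' or the user's id, or one of the user's groups is in includeGroups.
    The special value 'None' matches nobody; includeRoles and guest/external
    selectors are not evaluated here (see the note after the block).
    """
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    if groups & set(users.get("excludeGroups", [])):
        return False
    include_users = set(users.get("includeUsers", []))
    if "All" in include_users or user_id in include_users:
        return True
    return bool(groups & set(users.get("includeGroups", [])))


def coverage_report(policies: List[dict], member_of: Dict[str, List[dict]],
                    include_report_only: bool = False) -> Dict[str, List[str]]:
    """Map each user id to the ids of the active policies that cover them."""
    active = [p for p in policies if policy_is_active(p, include_report_only)]
    report: Dict[str, List[str]] = {}
    for user_id, objects in member_of.items():
        groups = group_ids(objects)
        report[user_id] = [p["id"] for p in active
                           if policy_covers_user(p, user_id, groups)]
    return report


def uncovered_users(policies: List[dict], member_of: Dict[str, List[dict]],
                    include_report_only: bool = False) -> List[str]:
    """Users that no active policy applies to: the list the question asks for."""
    report = coverage_report(policies, member_of, include_report_only)
    return sorted(u for u, covering in report.items() if not covering)


if __name__ == "__main__":
    for user, covering in coverage_report(POLICIES, TRANSITIVE_MEMBER_OF).items():
        print(f"{user}: {covering or 'NOT COVERED'}")
    print("Uncovered:", uncovered_users(POLICIES, TRANSITIVE_MEMBER_OF))
```

Two caveats a practitioner will want. First, the check answers "is this user in the policy's user scope", not "does the policy apply to every sign-in": app, platform, location and risk conditions can still leave sign-ins unprotected, and includeRoles (role template ids, which need a separate lookup) and the guest/external selectors are not evaluated above. Second, report-only policies look reassuring in the portal but enforce nothing, which is why the sample only counts them when include_report_only is set; with it off, the break-glass account excluded from p1 and the IT contractor excluded via excludeGroups both show up as uncovered, as they should.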