Microsoft Tech Community

Get List of Users without CA Policy Assigned

Hello, TechCommunity forum,


Does anybody know if there is a way to get a list of users that are not covered by Conditional Access policies?

For example, I have ten policies for different groups of users. Is there a way to find users that are not part of those groups/CA policies?


3 Replies
Sure, you can do it via the Graph. Enumerate all policies, then expand the "users" facet and work with the values therein to determine whether a given user is covered. You'll also have to check his group membership; the /memberOf or /transitiveMemberOf endpoints can help you with that.

Hello @VasilMichev ,

Thank you for your reply.
First of all I tried "{policyid}?$select=conditions" and got conditions (because "users" are listed under "conditions").
And now I need to somehow go deeper into users and then into IncludeUsers. I tried different variations of $expand and $select but didn't succeed.

I see that "includeUsers" contains "All". But if I expand this facet, will it be possible to get a list of all users? For example, if I had "Group1" instead of "All". Or should I use another API to get a list of all users in this "Group1"?

You'll need to run a separate query to get the list of members.
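
The coverage check discussed in this thread, as an added example that is not part of any reply: it evaluates each policy's `conditions.users` facet against every user's transitive group membership and returns the users no policy applies to. The policy and membership data are constructed samples shaped like the Graph responses, the function names are hypothetical, and role-based and guest targeting (`includeRoles`, `GuestsOrExternalUsers`) are assumed to be unused.

```python
# Constructed sample data shaped like Microsoft Graph responses (not real tenant data).
# POLICIES mirrors GET /identity/conditionalAccess/policies; GROUPS_OF maps each
# user id to the group ids returned by GET /users/{id}/transitiveMemberOf.
POLICIES = [
    {"displayName": "MFA for Sales", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": ["u-bob"],
                              "includeGroups": ["g-sales"], "excludeGroups": []}}},
    {"displayName": "Compliant device for Carol", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["u-carol"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []}}},
    {"displayName": "Block legacy auth (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []}}},
]
GROUPS_OF = {
    "u-alice": ["g-sales"],
    "u-bob": ["g-sales"],             # explicitly excluded from the Sales policy
    "u-carol": [],
    "u-dave": ["g-hr"],
    "u-erin": ["g-emea", "g-sales"],  # g-emea is nested in g-sales (transitive)
}

def policy_covers(policy, user_id, group_ids):
    """True if the policy's users condition applies to this user."""
    u = policy["conditions"]["users"]
    # Exclusions win over inclusions, so check them first.
    if user_id in u.get("excludeUsers", []) or group_ids & set(u.get("excludeGroups", [])):
        return False
    include = u.get("includeUsers", [])
    return ("All" in include or user_id in include
            or bool(group_ids & set(u.get("includeGroups", []))))

def uncovered_users(policies, groups_of, states=("enabled",)):
    """Users that no policy in one of the given states applies to."""
    active = [p for p in policies if p.get("state") in states]
    return sorted(uid for uid, groups in groups_of.items()
                  if not any(policy_covers(p, uid, set(groups)) for p in active))

if __name__ == "__main__":
    print(uncovered_users(POLICIES, GROUPS_OF))
```

With only enforced policies counted, the excluded user and the user outside every targeted group are reported; passing the report-only state as well hides them, which is why the state filter matters when reading the result.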