Skip to Main Content
Liongard Library

Welcome to Liongard Library, where Lions share! This is a community-led space where Liongard users can come to teach and learn from one another.
Share custom Metrics, get inspired and see what’s trending in the Pride.

Pride Etiquette:
➕ Have great custom Metrics? Add them as entries!
🌟 Want to use a Metric? Copy the query and
follow this doc.
👍 Tried a Metric from the Library? Like it!
📣 Have a question or feedback on a Metric? Add a comment!
🔎 Not sure where to start? Learn about Metrics and how to write them.
💬 Need help writing a metric or want to help support others? Join the conversation in our Liongard Lounge #metrics slack channel.

🥴 See something off? Open a support chat to let us know.

Created by Noah Tatum
Created on Dec 6, 2023

Azure Active Directory: Conditional Access Policies with Excluded Users Summary

I based this off another metric created by David Chapman, so thanks to him for the original idea! I added the ability to also bring in users from excluded groups for a full picture of what users are excluded from CA policies. There might be a more elegant/streamlined way to run the query but this is what I came up with.

Policies.ConditionalAccess[].{ca_displayName:displayName,ca_excludedDisplayNames:join(',',map_by_key(conditions.users.excludeUsers[].{id: @}, ~.Users[], `id`)[].displayName)ca_excludedGroupMemberDisplayNames:join(',',map_by_key(conditions.users.excludeGroups[].{id:@},~.Groups[], `id`)[].members[].userPrincipalName.{userPrincipalName: @} | map_by_key(@, ~.Users[],`userPrincipalName`)[].displayName)}[].{ca_displayName:ca_displayName,ca_excludedDisplayNames:join(',',join(',',[ca_excludedDisplayNames,ca_excludedGroupMemberDisplayNames]).split(@,',').sort(@).unique_list(@)[?not_null(@)])}[].join(': ',[ca_displayName,ca_excludedDisplayNames])
  • Attach files