Merge pull request #380 from maester365/209-mt1020-all-conditional-ac…

…cess-policies-are-configured-to-exclude-directory-synchronization-accounts-or-do-not-scope-them-should-not-match-all-ca-policies Skip CAP if no internal users or roles are in scope
maester365 · Jul 22, 2024 · d4183ab · d4183ab
2 parents 65e3a5a + fed1ce0
commit d4183ab
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/powershell/public/Test-MtCaExclusionForDirectorySyncAccount.ps1 b/powershell/public/Test-MtCaExclusionForDirectorySyncAccount.ps1
@@ -48,7 +48,17 @@ function Test-MtCaExclusionForDirectorySyncAccount {
         if ( $policy.conditions.applications.includeApplications -ne "All" ) {
             # Skip this policy, because it does not apply to all applications
             $currentresult = $true
-            Write-Verbose "Skipping $($policy.displayName) - $currentresult"
+            Write-Verbose "Skipping $($policy.displayName) because it's not scoped to all apps - $currentresult"
+            continue
+        }
+
+        if ( [string]::IsNullOrWhiteSpace($policy.conditions.users.includeUsers) -and `
+                [string]::IsNullOrWhiteSpace($policy.conditions.users.includeGroups) -and `
+                [string]::IsNullOrWhiteSpace($policy.conditions.users.includeRoles) -and `
+            ( -not [string]::IsNullOrWhiteSpace($policy.conditions.users.includeGuestsOrExternalUsers) ) ) {
+            # Skip this policy, because it does not apply to any internal users, but only guests
+            $currentresult = $true
+            Write-Verbose "Skipping $($policy.displayName) because no internal users is scoped - $currentresult"
             continue
         }