Get-MgBetaIdentityConditionalAccessPolicy does not return ExcludeGuestsOrExternalUsers "members"

[jonwbstr]

Describe the bug

I want to create a conditional access policy that excludes a specific service provider, to generate the required JSON body I created the policy in the user interface and fetched the policy via Get-MgBetaIdentityConditionalAccessPolicy. However, the Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy does not contain the "members" property and values. I was able to find the body I need by using the -debug parameter. I suspect this issue affects include and exclude for more than just serviceproviders but have not confirmed that.

"excludeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "serviceProvider",
        "externalTenants": {
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated",
          "members": [
            "xxxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxxx"
          ]
        }
      }

Expected behavior

The Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy object should contain the excluded members.

How to reproduce

1. Using the entra ID portal, create a conditional access policy with an excluded service provider
2. Run the command $p = Get-MgBetaIdentityConditionalAccessPolicy -id
3. Look for the tenantID that was excluded and you will see that it is not present. It should be at:
   $p.conditions.users.ExcludeGuestsOrExternalUsers

SDK Version

2.24.0

Latest version known to work for scenario above?

No response

Known Workarounds

None

Debug output

Click to expand log

```

</details>


### Configuration

Name                           Value
----                           -----
PSVersion                      7.4.3
PSEdition                      Core
GitCommitId                    7.4.3
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

### Other information
No other information

[timayabi2020]

Hi @jonwbstr thanks for identifying and raising this issue. To navigate around the default properties being returned you can use that command or Invoke-MgGraphRequest, assign the result to a variable and use the dot . operator to navigate through the properties that you need.

[timayabi2020]

@jonwbstr please note that PowerShell does not support dynamic output table format for C# based cmdlets - c# - How do you set the default output format for a PowerShell Cmdlet? - Stack Overflow. For that reason, it is recommended that you add |Format-List at the end of your command to get a different view from the default fixed output table format. For more information, please go through this document. Format Azure PowerShell cmdlet output | Microsoft Learn

[jonwbstr]

Hi Tim, I'm not sure how that dynamic output table comment it related to the issue, should I have included that in the initial issue description?

[timayabi2020]

@jonwbstr the issue to do with dynamic outputs is beyond this scope for now. Kindly let me know if you are able to get the property based on the recommendations I've provided.