Conditional Access to Block Guest with High Privilege Roles

I would expect the following to block only guests who hold the high-privilege roles, but it actually blocks anyone with these roles. Please help :slight_smile:

Block guests and external users who hold high-privilege Azure roles from signing in.

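# Users-Guest-CA01: block guests / external users that hold high-privilege directory roles.
#
# NOTE(review): Conditional Access evaluates every `included_*` entry under `users`
# as a union (OR), never an intersection. Listing `GuestsOrExternalUsers` together
# with a set of roles puts ALL guests plus ALL holders of those roles in scope, which
# is why this policy also blocks member (non-guest) administrators. There is no
# assignment syntax for "guest AND role"; a CA policy can only target one population
# at a time, so keeping guests out of these roles is a role-assignment/governance
# control (review who is assigned or eligible) rather than something this policy can
# express on its own.
#
# The original paste used typographic quotes (“ ”); they are replaced with ASCII
# quotes so the block parses as HCL. `lower("all")`/`title("all")` wrappers on
# literals were replaced by the literal values they evaluate to.
resource "azuread_conditional_access_policy" "blockguestadmin" {
  display_name = "Users-Guest-CA01: Block Guests/External Users from high privilege roles"
  state        = "enabled"

  conditions {
    users {
      # Guest / external population. Newer azuread provider versions also expose a
      # dedicated included_guests_or_external_users block for finer targeting
      # (by guest type and tenant); check the provider version in use.
      included_users = ["GuestsOrExternalUsers"]

      # Exemption / break-glass group: keep this populated so the policy can never
      # lock out every administrator.
      excluded_groups = [azuread_group.security-exemption-cap.id]

      # WARNING: unioned with included_users above — every holder of these roles,
      # guest or member, is in scope of the block.
      included_roles = [
        "62e90394-69f5-4237-9190-012177145e10", // Global Administrator

        "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", // Application Administrator
        "cf1c38e5-3621-4004-a7cb-879624dced7c", // Application Developer
        "c4e39bd9-1100-46d3-8c65-fb160da0071f", // Authentication Administrator
        "0526716b-113d-4c15-b2c8-68e3c22b9f80", // Authentication Policy Administrator
        "aaf43236-0c0d-4d5f-883a-6955382ac081", // B2C IEF Keyset Administrator
        "158c047a-c907-4556-b7ef-446551a6b5f7", // Cloud Application Administrator
        "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9", // Conditional Access Administrator
        "9360feb5-f418-4baa-8175-e2a00bac4301", // Directory Writers
        "29232cdf-9323-42fd-ade2-1d097af3e4de", // Exchange Administrator
        "31392ffb-586c-42d1-9346-e59415a2cc4e", // Exchange Recipient Administrator
        "3a2c62db-5318-420d-8d74-23affee5d9d5", // Intune Administrator
        "966707d0-3269-4727-9be2-8c3a10f19b9d", // Password Administrator
        "7be44c8a-adaf-4e2a-84d6-ab2649e08a13", // Privileged Authentication Administrator
        "e8611ab8-c189-46e8-94e1-60213ab1f814", // Privileged Role Administrator
        "194ae4cb-b126-40b2-bd5b-6091b380977d", // Security Administrator
        "5f2222b1-57c3-48ba-8ad5-d4759f1fde6f", // Security Operator
        "5d6b6bb7-de71-4623-b4af-96380a352509", // Security Reader
        "fe930be7-5e62-47db-91af-98c3a49a38b1"  // User Administrator
      ]
    }

    ## Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
    client_app_types = ["all"]

    applications {
      ### Can be All, None, Office365 or an Application ID
      included_applications = ["All"]
    }

    locations {
      included_locations = ["All"]
    }

    platforms {
      ##  all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue
      included_platforms = ["all"]
    }
  }

  grant_controls {
    ## MFA strength required
    ## authentication_strength_policy, is not compatible with built_in_controls = ["mfa"]
    # NOTE(review): "block" is an exclusive grant control; an authentication strength
    # alongside it adds no requirement a blocked sign-in could ever satisfy. Confirm
    # the provider/API accepted this combination on apply; if the intent is purely to
    # block, the authentication_strength_policy_id line can be dropped.
    ## Passwordless Strength (High)
    authentication_strength_policy_id = local.passwordlessonly_policy_id
    ## Password Strength (Medium)
    #authentication_strength_policy_id = local.password_policy_id
    operator          = "AND"
    built_in_controls = ["block"]
  }
}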