I would think the following would block just guests with the high privilege roles, but it actually blocks anyone with these roles. Please help
Block Guests and External Users from logging on with high-privilege Azure roles.
resource “azuread_conditional_access_policy” “blockguestadmin” {
display_name = “Users-Guest-CA01: Block Guests/External Users from high privilege roles”
state = “enabled”
conditions {
users {
included_users = [“GuestsOrExternalUsers”]
excluded_groups = [azuread_group.security-exemption-cap.id]
included_roles = [
"62e90394-69f5-4237-9190-012177145e10", // Global Administrator
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", // Application Administrator
"cf1c38e5-3621-4004-a7cb-879624dced7c", // Application Developer
"c4e39bd9-1100-46d3-8c65-fb160da0071f", // Authentication Administrator
"0526716b-113d-4c15-b2c8-68e3c22b9f80", // Authentication Policy Administrator
"aaf43236-0c0d-4d5f-883a-6955382ac081", // B2C IEF Keyset Administrator
"158c047a-c907-4556-b7ef-446551a6b5f7", // Cloud Application Administrator
"b1be1c3e-b65d-4f19-8427-f6fa0d97feb9", // Conditional Access Administrator
"9360feb5-f418-4baa-8175-e2a00bac4301", // Directory Writers
"29232cdf-9323-42fd-ade2-1d097af3e4de", // Exchange Administrator
"31392ffb-586c-42d1-9346-e59415a2cc4e", // Exchange Recipient Administrator
"3a2c62db-5318-420d-8d74-23affee5d9d5", // Intune Administrator
"966707d0-3269-4727-9be2-8c3a10f19b9d", // Password Administrator
"7be44c8a-adaf-4e2a-84d6-ab2649e08a13", // Privileged Authentication Administrator
"e8611ab8-c189-46e8-94e1-60213ab1f814", // Privileged Role Administrator
"194ae4cb-b126-40b2-bd5b-6091b380977d", // Security Administrator
"5f2222b1-57c3-48ba-8ad5-d4759f1fde6f", // Security Operator
"5d6b6bb7-de71-4623-b4af-96380a352509", // Security Reader
"fe930be7-5e62-47db-91af-98c3a49a38b1" // User Administrator
]
}
## Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
client_app_types = [lower("all")]
applications {
### Can be all, None, Office365 or Application ID
included_applications = [title("all")]
}
locations {
included_locations = [title("all")]
}
platforms {
## all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue
included_platforms = ["all"]
}
}
grant_controls {
## MFA strength required
## authentication_strength_policy, is not compatible with built_in_controls = [“mfa”]
## Passwordless Strength (High)
authentication_strength_policy_id = local.passwordlessonly_policy_id
## Password Strength (Medium)
#authentication_strength_policy_id = local.password_policy_id
operator = “AND”
built_in_controls = [“block”]
}
}