Unable to retrieve the list of Guest users without ExternalUserState value

Alex Rough 40 Reputation points
2024-04-10T15:05:00.26+00:00

There are cases when ExternalUserState property of Guest users may be empty (null/blank) due to invitation being sent from different services (possibly SharePoint). It is not possible to retrieve the list of those users because according to "Advanced query capabilities on Microsoft Entra ID objects" user property "externalUserState" doesn't support 'eq Null' condition.

Get-MgUser -Filter "UserType eq 'Guest' and externalUserState eq 'Accepted'"

We can get the list of guest users which accepted invitation.

Get-MgUser -Filter "UserType eq 'Guest' and externalUserState eq $null"

We get an error:
"Get-MgUser : Invalid filter clause: Expression expected at position 44 in 'UserType eq 'Guest' and externalUserState eq'."
Neither works '', '*', '$null', null...

Is it a bug that Microsoft will fix or there is a workaround how to retrieve those users?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,644 questions
SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,679 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,080 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,652 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,561 questions
0 comments
Accepted answer
  1. Vasil Michev 95,666 Reputation points MVP
    2024-04-10T16:16:57.87+00:00

    As you mentioned yourself, the API does not currently support a filter operation against null values for said property. However, you can do the filter the other way around - use the NOT operator to exclude the two other possible values, namely "Accepted" and "PendingAcceptance". In other words, do this:

    Get-MgUser -Filter "UserType eq 'Guest' and NOT(externalUserState eq 'PendingAcceptance') and NOT(externalUserState eq 'Accepted')" -ConsistencyLevel eventual -CountVariable count
    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest