maester
Test-MTConditionalAccessWhatIf returning incorrect results
I have a member of a group who is in an exclusion group, however the command `Test-MTConditionalAccessWhatIf` returns that policy as applying, but the GUI doesn't.
Also I am having issues with `clientAppTypes` when set to `other` as this also appears to not return any results even though there are policies applied to block this that are applied and working.
I have been experiencing the same issue. It turns out we need to provide more of the optional parameters such as risk levels and country. If you get the output from the API request you will see information about why a policy has not applied. In my case the reason was due to not enough information; this led me down the road of supplying more parameters.
Sorry, please ignore my previous message. I am experiencing the same issue as the original poster. The policy simulation API is returning policies that should not be applying based on the user being in an exclusion group. If I add the user to the excluded users then we are getting the expected outcome. The policy what-if tool in the admin portal is not affected by this, which means the API is doing something different.
Thanks for bringing this to my attention. I will try to channel this feedback to the PG responsible for the evaluate (WhatIf) graph endpoint. They graciously let us use the API even if it's not public. Therefore those issues can happen, which is why we excluded the tests from the default results.
@merill just for your information
Will close as won't fix because we cannot change the result of the API until it's fixed in the backend