Details of the scenario you tried and the problem that is occurring
When the Get-TargetResource function runs for a Conditional Access policy to obtain the current configuration, the function calls either the Get-MgUser or Get-MgGroup function for each GUID present in the following properties of the policy:
IncludeUsers
ExcludeUsers
IncludeGroups
ExcludeGroups
If one of the GUIDs is no longer present in AAD, then the Get-MgUser or Get-MgGroup function throws an error:
Resource '' does not exist or one of its queried reference-property objects are not present.
The try catch error handling doesn't catch this error gracefully as it is generated within the Get-MgUser / Get-MgGroup function.
e.g. this catch statement doesn't run:
try
{
    $ExcludeUser = (Get-MgUser -UserId $ExcludeUserGUID).userprincipalname
}
catch
{
    $Message = "Couldn't find user $ExcludeUserGUID , that is defined in policy $PolicyDisplayName"
etc....
As a result, if running this as part of a DevOps pipeline, the pipeline run shows as failed in this scenario.
Verbose logs showing the problem
N/A
Suggested solution to the issue
Improved error handling to catch the error generated within the Get-MgUser / Get-MgGroup function
The DSC configuration that is used to reproduce the issue (as detailed as possible)
N/A
To reproduce:
exclude a particular user from a conditional access policy
delete that user from AAD
run a DSC configuration that defines an AADConditionalAccessPolicy resource matching that conditional access policy
Expect to see error generated during Get-TargetResource:
Resource '' does not exist or one of its queried reference-property objects are not present.
The operating system the target node is running
N/A
Version of the DSC module that was used ('dev' if using current dev branch)
dev
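Added example, not part of the original issue or of the Microsoft365DSC code: in PowerShell, try/catch only handles terminating errors, so a cmdlet that reports a missing object as a non-terminating error skips the catch block unless -ErrorAction Stop is passed. Get-StubUser, Resolve-PolicyUsers, the GUIDs and the UPN are hypothetical stand-ins so the sketch runs offline; that Get-MgUser behaves like the stub is an assumption based on the symptom described above.

```powershell
# Hypothetical stand-in for Get-MgUser: reports a missing object with a
# NON-terminating error (Write-Error), which try/catch ignores by default.
function Get-StubUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserId)
    # Constructed sample directory with a single surviving user.
    $directory = @{ '11111111-1111-1111-1111-111111111111' = 'alice@contoso.example' }
    if (-not $directory.ContainsKey($UserId)) {
        Write-Error "Resource '$UserId' does not exist or one of its queried reference-property objects are not present."
        return
    }
    [pscustomobject]@{ Id = $UserId; UserPrincipalName = $directory[$UserId] }
}

# Resolves each GUID in a policy's user list and records the ones that no
# longer exist, so stale references can be reported instead of failing the run.
function Resolve-PolicyUsers {
    param([string[]]$UserGuids, [string]$PolicyDisplayName, [switch]$StopOnError)
    $resolved = @(); $orphaned = @()
    foreach ($guid in $UserGuids) {
        try {
            if ($StopOnError) {
                # -ErrorAction Stop promotes the error to terminating: catch runs.
                $user = Get-StubUser -UserId $guid -ErrorAction Stop
            } else {
                # Pattern from the issue: error goes to the error stream, catch is skipped.
                $user = Get-StubUser -UserId $guid
            }
            if ($user) { $resolved += $user.UserPrincipalName }
        }
        catch {
            Write-Warning "Couldn't find user $guid, that is defined in policy $PolicyDisplayName"
            $orphaned += $guid
        }
    }
    [pscustomobject]@{ Resolved = $resolved; Orphaned = $orphaned }
}

# Constructed input: one existing user and one deleted user.
$guids = '11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222'

# Without Stop: a red error record is emitted and Orphaned stays empty.
Resolve-PolicyUsers -UserGuids $guids -PolicyDisplayName 'Sample policy'

# With Stop: the catch block handles the lookup failure and the GUID is listed as orphaned.
Resolve-PolicyUsers -UserGuids $guids -PolicyDisplayName 'Sample policy' -StopOnError
```

The Orphaned list is also the set of stale GUIDs still referenced by the policy's include/exclude lists, which is worth surfacing in the pipeline output rather than discarding.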