Daniel Westerdale
Iron Contributor
Feb 18, 2020

Defining dynamic group member rules for including only external guests: which syntax is valid?

 

 

The syntax is really starting to confuse me as I thought this should work. However, I tend to work with internal users so this may not work.

 

(user.userPrincipalName -contains "@guestdomain.co.uk")

 

My colleague reckons this is the answer

 

(user.usermail -contains "@guestdomain.co.uk")

 

Or his latest suggestion, 

(user.userType -eq "Guest") and (user.otherMails -contains "@guestdomain.co.uk")

 

Normally, I would inspect the AAD but I don't have permissions to AD on the target tenant. Anyway, would be great to stop us both arguing with a proven answer!

 

 

  • HidMov
    Steel Contributor

    Hi Daniel Westerdale 

     

    The Syntax we use to get all external guests is:

     

    (user.userType -eq "Guest")

     

    This will pick out all of the guest users in the tenant regardless of their domain. If you just want all guest users from a specific domain, then you can filter by domain with this syntax

     

    (user.mail -contains "@company.co.uk")

     

    Just tested both in my tenant and confirm either way works 👍

     

    One weird bug I noticed - when assigning members via user.mail they didn't show up in the new AAD groups preview, but did in the old view.

     

    Hope this helps,

    Mark

     

    • Daniel Westerdale
      Iron Contributor

      HidMov 

       

       

      Thanks for your reply. Yes, we changed the rule syntax first thing this morning using similar syntax to you.

       

      This has now populated - happy days!

      (user.Mail -contains "@extdomain.co.uk") -AND (user.userType -eq "Guest")

       

      This one my colleague is monitoring to see what happens... fingers crossed eh.

      ((user.Mail -contains "@extdomain.co.uk") -OR (user.Mail -contains "@otherextdomain.co.uk")) -AND (user.userType -eq "Guest")
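
An offline check of the rules discussed in this thread, added here as an example and not code from any poster: it models the rule's `-contains` as a substring match on `user.mail` and compares the result with a strict domain-suffix test, so the resulting membership can be audited. The user records, the `contoso` tenant name and the function name `Test-GuestDomainRule` are constructed for illustration.

```powershell
function Test-GuestDomainRule {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [string[]] $Domains   # e.g. '@extdomain.co.uk'
    )
    $mail = [string]$User.Mail                       # $null becomes ''
    # Dynamic-rule -contains on a string property is a substring match.
    # PowerShell's own -contains tests collection membership, so -like is used
    # here (case-insensitive, assumed to mirror the rule engine).
    $substring = [bool]($Domains | Where-Object { $mail -like "*$_*" })
    # Stricter test: the address must end with one of the listed domains.
    $suffix    = [bool]($Domains | Where-Object { $mail -like "*$_" })
    $isGuest   = $User.UserType -eq 'Guest'
    [pscustomobject]@{
        Mail        = $mail
        UserType    = $User.UserType
        RuleMatch   = $isGuest -and $substring       # what the thread's rule selects
        ExactDomain = $isGuest -and $suffix          # what was probably intended
    }
}

# Constructed sample records, shaped like the output of
#   Get-MgUser -All -Property UserType,Mail,UserPrincipalName
# Invited guests typically get a UPN of the form name_domain#EXT#@tenant,
# so the home domain appears after "@" only in Mail, not in the UPN.
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'amy_extdomain.co.uk#EXT#@contoso.onmicrosoft.com'
                       Mail = 'amy@extdomain.co.uk';             UserType = 'Guest' }
    [pscustomobject]@{ UserPrincipalName = 'bob_otherextdomain.co.uk#EXT#@contoso.onmicrosoft.com'
                       Mail = 'bob@otherextdomain.co.uk';        UserType = 'Guest' }
    [pscustomobject]@{ UserPrincipalName = 'carol_extdomain.co.uk.example.net#EXT#@contoso.onmicrosoft.com'
                       Mail = 'carol@extdomain.co.uk.example.net'; UserType = 'Guest' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.onmicrosoft.com'
                       Mail = 'dave@extdomain.co.uk';            UserType = 'Member' }
    [pscustomobject]@{ UserPrincipalName = 'erin_extdomain.co.uk#EXT#@contoso.onmicrosoft.com'
                       Mail = $null;                             UserType = 'Guest' }
)

$domains = '@extdomain.co.uk', '@otherextdomain.co.uk'
$report  = $users | ForEach-Object { Test-GuestDomainRule -User $_ -Domains $domains }
$report | Format-Table -AutoSize

# Accounts the rule would add although their address does not end in a listed domain.
$report | Where-Object { $_.RuleMatch -and -not $_.ExactDomain } | Format-Table -AutoSize
```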

       
