Microsoft Tech Community
SOLVED

Defining dynamic group member rules for including only external guests: which syntax is valid?

Iron Contributor

The syntax is really starting to confuse me as I thought this should work. However, I tend to work with internal users so this may not work.

(user.userPrincipalName -contains "@guestdomain.co.uk")

My colleague reckons this is the answer:

(user.usermail -contains "@guestdomain.co.uk")

Or his latest suggestion:

(user.userType -eq "Guest") and (user.otherMails -contains "@guestdomain.co.uk")

Normally, I would inspect the AAD but I don't have permissions to AD on the target tenant. Anyway, it would be great to stop us both arguing with a proven answer!

2 Replies
best response confirmed by Daniel Westerdale (Iron Contributor)
Solution

Hi @Daniel Westerdale

The syntax we use to get all external guests is:

(user.userType -eq "Guest")

This will pick out all of the guest users in the tenant regardless of their domain. If you just want all guest users from a specific domain, then you can filter by domain with this syntax:

(user.mail -contains "@company.co.uk")

Just tested both in my tenant and can confirm either way works :thumbs_up:

One weird bug I noticed: when assigning members via user.mail they didn't show up in the new AAD groups preview, but did in the old view.

Hope this helps,

Mark

@HidMov

Thanks for your reply. Yes, we changed the rule syntax first thing this morning using similar syntax to yours.

This has now populated - happy days!

(user.Mail -contains "@extdomain.co.uk") -AND (user.userType -eq "Guest")

This one my colleague is monitoring to see what happens... fingers crossed eh.

((user.Mail -contains "@extdomain.co.uk") -OR (user.Mail -contains "@otherextdomain.co.uk")) -AND (user.userType -eq "Guest")
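As an added illustration, not code from the thread or from Microsoft, here is a small Python model of the rule subset used above (parentheses, -eq, -contains, -and, -or) run over a constructed set of users. It assumes attribute names compare case-insensitively, that -and binds tighter than -or, and that guest UPNs take the B2B alias_domain#EXT#@tenant form; on those assumptions it shows why the UPN-based rule and user.usermail match nothing, and why keeping the userType check matters since -contains is a substring test, not a domain-suffix test.

```python
import re

# Toy evaluator for the rule subset used in this thread: parentheses, user.<attribute>, -eq, -contains, -and, -or.
TOKEN_RE = re.compile(r'\s*(\(|\)|"[^"]*"|-[A-Za-z]+|user\.[A-Za-z]+)')

def evaluate(rule: str, user: dict[str, str]) -> bool:
    if TOKEN_RE.sub("", rule).strip(): raise ValueError("unrecognised text in rule")
    toks, i = TOKEN_RE.findall(rule), 0
    attrs = {k.lower(): v for k, v in user.items()}  # assumption: attribute names compare case-insensitively
    def peek(): return toks[i].lower() if i < len(toks) else None
    def take():
        nonlocal i; i += 1; return toks[i - 1]
    def or_expr():  # -and binds tighter than -or (assumed); the thread's rules parenthesise explicitly anyway
        v = and_expr()
        while peek() == "-or":
            take(); v = and_expr() or v  # right side is evaluated first so its tokens are always consumed
        return v
    def and_expr():
        v = term()
        while peek() == "-and":
            take(); v = term() and v
        return v
    def term():
        if peek() == "(":
            take(); v = or_expr()
            if take() != ")": raise ValueError("missing ')'")
            return v
        prop, op, lit = take(), take().lower(), take()
        if not prop.lower().startswith("user.") or not lit.startswith('"'):
            raise ValueError(f'expected user.<attribute> <op> "value", got {prop} {op} {lit}')
        value, lit = attrs.get(prop[5:].lower()), lit[1:-1]
        if value is None: return False  # an attribute that is not set (e.g. user.usermail) never matches
        if op == "-eq": return value == lit
        if op == "-contains": return lit in value  # substring test, not a domain-suffix test
        raise ValueError(f"operator {op} not modelled")
    result = or_expr()
    if i != len(toks): raise ValueError("unexpected trailing tokens")
    return result

# Constructed sample directory, not real tenant data; guest UPNs take the B2B "alias_domain#EXT#@tenant" form.
def rec(upn, mail, kind):
    return {"userPrincipalName": upn, "mail": mail, "userType": kind}
USERS = [
    rec("ann_extdomain.co.uk#EXT#@contoso.onmicrosoft.com", "ann@extdomain.co.uk", "Guest"),
    rec("cat_otherextdomain.co.uk#EXT#@contoso.onmicrosoft.com", "cat@otherextdomain.co.uk", "Guest"),
    rec("bob@contoso.com", "bob@contoso.com", "Member"),
    rec("dan@contoso.com", "dan@extdomain.co.uk.contoso.com", "Member"),  # member on a look-alike subdomain
]
def members(rule: str) -> list[str]:
    return [u["mail"] for u in USERS if evaluate(rule, u)]  # mail addresses the rule pulls into the group
```

Running the thread's rules through members() shows the UPN-based -contains rule returning nobody, the plain user.mail rule also picking up the look-alike member, and the combined rule returning only the intended guest.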
