SOLVED

Defining dynamic group member rules for including only external guests: which syntax is valid?

The syntax is really starting to confuse me as I thought this should work. However, I tend to work with internal users so this may not work.

 

(user.userPrincipalName -contains "@guestdomain.co.uk")

 

My colleague reckons this is the answer

 

(user.usermail -contains "@guestdomain.co.uk")

 

Or his latest suggestion, 

(user.userType -eq "Guest") and (user.otherMails -contains "@guestdomain.co.uk")

 

Normally, I would inspect the AAD but I don't have permissions to AD on the target tenant. Anyway, would be great to stop us both arguing with a proven answer!

 

 

2 Replies
best response confirmed by Daniel Westerdale (Regular Contributor)
Solution

Hi @Daniel Westerdale 

 

The syntax we use to get all external guests is:

 

(user.userType -eq "Guest")

 

This will pick out all of the guest users in the tenant regardless of their domain. If you just want all guest users from a specific domain, then you can filter by domain with this syntax:

 

(user.mail -contains "@company.co.uk")

 

Just tested both in my tenant and confirm either way works :thumbs_up:

 

One weird bug I noticed - when assigning members via user.mail they didn't show up in the new AAD groups preview, but did in the old view.

 

Hope this helps,

Mark

 

@HidMov 

 

 

Thanks for your reply. Yes, we changed the rule syntax first thing this morning using similar syntax to you.

 

This has now populated - happy days!

(user.Mail -contains "@extdomain.co.uk") -AND (user.userType -eq "Guest")

 

This one my colleague is monitoring to see what happens... fingers crossed eh.

((user.Mail -contains "@extdomain.co.uk") -OR (user.Mail -contains "@otherextdomain.co.uk")) -AND (user.userType -eq "Guest")
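
The rules from this thread, run through a simplified local model of rule evaluation to see which accounts each one would pull into the group. This is an added example, not code from any poster or from Microsoft; the sample users, the `matches` and `members` helpers, and the case-insensitive comparison model are assumptions.

```python
import re
# Constructed sample objects, not taken from the thread. The guest UPNs use the
# usual B2B shape: name_domain#EXT#@<tenant>.onmicrosoft.com
USERS = [
    {"name": "guest-a", "userType": "Guest", "mail": "ann@extdomain.co.uk",
     "userPrincipalName": "ann_extdomain.co.uk#EXT#@tenant.onmicrosoft.com"},
    {"name": "guest-b", "userType": "Guest", "mail": "bob@otherextdomain.co.uk",
     "userPrincipalName": "bob_otherextdomain.co.uk#EXT#@tenant.onmicrosoft.com"},
    {"name": "member-c", "userType": "Member", "mail": "cat@extdomain.co.uk",
     "userPrincipalName": "cat@tenant.onmicrosoft.com"},
]
OPS = {"-eq": lambda have, want: have == want,
       "-contains": lambda have, want: want in have}  # substring on strings

def matches(rule, user):
    """Evaluate one rule string against one user dict (simplified local model)."""
    # Reversed token list, so pop() yields the next token.
    toks = re.findall(r'\(|\)|-\w+|user\.\w+|"[^"]*"', rule)[::-1]
    # Assumption of this model: names and values compare case-insensitively.
    attrs = {k.lower(): str(v).lower() for k, v in user.items()}
    take = toks.pop

    def peek():
        return toks[-1].lower() if toks else None

    def atom():  # "(" expr ")"  or  user.<prop> <op> "<value>"
        if peek() == "(":
            take()
            val = either()
            take()  # closing parenthesis
            return val
        prop, op, want = take()[5:].lower(), take().lower(), take().strip('"').lower()
        return OPS[op](attrs.get(prop, ""), want)

    def both():  # -and binds tighter than -or
        val = atom()
        while peek() == "-and":
            take()
            val = atom() and val  # parse the operand first, then combine
        return val

    def either():
        val = both()
        while peek() == "-or":
            take()
            val = both() or val
        return val
    return either()

def members(rule):
    """Names of the sample users the rule would add to the group."""
    return [u["name"] for u in USERS if matches(rule, u)]
```

In this model the `userPrincipalName` rule matches nobody, because a guest's UPN carries the home domain before `#EXT#` rather than after an `@`. The `user.mail` rule on its own also picks up `member-c`, which is what the added `userType -eq "Guest"` clause filters out.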