Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Group together Guest Accounts based on Dynamic Groups

Brass Contributor

Hi All,

 

Is it possible to create a dynamic Security Group within azure to automatically add every new Guest Account to this group for example to use to assign access to a Customized SharePoint Collab Landing Page for External Users or other such Tasks ? unfortunately i could not find such a Group or Option only for full Internal User Accounts.

 

Cheers

Ueli

10 Replies
best response confirmed by Ueli Zimmermann (Brass Contributor)
Solution

Yes, it's possible via the Dynamic Azure AD Groups functionality: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-a...

 

The membership rule you need is: (user.userType -eq "Guest")

Great Vasil that is exactly what i need. 

 

Cheers

Ueli

@Vasil Michevhow does the licensing for this scenario work? I thought that dynamic group members needed to have AAD P1, is there an exemption for guests?

Shhhhh, let it slide :) I'm not sure to be honest, I know that they are not enforcing the licensing requirement in code, but whether Guest users need to be licensed...

Hi Dean,

 

Its actually always the Tenant which invites the Guests requiring the correct count of Licenses regarding Azure MFA. Its a 1:5 Ratio. 

 

You need 1 User which has a AD Premium or Azure MFA License and with that you can have 5 Guest Users which are required to use MFA while accessing one of your Resources /SaaS Apps.

 

They do not have to be related to that specific User.

I hope this helps to clarify

 

Cheers

Ueli

Hi Vasil,
Thanks for the tip. We tried it out and it worked. However, anyone who might try this should be aware that each of the guest users dynamically added to the group will get a welcome email that includes the name of each group member.
Brian

Hi Brian,

 

how would it be the case that guest users in the Dynamic group would get a welcome email? In order to be dynamically added to the group the guest user would already have been invited into the tenant in order for them to have been created in Azure AD, only after being created could they be added to the dynamic group.

 

I've created a number of dynamic security groups for external users based on their UPN domain, however, adding them to SharePoint site security groups does not appear to work, the external users don't get access to the site.

 

Terry

Hi Terry,

 

By default, as each new member is dynamically added to the group, they all receive a welcome email - in this case a bunch of them at once because they were existing tenant members.

 

And for us, assigning permissions for the dynamic group to something in SharePoint worked.

 

Brian

Hi Brian,
strange, the welcome email thing has never happened with Dynamic Groups within our tenant. 

I've assigned dynamic groups with normal member accounts (not guest) and the permissions work, still haven't got this to work with Guest users though, I suspect it may be to do with the licence ration for AAD P1 member to Guest accounts, perhaps.

thanks
Terry
Hi Brian, there is indeed a welcome email. However, this can be disabled. Please see https://spodev.com/disable-welcome-email-for-microsoft-365-groups/amp/ on how to do this.

1 best response

Accepted Solutions
best response confirmed by Ueli Zimmermann (Brass Contributor)
Solution

Yes, it's possible via the Dynamic Azure AD Groups functionality: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-a...

 

The membership rule you need is: (user.userType -eq "Guest")

View solution in original post