Defining dynamic group member rules for including only external guests: which syntax is valid?




The syntax is really starting to confuse me as I thought this should work. However, I tend to work with internal users so this may not work.


(user.userPrincipalName -contains "")


My colleague reckons this is the answer


(user.usermail -contains "")


Or his latest suggestion, 

(user.userType -eq "Guest") and (user.otherMails -contains "")


Normally, I would inspect the AAD but I don't have permissions to AD on the target tenant. Anyway, would be great to stop us both arguing with a proven answer!



best response confirmed by Daniel Westerdale (Regular Contributor)

Hi @Daniel Westerdale 


The syntax we use to get all external guests is:


(user.userType -eq "Guest")


This will pick out all of the guest users in the tenant regardless of their domain. If you just want all guest users from a specific domain, then you can filter by domain with this syntax:


(user.mail -contains "")


Just tested both in my tenant and confirm either way works.


One weird bug I noticed - when assigning members via user.mail they didn't show up in the new AAD groups preview, but did in the old view.


Hope this helps,






Thanks for your reply. Yes, we changed the rule syntax first thing this morning using similar syntax to yours.


This has now populated - happy days!

(user.Mail -contains "") -AND (user.userType -eq "Guest")


This one my colleague is monitoring to see what happens... fingers crossed eh.

((user.Mail -contains "") -OR (user.Mail -contains "")) -AND (user.userType -eq "Guest")
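
An added example, not part of the thread and not Microsoft's evaluator: a small Python approximation of the rule subset used above, run over constructed users. It assumes `-contains` is a case-insensitive substring match on string properties and uses the made-up domain `partner.example` where the thread's rules show an empty string. It shows what the `userType` clause excludes and that a substring match on `user.mail` also admits `carol@partner.example.invalid`.

```python
import re

# Rule subset used in the thread: parentheses, user.<property>, -eq, -contains,
# -and, -or and double-quoted string literals.
TOK = r'\(|\)|user\.\w+|-\w+|"[^"]*"'

def evaluate(rule, user):
    if not re.fullmatch(rf'(?:\s*(?:{TOK}))*\s*', rule):
        raise ValueError("unsupported rule text")
    toks = re.findall(TOK, rule)
    # Assumptions: names and values compare case-insensitively; -contains is a substring match.
    attrs = {k.lower(): v for k, v in user.items()}
    def atom():
        if toks[0] == "(":
            toks.pop(0)
            val = or_expr()
            toks.pop(0)  # the matching ")"
            return val
        prop, op, lit = toks.pop(0)[5:].lower(), toks.pop(0).lower(), toks.pop(0)[1:-1].lower()
        have = (attrs.get(prop) or "").lower()  # a missing mail never matches
        if op not in ("-eq", "-contains"):
            raise ValueError(f"unsupported operator {op}")
        return have == lit if op == "-eq" else lit in have

    def and_expr():  # -and binds tighter than -or
        val = atom()
        while toks and toks[0].lower() == "-and":
            toks.pop(0)
            val = atom() and val  # atom() runs first so its tokens are consumed
        return val

    def or_expr():
        val = and_expr()
        while toks and toks[0].lower() == "-or":
            toks.pop(0)
            val = and_expr() or val
        return val
    return or_expr()

# Constructed sample directory: every name and domain below is made up.
USERS = [
    {"name": "alice", "userType": "Guest", "mail": "alice@partner.example"},
    {"name": "bob", "userType": "Member", "mail": "bob@partner.example"},
    {"name": "carol", "userType": "Guest", "mail": "carol@partner.example.invalid"},
    {"name": "dave", "userType": "Guest", "mail": None},
]

def members(rule):
    return [u["name"] for u in USERS if evaluate(rule, u)]
```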