Forum Discussion

Brass Contributor

Jun 06, 2018

Group together Guest Accounts based on Dynamic Groups

Hi All, Is it possible to create a dynamic Security Group within azure to automatically add every new Guest Account to this group for example to use to assign access to a Customized SharePoint Co...

Access Management

Azure Active Directory (AAD)

Identity Management

VasilMichev
Jun 06, 2018
Yes, it's possible via the Dynamic Azure AD Groups functionality: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

The membership rule you need is: (user.userType -eq "Guest")

VasilMichev

MVP

Yes, it's possible via the Dynamic Azure AD Groups functionality: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

The membership rule you need is: (user.userType -eq "Guest")

Dean_Gross

Silver Contributor

Jun 07, 2018

VasilMichevhow does the licensing for this scenario work? I thought that dynamic group members needed to have AAD P1, is there an exemption for guests?

VasilMichev
MVP
Jun 07, 2018
Shhhhh, let it slide :) I'm not sure to be honest, I know that they are not enforcing the licensing requirement in code, but whether Guest users need to be licensed...
Ueli Zimmermann
Brass Contributor
Jun 09, 2018
Hi Dean,

Its actually always the Tenant which invites the Guests requiring the correct count of Licenses regarding Azure MFA. Its a 1:5 Ratio.

You need 1 User which has a AD Premium or Azure MFA License and with that you can have 5 Guest Users which are required to use MFA while accessing one of your Resources /SaaS Apps.

They do not have to be related to that specific User.
I hope this helps to clarify

Cheers
Ueli