Is there a way to restrict access to a security group for a guest user?

Anthony Moulin 1 Reputation point
2022-09-23T08:01:04.87+00:00

I'm looking to make it impossible for a guest type user to access a security group when creating their profile.

Microsoft Entra ID

3 answers

  1. Givary-MSFT 30,931 Reputation points Microsoft Employee
    2022-09-23T09:48:52.663+00:00

    @Anthony Moulin Thank you for reaching out to us. As I understand it, you want to restrict guest type users while accessing a security group.

    Yes, there is a restricted access permission level for guest accounts where guests can't see membership of any groups. When guest access is restricted, guests can view only their own user profile. Permission to view other users isn't allowed even if the guest is searching by User Principal Name or objectId. Restricted access also restricts guest users from seeing the membership of groups they're in.

    Restricted guest permissions: In the Azure portal, they can find the list of groups they're in by searching for their object ID in the All users list, and then selecting Groups. They can see only limited details about the group, notably the object ID. By design, the Name and Email columns are blank and Group Type is Unrecognized. In the My Apps portal, they're not able to access the list of groups they own or groups they're a member of.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions#:~:text=guest%20user%20permissions.

    Let me know if you have any further questions. Please feel free to post back.


  2. Anthony Moulin 1 Reputation point
    2022-09-23T09:56:17.863+00:00

    Hello @Givary-MSFT ,

    I may not have been clear enough; what I want is to disallow adding a guest user to an Azure security group.

    Best Regards.


  3. Givary-MSFT 30,931 Reputation points Microsoft Employee
    2022-09-30T03:21:40.85+00:00

    @Anthony Moulin

    Case update. Actual ask: When creating a guest type user in my Azure AD, I want to prevent this member from being added to a specific Azure security group. Is this possible?

    To achieve this, you need to create a security group with the membership type set to dynamic (with this query: (user.userType -eq "member")), which will not have guest accounts in the group.

    Sometimes a Global admin can convert a guest account to member type; in that case, you use this filter: (user.userPrincipalName -contains "ext").

    With such a group in Azure AD, it will not let you add the guest user at the time of inviting the user; users will be added to the group automatically if the condition matches when evaluated.

    Let me know if you have any further questions; please feel free to post back.
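The dynamic group described in the last answer, created and then audited with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original thread; the display name and mail nickname are placeholders, and the `#EXT#` check assumes invited accounts kept their default user principal name.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Membership rule quoted in the answer: only accounts of type "member" qualify.
$rule = '(user.userType -eq "member")'

$params = @{
    DisplayName                   = 'SG-Members-Only'   # placeholder
    MailNickname                  = 'sg-members-only'   # placeholder
    Description                   = 'Dynamic membership; guest accounts excluded by rule'
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Audit, to run once the rule has been evaluated: report members that are
# guests, or that were invited externally and later converted to member type
# (assumption: their user principal name still carries the "#EXT#" marker).
$suspect = Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    Get-MgUser -UserId $_.Id -Property id, userPrincipalName, userType
} | Where-Object {
    $_.UserType -eq 'Guest' -or $_.UserPrincipalName -like '*#EXT#*'
}

if ($suspect) {
    $suspect | Select-Object Id, UserPrincipalName, UserType | Format-Table
} else {
    'No guest or externally invited accounts in the group.'
}
```

Members of a dynamic group cannot be added or removed by hand, so the rule is the only control that needs review; rerun the audit after any change to it.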