![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 37%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,560 questions
It is not possible at this time to configure "All Users" and "Assigned Groups" - both object types have to be set as either All or Assigned jointly.
You can accomplish this goal however by using the Sync Assigned setting, creating a dynamic "all users" group (AAD Premium P1 feature) and giving it a criteria that pulls in all members, such as users where accountEnabled equals True. You can assign that group and then filter the "all users" group object itself out via the Scoping Filters feature - creating a filter akin to "filter groups where displayName eq 'all users'" or "filter groups where objectId eq XYZ" to block the group object itself while still allowing all users inside of it to be in scope.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 1%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)