This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Does "All users" Azure AD group contains external and guest users of the tenant as well or not as we would not want to give the access or kind of visibility to those users in any way if there is chance or way?
For example: I have an application which is SSO enabled in the tenant and if I select the "All Users" group then would that allow the access to external and guest users in any way or not?
Here I am thinking from the access prevention point of view and we don't want to give access to those external users at all.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 57.00000000000001%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
It is buried here, but if you reached this topic in a quest to determine how the "All Users" group was created, then Michael Maher's comment on Andy's response is the answer that you are looking for:
Microsoft previously included a mechanism to create this group automatically, but now provides instructions on how to create the group manually instead.
There is no build-in "All Users" group in Azure. If you have that, then it was created manually.
You can check the membership to see what it includes . It may be dynamic
https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
Yeah you are right and Thanks its Dynamic security group in Azure AD and was created but we have not added any membership rule or expression to that group and I can see it includes internal and guest users added in that group.
So my understanding is that if we assign the application to this group then it would accessible to guest users as well along with internal users. am I right or wrong here?
Correct. ANyone in that group will have access.
Also I was looking for filter to get only the Dynamic security groups in AAD but it seems its not there as of yet may be this would be new feature request for existing feature/product enhancement.
So to get the view of Dynamic groups need to filter out with "Group type=security" then look for "Membership type" as Dynamic then would be able to see it.
Here is snap I can see that this group was created automatically it may be was created when tenant was provisioned but there is no exact details except date & time of creation.
That looks like someone simply added those comments to the group properties. "Auto Generated" Prob means dynamic.
But it is not because I checked on 2 different tenants and its the same details on the both tenants for this groups so to me it seems group was created automatically by system when we provision many different user account in tenant.
May be this is worth checking with Identity team from MS on this.
Sorry, there is no built in groups in Azure like that. You have to create them manually per:
I am curious now to know who has created those kind of groups in the tenant if they are not truly created automatically by system and I was thinking if we can get Audit logs for them to see who is the actual user or person in the system who has created it?
Also I saw groups audit logs but I could not go back more than 30 days which is the limitation for audit logs to see & export but definitely there would be a way via Graph API or PowerShell to get those details. So if you can share cmdlets or Graph API method would be good.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 33%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
There seems to have been a toggle switch for the creation of the 'All Users' group at some stage. The option to create this is now gone from the Azure AD portal in my tenant
