Ensure a dynamic group for guest users is created


A dynamic group is a dynamic configuration of security group membership for Azure Active Directory. Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes.

The recommended state is to create a dynamic group that includes guest accounts.


Dynamic groups allow for an automated method to assign group membership.

Guest user accounts will be automatically added to this group and through this existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Create a dynamic guest group:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Identity > Groups select All groups.

Select New group and assign the following values:

Group type: Security

Azure AD Roles can be assigned: No

Membership type: Dynamic User

Select Add dynamic query.

Above the Rule syntax text box, select Edit.

Place the following expression in the box:

(user.userType -eq 'Guest')

Select OK and Save

Using PowerShell:

Connect to Microsoft Graph using Connect-MgGraph -Scopes 'Group.ReadWrite.All'

In the script below edit DisplayName and MailNickname as needed and run:

$params = @{
DisplayName = 'Dynamic Test Group'
MailNickname = 'DynGuestUsers'
MailEnabled = $false
SecurityEnabled = $true
GroupTypes = 'DynamicMembership'
MembershipRule = '(user.userType -eq 'Guest')'
MembershipRuleProcessingState = 'On'

New-MgGroup @params

Default Value:


See Also


Item Details


References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2

Plugin: microsoft_azure

Control ID: 19ee2308a3191d9bd8e77c5375a7e293b4802cc5f1a69bf2637ce212eb590e04