CIS.M365.5.1.3.1 - Ensure a dynamic group for guest users is created
Overview
5.1.3.1 (L1) Ensure a dynamic group for guest users is created
A dynamic group is a dynamic configuration of security group membership for Microsoft Entra ID. Administrators can set rules to populate groups that are created in Entra ID based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes.
The recommended state is to create a dynamic group that includes guest accounts.
Rationale
Dynamic groups allow for an automated method to assign group membership.
Guest user accounts are added to this group automatically, so the conditional access policies, access controls and other security measures that already target the group apply to new guest accounts in the same way as to existing ones.
Remediation action:
- Navigate to Microsoft 365 Entra admin center.
- Click to expand Identity and select Groups.
- Click All groups.
- Select New group and assign the following values:
  - Group type: Security
  - Microsoft Entra roles can be assigned to the group: No
  - Membership type: Dynamic User
- Click Add dynamic query.
- Click Edit above the Rule Syntax box.
- Enter the rule: (user.userType -eq "Guest")
- Click OK and Save.
PowerShell
- Connect to Microsoft Graph using Connect-MgGraph -Scopes "Group.ReadWrite.All"
- In the script below edit DisplayName and MailNickname as needed and run:

```powershell
$params = @{
    DisplayName                   = "Dynamic Guest Group"
    MailNickname                  = "DynGuestUsers"
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = "DynamicMembership"            # membership is rule-driven
    MembershipRule                = '(user.userType -eq "Guest")'  # selects guest accounts only
    MembershipRuleProcessingState = "On"                           # evaluate the rule and populate members
}
New-MgGroup @params
```
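As an added, read-only example (not Maester's test and not code from the benchmark), the following checks whether a dynamic group whose rule selects guest users exists and is actively processing; it assumes an existing Graph session with Group.Read.All, and the function name Test-GuestDynamicGroup is hypothetical:

```powershell
# Assumes: Connect-MgGraph -Scopes "Group.Read.All" has already been run.
function Test-GuestDynamicGroup {
    param(
        [Parameter(Mandatory)]
        [object[]]$Groups   # group objects carrying GroupTypes, MembershipRule, MembershipRuleProcessingState
    )
    # Match user.userType -eq "Guest" regardless of case, spacing or quote style.
    $guestRule = '(?i)user\.userType\s+-eq\s+[''"]Guest[''"]'

    foreach ($g in $Groups) {
        $isDynamic = $g.GroupTypes -contains 'DynamicMembership'
        $rule      = [string]$g.MembershipRule
        if ($isDynamic -and $rule -match $guestRule) {
            [pscustomobject]@{
                DisplayName = $g.DisplayName
                Id          = $g.Id
                Rule        = $rule
                Processing  = $g.MembershipRuleProcessingState
                # A rule that is not "On" (for example "Paused") never updates membership,
                # so the group exists but does not satisfy the control.
                Compliant   = ($g.MembershipRuleProcessingState -eq 'On')
            }
        }
    }
}

# Request only the properties the check needs (Graph property names).
$groups = Get-MgGroup -All -Property 'id,displayName,groupTypes,membershipRule,membershipRuleProcessingState'
$found  = @(Test-GuestDynamicGroup -Groups $groups)

if ($found.Count -eq 0) {
    Write-Warning 'No dynamic group with a guest membership rule was found.'
} else {
    $found | Format-Table DisplayName, Processing, Compliant, Rule
}
```

A group listed with Compliant set to False has the right rule but its processing state is not On, so membership is not being maintained.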
Related links
- Microsoft 365 Entra admin center
- Create or update a dynamic membership group in Microsoft Entra ID
- Manage rules for dynamic membership groups in Microsoft Entra ID
- Create and manage dynamic membership groups for B2B collaboration in Microsoft Entra External ID
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 185
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.5.1.3.1 |
| Severity | Unknown |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisEnsureGuestUserDynamicGroup |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.5.1.3.1, L1, Security |
Source
- Pester test: tests/cis/Test-MtCisEnsureGuestUserDynamicGroup.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.ps1