Knowledge Base

How to exclude guest users from getting CodeTwo signatures

Problem:

Guest users in your organization’s Microsoft 365 tenant consume CodeTwo Email Signatures 365 licenses and may unintentionally receive signatures, automatic replies, and so on.

Solution:

You define the scope of licensed users (i.e. users who consume licenses and can benefit from the CodeTwo service) when registering your tenant with CodeTwo. By default, the All users option is selected, meaning all users in your Microsoft 365 tenant (including guest users) are included in this scope.

To ensure that only the desired users benefit from CodeTwo, you can create a group with dynamic membership in Entra ID and update the Scope setting in CodeTwo Admin Panel. Just replace the default All users option with the newly created group to limit the scope accordingly.

Important

To use dynamic membership rules for groups in Microsoft Entra ID, each unique user added to such groups needs to have a Microsoft Entra ID P1 license or an Intune for Education license. Note that the Microsoft Entra ID P1 license is included in Microsoft 365 E3, E5, A3, A5 and Microsoft 365 Business Premium plans. Learn more

Create a group with dynamic membership

The dynamic group membership feature allows you to create a group based on a membership rule. This rule processes users in Entra ID against conditions you specify every 24 hours. As a result, only the users who meet these conditions are included as members of the group. Learn all about the groups with dynamic membership in Entra ID

This solution not only lets you add the desired existing users to the group, but also ensures that newly onboarded users who meet the conditions are added automatically, making the solution virtually maintenance-free.

To create a group with dynamic membership to use with CodeTwo Email Signatures 365, follow these steps:

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Groups > All groups and click New group (Fig. 1.).

Adding a new group in the Microsoft Entra admin center.
Fig. 1. Adding a new group in the Microsoft Entra admin center.

  1. Configure your group as follows (Fig. 2.):
    1. Leave the default group type (Security).
    2. Name your group and (optionally) add the description.
    3. For Membership type, choose Dynamic User.
    4. Specify the owner of the group – you can choose yourself or a different admin user.
    5. Finally, click Add dynamic query to start setting up the rule which will control group membership.

Configuring the basic settings of the group.
Fig. 2. Configuring the basic settings of the group.

  1. Now, create the rule that lets only internal users become group members:
    1. Click Edit just above the Rule syntax box to open rule builder.
    2. In the pane that opens, paste the following code into the Rule syntax box and click OK (Fig. 3.):
      (user.objectId -ne null) -and (user.userType -eq "Member")

      With this rule in place, only internal users can become members of your dynamic group.
      Fig. 3. With this rule in place, only internal users can become members of your dynamic group.

    3. Your rule should look like the one shown in Fig. 4. below. Click Save to apply your changes.

      The completed rule setup.
      Fig. 4. The completed rule setup.

    Tips for configuring custom membership rules

    Group nesting is not possible for dynamic groups. To include members of different Entra ID group(s) in your dynamic group, use the memberOf property. Learn more

    If you do not want to use the ready-made code we’ve prepared for you, use the Add expression button (see Fig. 4.) and configure your own conditions.

    Learn more about the syntax of the membership rules

  2. Finally, click Create to create your group with dynamic membership. Wait up to 24 hours for the membership rule to be processed.

Once the time has elapsed, check if the group contains all the desired users. In the Microsoft Entra admin center, go to Identity > Groups > All groups, find your group on the list, and click Members in the menu on the left:

  • If the group doesn’t include all the users you want or contains too many users, click Dynamic membership rules to correct and save your membership rule (Fig. 5.). Wait for the changes to propagate (up to 24 hours).

    Accessing (and correcting) your membership rule.
    Fig. 5. Accessing (and correcting) your membership rule.

  • If everything looks correct, proceed to configure the scope of licensed users in CodeTwo Admin Panel.

As mentioned earlier, group membership is dynamic. This means any new internal user (guest users excluded) added to your organization in the future will automatically join the group and benefit from CodeTwo.

Change the scope of licensed users in CodeTwo Admin Panel

Follow these easy steps to change the default scope setting (All users) to your dynamic group:

  1. Sign in to CodeTwo Admin Panel.
  2. Select your tenant on the Tenants page.
  3. Go to Scope & region and click Change (see Fig. 6.).
  4. In the popup that opens, select Only users belonging to this group, click the Change group button and use the picker to select your newly created group with dynamic membership. The final configuration should look similar to what is shown in Fig. 6. Click OK to save the changes.

Limiting the scope of licensed users to the group with dynamic membership.
Fig. 6. Limiting the scope of licensed users to the group with dynamic membership.

With the new setting, only users belonging to the group with dynamic membership will be able to consume licenses and benefit from CodeTwo Email Signature 365. 

Next steps after changing the scope of licensed users

To ensure your email signatures are not interrupted and continue working as intended, you need to review a few other settings in CodeTwo Email Signatures 365. Take a moment to go through all the steps outlined in this article.

See also:

Was this information useful?