group-membership-management
Sync Guest-Users from Source to Destination doesn't work
Is there a limit with guest users?
I've added a guest user to one of my source groups, and after hours of waiting the user won't be synced to the target group.
Hi @dborchers-gc,
Yes, there is a limitation on adding guest users to a Unified group. It is not supported in Azure. We are working on a fix for stopping the sync (rather than it retrying that guest add again and again, even though it will never succeed). The short and long term fix for this would be either to make your destination not a Unified group or to remove any guest users from the sync.
If you run the following query within your Log Analytics resource, you will see that the sync is likely getting a ton of responses with the Graph response saying you cannot add the guest users to a Unified group as it just isn't allowed:
Log Analytics
ApplicationLog_CL
| project TimeGenerated, Message, location_s, RunId_g, TargetOfficeGroupId_g
| where Message has "Guests users are not allowed to join this Unified Group due to policy setting"
| order by TimeGenerated desc
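To see how often the rejected guest add is being retried for each destination, the same filter can be aggregated per group. This is an added example, not part of the original comment: the 7-day window is an assumed value, and the table and column names are the ones used in the query above.

```kusto
// Added example: count the guest-add rejections per destination group.
// Assumption: a 7-day lookback; adjust to the retention of your workspace.
ApplicationLog_CL
| where TimeGenerated > ago(7d)
| where Message has "Guests users are not allowed to join this Unified Group due to policy setting"
| summarize
    Failures  = count(),           // total rejected add attempts
    Runs      = dcount(RunId_g),   // distinct sync runs that hit the rejection
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by TargetOfficeGroupId_g
| order by Failures desc
```

A group whose Runs count keeps growing between FirstSeen and LastSeen is one where the sync is still retrying the same rejected add.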
Hi @danielluo-msft
Okay, I understand that the GMM can't do that, but normally adding guest users to unified groups is possible, maybe only if the guest user is already a guest account in our Azure AD, but from the Entra Admin Center I'm able to add guest users to unified groups.
Hi @dborchers-gc,
I see, well generally this issue occurs when you placed some kind of sensitivity label on a destination group that adds a policy which no longer allows guest user membership, which is on the Graph / Azure side, rather than the GMM side, limitation-wise. To test this, would you mind trying to manually add a guest user to the destination where this is failing and let me know if that goes through? (It should not as far as I'm aware since you adding in Portal is the same operation that GMM attempts to perform under the hood)
Dan