For organization unfamiliar with external sharing, it's recommended that you consult some preliminary reading on the subject, such as the articles below. We also will use this page to highlight some "gotchas" or things you may want to investigate, even for companies already using these features.

• Collaborating with people outside your organization

• Plan external collaboration with channel conversations, file collaboration, and shared apps

Excluding Guests from the All Users Security Group

Many organizations with licenses such as E3 or higher (which include Azure Premium P1) will have the ability to use Azure Dynamic (Membership) Security Groups. In these cases, Azure generates an "All Users" Security Group which dynamically updates itself as new members are added to the tenant.

By default, Microsoft 365 automatically adds Guest accounts to this list as well.

One concern some organizations may have is that Guests can also navigate and view the entire group's memberships, such as names and emails. To change this behavior, follow the steps below to remove Guests from this group. 

Below is what a Guest may see with the default settings:

Edit the Rule syntax to follow the pattern below (see https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#create-an-all-users-rule):

Once the Dynamic Group refreshes its membership, the number will update to reflect only accounts from within your organization.

Following this change, Guests will only be able to see and find Groups they are explicitly added to (assuming there are no other non-standard dynamic groups granting them access).

Below is the updated view for a Guest: