According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation, when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.
The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts. In Azure AD, internal users created within the tenant are designated with the attribute user.userType = "Member", while external or guest accounts from partner organizations have user.userType = "Guest".
To ensure only internal (Litware) users are included, the membership rule must:
- Ensure the user object exists: the check (user.objectId -ne null) confirms that the rule applies only to valid user objects.
- Include only members, excluding guests: the filter (user.userType -eq "Member") does this.
Hence, the dynamic rule that satisfies these conditions is:
(user.objectId -ne null) and (user.userType -eq "Member")
This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).
This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and the SC-300 study guide section “Implement and manage dynamic membership rules”, which states:
“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”
✅ Correct Answer:
(user.objectId -ne null) and (user.userType -eq "Member")
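As an added example (not part of the original explanation or of Microsoft's material), the following Microsoft Graph PowerShell script creates LWGroup1 with this rule and then checks that no member has a userType other than Member. It assumes the Microsoft.Graph module is installed and the signed-in account is allowed to create groups; the mail nickname is a constructed value.

```powershell
# Added example. Dynamic membership requires a Microsoft Entra ID P1 license or higher.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Single quotes keep the inner double quotes of the rule intact.
$rule = '(user.objectId -ne null) and (user.userType -eq "Member")'

# Create a security group whose membership is driven by the rule.
# The MailNickname value is constructed for this example.
$group = New-MgGroup -DisplayName 'LWGroup1' `
    -MailNickname 'LWGroup1' `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Rule evaluation is asynchronous: run the check below once processing has finished.
$members = Get-MgGroupMember -GroupId $group.Id -All

# Re-read each member with userType and collect anything that is not a Member.
$unexpected = foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,userType'
    if ($u.UserType -ne 'Member') { $u }
}

if ($unexpected) {
    $unexpected | Select-Object Id, UserPrincipalName, UserType
    Write-Warning 'LWGroup1 contains accounts whose userType is not Member.'
} else {
    Write-Output "LWGroup1: $(@($members).Count) members, all with userType Member."
}
```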