#Configure People Picker Filter Profiles

A people picker filter profile limits the users, groups, mail contacts, or Microsoft 365 tenants that can be specified in a people picker. It can be selected in a service or profile.

With a profile applied, users, groups, mail contacts, or tenants that can be specified in the people picker in requests or tasks, will be limited by filters configured in the people picker filter profile.

To access People picker filter profiles, click the People picker filter profiles card on the Profiles & templates page.

To configure people picker filter profiles, click Create on the ribbon. In the Create people picker filter profiles panel, enter a name for the profile, and you can enable the following filters:

#Enable Microsoft 365 Tenant Filters for Contacts

If you have multiple Microsoft 365 tenants, by enabling Microsoft 365 tenant filters for contacts, business users can define users from specific tenants as contacts for teams, Microsoft 365 Groups, site collections, or guest users in the following services or profiles:

• Dynamic services – Create team service – Team contact

• Dynamic services – Create Microsoft 365 Group service – Group contact

• Dynamic services – Create site collection service – Site collection contact

• Dynamic services – Change contact service (Only for Microsoft Team/Microsoft 365 Group/site collection/guest user object types)

• Dynamic services – Invite guest user service

• Modern Microsoft Team/Microsoft 365 Group/site collection automatic import profile – Require end user confirmation method – Contacts

• Modern Microsoft Team/Microsoft 365 Group/ site collection manual Import

• Modern Microsoft Team/Microsoft 365 Group/site collection/guest user renewal – Contact renewal

• Specify contacts for Microsoft Team/Microsoft 365 Group/site collection/guest user

To enable Microsoft 365 tenant filters for contacts, turn on the toggle and select the tenants that can be specified in the people picker.

#Enable User Filters

Complete the following steps to enable user filters and configure the conditions to limit users that can be specified in the people picker:

1. Turn on the toggle .

2. Click Add condition. In the Add condition panel, select one of the following condition types:

   • Users or groups – If you select this condition type, complete the following steps:

     1. Microsoft 365 tenant – Select a Microsoft 365 tenant from the drop-down list.

     2. Condition – Choose one of the following conditions:

        • Belong to – With this condition selected, any users or groups that you specified in the Users or groups field are allowed in the people picker.

        • Do not belong to – With this condition selected, any users that you specified in the Users field will be excluded from the people picker scope.

     3. Specify allowed/not allowed users or groups in the people picker to configure the condition:

        • Users or groups – With Belong to selected as the condition, enter names of users or groups (Microsoft 365 Groups, security groups, or mail-enabled security groups) to limit the people picker scope. If you set a group as the filter condition, all the group owners or members are allowed in the people picker.

        • Users – With Do not belong to selected as the condition, enter names of users to exclude from the people picker scope.

   • Microsoft Entra property – If you select this condition type, complete the following steps:

     1. Microsoft 365 tenant – Select a Microsoft 365 tenant from the drop-down list.

     2. Microsoft Entra property – Select a property from the Built-in properties drop-down list or Custom properties drop-down list.

     3. Condition – Choose one of the following conditions:

        • Matches – With this condition selected, any user whose property value conforms to your specified Property value is allowed in the people picker.

        • Does not match – With this condition selected, any user whose property value conforms to your specified Property value will be excluded from the people picker scope.

     4. Property value – Choose one of the following options to define the property value for this condition.

        • A user’s property value – Enter a username or enter $ to select a user role to specify a user. The specified user’s property value will be retrieved as the condition.

        • A specific property value – Enter the property value in the text box. Note that if you want to add multiple values, separate each value with a semicolon.

        • The workspace metadata value – Select a managed metadata from the drop-down list. The metadata value of the workspace will be retrieved as the condition.

          Note that the profile with this condition configured will only apply to the people picker fields in Manage Permissions services, Change Group/Team Settings services, and Site Collection/Group/Team renewal profiles.

   Click Save to save all your configurations, and the condition will be added to the table.

3. You can add multiple conditions to the table. If you add multiple conditions, choose one of the following options to define the logical option for these conditions:

   • Match any single condition – If you choose this option, the users who conform to any one of the conditions in the table are allowed to be specified in the people picker. If you set the user filter to match any single condition, the total amount of conditions cannot exceed seven

   • Match all conditions – If you choose this option, the users who conform to all of the conditions in the table are allowed to be specified in the people picker. If you set the user filter to match all conditions, the total amount of conditions and properties cannot exceed eight.

#Enable multitenant organization user filters

In multi‑tenant organization (MTO) environments, cross‑tenant synchronized users appear in Microsoft Entra ID as internal members, making it difficult to distinguish them from true internal users during policy enforcement. This limitation can lead to failed requests, particularly in scenarios like shared channel management, where access must comply with B2B Direct Connect domain settings.

The multitenant organization user filter enables validating users at time of selection, checking whether a user from a different domain exists as a member in your current tenant’s Microsoft Entra ID, to prevent blocked users from being submitted.

To enable the multitenant organization user filters, turn on the toggle.

This filter will only take effect on the following services and processes:

• Create shared channel service

• Change shared channel settings service

• Shared channel renewal

#Enable Group Filters

Complete the following steps to enable group filters and configure the conditions to limit groups (Microsoft 365 Groups, security groups, distribution groups, mail-enabled security groups, specified values, and Everyone except external users) that can be specified in the people picker:

1. Turn on the toggle.

2. You can choose to Block all groups or Set conditions to filter groups.

3. When you choose to set conditions, click Add condition. In the Add condition panel, select one of the following conditions:

   • Specific groups – If you select this condition, complete the following steps:

     1. Microsoft 365 tenant – Select a Microsoft 365 tenant from the drop-down list.

     2. Condition – Choose one of the following options to define the condition to limit groups:

        • Allow specific groups

        • Block specific groups

        • Name starts with

        • Name does not start with

        • Email starts with

     3. Groups/Value

        • Groups – If you choose Allow specific groups or Block specific groups as the filter condition, enter names of the group (Microsoft 365 Groups, security groups, distribution groups, or mail-enabled security groups) to limit the people picker scope. You can also enter Everyone except external users when choosing to block specific groups.

        • Value – If you choose Name starts with or Email starts with as the filter condition, enter the value manually. If you want to enter multiple values, separate each value with a semicolon.

   • Groups that the requester is a member of – If you select this condition, the requester can only specify the groups that they are a member of in the people picker.

   • Group types – If you select this condition, select the group types (Microsoft 365 Group, Distribution group, Security group, and/or Mail-enabled security group as the people picker scope) to limit the people picker scope.

   Click Save to save all your configurations, and the condition will be added to the table.

4. You can add multiple conditions to the table. If you add multiple conditions, choose one of the following options to define the logical option for these conditions:

   • Match any single condition – If you choose this option, the groups which conform to any one of the conditions in the table are allowed to be specified in the people picker.

   • Match all conditions – If you choose this option, the groups which conform to all of the conditions in the table are allowed to be specified in the people picker.

#Enable Guest Filters

Complete the following steps to enable guest filters and configure the filters to limit guest users that can be specified in the people picker:

1. Turn on the toggle .

2. You can choose to Block all guest users or Allow existing guest users.

3. If you allow existing guest users, you can enable the following advanced options for guest filters:

   • Limit existing guest users – Click Add condition. In the Add condition panel, select one of the following condition types:

     Users or groups – If you select this condition type, complete the following steps:

     1. Microsoft 365 tenant – Select a Microsoft 365 tenant from the drop-down list.

     2. Condition – Choose one of the following conditions:

        • Belong to – With this condition selected, any users or groups that you specified in the Users or groups field are allowed in the people picker.

        • Do not belong to – With this condition selected, any users that you specified in the Users field will be excluded from the people picker scope.

     3. Specify allowed/not allowed guest users or groups in the people picker to configure the condition:

        • Users or groups – With Belong to selected as the condition, enter names of guest users or groups (Microsoft 365 Groups, security groups, or mail-enabled security groups) to limit the people picker scope. If you set a group as the filter condition, all the group owners or members are allowed in the people picker.

        • Users – With Do not belong to selected as the condition, enter names of guest users to exclude from the people picker scope.

     Microsoft Entra property – If you select this condition type, complete the following steps:

     1. Microsoft 365 tenant – Select a Microsoft 365 tenant from the drop-down list.

     2. Microsoft Entra property – Select a property from the Built-in properties drop-down list or Custom properties drop-down list.

     3. Condition – Choose one of the following conditions:

        • Matches – With this condition selected, any guest user whose property value conforms to your specified Property value is allowed in the people picker.

        • Does not match – With this condition selected, any guest user whose property value conforms to your specified Property value will be excluded from the people picker scope.

     4. Property value – Choose one of the following options to define the property value for this condition.

        • A user’s property value – Enter a guest username or enter $ to select a user role to specify a guest user. The specified guest user’s property value will be retrieved as the condition.

        • A specific property value – Enter the property value in the text box. Note that if you want to add multiple values, separate each value with a semicolon.

     Click Save to save all your configurations, and the condition will be added to the table.

     You can add multiple conditions to the table. If you add multiple conditions, choose one of the following options to define the logical option for these conditions:

     • Match any single condition – If you choose this option, the guest users who conform to any one of the conditions in the table are allowed to be specified in the people picker. If you set the guest user filter to match any single condition, the total amount of conditions cannot exceed seven

     • Match all conditions – If you choose this option, the guest users who conform to all of the conditions in the table are allowed to be specified in the people picker. If you set the guest user filter to match all conditions, the total amount of conditions and properties cannot exceed eight.

   • Allow new guest users – If you select this option, new guest users who are not already in your organization’s Microsoft Entra will be allowed to be specified in the people picker.

   • Set an allow list or deny list to allow or block users from specific organizations – If you select this option, configure the allow list or deny list:

     • Allow users from specific organizations – Enter one or more domain names to add one or more organizations to the allow list. Users in your specified domains are allowed to be specified in the people picker.

     • Block users from specific organizations – Enter one or more domain names to add one or more organizations to the deny list. Users in your specified domains are not allowed to be specified in the people picker.

   NOTE

   If you want to add multiple domains, keep each domain name in a separate line.

When you finish, click Save to save all your configurations.

#Enable Mail Contact Filters

Complete the following steps to enable mail contact filters and configure the filters to limit mail contacts that can be specified in the people picker:

1. Turn on the toggle .

2. Choose whether to Allow existing mail contacts in the people picker.

3. If you allow existing mail contacts, you can choose whether to enable the Set an allow list or deny list to allow or block mail contacts from specific organizations option for mail contact filters. With this option selected, configure the allow list or deny list:

   • Allow mail contacts from specific organizations – Enter one or more domain names to add one or more organizations to the allow list. Mail contacts in your specified domains are allowed to be specified in the people picker.

   • Block mail contacts from specific organizations – Enter one or more domain names to add one or more organizations to the deny list. Mail contacts in your specified domains are not allowed to be specified in the people picker.

   NOTE

   If you want to add multiple domains, keep each domain name in a separate line.

When you finish, click Save to save all your configurations.