diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
index 6e0177b60..f6896eded 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
@@ -124,6 +124,9 @@ def setup_config(app: Flask) -> None:
 setup_database_uri(app)
 setup_logger(app)
+ if app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] == "":
+ app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] = None
+
 thread_local_data = threading.local()
 app.config["THREAD_LOCAL_DATA"] = thread_local_data
 _set_up_tenant_specific_fields_as_list_of_strings(app)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index 52126b1b5..499bc8f5f 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -93,3 +93,7 @@ ALLOW_CONFISCATING_LOCK_AFTER_SECONDS = int(
 # and store in the user table's tenant_specific_field_n columns. You can have up to three items in this
 # comma-separated list.
 TENANT_SPECIFIC_FIELDS = environ.get("TENANT_SPECIFIC_FIELDS")
+
+SPIFFWORKFLOW_DEFAULT_USER_GROUP = environ.get(
+ "SPIFFWORKFLOW_DEFAULT_USER_GROUP", default="everybody"
+)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/users_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/users_controller.py
index 5dce5b43e..c9d2e1293 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/users_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/users_controller.py
@@ -1,5 +1,6 @@
 """Users_controller."""
 import flask
+from flask import current_app
 from flask import g
 from flask import jsonify
 from flask import make_response
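Review bot: The normalisation of `SPIFFWORKFLOW_DEFAULT_USER_GROUP` from `""` to `None` quietly establishes `None` as the "no default group" sentinel that the authorization and users code in this commit branch on, but nothing at the site says so; a comment such as `# an empty value from the environment disables the default user group; None is the sentinel the services check` would make that contract explicit. The test matches only the exact empty string, so a whitespace-only value set in a deployment environment would be kept and treated as a real group identifier; consider whether `.strip() == ""` is the intended comparison. `setup_config` continues outside the hunk.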
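Review bot: The new `SPIFFWORKFLOW_DEFAULT_USER_GROUP` setting has no explanatory comment, unlike `TENANT_SPECIFIC_FIELDS` directly above it, even though it now decides which group memberships the permission sync never removes and which group is hidden from the current user's group list. A comment along the lines of `# Group every user belongs to by default; its memberships are never removed by the permissions sync. Set to an empty string to disable.` would document the behaviour the other hunks of this commit implement. The empty-string-disables behaviour depends on the normalisation added to config/__init__.py in this same commit, which is worth pointing at from here so the two stay in step.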
@@ -22,5 +23,9 @@ def user_group_list_for_current_user() -> flask.wrappers.Response:
 """User_group_list_for_current_user."""
 groups = g.user.groups
 # TODO: filter out the default group and have a way to know what is the default group
- group_identifiers = [i.identifier for i in groups if i.identifier != "everybody"]
+ group_identifiers = [
+ i.identifier
+ for i in groups
+ if i.identifier != current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
+ ]
 return make_response(jsonify(sorted(group_identifiers)), 200)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index b745e7f1f..9e5cb6cee 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -169,8 +169,11 @@ class AuthenticationService:
 iat = decoded_token["iat"]
 if iss != cls.server_url():
 valid = False
- elif aud not in (cls.client_id(), "account") and\
- aud != [cls.client_id(), "account"]:
+ # aud could be an array or a string
+ elif aud not in (cls.client_id(), "account") and aud != [
+ cls.client_id(),
+ "account",
+ ]:
 valid = False
 elif azp and azp not in (
 cls.client_id(),
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index 55b03af9f..85a06ad82 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -141,7 +141,6 @@ class AuthorizationService:
 )
 .all()
 )
-
 for permission_assignment in permission_assignments:
 if permission_assignment.grant_type == "permit":
 return True
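Review bot: The `# TODO: filter out the default group and have a way to know what is the default group` comment is now stale — the comprehension right below it does exactly that through `current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]` — and should be dropped or reworded to describe the behaviour, e.g. `# hide the configured default group (None when disabled) from the caller's group list`. The config lookup is also evaluated once per group inside the comprehension; binding it once beforehand, `default_group = current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]`, and filtering on `i.identifier != default_group` reads more clearly. When the setting is `None` no identifier equals it and every group is returned, which is presumably the intended result when the default group is disabled.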
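Review bot: The audience check still accepts a list only when it is exactly `[cls.client_id(), "account"]` in that order, so a token whose `aud` is `["account", client_id]` or `[client_id]` is rejected while a bare `"account"` string — an audience that does not name this service at all — is accepted; the reformatting and the new comment leave that asymmetry in place. Normalising the claim to a set before the `if` chain, `audiences = set(aud) if isinstance(aud, list) else {aud}`, and testing `elif not audiences & {cls.client_id(), "account"}:` applies one policy to both shapes. Whether `"account"` on its own should satisfy the audience check is a separate decision that deserves a sentence in the comment, since it lets a token issued for a different client pass this step. The enclosing validation method starts before the hunk, where `aud` is presumably read from the decoded token.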
@@ -795,13 +794,23 @@ class AuthorizationService:
 db.session.delete(ipa)
 for iutga in initial_user_to_group_assignments:
- current_user_dict: UserToGroupDict = {
- "username": iutga.user.username,
- "group_identifier": iutga.group.identifier,
- }
- if current_user_dict not in desired_user_to_group_identifiers:
- db.session.delete(iutga)
+ # do not remove users from the default user group
+ if (
+ current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] is None
+ or current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
+ != iutga.group.identifier
+ ):
+ current_user_dict: UserToGroupDict = {
+ "username": iutga.user.username,
+ "group_identifier": iutga.group.identifier,
+ }
+ if current_user_dict not in desired_user_to_group_identifiers:
+ db.session.delete(iutga)
+ # do not remove the default user group
+ desired_group_identifiers.add(
+ current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
+ )
 groups_to_delete = GroupModel.query.filter(
 GroupModel.identifier.not_in(desired_group_identifiers)
 ).all()
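Review bot: `desired_group_identifiers.add(current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"])` has no `None` guard, so when the default group is disabled (the setting is normalised to `None` elsewhere in this commit) a NULL is placed into the `GroupModel.identifier.not_in(...)` filter; in SQL a `NOT IN` list that contains NULL never evaluates true, so `groups_to_delete` comes back empty and stale groups are silently never removed. The config value is also read three times per loop iteration; binding it once before the loop and guarding the add keeps the fix small. The collapsed layout hides whether the add call sits inside the `for` loop or after it — it belongs after the loop, executed once. The enclosing method starts outside the hunk, where `desired_group_identifiers` is built.
```python
default_group = current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
for iutga in initial_user_to_group_assignments:
    # do not remove users from the default user group
    if default_group is None or default_group != iutga.group.identifier:
        # … unchanged: build current_user_dict and delete it if not desired …
# do not remove the default user group; None means no default group is configured
if default_group is not None:
    desired_group_identifiers.add(default_group)
```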