diff --git a/build/integration/features/bootstrap/FeatureContext.php b/build/integration/features/bootstrap/FeatureContext.php
index ab37556f931..ec00c790160 100644
--- a/build/integration/features/bootstrap/FeatureContext.php
+++ b/build/integration/features/bootstrap/FeatureContext.php
@@ -25,5 +25,7 @@ class FeatureContext implements Context, SnippetAcceptingContext {
 		$this->deleteServerConfig('bruteForce', 'whitelist_0');
 		$this->deleteServerConfig('bruteForce', 'whitelist_1');
 		$this->deleteServerConfig('bruteforcesettings', 'apply_allowlist_to_ratelimit');
+		$this->deleteServerConfig('core', 'shareapi_exclude_groups');
+		$this->deleteServerConfig('core', 'shareapi_exclude_groups_list');
 	}
 }
diff --git a/build/integration/features/bootstrap/ShareesContext.php b/build/integration/features/bootstrap/ShareesContext.php
index 37e0e63e547..4b31d35c933 100644
--- a/build/integration/features/bootstrap/ShareesContext.php
+++ b/build/integration/features/bootstrap/ShareesContext.php
@@ -22,5 +22,7 @@ class ShareesContext implements Context, SnippetAcceptingContext {
 		$this->deleteServerConfig('core', 'shareapi_only_share_with_group_members');
 		$this->deleteServerConfig('core', 'shareapi_allow_share_dialog_user_enumeration');
 		$this->deleteServerConfig('core', 'shareapi_allow_group_sharing');
+		$this->deleteServerConfig('core', 'shareapi_exclude_groups');
+		$this->deleteServerConfig('core', 'shareapi_exclude_groups_list');
 	}
 }
diff --git a/build/integration/features/contacts-menu.feature b/build/integration/features/contacts-menu.feature
index a3a9e0f6667..7adbba7ee78 100644
--- a/build/integration/features/contacts-menu.feature
+++ b/build/integration/features/contacts-menu.feature
@@ -71,6 +71,138 @@ Feature: contacts-menu
     And searched contact "1" is named "Test name"
     And searched contact "2" is named "user2"
 
+
+
+  Scenario: users can not be searched by display name when searcher belongs to a group excluded from sharing
+    Given user "user0" exists
+    And group "ExcludedGroup" exists
+    And user "user0" belongs to group "ExcludedGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "yes"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "ExcludedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | displayname |
+      | value | Test name |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "0" contacts
+
+  Scenario: users can not be searched by email when searcher belongs to a group excluded from sharing
+    Given user "user0" exists
+    And group "ExcludedGroup" exists
+    And user "user0" belongs to group "ExcludedGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "yes"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "ExcludedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | email |
+      | value | test@example.com |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "0" contacts
+
+  Scenario: users can not be searched by display name when searcher belongs to both a group excluded from sharing and another group
+    Given user "user0" exists
+    And group "ExcludedGroup" exists
+    And user "user0" belongs to group "ExcludedGroup"
+    And group "AnotherGroup" exists
+    And user "user0" belongs to group "AnotherGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "yes"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "ExcludedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | displayname |
+      | value | Test name |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "0" contacts
+
+  Scenario: users can not be searched by email when searcher belongs to both a group excluded from sharing and another group
+    Given user "user0" exists
+    And group "ExcludedGroup" exists
+    And user "user0" belongs to group "ExcludedGroup"
+    And group "AnotherGroup" exists
+    And user "user0" belongs to group "AnotherGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "yes"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "ExcludedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | email |
+      | value | test@example.com |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "0" contacts
+
+  Scenario: users can not be searched by display name when searcher does not belong to a group allowed to share
+    Given user "user0" exists
+    And group "AllowedGroup" exists
+    And parameter "shareapi_exclude_groups" of app "core" is set to "allow"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "AllowedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | displayname |
+      | value | Test name |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "0" contacts
+
+  Scenario: users can not be searched by email when searcher does not belong to a group allowed to share
+    Given user "user0" exists
+    And group "AllowedGroup" exists
+    And parameter "shareapi_exclude_groups" of app "core" is set to "allow"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "AllowedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | email |
+      | value | test@example.com |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "0" contacts
+
+  Scenario: users can be searched by display name when searcher belongs to both a group allowed to share and another group
+    Given user "user0" exists
+    And group "AllowedGroup" exists
+    And user "user0" belongs to group "AllowedGroup"
+    And group "AnotherGroup" exists
+    And user "user0" belongs to group "AnotherGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "allow"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "AllowedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | displayname |
+      | value | Test name |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "1" contacts
+    And searched contact "0" is named "Test name"
+
+  Scenario: users can be searched by email when searcher belongs to both a group allowed to share and another group
+    Given user "user0" exists
+    And group "AllowedGroup" exists
+    And user "user0" belongs to group "AllowedGroup"
+    And group "AnotherGroup" exists
+    And user "user0" belongs to group "AnotherGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "allow"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "AllowedGroup"
+    And user "user1" exists
+    And As an "admin"
+    And sending "PUT" to "/cloud/users/user1" with
+      | key | email |
+      | value | test@example.com |
+    When Logging in using web as "user0"
+    And searching for contacts matching with "test"
+    Then the list of searched contacts has "1" contacts
+    And searched contact "0" is named "user1"
+
+
+
   Scenario: users can not be found by display name if visibility is private
     Given user "user0" exists
     And user "user1" exists
diff --git a/build/integration/sharees_features/sharees.feature b/build/integration/sharees_features/sharees.feature
index 4ff6d70cc53..bcfca9dbee4 100644
--- a/build/integration/sharees_features/sharees.feature
+++ b/build/integration/sharees_features/sharees.feature
@@ -117,6 +117,81 @@ Feature: sharees
     And "exact remotes" sharees returned is empty
     And "remotes" sharees returned is empty
 
+  Scenario: Search when belonging to a group excluded from sharing
+    Given As an "test"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "yes"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "ShareeGroup"
+    When getting sharees for
+      | search | sharee |
+      | itemType | file |
+    Then the OCS status code should be "100"
+    And the HTTP status code should be "200"
+    And "exact users" sharees returned is empty
+    And "users" sharees returned is empty
+    And "exact groups" sharees returned is empty
+    And "groups" sharees returned is empty
+    And "exact remotes" sharees returned is empty
+    And "remotes" sharees returned is empty
+
+  Scenario: Search when belonging to both a group excluded from sharing and another group
+    Given As an "test"
+    And group "AnotherGroup" exists
+    And user "test" belongs to group "AnotherGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "yes"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "ShareeGroup"
+    When getting sharees for
+      | search | sharee |
+      | itemType | file |
+    Then the OCS status code should be "100"
+    And the HTTP status code should be "200"
+    And "exact users" sharees returned is empty
+    And "users" sharees returned are
+      | Sharee1 | 0 | Sharee1 | Sharee1 |
+      | Sharee2 | 0 | Sharee2 | sharee2@system.com |
+    And "exact groups" sharees returned is empty
+    And "groups" sharees returned are
+      | ShareeGroup | 1 | ShareeGroup |
+    And "exact remotes" sharees returned is empty
+    And "remotes" sharees returned is empty
+
+  Scenario: Search when not belonging to a group allowed to share
+    Given As an "test"
+    And group "AnotherGroup" exists
+    And parameter "shareapi_exclude_groups" of app "core" is set to "allow"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "AnotherGroup"
+    When getting sharees for
+      | search | sharee |
+      | itemType | file |
+    Then the OCS status code should be "100"
+    And the HTTP status code should be "200"
+    And "exact users" sharees returned is empty
+    And "users" sharees returned is empty
+    And "exact groups" sharees returned is empty
+    And "groups" sharees returned is empty
+    And "exact remotes" sharees returned is empty
+    And "remotes" sharees returned is empty
+
+  Scenario: Search when belonging to both a group allowed to share and another group
+    Given As an "test"
+    And group "AnotherGroup" exists
+    And user "test" belongs to group "AnotherGroup"
+    And parameter "shareapi_exclude_groups" of app "core" is set to "allow"
+    And parameter "shareapi_exclude_groups_list" of app "core" is set to "AnotherGroup"
+    When getting sharees for
+      | search | sharee |
+     | itemType | file |
+    Then the OCS status code should be "100"
+    And the HTTP status code should be "200"
+    And "exact users" sharees returned is empty
+    And "users" sharees returned are
+      | Sharee1 | 0 | Sharee1 | Sharee1 |
+      | Sharee2 | 0 | Sharee2 | sharee2@system.com |
+    And "exact groups" sharees returned is empty
+    And "groups" sharees returned are
+      | ShareeGroup | 1 | ShareeGroup |
+    And "exact remotes" sharees returned is empty
+    And "remotes" sharees returned is empty
+
   Scenario: Search without exact match no iteration allowed
     Given As an "test"
     And parameter "shareapi_allow_share_dialog_user_enumeration" of app "core" is set to "no"