Friday, August 11, 2017

Office 365 – You can now manage domain guest access for Groups

Guest Domain Access for O365


An update is being rolled out to let you manage allowed/blocked domains for guest access to Office 365 Groups.
After allowing guest access to Groups, Microsoft now helps securing this access by allowing administrators to define a list of allowed/blocked domains.
This feature is not available (yet?) using the Office 365 administration portal but with PowerShell.
This functionality is using Azure AD policy feature

Important Points

  • When using this functionality, you can not define both options. This means any domains not listed as allowed, will then be blocked and vice versa
  • Only one policy per tenant
  • This is a different list than the one used for SharePoint Online sharing; you will be able to import the existing SPO list but after you will have to manage it separately
  • This does not apply to guests already members of an Office 365 Groups; only new guest will have the policy applied

How to use

Install the prerequisites

The PowerShell command to set the domain allow/block list for Office 365 Groups guest access is using the preview modules of Azure Active Directory PowerShell modules.
  • You must use Azure AD PowerShell Preview – at least version 2.0.0.98 – you can get Azure AD PowerShell Preview using the following procedure
    • Run a PowerShell command prompt using the runadadministrator and check the installed Azure AD PS module installed with the command Get-Module -ListAvailable AzureAD*
image
  • If you get a version different than 2.0.0.98 (or later), you need to uninstall your current version with the command Uninstall-Module AzureAD
image
  • If you have no result or after uninstalling the previous version run the command Install-Module AzureADPreview to install the required preview module; you may be prompted to trust the repository to download the module
image

Configure the domains list

Once you have the required module installed, you can use the script available https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da#bkmk_script to manage the domains list.
Once you have saved the script you can then use it to add/update/remove/import the domains list
  • Create the allow/block domain list Set-GuestAllowBlockDomainPolicy.ps1 -Update –AllowList / –BlockList @("domain1.com", "domain2.com") – this command can be used to overwrite an existing list
  • Import the existing list from SharePoint Online Set-GuestAllowBlockDomainPolicy.ps1 –MigrateFromSharepoint: don’t forget after this import you will have to manage it separately
  • Add a domain to the existing list Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList / –BlockList @("domain3.com")
  • Or finally remove the policy with Set-GuestAllowBlockDomainPolicy.ps1 –Remove
Unfortunately there is not (yet?) a way to get the existing list or remove one domain; if you want to remove one domain you need to overwrite the list with the domain(s) you want to remove not included
Reference: Benoit Hamet 
Posted by at
Reactions: 
Labels: , , ,
Subscribe to: Post Comments (Atom)