
Sahil Arora (Microsoft)
Aug 02, 2017

New Feature Announcement: PowerShell support of Allow/Block guest access based on Domain list

We are happy to announce the worldwide roll-out of Allow/Block list support for guest access in O365 Groups. With this feature, IT Admins can set up a list of domains to

  • Allow guest users of specific domains to be invited to Groups.
  • Block guest users of specific domains from being invited to Groups.

 

This policy can currently be set up through PowerShell; support through the UI is coming soon. We have provided a user-friendly script below to set up the allow/block list for your tenant.

 

This policy works for all workloads with guest access through O365 Groups, such as Outlook, Teams & Planner in future. It works independently of SPO settings, but we have provided support to

  • Migrate SPO allow/block list to O365 Groups

 

Here is the link to the detailed documentation & script to set this policy: https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da

 

Feel free to reach out if you have any feedback or questions!

 

We will be supporting this functionality in OAC (Office Admin Portal) through a user interface soon.

 

Thanks,

Sahil

  • Rob Ellis (Bronze Contributor)
    I'm trying to use this script, but initially I was getting an error for line 325, about an invalid parameter -InformationAction - so I removed that parameter.

    Running:

    Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com")

    I now get:

    Setting AllowedDomainList for B2BManagementPolicy
    New-AzureADPolicy : Error occurred while executing NewPolicy
    Code: Request_BadRequest
    Message: One or more properties contains invalid values.
    InnerError:
    RequestId: f7c9e44f-ffac-4f2a-8ff2-627ce077bd15
    DateTimeStamp: Thu, 18 Jan 2018 14:57:19 GMT
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At C:\users\XXXXX\Downloads\PowerShell\365Groups\Set-GuestAllowBlockDomainPolicy.ps1:325 char:5
    + New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-AzureADPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewPolicy


    New AzureAD Policy:
    Cannot index into a null array.

    Any thoughts please?
    • Prabhakar Sastry (Brass Contributor)

      Hi,

       

      I've tried executing this script and I'm also getting the same error message, any update on how to resolve?

      Setting AllowedDomainList for B2BManagementPolicy
      New-AzureADPolicy : Error occurred while executing NewPolicy
      Code: Request_BadRequest
      Message: One or more properties contains invalid values.
      InnerError:
        RequestId: 3dbe4560-e2e7-47dd-9b46-f66ff31132da
        DateTimeStamp: Mon, 29 Jan 2018 05:12:32 GMT
      HttpStatusCode: BadRequest
      HttpStatusDescription: Bad Request
      HttpResponseStatus: Completed
      At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:325 char:5
      +     New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy  ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [New-AzureADPolicy], ApiException
          + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewPolicy


      New AzureAD Policy:
      Cannot index into a null array.
      At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:330 char:1
      + PrintAllowBlockedList $currentpolicy.Definition[0];
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
          + FullyQualifiedErrorId : NullArray

      • Rob Ellis (Bronze Contributor)
        I had a support case open with MS, and they found that it was because I was using PowerShell 4 (on Windows 7) - I updated to PowerShell 5, and the script then ran fine.
  • -- Article about the script ---

     

    Microsoft has launched a new external sharing policy for groups that allows tenants to set allow and block lists for domains. The new policy is due for use with Teams, Planner, and other applications that need to block external users from specific domains. It's a step along the path to getting full external access for Office 365 apps.
    https://www.petri.com/external-access-policy-groups-teams-planner

  • Question: The page says:

    This list doesn’t apply to already added guest members, this will be enforced for all the guests added after the list is set-up. However, you can remove them through the script.

    That's fine - but I see no way to remove existing guest users from group memberships in the script. Am I missing something?
  • Not to be disrespectful here, I really appreciate the update. But how about providing UI settings, or at least a "regular people" version of the cmdlets? I mean seriously, have you received at least one positive feedback item on the usability of these cmdlets? It takes a 300-page script to just change a setting, c'mon.

     

    And why are half the settings controlled via "settings" and the other half via "policies"? The same thing that's used for token expiration settings, that will surely help reduce confusion...

    • TonyRedmond (MVP)

      To be fair to Microsoft, this step:

       

      1. Moves block/allow lists into an AAD policy rather than introducing a dependency on a base workload (like SharePoint or Exchange).
      2. Uses a policy that is available to all group-enabled applications - which is why it is right to use a separate policy rather than adding it to the Groups AAD policy. That's in line with creating a common external access mechanism for all Office 365 apps (as I argue for in https://www.petri.com/common-external-access-office-365).

      Also, if you strip things away, you can get to 

      Update an existing policy:

      New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true -InformationAction Ignore | Out-Null

      Create a new policy:

      Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Out-Null

       

      Most of the code in the script is error handling or software setup, which is what you'd expect in any utility written by Microsoft... Now, my scripts would be a lot simpler, but they'd have no error handling!
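The announcement above describes setting the allow/block list through PowerShell, and the reply above reduces the Microsoft script to its two cmdlet calls. What follows is an added example, not the announcement's script or Tony's code: it builds the B2BManagementPolicy definition from an allow or block list, picks update versus create depending on whether the tenant already has a B2BManagementPolicy, and reads the policy back before indexing into Definition, which is the point where the "Cannot index into a null array" failure reported in this thread occurs when the create call has failed. Assumptions: the JSON shape (B2BManagementPolicy / InvitationsAllowedAndBlockedDomainsPolicy / AllowedDomains / BlockedDomains) follows the documented format, a policy carries either an allow list or a block list but not both, and an existing policy is located by its Type. The function and parameter names are this example's own.

```powershell
#Requires -Version 5.0
# Added example (not the Microsoft script). The thread reports the original script failing under
# PowerShell 4 and working under 5, so the version requirement is stated up front.
# Needs the AzureAD module and an existing Connect-AzureAD session for the Set-* function.

function New-GuestDomainPolicyDefinition {
    # Builds the -Definition value (an array holding one JSON string) for B2BManagementPolicy.
    # Assumption: a policy has either AllowedDomains or BlockedDomains populated, not both.
    [CmdletBinding()]
    param(
        [string[]]$AllowList = @(),
        [string[]]$BlockList = @()
    )
    if ($AllowList.Count -gt 0 -and $BlockList.Count -gt 0) {
        throw 'Specify either -AllowList or -BlockList, not both.'
    }
    # Normalise: trim, lower-case, drop blanks, de-duplicate, and reject anything that is not a bare domain.
    $clean = {
        param([string[]]$Domains)
        $Domains | ForEach-Object { $_.Trim().ToLowerInvariant() } |
            Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
                if ($_ -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') { throw "Not a valid domain name: $_" }
                $_
            }
    }
    $body = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = @{
                AllowedDomains = @(& $clean $AllowList)
                BlockedDomains = @(& $clean $BlockList)
            }
        }
    }
    # New-AzureADPolicy / Set-AzureADPolicy take -Definition as a list of JSON strings.
    return @($body | ConvertTo-Json -Depth 5 -Compress)
}

function Set-GuestDomainPolicy {
    # Creates the org-default B2BManagementPolicy if none exists, otherwise updates it in place,
    # then reads it back and returns the lists that are actually applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$AllowList = @(),
        [string[]]$BlockList = @()
    )
    $definition = New-GuestDomainPolicyDefinition -AllowList $AllowList -BlockList $BlockList

    # Assumption: the tenant's policy is identified by Type (Get-AzureADPolicy lists all policies).
    $existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
    if ($existing) {
        if ($PSCmdlet.ShouldProcess($existing.Id, 'Update B2BManagementPolicy')) {
            Set-AzureADPolicy -Id $existing.Id -Definition $definition | Out-Null
        }
    } else {
        if ($PSCmdlet.ShouldProcess('tenant', 'Create B2BManagementPolicy')) {
            New-AzureADPolicy -Definition $definition -DisplayName B2BManagementPolicy `
                -Type B2BManagementPolicy -IsOrganizationDefault $true | Out-Null
        }
    }

    # Read back before touching Definition[0]. If the create call failed (Request_BadRequest in the
    # thread), there is no policy to index, so fail with a clear message instead of a NullArray error.
    $policy = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
    if (-not $policy -or -not $policy.Definition) {
        throw 'B2BManagementPolicy was not created or updated; check the New-/Set-AzureADPolicy error above.'
    }
    $applied = ($policy.Definition[0] | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    [pscustomobject]@{
        PolicyId       = $policy.Id
        AllowedDomains = @($applied.AllowedDomains)
        BlockedDomains = @($applied.BlockedDomains)
    }
}

# Offline check of the definition builder (no tenant needed); domain names are constructed samples:
New-GuestDomainPolicyDefinition -AllowList ' Contoso.com ', 'fabrikam.com', 'contoso.com'
# Against a tenant, preview first, then apply:
#   Set-GuestDomainPolicy -BlockList 'example.com' -WhatIf
#   Set-GuestDomainPolicy -BlockList 'example.com'
```

The offline call at the bottom shows the normalisation: the three inputs collapse to two lower-cased, trimmed entries in AllowedDomains and an empty BlockedDomains array. Running `Set-GuestDomainPolicy` with `-WhatIf` is the cheap way to confirm which branch (create or update) the tenant will take before any policy is written.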

    • Sahil Arora (Microsoft)

      Hi Vasil, 

      1. UI support is in the pipeline and we are targeting to have that soon.

      2. I hope you have seen the script here, but to clarify: we understand the Azure Policy JSON argument can be difficult for normal people, but if you look at the script, it does the job of converting the parameters to JSON; you just need to pass parameters. Also, this script works as a cmdlet if you run it in a session, so in a way it's very easy to run this script if you save it locally and run it as a cmdlet.

       

      For the second message, I will definitely pass the feedback to update the Set-AzureADPolicy cmdlet.

      • VasilMichev (MVP)

        Yes, but you do realize that many organizations have strict policies around running scripts, unsigned at that? Heck, I've even seen complaints about having to download the AzureAD module from "non-MS" source such as the PowerShell Gallery, but that's another story. In any case, I need to go over all the 300+ lines of the script to make sure I understand what it does, before I run it. And I'm pretty much forced to do that, because the only examples I can find on how to actually run the cmdlet and which parameters to use are in that script.

         

        Don't get me wrong, I really appreciate you providing a solution to this problem. My main complaint is usability, you could've easily made a cmdlet available that accepts the allow/block domain parameter and handles the JSON conversion internally. And that's a general complaint about pretty much every operation handled by the AzureAD module. Forcing us to work with ObjectIDs, JSON and whatnot is simply not cool. You should not be providing a solution that's convenient to you as programmers, but to the end users. If it's not in UI form, at least make it as easy as passing a simple parameter.

    • VasilMichev (MVP)

      At the very least, can you please update the New/Set-AzureADPolicy cmdlet help to include examples on how to configure this. Perhaps also referencing the JSON helper functions from the example script, so that normal people can work with it.
