Dhiran Gajjar
Iron Contributor
Sep 10, 2019

Blocked domain in Teams

Hi, 

 

We are currently testing restricting access to Teams to specific domains, and if I add a domain (for example, domain.com) to the blocked list in the Teams admin settings, I can, as a team owner, still invite a user from that domain. I was expecting the behaviour to say the domain is blocked as part of your organisation setting.

  • Hello Dhiran Gajjar 

     

    I opened a ticket with Office 365 Support about the problem of controlling public domain access to Teams.

     

    Answer: 
    Can we control access to Teams chat by external domain list access?

    Can we control access to Teams channel by external domain list access?

    For both of the above scenarios, the federation settings would apply. You can restrict access to a specific domain, but that will be restricted for all users, and not based on Teams or Channels.

    If we add a domain to the block list, can a guest with this UPN name connect to a Teams channel?

    How can we block access to a Teams channel from free public domains (yahoo, gmail, etc.)?

    For this, we don’t have the option in Teams. However, we might be able to achieve it via Azure/O365 groups.

    You can create a new Allow or Block list policy.

    You can refer to this article for the same:
    https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-group-access-to-office-365-groups

    Important information about how block lists work:

    This feature is currently only in Preview and as part of an Office 365 license.
    You can create either an Allow list or Block list. But you can't set up both types of lists. By default, whatever domains are not in an Allow list are on a Block list, and vice versa.
    You can create only one policy per organization. You can update that policy with more domains, or you can delete that policy to create a new one.
    This list works independently from the SPO allow/block list. You would need to set up an Allow/Block list for SPO if you want to restrict individual file sharing of a Group-connected site.
    This list doesn't apply to already added guest members; it will be enforced for all the guests added after the list is set up. However, you can remove them through the script.
    Hope this helps.

     

    I'm not testing this policy in production now. I hope to use these steps in the next phase of the Office 365 project.
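
The support answer above says the allow/block list is not applied to guests who were already added. As an added example (not from the thread or from Microsoft's documentation), this PowerShell checks a guest list against one list type and reports the guests to review; the function names, sample UPNs and the `contoso` tenant are constructed, and it assumes the `local_domain#EXT#@tenant` guest UPN form and exact domain matching.

```powershell
# Added example: audit existing guests against a domain allow or block list.
# Function names, sample UPNs and the contoso tenant are constructed.
function Get-GuestHomeDomain {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Assumed guest UPN form: local_domain.tld#EXT#@tenant.onmicrosoft.com
    $marker = $UserPrincipalName.IndexOf('#EXT#', [StringComparison]::OrdinalIgnoreCase)
    if ($marker -lt 0) { return $null }              # not a guest-style UPN
    $encoded = $UserPrincipalName.Substring(0, $marker)
    $split = $encoded.LastIndexOf('_')               # the last '_' replaced '@'
    if ($split -lt 1 -or $split -eq $encoded.Length - 1) { return $null }
    return $encoded.Substring($split + 1).ToLowerInvariant()
}

function Find-NonCompliantGuest {
    param(
        [Parameter(Mandatory)][object[]]$Guests,
        [string[]]$AllowedDomains = @(),
        [string[]]$BlockedDomains = @()
    )
    if ($AllowedDomains.Count -gt 0 -and $BlockedDomains.Count -gt 0) {
        throw 'Use an allow list or a block list, not both.'
    }
    foreach ($guest in $Guests) {
        $domain = Get-GuestHomeDomain -UserPrincipalName $guest.UserPrincipalName
        if (-not $domain) {
            $status = 'Review'                       # could not derive a domain
        } elseif ($AllowedDomains.Count -gt 0) {
            # Exact, case-insensitive match; subdomains are not expanded here.
            if ($AllowedDomains -contains $domain) { continue }
            $status = 'NotOnAllowList'
        } else {
            if ($BlockedDomains -notcontains $domain) { continue }
            $status = 'OnBlockList'
        }
        [pscustomobject]@{
            UserPrincipalName = $guest.UserPrincipalName
            Domain            = $domain
            Status            = $status
        }
    }
}

# Constructed sample data: two consumer-domain guests, one partner guest.
$guests = @(
    [pscustomobject]@{ UserPrincipalName = 'first.last_gmail.com#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'j_smith_partner.example#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'ops_yahoo.com#EXT#@contoso.onmicrosoft.com' }
)
Find-NonCompliantGuest -Guests $guests -BlockedDomains 'gmail.com', 'yahoo.com' | Format-Table -AutoSize
```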


    • Dhiran Gajjar
      Iron Contributor

      Oleg_Kovalenko - thank you for the reply.

       

      We managed to get the approved domain list loaded in Azure and enabled external sharing for Teams. This now allows us to stop users from inviting users from non-approved domains, which was our goal.

       

      The link you provided was useful for the PowerShell scripts, so thanks again. 

      • Montreal_IT_Don
        Copper Contributor
        Hello Dhiran Gajjar,

        I've tried following the link Oleg has provided but it looks like it has expired now.

        Could you share how you were able to accomplish this?

        Thanks,
