New Feature Announcement: PowerShell support of Allow/Block guest access based on Domain list

Microsoft

We are happy to announce the worldwide roll-out of Allow/Block list support for guest access in O365 Groups. With this feature, IT Admins can set up a list of domains to

  • Allow guest users of specific domains to be invited to Groups.
  • Block guest users of specific domains to be invited to Groups.

This policy currently can be set up through PowerShell and is coming soon through the UI. We have provided a user-friendly script below to set up the allow/block list for your tenant.

This policy works for all workloads with Guest access through O365 Groups such as Outlook, Teams & Planner in future. This works independently of SPO settings, but we have provided support to

  • Migrate SPO allow/block list to O365 Groups

Here is the link to the detailed documentation & script to set this policy: https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da

Feel free to reach out if you have any feedback or questions!

We will be supporting this functionality in OAC (Office Admin Portal) through the user interface soon.


Thanks,

Sahil

23 Replies

Not to be disrespectful here, I really appreciate the update. But how about providing UI settings, or at least a "regular people" version of the cmdlets? I mean seriously, have you received at least one positive feedback item on the usability of these cmdlets? It takes a 300-page script to just change a setting, c'mon.

And why are half the settings controlled via "settings" and the other half via "policies"? The same thing that's used for token expiration settings, that will surely help reduce confusion...

At the very least, can you please update the New/Set-AzureADPolicy cmdlet help to include examples on how to configure this. Perhaps also referencing the JSON helper functions from the example script, so that normal people can work with it.

Hi Vasil, 

1. UI support is in the pipeline and we are targeting to have that soon.

2. I hope you have seen the script here, but to clarify: we understand the Azure Policy JSON argument can be difficult for normal people, but if you look at the script, it does the job of converting the parameters to JSON; you just need to pass parameters. This script also works as a cmdlet if you run it in a session, so in a way it's very easy to run if you save the script locally and run it as a cmdlet.

For the second message, I will definitely pass on the feedback to update the Set-AzureADPolicy help.

To be fair to Microsoft, this step:


  1. Moves block/allow lists into an AAD policy rather than introducing a dependency on a base workload (like SharePoint or Exchange).
  2. Uses a policy that is available to all group-enabled applications - which is why it is right to use a separate policy rather than adding it to the Groups AAD policy. That's in line with creating a common external access mechanism for all Office 365 apps (as I argue for in https://www.petri.com/common-external-access-office-365).

Also, if you strip things away, you can get to:

Update an existing policy:

New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true -InformationAction Ignore | Out-Null

Create a new policy:

Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Out-Null


Most of the code in the script is error handling or software setup, which is what you'd expect in any utility written by Microsoft... Now, my scripts would be a lot simpler, but they'd have no error handling!

BTW, I agree with Vasil that if you provide a PowerShell cmdlet to update policies etc., please hide all the JSON formatting crap behind the scenes so that "normal people" (let's define these folk as people who don't have the time or the inclination to mess around with JSON when they just want to update a setting - life is too short). Parameters like this should be simple strings like a list of domain names. For some unfathomable reason, Microsoft engineers working on Office 365 seem to love obfuscating simple things with JSON and GUIDs... Very strange!
BTW, is there any reason why the script is not signed by Microsoft? Running unverified scripts is not a habit that we should encourage, even if the script comes from Microsoft...
Question: The page says:

This list doesn’t apply to already added guest members, this will be enforced for all the guests added after the list is set-up. However, you can remove them through the script.

That's fine - but I see no way to remove existing guest users from group memberships in the script. Am I missing something?

Yes, but you do realize that many organizations have strict policies around running scripts, unsigned at that? Heck, I've even seen complaints about having to download the AzureAD module from "non-MS" source such as the PowerShell Gallery, but that's another story. In any case, I need to go over all the 300+ lines of the script to make sure I understand what it does, before I run it. And I'm pretty much forced to do that, because the only examples I can find on how to actually run the cmdlet and which parameters to use are in that script.


Don't get me wrong, I really appreciate you providing a solution to this problem. My main complaint is usability, you could've easily made a cmdlet available that accepts the allow/block domain parameter and handles the JSON conversion internally. And that's a general complaint about pretty much every operation handled by the AzureAD module. Forcing us to work with ObjectIDs, JSON and whatnot is simply not cool. You should not be providing a solution that's convenient to you as programmers, but to the end users. If it's not in UI form, at least make it as easy as passing a simple parameter.
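The stripped-down New/Set calls quoted earlier in the thread, and the request for a cmdlet that takes a plain domain list and does the JSON conversion internally, as an added example that is not the announcement's script or Microsoft's code: a small wrapper that builds the B2BManagementPolicy definition from -AllowList/-BlockList parameters, creates or updates the policy, and reads it back for verification. The function name Set-GuestDomainPolicy is made up; it assumes the AzureAD module is loaded with an existing Connect-AzureAD session, and the JSON key names follow Microsoft's documented B2BManagementPolicy definition.

```powershell
# Added example: a wrapper that takes plain domain lists and builds the policy
# JSON itself. Function name is made up; assumes the AzureAD module is loaded
# and Connect-AzureAD has already been run. The key names follow Microsoft's
# documented B2BManagementPolicy definition.
function Set-GuestDomainPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$AllowList = @(),
        [string[]]$BlockList = @()
    )

    # Keep the policy to one mode so the intent stays unambiguous: an allow list
    # is the tighter control, a block list only excludes what is named.
    if ($AllowList.Count -gt 0 -and $BlockList.Count -gt 0) {
        throw 'Specify either -AllowList or -BlockList, not both.'
    }

    # Build the definition from a hashtable; -Depth must cover all nesting levels
    # or ConvertTo-Json silently flattens the inner objects to strings.
    $definition = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = @{
                AllowedDomains = @($AllowList)
                BlockedDomains = @($BlockList)
            }
        }
    } | ConvertTo-Json -Depth 4 -Compress

    # -Definition takes a string array, so wrap the single JSON document.
    $policyValue = @($definition)

    # Update an existing B2BManagementPolicy in place; otherwise create one.
    $current = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
    if ($null -eq $current) {
        if ($PSCmdlet.ShouldProcess('B2BManagementPolicy', 'Create')) {
            New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy `
                -Type B2BManagementPolicy -IsOrganizationDefault $true | Out-Null
        }
    } elseif ($PSCmdlet.ShouldProcess($current.Id, 'Update')) {
        Set-AzureADPolicy -Definition $policyValue -Id $current.Id | Out-Null
    }

    # Read the policy back so the effective lists can be verified and logged.
    (Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }).Definition |
        ConvertFrom-Json
}

# Constructed example: admit guests only from these two domains.
Set-GuestDomainPolicy -AllowList 'contoso.com', 'fabrikam.com'
```

Run with -WhatIf first to see whether the wrapper would create or update, without touching the tenant.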

It's always a good idea to check scripts downloaded from the internet to get an understanding of what they do :) Anyway, we should already be accustomed to new features coming with a large sense of 'pioneering' when it comes to management. For example, with Groups settings administration you still need to jump through some hoops to create/update settings objects, and the new licensing cmdlets in AzureAD - especially when disabling features - are not the most intuitive. A cmdlet/script not only takes away all those details for admins, it also means less opportunity for error.

Thanks for your feedback! This is a representative script for IT admins to use as a reference while crafting their own based on their organization's requirements. It is not a downloadable script. The downloadable link will be provided to you in a few days, and it will be signed by Microsoft.

Great. The signed version will reassure many customers.

Thanks @Sahil Arora. Can you please also take note of the feedback we (and many others!) have left over the past year or so about the "usability" of the AzureAD module, and if possible take steps to reduce the dependence on "programmer notations" for future releases.

-- Article about the script ---

Microsoft has launched a new external sharing policy for groups that allows tenants to set allow and block lists for domains. The new policy is due for use with Teams, Planner, and other applications that need to block external users from specific domains. It's a step along the path to getting full external access for Office 365 apps.
https://www.petri.com/external-access-policy-groups-teams-planner

I'm trying to use this script, but initially I was getting an error for line 325, about an invalid parameter -InformationAction - so I removed that parameter.

Running:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com")

I now get:

Setting AllowedDomainList for B2BManagementPolicy
New-AzureADPolicy : Error occurred while executing NewPolicy
Code: Request_BadRequest
Message: One or more properties contains invalid values.
InnerError:
RequestId: f7c9e44f-ffac-4f2a-8ff2-627ce077bd15
DateTimeStamp: Thu, 18 Jan 2018 14:57:19 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\users\XXXXX\Downloads\PowerShell\365Groups\Set-GuestAllowBlockDomainPolicy.ps1:325 char:5
+ New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADPolicy], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.New
Policy


New AzureAD Policy:
Cannot index into a null array.

Any thoughts please?

Hi,


I've tried executing this script and I'm also getting the same error message, any update on how to resolve?

Setting AllowedDomainList for B2BManagementPolicy
New-AzureADPolicy : Error occurred while executing NewPolicy
Code: Request_BadRequest
Message: One or more properties contains invalid values.
InnerError:
  RequestId: 3dbe4560-e2e7-47dd-9b46-f66ff31132da
  DateTimeStamp: Mon, 29 Jan 2018 05:12:32 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:325 char:5
+     New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.New
   Policy


New AzureAD Policy:
Cannot index into a null array.
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:330 char:1
+ PrintAllowBlockedList $currentpolicy.Definition[0];
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

I had a support case open with MS, and they found that it was because I was using PowerShell 4 (on Windows 7) - I updated to PowerShell 5, and the script then ran fine.

Hi Rob,

Thank you for the information, I've got PS 5 and now getting a different error message.

Setting AllowedDomainList for B2BManagementPolicy
New-AzureADPolicy : Cannot bind argument to parameter 'Definition' because it is an empty collection.
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:325 char:35
+     New-AzureADPolicy -Definition @policyValue -DisplayName B2BManage ...
+                                   ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [New-AzureADPolicy], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyCollectionNotAllowed,Microsoft.Open.MSGraphBeta.PowerShell.NewPolicy
New AzureAD Policy:
Cannot index into a null array.
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:330 char:1
+ PrintAllowBlockedList $currentpolicy.Definition[0];
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray