Aug 01 2017 11:30 PM - edited Aug 01 2017 11:31 PM
We are happy to announce the worldwide roll-out of Allow/Block list support for guest access in O365 Groups. With this feature, IT Admins can set up a list of domains to
This policy currently can be set up through PowerShell & coming soon through UI. We have provided a user-friendly script below to set up the allow/block list for your tenant.
This policy works for all workloads with Guest access through O365 Groups such as Outlook, Teams & Planner in future. This works independently of SPO settings but we have provided support to
Here is the link to the detailed documentation & script to set this policy: https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da
Feel free to reach out if you have any feedback and questions!
We will be supporting this functionality in OAC(Office Admin Portal) through user interface soon.
Thanks,
Sahil
Aug 02 2017 12:13 AM
Not to be disrespectful here, I really appreciate the update. But how about providing UI settings, or at least a "regular people" version of the cmdlets? I mean seriously, have you received at least one positive feedback item on the usability of these cmdlets? It takes a 300-page script to just change a setting, c'mon.
And why are half the settings controlled via "settings" and the other half via "policies"? The same thing that's used for token expiration settings, that will surely help reduce confusion...
Aug 02 2017 12:21 AM
At the very least, can you please update the New/Set-AzureADPolicy cmdlet help to include examples on how to configure this. Perhaps also referencing the JSON helper functions from the example script, so that normal people can work with it.
Aug 02 2017 12:29 AM
Hi Vasil,
1. UI support is in the pipeline and we are targeting to have that soon.
2. I hope you have seen the script here, but to clarify: we understand the Azure Policy JSON argument can be difficult for normal people, but if you see the script, the script does the job of converting the parameters to JSON; you just need to pass parameters. Also, this script works as a cmdlet if you run it in a session, so in a way it's very easy to run this script if you save it locally and run it as a cmdlet.
For the second message, I will definitely pass the feedback to update the Set-AzureADPolicy help.
Aug 02 2017 12:30 AM
To be fair to Microsoft, this step:
Also, if you strip things away, you can get to
Update an existing policy:
New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true -InformationAction Ignore | Out-Null
Create a new policy:
Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Out-Null
Most of the code in the script is error handling or software setup, which is what you'd expect in any utility written by Microsoft... Now, my scripts would be a lot simpler, but they'd have no error handling!
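A trimmed-down version of that create-or-update logic, added here as an example rather than code from the post or from Microsoft's script. It assumes an existing Connect-AzureAD session and that the B2BManagementPolicy JSON shape used below (InvitationsAllowedAndBlockedDomainsPolicy with AllowedDomains/BlockedDomains) matches Microsoft's documented definition; it builds the JSON with ConvertTo-Json instead of hand-escaped strings and refuses to call New-AzureADPolicy with an empty definition, the failure reported later in this thread.

```powershell
# Added example, not the script from the post or Microsoft's own code.
# Assumes Connect-AzureAD has already been run and that the definition
# schema below matches Microsoft's documented B2BManagementPolicy JSON.
param(
    [string[]]$AllowedDomains = @('contoso.com', 'fabrikam.com'),
    [string[]]$BlockedDomains = @()
)

# Assumption: the service enforces one list at a time, so reject both.
if ($AllowedDomains.Count -gt 0 -and $BlockedDomains.Count -gt 0) {
    throw 'Specify either an allow list or a block list, not both.'
}

# Build the definition as an object and let ConvertTo-Json do the quoting;
# -Depth is required or the nested arrays are flattened to strings.
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = @($AllowedDomains)
            BlockedDomains = @($BlockedDomains)
        }
    }
}
$policyValue = @(($definition | ConvertTo-Json -Depth 5 -Compress))

# New-AzureADPolicy rejects an empty -Definition collection, which is what
# happens when the variable is splatted with '@' instead of expanded with '$'.
if ($policyValue.Count -eq 0 -or [string]::IsNullOrWhiteSpace($policyValue[0])) {
    throw 'Policy definition is empty; refusing to call New-AzureADPolicy.'
}

$currentPolicy = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }

if ($null -eq $currentPolicy) {
    # No tenant policy yet: create it as the organization default.
    New-AzureADPolicy -Definition $policyValue -DisplayName 'B2BManagementPolicy' `
        -Type 'B2BManagementPolicy' -IsOrganizationDefault $true | Out-Null
} else {
    # Policy exists: replace its definition in place.
    Set-AzureADPolicy -Definition $policyValue -Id $currentPolicy.Id | Out-Null
}

# Read back what is now enforced for guest invitations, as a post-change check.
$applied = (Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }).Definition[0] |
    ConvertFrom-Json
$applied.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
```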
Aug 02 2017 01:04 AM
Yes, but you do realize that many organizations have strict policies around running scripts, unsigned at that? Heck, I've even seen complaints about having to download the AzureAD module from "non-MS" source such as the PowerShell Gallery, but that's another story. In any case, I need to go over all the 300+ lines of the script to make sure I understand what it does, before I run it. And I'm pretty much forced to do that, because the only examples I can find on how to actually run the cmdlet and which parameters to use are in that script.
Don't get me wrong, I really appreciate you providing a solution to this problem. My main complaint is usability, you could've easily made a cmdlet available that accepts the allow/block domain parameter and handles the JSON conversion internally. And that's a general complaint about pretty much every operation handled by the AzureAD module. Forcing us to work with ObjectIDs, JSON and whatnot is simply not cool. You should not be providing a solution that's convenient to you as programmers, but to the end users. If it's not in UI form, at least make it as easy as passing a simple parameter.
Aug 02 2017 04:41 AM - edited Aug 02 2017 04:45 AM
It's always a good idea to check scripts downloaded from the internet to get an understanding of what they do :) Anyway, we should already be accustomed to new features coming with a large sense of 'pioneering' when it comes to management. For example, with Groups settings administration you still need to jump through some hoops to create/update settings objects, and the new licensing cmdlets in AzureAD - especially when disabling features - are not the most intuitive. A cmdlet/script not only takes away all those details for admins, it also means fewer opportunities for error.
Aug 02 2017 12:33 PM
Thanks for your feedback! This is a representative script for IT admins to use as a reference while crafting their own based on their organization requirements. It is not a downloadable script. The downloadable link will be provided to you in a few days, which will be signed by Microsoft.
Aug 02 2017 11:44 PM
Here is the download link to the script, signed by Microsoft:
https://www.microsoft.com/en-us/download/details.aspx?id=55709
Aug 02 2017 11:58 PM
Great. The signed version will reassure many customers.
Aug 03 2017 12:03 AM
Thanks @Sahil Arora. Can you please also take a note of the feedback we (and many others!) have left over the past year or so about the "usability" of the AzureAD module, and if possible take steps to reduce the dependence on "programmer notations" for future releases.
Aug 03 2017 06:08 AM
--- Article about the script ---
Microsoft has launched a new external sharing policy for groups that allows tenants to set allow and block lists for domains. The new policy is due for use with Teams, Planner, and other applications that need to block external users from specific domains. It's a step along the path to getting full external access for Office 365 apps.
https://www.petri.com/external-access-policy-groups-teams-planner
Jan 28 2018 09:43 PM
Hi,
I've tried executing this script and I'm also getting the same error message, any update on how to resolve?
Setting AllowedDomainList for B2BManagementPolicy
New-AzureADPolicy : Error occurred while executing NewPolicy
Code: Request_BadRequest
Message: One or more properties contains invalid values.
InnerError:
RequestId: 3dbe4560-e2e7-47dd-9b46-f66ff31132da
DateTimeStamp: Mon, 29 Jan 2018 05:12:32 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:325 char:5
+ New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADPolicy], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewPolicy
New AzureAD Policy:
Cannot index into a null array.
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:330 char:1
+ PrintAllowBlockedList $currentpolicy.Definition[0];
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
Jan 29 2018 08:46 AM
Hi Rob,
Thank you for the information, I've got PS 5 and now getting a different error message.
Setting AllowedDomainList for B2BManagementPolicy
New-AzureADPolicy : Cannot bind argument to parameter 'Definition' because it is an empty collection.
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:325 char:35
+ New-AzureADPolicy -Definition @policyValue -DisplayName B2BManage ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [New-AzureADPolicy], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyCollectionNotAllowed,Microsoft.Open.MSGraphBeta.PowerShell.NewPolicy
New AzureAD Policy:
Cannot index into a null array.
At D:\dlp\Set-GuestAllowBlockDomainPolicy.ps1:330 char:1
+ PrintAllowBlockedList $currentpolicy.Definition[0];
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
Jan 29 2018 09:26 AM
Adding @Sarat Subramaniam for troubleshooting help.