SOLVED

Blocked domain in Teams


Hi, 

 

We are currently testing restricting access to Teams to specific domains. If I add a domain (for example, domain.com) to the blocked list in the Teams admin settings, I can, as a team owner, still invite a user from that domain. I was expecting the behaviour to say the domain is blocked as part of your organisation settings. 

6 Replies

Hi,

 

I think that you added the blocked domain in the External Access section. That will block your users from federating with users in that domain, i.e., chatting and calling directly to/from them.

 

For Guest access (inviting external users to your Team) you can't block per domain (as far as I know), but there is a UserVoice request for this.

https://microsoftteams.uservoice.com/forums/555103-public/suggestions/34883527-restrict-guest-access...

best response confirmed by Dhiran Gajjar (Iron Contributor)
Solution

Hello @Dhiran Gajjar 

 

I opened a ticket with Office 365 Support about the problem of controlling public-domain access to Teams.

 

Answer: 
Can we control access to Teams chat by external domain list access?

Can we control access to Teams channel by external domain list access?

For both of the above scenarios, the federation settings would apply. You can restrict access to a specific domain, but that will be restricted for all users, and not based on Teams or Channels.

If we add a domain to the block list, can a guest with this UPN still connect to a Teams channel?

How can we block access to Teams channels from free public domains (yahoo, gmail, etc.)?

For this, we don’t have the option in Teams. However, we might be able to achieve it via Azure/O365 groups.

You can create a new Allow or Block list policy.

You can refer to this article for the same:
https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-group-access-to-offic...

Important information about how block lists work:

This feature is currently only in Preview and is part of an Office 365 license.
You can create either an Allow list or a Block list, but you can't set up both types of lists. By default, whatever domains are not in an Allow list are on a Block list, and vice versa.
You can create only one policy per organization. You can update that policy with more domains, or you can delete that policy to create a new one.
This list works independently from the SPO allow/block list. You would need to set up an Allow/Block list for SPO if you want to restrict individual file sharing of a Group-connected site.
This list doesn't apply to already-added guest members; it will be enforced for all guests added after the list is set up. However, you can remove them through the script.
Hope this helps.

 

I'm not testing this policy in production now. I hope to use these steps in the next phase of our Office 365 project. 
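As an added example (not part of this thread or the linked Microsoft article), the following PowerShell shows the allow/block list policy the support answer describes being created with the AzureADPreview module, read back for verification, and then, because the answer notes the list is not retroactive, a sweep for guests already in the tenant whose home domain the new policy would reject, together with the groups (Teams) they belong to. The domain names are placeholders, `$apply` is a hypothetical dry-run switch, and the JSON shape of the `B2BManagementPolicy` definition is as I recall it from the article linked above; check it against that page before relying on it.

```powershell
# Added example, not from the original thread. Requires the AzureADPreview module
# (Install-Module AzureADPreview) and an account with Global Administrator rights.
Connect-AzureAD

# --- 1. Create an ALLOW list: only guests from these domains may be added to
# Office 365 Groups / Teams. Use "BlockedDomains" instead of "AllowedDomains" for
# a block list; only one kind of list, and only one B2BManagementPolicy, can exist.
$allowedDomains = @("partner-one.example", "partner-two.example")   # placeholders

# Definition shape as recalled from the linked Microsoft article (assumption).
$policyDefinition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = $allowedDomains
        }
    }
} | ConvertTo-Json -Depth 5 -Compress

# New-AzureADPolicy takes -Definition as an array of JSON strings. Update in place
# if a policy already exists, since the tenant allows only one.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($policyDefinition)
} else {
    New-AzureADPolicy -Definition @($policyDefinition) `
        -DisplayName "B2BManagementPolicy" -Type "B2BManagementPolicy" -IsOrganizationDefault $true
}

# --- 2. Verify what is actually stored in the tenant.
Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" } |
    Select-Object DisplayName, IsOrganizationDefault, @{ n = "Definition"; e = { $_.Definition -join "" } }

# --- 3. The policy is not retroactive: list guests already present whose home
# domain is not on the allow list, with every group they are a member of.
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true
$offending = foreach ($g in $guests) {
    # Guest UPNs look like alice_partner.example#EXT#@tenant.onmicrosoft.com;
    # the Mail attribute carries the real external address, so take the domain from it.
    $domain = (($g.Mail -split "@")[-1]).ToLower()
    if ($domain -and ($allowedDomains -notcontains $domain)) {
        $groups = Get-AzureADUserMembership -ObjectId $g.ObjectId |
            Where-Object { $_.ObjectType -eq "Group" }
        foreach ($grp in $groups) {
            [pscustomobject]@{
                Guest   = $g.Mail
                Domain  = $domain
                Group   = $grp.DisplayName
                GroupId = $grp.ObjectId
                GuestId = $g.ObjectId
            }
        }
    }
}
$offending | Format-Table -AutoSize

# --- 4. Remove those guests from the groups. Dry run by default; set $apply = $true
# after reviewing the table above. (Hypothetical switch, not a cmdlet parameter.)
$apply = $false
foreach ($row in $offending) {
    if ($apply) {
        Remove-AzureADGroupMember -ObjectId $row.GroupId -MemberId $row.GuestId
    } else {
        Write-Host "Would remove $($row.Guest) from group '$($row.Group)'"
    }
}
```

Removing a guest from a group only revokes that membership; the guest object itself stays in the directory, so run the sweep again after the policy is in place to confirm nothing new slipped in through a path the list does not cover (the answer above points out the SharePoint Online allow/block list is separate).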

@Oleg Kovalenko - thank you for the reply. 

 

We managed to get the approved domain list loaded in Azure and enabled external sharing for Teams. This now stops users from inviting users from non-approved domains, which was our goal. 

 

The link you provided was useful for the PowerShell scripts, so thanks again. 

Hello @Dhiran Gajjar,

I've tried following the link Oleg has provided but it looks like it has expired now.

Could you share how you were able to accomplish this?

Thanks,

@Montreal_IT_Don - trying to remember something that I downloaded 4 years ago, but this is the closest script from around that timeframe that I have. I hope this helps. 

 

# Connect to the SharePoint Online admin endpoint (replace <yourhost> with your tenant name).
Connect-SPOService -Url https://<yourhost>-admin.SharePoint.com 

# CSV with a "Site URL" column listing the Teams-connected sites to change; deduplicate the URLs.
$allsites = Import-Csv C:\temp\ExternalUsers.csv | Select-Object -Property "Site URL" -Unique

foreach ($site in $allsites) {

    Write-Host "Enabling external access on $($site.'Site URL')"
    # ExternalUserSharingOnly: external users must sign in; anonymous "anyone" links are not allowed.
    Set-SPOSite -Identity $site.'Site URL' -SharingCapability ExternalUserSharingOnly
    # Only site owners (not members) may invite external users.
    Set-SPOSite -Identity $site.'Site URL' -DisableSharingForNonOwners

}
# To disable external sharing on a site entirely:
#   Set-SPOSite -Identity $siteCollectionURL -SharingCapability Disabled

 

Thank you very much, I really appreciate this.

I'll go with this and customize it so I can test it in my sandbox environment.