We can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources.
You can use an allow list or a deny list to allow or block invitations to B2B users from specific organizations. For example, if you want to block personal email address domains, you can set up a deny list that contains domains like Gmail.com and Outlook.com. Or, if your business has a partnership with other businesses like Contoso.com, Fabrikam.com, and Litware.com, and you want to restrict invitations to only these organizations, you can add Contoso.com, Fabrikam.com, and Litware.com to your allow list.
Important considerations
- You can create either an allow list or a deny list. You can't set up both types of lists. By default, whatever domains are not in the allow list are on the deny list, and vice versa.
- You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one.
- This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or deny list for OneDrive for Business and SharePoint Online. For more information, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
- This list does not apply to external users who have already redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the invitation will fail.
Before you begin, make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. By default, all users and admins can invite guests.
Instead of keeping the default configuration, it is recommended to review these settings and configure them according to your organization's security policies to prevent certain types of users or admins from inviting guests.
To find out how to view and set these policies, see Enable B2B external collaboration and manage who can invite guests.
In our org, we don't allow normal users to invite guests, and we have collaboration restrictions to allow invitations only to specified domains. These specific domains must go through an internal approval process.
If a user tries to invite a user (eswar@eskonr.com) and eskonr.com is not whitelisted, the invitation will fail to send.
As you see below, we opted for "Allow invitations only to the specified domains (most restrictive)", and we have many domains added to our Azure portal for B2B collaboration.
With the domain list growing, our security team wants to have the list of all domains that are whitelisted. I started looking for a manual way to select the list of all domains and copy them, but the portal doesn't allow me to select all; the only option is to select and copy one domain at a time.
So I started exploring a PowerShell script to automate this. This request is going to come again and again, so it is better to spend some time preparing a script and keep it ready for when it is asked for.
Here is the simple PowerShell script (a bad way of writing it) to get all whitelisted domains in Azure AD.
#Get the full path of this script
$scriptpath = $MyInvocation.MyCommand.Path
#Get the directory where the script is stored
$dir = Split-Path $scriptpath
#Get the current date and time for the file name
$date = (get-date -f dd-MM-yyyy-hhmmss)
#Set the file name to store the output
$Outfile = "$dir\Whitelisteddomains-"+$date+".csv"
#Connect to Azure AD (assumes the AzureADPreview module is installed)
Connect-AzureAD
#Get the definition (a JSON string) of the B2B management policy
$data = (Get-AzureADPolicy | ? {$_.DisplayName -eq "B2BManagementPolicy" } | select definition)
#Mark every double quote with the placeholder \"" so it can be stripped later
$defs = $data.Definition.Replace('"',"\""""")
#Keep only the text between the first [ and the next ] (the domain array)
$allowedDomains = $defs.Substring($defs.indexof("[")+1)
$allowedDomains = $allowedDomains.Substring(0,$allowedDomains.IndexOf("]"))
#Strip the placeholders so the output is a plain comma-separated list of domains
$allowedDomains.Replace("\""""","") | out-file $Outfile -Force
Save the script to a location and run it.
On the PC where you run this script, make sure you have the AzureADPreview module installed. Why preview? Because the Get-AzureADPolicy cmdlet is still in preview and not in the AzureAD module.
When you run the script, it prompts for authentication and follows conditional access (if you have any) before you connect to Azure portal.
Once you pass the authentication, you will see a file named whitelisteddomains-date.csv.
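For a security review, a one-row-per-domain export is easier to diff and audit than a single comma-separated line. The following is an added example, not the author's script or Microsoft's code: it parses the policy definition as JSON, covers both the allow list and the deny list, removes duplicates, and flags personal email domains. The function name `ConvertFrom-B2BPolicyDefinition`, the `Personal` column, the default personal-domain list and the sample definition are assumptions made for illustration.

```powershell
# Added example: turn a B2BManagementPolicy definition into one row per domain.
function ConvertFrom-B2BPolicyDefinition {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Definition,
        # Personal email domains to flag for review (constructed sample list)
        [string[]]$PersonalDomains = @('gmail.com', 'outlook.com')
    )
    foreach ($json in $Definition) {
        $lists = ($json | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
        if (-not $lists) { Write-Warning 'No allow/deny list in this definition.'; continue }
        foreach ($type in 'AllowedDomains', 'BlockedDomains') {
            # Normalise case and whitespace, then drop empties and duplicates
            $domains = @($lists.$type) | Where-Object { $_ } |
                ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique
            foreach ($d in $domains) {
                [pscustomobject]@{
                    ListType = $type
                    Domain   = $d
                    Personal = $PersonalDomains -contains $d
                }
            }
        }
    }
}

# Constructed sample definition, same shape as the policy the script above reads
$sample = '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"AllowedDomains":["Contoso.com","fabrikam.com","litware.com","contoso.com","Gmail.com"]}}}'

$rows = ConvertFrom-B2BPolicyDefinition -Definition $sample
$rows | Format-Table -AutoSize

# Against the tenant (after Connect-AzureAD), feed the real definition instead:
# $policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq 'B2BManagementPolicy' }
# ConvertFrom-B2BPolicyDefinition -Definition $policy.Definition |
#     Export-Csv -Path .\Whitelisteddomains.csv -NoTypeInformation
```

Rows with `Personal` set to True are allow-list entries worth re-checking against the internal approval process, since any holder of an address in such a domain can be invited.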
References:
Azure Active Directory B2B Documentation https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/b2b/?view=azuremgmtcdn-fluent-1.0.0
Allow or block invitations to B2B users from specific organizations https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/b2b/allow-deny-list?view=azuremgmtcdn-fluent-1.0.0
Hope it helps!
7 Comments
Thank you for this!
Thanks Eswar, that helped me a lot 🙂
One comment to your script: in the very last line (–Force), this one is not a normal dash but an en-dash. One has to change it to this -Force, otherwise there is an error while running.
Thanks Adam, the post is updated.
Regards,
Eswar
Hi Eswar, thank you for helping to get to the properties. Looking over the Azure AD Policy object, those properties are in JSON format, so a super easy way to get them out would be like this:
$B2BPolicy = (Get-AzureADPolicy -All:$true | Where-Object {$_.DisplayName -eq "B2BManagementPolicy" })
($B2BPolicy.definition | convertfrom-json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains
Should give you a list of email domains that are open to B2B....
Hi Bob,
Thanks for the update. That looks super easy to get the information.
Regards,
Eswar
This is great stuff. Do you know how you can easily update the allowed domains?
Hi Andrew,
Allowed domains can also be done using a PowerShell script, but I don't have a ready-made script available now; I will add it to my to-do list.
Thanks,
Eswar