An update is being rolled out to let you manage allowed/blocked domains for guest access to Office 365 Groups.
After opening Groups to guest access, Microsoft now helps secure that access by letting administrators define a list of allowed or blocked domains.
This feature is not (yet?) available in the Office 365 administration portal; it is managed with PowerShell.
This functionality relies on the Azure AD policy feature. A few things to note:
- You cannot use both options at once: with an allow list, any domain not listed is blocked; with a block list, any domain not listed is allowed
- Only one policy per tenant
- This list is separate from the one used for SharePoint Online sharing; you can import the existing SPO list, but afterwards you will have to manage the two lists separately
- This does not apply to guests who are already members of an Office 365 Group; the policy applies only to new guests
How to use
Install the prerequisites
The PowerShell command that sets the domain allow/block list for Office 365 Groups guest access uses the preview version of the Azure Active Directory PowerShell module.
- You must use Azure AD PowerShell Preview (at least version 126.96.36.199); you can get it with the following procedure
- Open a PowerShell prompt with Run as administrator and check the installed Azure AD PowerShell module with the command Get-Module -ListAvailable AzureAD*
- If the version shown is not 188.8.131.52 (or later), uninstall your current version with the command Uninstall-Module AzureAD
- If nothing is listed, or after uninstalling the previous version, run the command Install-Module AzureADPreview to install the required preview module; you may be prompted to trust the repository before the module is downloaded
Configure the domains list
Once the required module is installed, you can use the script available at https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da#bkmk_script to manage the domain list.
Once you have saved the script, you can use it to add, update, remove or import the domain list:
- Create the allow/block domain list: Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("domain1.com", "domain2.com") (or -BlockList instead of -AllowList); this command can also be used to overwrite an existing list
- Import the existing list from SharePoint Online: Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint; don't forget that after this import you will have to manage the two lists separately
- Add a domain to the existing list: Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("domain3.com") (or -BlockList)
- Or finally remove the policy: Set-GuestAllowBlockDomainPolicy.ps1 -Remove
Unfortunately there is not (yet?) a way to read back the existing list or to remove a single domain; to remove one domain you must overwrite the whole list with -Update, leaving out the domain(s) you want removed.
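Since the script cannot read the current list back, a practical way to handle the "remove one domain" case is to keep a local copy of the list you last applied and rebuild the overwrite from it. The wrapper below is an added example (not part of the original post or of Microsoft's script); it assumes Set-GuestAllowBlockDomainPolicy.ps1 sits in the current directory and that guest-domains.json is a locally maintained file of the form {"Mode":"Allow","Domains":["partner1.com","partner2.com"]}.

```powershell
# Added example, not Microsoft's code. Assumes the TechNet script is saved locally and
# that guest-domains.json is your own record of the list last pushed to the tenant.
$ScriptPath = '.\Set-GuestAllowBlockDomainPolicy.ps1'
$ListFile   = '.\guest-domains.json'

function Get-LocalGuestDomainList {
    if (-not (Test-Path $ListFile)) {
        throw "Local list $ListFile not found; create it from the list you last applied."
    }
    Get-Content -Raw $ListFile | ConvertFrom-Json
}

function Remove-GuestDomainFromPolicy {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [switch]$Force   # required to push an empty list
    )
    if ($Domain -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
        throw "'$Domain' does not look like a valid domain name."
    }

    $list = Get-LocalGuestDomainList
    if ($list.Mode -notin 'Allow', 'Block') {
        throw "Mode must be 'Allow' or 'Block'; the policy supports only one of them."
    }

    # -ne is case-insensitive in PowerShell, so Partner2.com matches partner2.com
    $remaining = @($list.Domains | Where-Object { $_ -ne $Domain })
    if ($remaining.Count -eq @($list.Domains).Count) {
        throw "'$Domain' is not in the local $($list.Mode) list; nothing to do."
    }
    if ($remaining.Count -eq 0 -and -not $Force) {
        throw "Removing '$Domain' leaves an empty list; re-run with -Force if that is intended."
    }

    # The script only supports overwriting, so push the full remaining list with -Update.
    if ($list.Mode -eq 'Allow') { & $ScriptPath -Update -AllowList $remaining }
    else                        { & $ScriptPath -Update -BlockList $remaining }

    # Record the change locally only after the overwrite has been issued.
    $list.Domains = $remaining
    $list | ConvertTo-Json | Set-Content $ListFile
    Write-Host "Overwrote $($list.Mode) list without '$Domain'; remaining: $($remaining -join ', ')"
}

# Usage (hypothetical domain): Remove-GuestDomainFromPolicy -Domain 'partner2.com'
```

Keep guest-domains.json under version control or otherwise protected, since it is the only record of what the tenant policy currently contains.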