How to Create an Azure AD B2B Collaboration Policy

Deny Guests from Some Domains or Use an Allow List

The ability for applications to use Azure B2B collaboration to add guest users is governed by external collaboration settings, aka the Azure AD B2B collaboration policy. The settings are available through the External identities section of the Azure AD admin center, where they are found under Collaboration restrictions (Figure 1).

Azure AD B2B Collaboration Policy Settings
Figure 1: Azure AD External Collaboration Settings

Three options are available:

  • Allow guest accounts from any external domain. This is the default.
  • Deny access to guest accounts from specified domains (deny list).
  • Allow access only to guest accounts from specified domains (allow list).

An allow or deny list can contain up to 60 domains. You can only choose one or the other and cannot have some domains in a deny list and others in an allow list.

In my case, I use the middle approach to block guest accounts from certain domains. For instance, these might be domains belonging to direct competitors or domains used for consumer rather than business purposes. In Figure 1, you can see that I’ve decided to block access to guests with and email addresses.

Azure AD Blocks Bad Guests

Azure AD applies the block rather than applications. For example, in Figure 2, I’ve tried to add a new guest account to Teams, which doesn’t object when I enter to identify the guest. The block descends when Teams tries to add the new guest account to Azure AD. The “Something went wrong” is an uncertain error, but it should be enough for the administrator to know what’s going on when they learn where the guest comes from. OWA doesn’t object to the email address for a new guest but is no more definite in its error (Figure 3). Again, this is because the application fails to create a new guest account in Azure AD.

Teams can't add a new guest account because Azure AD blocks the attempt
Figure 1: Teams can’t add a new guest account because Azure AD blocks the attempt

OWA runs into the same problem when a group owner attempts to add a new guest account
Figure 3: OWA runs into the same problem when a group owner attempts to add a new guest account

Knowing What Domains Guests Come From

Before going ahead to update your external collaboration settings, it’s a good idea to understand where current guest accounts come from. This code scans down through guest accounts found in Azure AD to capture details of each user’s home domain. It then populates a hash table with the domain information to create a count for each, followed by sorting in descending order to discover the most popular domains:

$Domains = [System.Collections.Generic.List[Object]]::new()
$Guests = (Get-AzureADUser -Filter "UserType eq 'Guest'" -All $True| Select Displayname, UserPrincipalName, Mail, ObjectId | Sort DisplayName)
ForEach ($Guest in $Guests) {
   $Domain = ($Guest.UserPrincipalName.Split("#EXT#")[0]).Split("_")[1]
$DomainsCount = @{}
$Domains = $Domains | Sort
$Domains | ForEach {$DomainsCount[$_]++}
$DomainsCount = $DomainsCount.GetEnumerator() | Sort -Property Value -Descending

Name                           Value
----                           -----                  59                    11                      6                    5                      4                  4

Now you know what domains are actively in use, you can decide which you might like to ban. Remember that putting a domain on the deny list stops only the creation of new guest accounts. Existing guest accounts remain in the membership of groups and teams. If you want to purge accounts from unwanted domains, you need to find the groups (teams) with guest members and examine each guest to decide if they can stay or be removed. It’s easy enough to find guests from banned domains with PowerShell, or so the saying goes…

The Office 365 for IT Pros eBook is packed full of practical information like this. Learn from the pros by subscribing to Office 365 for IT Pros and receive monthly updates during your subscription period.

6 Replies to “How to Create an Azure AD B2B Collaboration Policy”

  1. Hi Tony, I think the above helps with restricting outbound Guest invitations from your tenant. Is there anyway to restrict which domains our users can accept inbound Guest invitations from too? Thanks, Ryan.

    1. Nope. The only control is for inbound guests. Right now, it’s an acknowledged weakness of the Azure AD collaboration model that tenant admins have zero control over what their users do in other tenants.

      1. Thanks for confirming. Please share if you ever hear of this being changed 👍

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.