How to Find Guest Accounts Blocked by the Azure AD B2B Collaboration Policy

Blocking Guests We Don’t Want to Collaborate With

In an earlier post, I cover the basics of creating an Azure AD B2B collaboration policy for a Microsoft 365 tenant. This policy allows the tenant to define a deny list of domains they do not want guest accounts to come from or an allow list to define a restrictive set of domains they’re willing to accept guests from. In my experience, most tenants use a deny list. Once implemented, any attempt to add a new guest account from one of the blocked domains will fail. This happens for applications like Teams and Outlook, and administrative interfaces like the Azure AD admin center (Figure 1).

Figure 1: The Azure AD admin center stops an administrator adding a new guest from a blocked domain

The policy works well and no new guest users from banned domains can be added. However, it does nothing to stop existing guests from those domains continuing to work within your tenant. Microsoft doesn’t have a facility to check for problem guest users, but it’s relatively easy to do with PowerShell.

The Find Bad Guests Script

We’ve posted a new script called FindBadGuestsFromBlockedDomains.PS1 in the Office 365 for IT Pros GitHub repository. The script works as follows:

  • Read the Azure AD B2B Collaboration policy to find if any domains are banned. If some are, we continue.
  • Find the set of Microsoft 365 Groups (including Teams) with guest members.
  • Examine the membership of each group to check if any of the guests come from banned domains.
  • Report the results.
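The four steps above, as an added PowerShell example written for this post (it is not the FindBadGuestsFromBlockedDomains.PS1 script from the GitHub repository). It assumes an existing Connect-AzureAD session, the AzureAD module cmdlets, the JSON layout of the B2B management policy definition shown in the comments, and the CSV path used later in this post.

```powershell
# Added example, not the Office 365 for IT Pros script. Assumes Connect-AzureAD has
# already been run with rights to read policies, groups and users.

# Step 1: read the B2B collaboration policy and pull out its blocked domains.
# Assumed definition layout: B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.BlockedDomains
$Policy = Get-AzureADPolicy -All $true | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
if (-not $Policy) { Write-Host 'No B2B collaboration policy found'; return }
$Definition = $Policy.Definition | ConvertFrom-Json
$BlockedDomains = @($Definition.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.BlockedDomains |
    ForEach-Object { $_.ToLower() })
if ($BlockedDomains.Count -eq 0) { Write-Host 'Policy blocks no domains, nothing to check'; return }

# Helper (assumed name): the domain a guest really comes from. Mail is normally populated;
# if not, parse the "user_domain.com#EXT#@tenant.onmicrosoft.com" form of the guest UPN.
function Get-GuestDomain ($Guest) {
    if ($Guest.Mail) { return ($Guest.Mail.Split('@')[-1]).ToLower() }
    $Local = $Guest.UserPrincipalName.Split('#')[0]              # user_domain.com
    return ($Local.Substring($Local.LastIndexOf('_') + 1)).ToLower()
}

# Step 2: the set of Microsoft 365 Groups (Teams are Microsoft 365 Groups too).
$Groups = Get-AzureADMSGroup -All $true -Filter "groupTypes/any(c:c eq 'Unified')"

# Step 3: examine each group's guest members and match their domain against the block list.
$Report = [System.Collections.Generic.List[Object]]::new()
foreach ($Group in $Groups) {
    $Guests = Get-AzureADGroupMember -ObjectId $Group.Id -All $true |
        Where-Object { $_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest' }
    foreach ($Guest in $Guests) {
        $Domain = Get-GuestDomain $Guest
        if ($BlockedDomains -contains $Domain) {
            $Report.Add([PSCustomObject]@{
                'Guest Email' = $Guest.Mail
                'Domain'      = $Domain
                'Group'       = $Group.DisplayName
                'ObjectId'    = $Guest.ObjectId })   # the key a removal step needs
        }
    }
}

# Step 4: report. One row per guest membership, so a guest in several groups appears several times.
$Report | Export-Csv -Path c:\temp\BadGuestAccounts.CSV -NoTypeInformation
Write-Host ("{0} groups scanned, {1} guest memberships from blocked domains found" -f $Groups.Count, $Report.Count)
```

Because the CSV holds one row per membership, deduplicate on ObjectId before feeding it to a removal loop, or the second occurrence of the same guest will fail to delete.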

When the script finishes processing the set of groups, it generates some basic statistics (Figure 2) and a CSV file.

Figure 2: Results of scanning for guests from blocked domains

Cleaning Up Banned Guests

The CSV file (Figure 3) contains the Azure AD object identifier for each problem guest. This is important because you can use this to drive a removal process if necessary.

Figure 3: Contents of the CSV file detailing guests from blocked domains

Before removing a guest account, remember what it will do:

  • Remove the guest from memberships of all groups they belong to.
  • Remove access to any documents, folders, or lists shared using the guest account.

Before deleting anything, the CSV file should be reviewed to check that each account really should be deleted. Any account to keep should be removed from the file. The updated file can then act as the input for a removal process. For instance, this PowerShell code reads the CSV file and removes the accounts included in the file.

# Assumes an existing Connect-AzureAD session; the CSV is the reviewed report file
$BadAccounts = Import-Csv c:\temp\BadGuestAccounts.CSV
ForEach ($Account in $BadAccounts) {
   Write-Host "Removing" $Account."Guest Email"
   # ObjectId comes from the report, so the right guest account is deleted even if several share a display name
   Remove-AzureADUser -ObjectId $Account.ObjectId
}

The guest accounts in the tenant then comply with the collaboration policy. If you decide to remove guest accounts, it’s probably a good idea to email the group/team owners to let them know what you plan to do, just in case a guest account is required.

Like any of our scripts, the code is written to explore how to construct a solution to a problem. I’m sure the code can be improved, notably by adding better error handling. But it does work (at least in our tenant).


The Office 365 for IT Pros eBook has lots of intensely practical advice to help administrators run tenants. Subscribe to make sure that you benefit from our knowledge.
