Blocking Guests on Sensitive Teams

April 2, 2021

6107

The number of Teams is increasing day by day in environments and if you wish to block specific teams not to have external guests. you can do it. Team owners may add an external guest to a team by mistake. where a guest may watch sensitive conversations. to avoid such an embarrassing situation it’s better to protect such teams by blocking external guests. There is no GUI option at this moment to do the same.

let’s see how to do using azure ad and exchange online PowerShell modules

To Check which team has external guests –

Every team creates a unified group. So the easiest way to check which teams have external guests is to check the unified groups.

Connect to the exchange module.

Connect-Exchangeonline

Check for groups that have external guests

Get-UnifiedGroup | Where-Object {$_.GroupExternalMembercount -notlike "0"}

Now check for groups/teams which don’t have guests and block them all if required

Get-UnifiedGroup | Where-Object {$_.GroupExternalMembercount -like "0"}

Get the azure ad preview module –

Install-module AzureADPreview

Connect-AzureAD

Below applies to all groups/teams in the environment to stop adding guests.

$groupID =`
Get-UnifiedGroup | Where-Object{$_.GroupExternalMembercount -like "0"}`
| Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"]=$False
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groups -DirectorySetting $settingsCopy
}

Now it’s applying to all teams

To revert back –

$groupID =`
Get-UnifiedGroup | Where-Object{$_.GroupExternalMembercount -like "0"}`
| Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    $SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectID $Groups | select-object -expandproperty ID
    Remove-AzureADObjectSetting -Id $settingid -targettype Groups -TargetObjectID $Groups
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"]=$True
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groups -DirectorySetting $settingsCopy
}

You can always manipulate the first line to suit your requirements –

To apply on Teams with no external guests –

 Get-UnifiedGroup | Where-Object{$_.GroupExternalMembercount -like "0"}

To apply on a specific team –

Get-UnifiedGroup | Where-Object {$_.displayname -like "IT Team"}

To apply on a group of teams starts with Governance –

Get-UnifiedGroup | Where-Object {$_.displayname -like "Governance*"}

To check the unified groups which has allowed external guests –

Get-UnifiedGroup | Where-Object {$_.allowaddguests -like $true}

To check the unified groups which has not allowed external guests –

Get-UnifiedGroup | Where-Object {$_.allowaddguests -like $false}

Blocking Guests on Sensitive Teams

Related Articles

Deploying Docker Image to Azure Container Registry and Hosting it with Azure Web App Service.

Use Winget to deploy apps on Intune.

Enhancing Email Security: Tagging External Emails in Microsoft 365

LEAVE A REPLY Cancel reply

EDITOR PICKS

Deploying Docker Image to Azure Container Registry and Hosting it with Azure Web App Service.

Manual Validation Approval for CI/CD Release Pipeline using YAML in Azure DevOps

A Step-by-Step Guide to Deploying Next.js to Azure App Service Using GitHub Action

POPULAR POSTS

Deploying Docker Image to Azure Container Registry and Hosting it with Azure Web App Service.

Enhancing Email Security: Tagging External Emails in Microsoft 365

Manual Validation Approval for CI/CD Release Pipeline using YAML in Azure DevOps

POPULAR CATEGORY

ABOUT ME

FOLLOW US