Blocking Guests on Sensitive Teams

The number of teams in an environment grows day by day, and you may want to block specific teams from having external guests. Team owners may add an external guest to a team by mistake, and that guest can then watch sensitive conversations. To avoid such an embarrassing situation, it's better to protect such teams by blocking external guests. There is no GUI option at this moment to do the same.

Let's see how to do this using the Azure AD and Exchange Online PowerShell modules.

To check which teams have external guests –

Every team creates a unified group. So the easiest way to check which teams have external guests is to check the unified groups.

Connect to the exchange module.

Connect-Exchangeonline

Check for groups that have external guests

Get-UnifiedGroup | Where-Object {$_.GroupExternalMembercount -notlike "0"}

Now check for groups/teams which don’t have guests and block them all if required

Get-UnifiedGroup | Where-Object {$_.GroupExternalMembercount -like "0"}

Get the Azure AD Preview module –

Install-module AzureADPreview
Connect-AzureAD

The script below applies to all groups/teams in the environment to stop guests from being added.

$groupID =`
Get-UnifiedGroup | Where-Object{$_.GroupExternalMembercount -like "0"}`
| Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"]=$False
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groups -DirectorySetting $settingsCopy
}

Now it's applying to all teams.

To revert back –

$groupID =`
Get-UnifiedGroup | Where-Object{$_.GroupExternalMembercount -like "0"}`
| Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    $SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectID $Groups | select-object -expandproperty ID
    Remove-AzureADObjectSetting -Id $settingid -targettype Groups -TargetObjectID $Groups
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"]=$True
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groups -DirectorySetting $settingsCopy
}

You can always change the first line to suit your requirements –

To apply to teams with no external guests –

Get-UnifiedGroup | Where-Object{$_.GroupExternalMembercount -like "0"}

To apply to a specific team –

Get-UnifiedGroup | Where-Object {$_.displayname -like "IT Team"}

To apply to a group of teams whose names start with Governance –

Get-UnifiedGroup | Where-Object {$_.displayname -like "Governance*"}

To check the unified groups that allow external guests –

Get-UnifiedGroup | Where-Object {$_.allowaddguests -like $true}

To check the unified groups that do not allow external guests –

Get-UnifiedGroup | Where-Object {$_.allowaddguests -like $false}
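
An added example (not from the original post): an idempotent version of the loop above that updates a group's existing Group.Unified.Guest setting instead of failing when one is already present. The function name Set-TeamGuestBlock and its parameters are hypothetical; it assumes Connect-ExchangeOnline and Connect-AzureAD sessions are already open.

```powershell
# Added example, not the post's own code. Set-TeamGuestBlock is a hypothetical name.
# Requires active Connect-ExchangeOnline and Connect-AzureAD (AzureADPreview) sessions.
function Set-TeamGuestBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Wildcard matched against DisplayName, e.g. "Governance*"
        [Parameter(Mandatory)][string]$NameFilter,
        # $false blocks guest additions, $true allows them again
        [bool]$AllowGuests = $false
    )

    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }

    # -ResultSize Unlimited: Get-UnifiedGroup otherwise returns at most 1000 groups
    $groups = Get-UnifiedGroup -ResultSize Unlimited |
        Where-Object { $_.DisplayName -like $NameFilter }

    foreach ($group in $groups) {
        $id = $group.ExternalDirectoryObjectId

        # A group holds one setting per template, so look for an existing one first
        $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $id |
            Where-Object { $_.TemplateId -eq $template.Id }

        # With -WhatIf this reports the change and skips it
        if (-not $PSCmdlet.ShouldProcess($group.DisplayName, "AllowToAddGuests=$AllowGuests")) { continue }

        if ($existing) {
            $existing["AllowToAddGuests"] = $AllowGuests
            Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $id -Id $existing.Id -DirectorySetting $existing
            $action = "Updated"
        } else {
            $setting = $template.CreateDirectorySetting()
            $setting["AllowToAddGuests"] = $AllowGuests
            New-AzureADObjectSetting -TargetType Groups -TargetObjectId $id -DirectorySetting $setting | Out-Null
            $action = "Created"
        }

        # Report what was done and how many guests the team already contains
        [pscustomobject]@{
            Team                 = $group.DisplayName
            Action               = $action
            GuestsAlreadyPresent = $group.GroupExternalMemberCount
        }
    }
}

# Preview the change for every team whose name starts with "Governance"
Set-TeamGuestBlock -NameFilter "Governance*" -WhatIf
```

Drop -WhatIf to apply the change. The setting stops new guests from being added; guests already in a team remain members until they are removed, which is why the output lists GuestsAlreadyPresent.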

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP and publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization, Sathesh is a messaging expert supporting, designing and deploying for many medium-size businesses to large enterprises when it comes to corporate messaging and virtualization infrastructure.
