Allow or Block guest access to Office 365 groups based on Domain

In this post, I will demonstrate that how can we restrict guest member addition in Group based on Domain.

We will be using the AzureADPreview Module to do the same, if you have not yet installed the Azure AD preview module, please find the instruction in my post below.

Connect to AzureADPreivew

Run the below CMD to Connect to Azure AD.
Connect-AzureAD

There is a script provided by Microsoft to Set Guest Allow Block Domain Policy                       

Unblock the Script#

Run the below CMD to unblock the Script.

Unblock-File .\Set-GuestAllowBlockDomainPolicy.ps1

Check Existing Policy#

Check if any existing Policy is Available.Run the script with the below Parameter.

.\Set-GuestAllowBlockDomainPolicy.ps1 -QueryPolicy

Update Allow/Block List# Update switch will create a new policy and if the same is already exist the same will be replaced, so if you need to make some addition to the existing policy use the -Append switch.

Create policy with AllowList only# Run the script with below parameter to create or replace policy with new Allow List

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("newcustomer.com", "newpartner.com").

Create policy with BlockList only# Run the script with below parameter to create or replace policy with new block List

Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("badpartner.com", "blockedpartner.com")

Add more domains to Allow/Block List# Run the script with below parameter to append policy with the AllowList

Update an Existing Policy with AllowList#

Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("outlook.com")

Update an Existing Policy with BlockList#

Set-GuestAllowBlockDomainPolicy.ps1 -Append -BlockList @("gmail.com")

Below screen showing the whole process, where there was no policy Guest Allow policy in the Environment, and after running the below above CMD a new policy was setup.


To further add the domain in the Blocked Domains, we should be using the -Append switch.
The script is written nicely and show the existing policy before it is modified, example below.


Remove the Policy# Run the below cmd to remove the existing policy.

.\Set-GuestAllowBlockDomainPolicy.ps1 -Remove

This completes my post, where we learn how can we manage (allow/block) guest access based on the domain to the Office 365 Groups.

Comments