The number of teams in an environment grows day by day, and you may want to block specific teams from having external guests. A team owner may add an external guest to a team by mistake, and that guest can then read sensitive conversations. To avoid such an embarrassing situation, it is better to protect those teams by blocking external guests. There is no GUI option for this at the moment.
Let's see how to do it using the Azure AD and Exchange Online PowerShell modules.
To check which teams have external guests –
Every team creates a unified group. So the easiest way to check which teams have external guests is to check the unified groups.
Connect to the Exchange Online module.
Connect-ExchangeOnline
Check for groups that have external guests
Get-UnifiedGroup | Where-Object { $_.GroupExternalMemberCount -ne 0 }
Now check for groups/teams that don't have guests, and block them all if required.
Get-UnifiedGroup | Where-Object { $_.GroupExternalMemberCount -eq 0 }
Get the Azure AD preview module –
Install-Module AzureADPreview
Connect-AzureAD
The script below stops guests from being added to every group/team in the environment that currently has no external guests.
# Collect the directory object IDs of all groups that currently have no external members
$groupID = Get-UnifiedGroup | Where-Object { $_.GroupExternalMemberCount -eq 0 } | Select-Object -ExpandProperty ExternalDirectoryObjectId
# Per-group guest settings template; fetched once and reused for every group
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified.guest" }
foreach ($group in $groupID) {
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"] = $False
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group -DirectorySetting $settingsCopy
}
# Allow guests again: remove each group's existing setting object, then create one with AllowToAddGuests = $True
$groupID = Get-UnifiedGroup | Where-Object { $_.GroupExternalMemberCount -eq 0 } | Select-Object -ExpandProperty ExternalDirectoryObjectId
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified.guest" }
foreach ($group in $groupID) {
    $settingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group | Select-Object -ExpandProperty Id
    Remove-AzureADObjectSetting -Id $settingID -TargetType Groups -TargetObjectId $group
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"] = $True
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group -DirectorySetting $settingsCopy
}
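# Groups with no external members
Get-UnifiedGroup | Where-Object { $_.GroupExternalMemberCount -eq 0 }
# The group named exactly "IT Team"
Get-UnifiedGroup | Where-Object { $_.DisplayName -like "IT Team" }
# Groups whose name starts with "Governance"
Get-UnifiedGroup | Where-Object { $_.DisplayName -like "Governance*" }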
To check the unified groups that allow external guests –
Get-UnifiedGroup | Where-Object { $_.AllowAddGuests -eq $true }
To check the unified groups that do not allow external guests –
Get-UnifiedGroup | Where-Object { $_.AllowAddGuests -eq $false }
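The block and revert scripts above each assume a particular starting state (no settings object on the group when blocking, exactly one when reverting). As an added example that is not part of the original post, the function below sets AllowToAddGuests in either direction by updating an existing settings object or creating one, so it can be re-run safely; Set-TeamGuestAccess is a hypothetical helper name, and both modules are assumed to be connected already.

```powershell
# Added example. Assumes Connect-ExchangeOnline and Connect-AzureAD (AzureADPreview) have already run.
# Set-TeamGuestAccess is a hypothetical helper name, not a cmdlet from either module.
function Set-TeamGuestAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # ExternalDirectoryObjectId values taken from Get-UnifiedGroup
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$GroupId,
        [Parameter(Mandatory)]
        [bool]$AllowGuests
    )
    begin {
        # Fetch the per-group guest template once, not once per group
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
        if (-not $template) { throw 'Group.Unified.Guest template not found' }
    }
    process {
        foreach ($id in $GroupId) {
            if (-not $PSCmdlet.ShouldProcess($id, "AllowToAddGuests = $AllowGuests")) { continue }
            # The group may already carry a settings object from an earlier run
            $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $id |
                Where-Object { $_.TemplateId -eq $template.Id }
            if ($existing) {
                # Update in place instead of remove-and-recreate
                $existing['AllowToAddGuests'] = $AllowGuests
                Set-AzureADObjectSetting -Id $existing.Id -TargetType Groups `
                    -TargetObjectId $id -DirectorySetting $existing
            } else {
                $new = $template.CreateDirectorySetting()
                $new['AllowToAddGuests'] = $AllowGuests
                New-AzureADObjectSetting -TargetType Groups -TargetObjectId $id `
                    -DirectorySetting $new | Out-Null
            }
        }
    }
}

# Usage: preview the change for every team that has no external guests today
$ids = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.GroupExternalMemberCount -eq 0 } |
    Select-Object -ExpandProperty ExternalDirectoryObjectId
Set-TeamGuestAccess -GroupId $ids -AllowGuests $false -WhatIf
```

Drop -WhatIf to apply the change, then confirm the result with the AllowAddGuests checks above.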