Allow or block invitations to B2B users from specific organizations

You can use an allow list or a deny list to allow or block invitations to B2B users from specific organizations. For example, if you want to block personal email address domains, you can set up a deny list that contains domains like Gmail.com and Outlook.com. Or, if your business has a partnership with other businesses like Contoso.com, Fabrikam.com, and Litware.com, and you want to restrict invitations to only these organizations, you can add Contoso.com, Fabrikam.com, and Litware.com to your allow list.

Important considerations

  • You can create either an allow list or a deny list. You can't set up both types of lists. By default, whatever domains are not in the allow list are on the deny list, and vice versa.
  • You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one.
  • The number of domains you can add to an allow list or deny list is limited only by the size of the policy. This limit applies to the number of characters, so you can have a greater number of shorter domains or fewer longer domains. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allow list or deny list and any other parameters configured for other features.
  • This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or deny list for OneDrive for Business and SharePoint Online. For more information, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
  • The list does not apply to external users who have already redeemed the invitation. The list is enforced only after it is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the invitation will fail.

Set the allow or deny list policy in the portal

By default, the Allow invitations to be sent to any domain (most inclusive) setting is enabled. In this case, you can invite B2B users from any organization.

Add a deny list

This is the most typical scenario, where your organization wants to work with almost any organization, but wants to prevent users from specific domains from being invited as B2B users.

To add a deny list:

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Users > User settings.

  3. Under External users, select Manage external collaboration settings.

  4. Under Collaboration restrictions, select Deny invitations to the specified domains.

  5. Under TARGET DOMAINS, enter the name of one of the domains that you want to block. For multiple domains, enter each domain on a new line. For example:

    (Screenshot: the deny option with added domains)

  6. When you're done, select Save.

After you set the policy, if you try to invite a user from a blocked domain, you receive a message saying that the domain of the user is currently blocked by your invitation policy.

Add an allow list

This is a more restrictive configuration, where you can set specific domains in the allow list and restrict invitations to any other organizations or domains that aren't mentioned.

If you want to use an allow list, make sure that you spend time to fully evaluate what your business needs are. If you make this policy too restrictive, your users may choose to send documents over email, or find other non-IT sanctioned ways of collaborating.

To add an allow list:

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Users > User settings.

  3. Under External users, select Manage external collaboration settings.

  4. Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive).

  5. Under TARGET DOMAINS, enter the name of one of the domains that you want to allow. For multiple domains, enter each domain on a new line. For example:

    (Screenshot: the allow option with added domains)

  6. When you're done, select Save.

After you set the policy, if you try to invite a user from a domain that's not on the allow list, you receive a message saying that the domain of the user is currently blocked by your invitation policy.

Switch from allow list to deny list and vice versa

If you switch from one policy to the other, the existing policy configuration is discarded. Make sure to back up the details of your configuration before you perform the switch.

Set the allow or deny list policy using PowerShell

Prerequisite

Note

The AzureADPreview module is not a fully supported module as it is in preview.

To set the allow or deny list by using PowerShell, you must install the preview version of the Azure Active Directory Module for Windows PowerShell. Specifically, install the AzureADPreview module version 2.0.0.98 or later.

To check the version of the module (and see if it's installed):

  1. Open Windows PowerShell as an elevated user (Run as Administrator).

  2. Run the following command to see if you have any versions of the Azure Active Directory Module for Windows PowerShell installed on your computer:

    Get-Module -ListAvailable AzureAD*

If the module is not installed, or you don't have a required version, do one of the following:

  • If no results are returned, run the following command to install the latest version of the AzureADPreview module:

    Install-Module AzureADPreview

  • If only the AzureAD module is shown in the results, run the following commands to install the AzureADPreview module:

    Uninstall-Module AzureAD
    Install-Module AzureADPreview

  • If only the AzureADPreview module is shown in the results, but the version is less than 2.0.0.98, run the following commands to update it:

    Uninstall-Module AzureADPreview
    Install-Module AzureADPreview

  • If both the AzureAD and AzureADPreview modules are shown in the results, but the version of the AzureADPreview module is less than 2.0.0.98, run the following commands to update it:

    Uninstall-Module AzureAD
    Uninstall-Module AzureADPreview
    Install-Module AzureADPreview

Use the AzureADPolicy cmdlets to configure the policy

To create an allow or deny list, use the New-AzureADPolicy cmdlet. The following example shows how to set a deny list that blocks the "live.com" domain.

    $policyValue = @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [],`"BlockedDomains`": [`"live.com`"]}}}")
    New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true

The following shows the same example, but with the policy definition inline.

    New-AzureADPolicy -Definition @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [],`"BlockedDomains`": [`"live.com`"]}}}") -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true

To update the allow or deny list policy, use the Set-AzureADPolicy cmdlet. For example:

    Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id

To get the policy, use the Get-AzureADPolicy cmdlet. For example:

    $currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1

To remove the policy, use the Remove-AzureADPolicy cmdlet. For example:

    Remove-AzureADPolicy -Id $currentpolicy.Id
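As an added example (not code from this page or from Microsoft), the following PowerShell wraps the cmdlets above into two helper functions: one builds the JSON policy definition from a domain list and enforces the two constraints stated under "Important considerations" (one list type at a time, 25,000-character limit), the other creates the tenant's single B2BManagementPolicy or updates it if one already exists. It assumes an existing Connect-AzureAD session; the function names and sample domains are my own.

```powershell
# Added example (not from the Microsoft docs page): build a B2BManagementPolicy
# definition from a domain list, enforce the page's constraints, and create or
# update the tenant's single policy with the AzureADPreview cmdlets.
# Assumes Connect-AzureAD has already been run; function names are hypothetical.

function New-B2BDomainPolicyDefinition {
    param(
        [string[]]$AllowedDomains = @(),
        [string[]]$BlockedDomains = @()
    )
    # Only one list type may be configured at a time (see "Important considerations").
    if ($AllowedDomains.Count -gt 0 -and $BlockedDomains.Count -gt 0) {
        throw "Configure either an allow list or a deny list, not both."
    }
    $policy = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = @{
                AllowedDomains = @($AllowedDomains)
                BlockedDomains = @($BlockedDomains)
            }
        }
    }
    # -Depth is needed for the nested hashtables; -Compress keeps the definition small.
    $json = $policy | ConvertTo-Json -Depth 5 -Compress
    # The whole policy definition is capped at 25 KB (25,000 characters).
    if ($json.Length -gt 25000) {
        throw "Policy definition is $($json.Length) characters; the limit is 25,000."
    }
    return $json
}

function Set-B2BDomainPolicy {
    param([string]$Definition)
    # A tenant has at most one B2BManagementPolicy: update it if present, else create it.
    $current = Get-AzureADPolicy -All $true |
        Where-Object { $_.Type -eq 'B2BManagementPolicy' } |
        Select-Object -First 1
    if ($current) {
        Set-AzureADPolicy -Id $current.Id -Definition @($Definition)
        return $current.Id
    }
    $new = New-AzureADPolicy -Definition @($Definition) -DisplayName B2BManagementPolicy `
        -Type B2BManagementPolicy -IsOrganizationDefault $true
    return $new.Id
}

# Deny list for consumer email domains (constructed sample input).
$definition = New-B2BDomainPolicyDefinition -BlockedDomains @('gmail.com', 'outlook.com', 'live.com')
Set-B2BDomainPolicy -Definition $definition
```

Run Get-AzureADPolicy afterwards to confirm the stored Definition matches the JSON the first function returned.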

Next steps

  • For an overview of Azure AD B2B, see What is Azure AD B2B collaboration?
  • For information about Conditional Access and B2B collaboration, see Conditional Access for B2B collaboration users.