See GitHub to download or for more information: https://github.com/ITAutomator/M365-Teams-Policy-Update
Overview
Reports and updates Teams External Access Policies that aren’t (yet) visible in the admin center. Update M365 Teams Policies in bulk via csv file.
How it works
Use this code in 2 phases to report on, then update the Teams ExternalAccessPolicy for your users.
The assumption is that, in general Teams chats to outside companies and individuals is blocked. The code checks a certain group of users and switches them to allowed. All other users are switched to blocked.
Phase 1: Report
Run the M365TeamsPolicyReport.ps1 (or .cmd) and enter your admin credentials.
This will output a CSV file containing your users and the policies they have been assigned.
- Only Enabled accounts are reported. Only members are reported (vs guests).
- By default, no policy might be assigned (aka Global or <none>).
- For Teams users, the default policy seems to be FederationAndPICDefault which allows external access at the user level. (see below)
Phase 2: Update
Edit the CSV file M365TeamsPolicyUpdate.csv. If you don’t have one, it will be created on first launch.
| GroupNameOrEmail | Change Allow External TeamsMessaging to be whatever you have called the allow group. The group must exist. The suggestion is to make it an (optionally mail-enabled) security group. |
| GroupPolicyName | The policy will be created if it doesn’t exist. Two policies are created: <GroupPolicyName> will be the allow policy, <GroupPolicyName>Blocked will be the block policy. Group members will have the allow policy applied. Non-group members will get the blocked policy. |
| NonGroupPolicyName | Non-group members will get this policy. Use one of these keywords: Global: any policy will be removed (returned to Global) Blocked: set the policy to whatever the blocked policy is. Anything else: This policy name will be used |
| GlobalExternalAccessDefault | FALSE The program will check the Global policy setting (for people that have no policy) and change it to this |
In the update phase the code run the M365TeamsPolicyUpdate.ps1 (or .cmd) to make your updates. It will do the following actions.
Note: The program allows you to step through each user if you want to go slowly.
Note: There is an issue with the policy assignment operations where it will begin to fail after 50. That is because the assignments are jobs that are queued for a minute or two. A future version should add everyone in one bulk batch. For now, you can just re-run it and it will pick up the next 50 until it is completed.
- Checks and changes the default policy (internally called Global) is FALSE (can be changed in the settings CSV file) and will check and prompt to update the default policy if it is set differently from the setting.
- It will check for the custom GroupPolicyName (TeamsExternalAccess) and create it if it doesn’t exist. Also, it will create the Blocked version of the policy.
- It will loop through the group members and assign the allow policy.
- It will loop through the non-members and assign the block policy.
Notes from Microsoft
According to Microsoft, to control Teams External Access at the user level:
Microsoft: IT Admins – Manage external meetings and chat (link)
- The company must allow it at the company level. The company may select all domains or specify approved or blocked domains. This can be adjusted in the Teams Admin Center.
Get-CsTenantFederationConfiguration - User-level policies would then apply. These can only be viewed through PowerShell.
Get-CsExternalAccessPolicy
Grant-CsExternalAccessPolicy- The default user-level policy that most people have (called Global) allows it, so it should be set to False.
- Some people may have the user-level policy FederationAndPICDefault policy which is set to True and cannot be changed. You can set them back to Global by using the grant command with policy name $null.
You can tell it’s blocked by policy if your users see this:
