If you’ve had a chance to check out my “Ins and Outs of Guest Access” blog series, you may already know how to control guest access in your environment. However, what if you want to allow guest access for most groups, but have other groups where you want to prevent guest access? This is where your friend PowerShell will come in handy! In this blog series, we’ll show you how to block guest users from a specific group. Before we start though, make sure you have the preview version of Azure Active Directory PowerShell for Graph (Azure AD), which gives you the ability to change group-level guest access settings:
Blocking guest access for a specific group
Great, we’re connected to the preview version of Azure AD, now comes the fun part! First, let’s find an Office 365 group where we want to block guest access. In my demo tenant, I’ve chosen the “Store Portal” group.
Now let’s run the script to block guest access for that particular group. In the script below, you would just replace the “Store Portal” with the group you want to block guest access to.
# Display name of the group whose guest access should be blocked; replace with your own group
$GroupName = "Store Portal"
Connect-AzureAD
# Group-level guest settings are created from the Group.Unified.Guest template
$template = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified.Guest"}
$settingsCopy = $template.CreateDirectorySetting()
$settingsCopy["AllowToAddGuests"] = $False
# -SearchString is a prefix match; make sure exactly one group comes back before applying the setting
$groupID = (Get-AzureADGroup -SearchString $GroupName).ObjectId
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy
Great, it worked! At least I think so... there’s only one way to tell, so let’s test! Let’s navigate to Azure AD so we can find a guest within my tenant. In the picture below you’ll notice that my brian.siefferman@perficient.com account was added as a guest to the organization.
Since we know this is a guest user, let’s try to add that account to my Store Portal team. Let’s open up our Teams client, go to our “Store Portal” team and try to add a guest to the team. As you’ll notice below, even after populating the guest’s entire email address, no results will be returned and you will get the “we didn’t find any matches” pop-up. Awesome, it looks like it worked, but just to make sure let’s try to add that same guest user to a different team.
If this is working the way that we want it to, we should still be able to add guests to any other team except this one. So, let’s try adding the guest to a different team. We’ll try to add the guest user to the “Digital Initiative Public Relations” team.
This time if we try to add a guest to a different team that allows guests to be added, you’ll notice that it will find the guest user and allow you to add them as a guest to the team!
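The script above and the Teams test it is followed by both assume a single, exact group match and a group that has never had a guest setting applied before. The following is an added example, not code from the original post, that makes the same change in a way that is safe to re-run (it updates an existing Group.Unified.Guest setting instead of failing on a duplicate) and reads the effective setting back, so you can confirm the block from PowerShell before clicking through Teams. It assumes an AzureADPreview session is already open via Connect-AzureAD and that group display names are unique; the function names Set-GroupGuestBlock and Get-GroupGuestBlock are my own.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD has
# already been run with the AzureADPreview module and that the group's display
# name is unique in the tenant. Function names are the author's own choice.

function Set-GroupGuestBlock {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [bool] $AllowGuests = $false
    )

    # Exact-match OData filter instead of -SearchString, which prefix-matches and
    # can return several groups ("Store Portal", "Store Portal Archive", ...).
    $group = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupName'")
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($group.Count)."
    }
    $groupId = $group[0].ObjectId

    # A group carries at most one Group.Unified.Guest setting object.
    # New-AzureADObjectSetting fails if one already exists, so update in place.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    if ($existing) {
        $existing['AllowToAddGuests'] = $AllowGuests
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
            -Id $existing.Id -DirectorySetting $existing
    } else {
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $AllowGuests
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
            -DirectorySetting $setting
    }
}

function Get-GroupGuestBlock {
    param([Parameter(Mandatory)] [string] $GroupName)

    $group = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupName'")
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($group.Count)."
    }

    $setting = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group[0].ObjectId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    # No group-level setting object means the tenant-wide Group.Unified value applies.
    $effective = if ($setting) {
        ($setting.Values | Where-Object { $_.Name -eq 'AllowToAddGuests' }).Value
    } else {
        '(inherits tenant setting)'
    }

    [pscustomobject]@{
        Group            = $GroupName
        AllowToAddGuests = $effective
    }
}

# Block guests on the group from the post, then verify before testing in Teams.
Set-GroupGuestBlock -GroupName 'Store Portal'
Get-GroupGuestBlock -GroupName 'Store Portal'
```

Running Get-GroupGuestBlock against a group you have not touched shows the inherited state, which is the quickest way to tell whether a group is blocked by its own setting or only by the tenant-wide Group.Unified template; that distinction matters when a later tenant-level change unexpectedly reopens guest access on groups you thought were locked down.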
Great, it works just as expected! I hope you have found this helpful, and I encourage you to check back soon for some additional guidance on guest access!