Entra / Microsoft 365 · Teams
Populate teams external access
Finds the domains used by guest accounts and uses them to build an external access allow list.
Connect & set up
Run these once per session. All scopes are read-only unless the script makes changes.
Connect-MicrosoftTeamsConnect-MgGraph -NoWelcome -Scopes User.Read.All
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
function Get-DomainByCheck {# Check a domain name to make sure that it's activeparam ([parameter(Mandatory = $true)]$Domain)$Uri = ("https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='{0}')" -f $Domain)Try {[array]$Global:DomainData = Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction StopIf ($DomainData.displayname -in $UnwantedRealms) {Return $false} Else {Return $true}} Catch {Return $false}}# Define the display name values we don't want to accept as valid domains. MSA Realms is returned by domains like Yahoo.com. Test_Test_Microsoft# is returned by domains like amer.teams.ms used for inbound email to Teams channels$Global:UnwantedRealms = "MSA Realms", "Test_Test_Microsoft"Write-Host "Connecting to Microsoft Teams and the Microsoft Graph..."Connect-MicrosoftTeamsConnect-MgGraph -NoWelcome -Scopes User.Read.AllWrite-Host "Checking for guest accounts in the tenant..."[array]$Guests = Get-MgUser -All -Filter "usertype eq 'Guest'"Write-Host ("{0} guest accounts found" -f $Guests.Count)$GuestList = [System.Collections.Generic.List[Object]]::new()ForEach ($Guest in $Guests) {$Domain = $Guest.Mail.Split("@")[1]$ReportLine = [PSCustomObject][Ordered]@{Guest = $Guest.MailDomain = $DomainName = $Guest.DisplayName }$GuestList.Add($ReportLine)}Write-Host ""Write-Host "Guest accounts found for the following domains"Write-Host "----------------------------------------------"$GuestList | Group-Object Domain | Sort-Object Name | Select-Object Name, Count$Domains = $GuestList | Sort-Object Domain -Unique | Select-Object -ExpandProperty Domain# Get current set of domains configured for Teams extrenal access$DomainConfiguration = Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowedDomains# Check the set of domains that aren't in the current configuration[array]$DomainsToAdd = $Domains | Where-Object {$_ -notin $DomainConfiguration.AllowedDomain.Domain}Write-Host ""Write-Host "Checking domains used by guest accounts to make sure that they are Microsoft 365 tenants..."[array]$Microsoft365Tenants = $nullForEach ($Domain in $DomainsToAdd) {$Check = Get-DomainByCheck $DomainIf ($Check -eq $false) {Write-Host ("Domain {0} is not a Microsoft 365 tenant" -f $Domain)} Else {$Microsoft365Tenants += $Domain}}$Prompt = ("Do you want to add the following {0} domains to the list allowed for Teams external access? {1}" -f $Microsoft365Tenants.count, ($Microsoft365Tenants -join ", "))$Choice = Read-Host $PromptIf (($Choice.ToUpper()) -eq "Y") {$i = 0ForEach ($Domain in $Microsoft365Tenants) {$i++Write-Host ("Adding {0} to the allowed domains list... ({1}/{2})" -f $Domain, $i, $Microsoft365Tenants.Count)Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add=$Domain} -ErrorAction SilentlyContinue}$DomainConfiguration = Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowedDomainsWrite-Host ("External access for Teams now includes {0} domains" -f $DomainConfiguration.AllowedDomain.Domain.count)}
Attribution
Author
Office365itpros