Configure Entra External Collaboration Settings with Microsoft Graph

Hi All,

Recently I had the task of setting up Entra External collaboration settings with PowerShell.

According to the Microsoft documentation, you should use the AzureAD PowerShell module.

The retirement of the MSOnline (MSOL) and AzureAD PowerShell modules has been postponed several times, but they will not be supported after March 30 2025. The AzureAD module would certainly still work today, but that would only be a short-term solution, so the rest of this post uses Microsoft Graph instead.

Graph Explorer

You can use the Graph Explorer to check whether the B2BManagementPolicy exists. Both of the following GET requests list the legacy policies; the second returns only the id and displayName of each policy:

https://graph.microsoft.com/beta/legacy/policies
https://graph.microsoft.com/beta/legacy/policies?$select=id,displayName

PowerShell and Microsoft.Graph

Connect to Microsoft Graph using the Microsoft.Graph PowerShell module. These are the scopes used for the read and write requests in this post. Note that Directory.AccessAsUser.All is a broad delegated permission (the session acts with the full directory rights of the signed-in user), so use an account that holds only the admin role you need and run Disconnect-MgGraph when you are done.

##########################################################################
# Connect MgGraph
##########################################################################
Connect-MgGraph -Scopes Policy.Read.All, Directory.AccessAsUser.All -NoWelcome
(Get-MgContext).Scopes

Permission Dialog

Query the policies and pick the B2BManagementPolicy out of the result. Note that definition is an array containing a single JSON string, so the actual settings are JSON nested inside JSON.

##########################################################################
# Query Policies
##########################################################################
$URI = "https://graph.microsoft.com/beta/legacy/policies"
$LegacyPolicy = Invoke-MgGraphRequest -Method "GET" -URI $URI
# The response is a hashtable; the policies sit in its 'value' array
$B2BManagementPolicy = $LegacyPolicy.Value | Where-Object { $_.type -eq "B2BManagementPolicy" }
$B2BManagementPolicy
# 'definition' holds one JSON-encoded string with the actual settings
$B2BManagementPolicy.definition
# Keep the id for the PATCH requests below
$B2BManagementPolicyID = $B2BManagementPolicy.Id
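As an added example (not code from the original post), here is the query above turned into a small function that parses the nested JSON and reports whether the tenant is in allow-list, block-list or any-domain mode, which is the check I want before changing anything. It assumes an existing Connect-MgGraph session with Policy.Read.All; the function name is my own.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph has been run
# with at least Policy.Read.All (see the Connect block above).
function Get-B2BDomainRestriction {
    [CmdletBinding()]
    param ()

    $uri      = "https://graph.microsoft.com/beta/legacy/policies"
    $response = Invoke-MgGraphRequest -Method GET -Uri $uri
    $policy   = $response.value | Where-Object { $_.type -eq "B2BManagementPolicy" }

    if ($null -eq $policy) {
        # No policy object at all: the tenant is on the default, i.e. invitations to any domain
        return [pscustomobject]@{
            PolicyId = $null
            Mode     = "AnyDomain (tenant default, no B2BManagementPolicy)"
            Domains  = @()
        }
    }

    # 'definition' is an array holding ONE JSON string, so the settings are JSON inside JSON
    $inner        = $policy.definition[0] | ConvertFrom-Json
    $domainPolicy = $inner.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy

    # A property that is absent comes back as $null; filter it out so .Count is meaningful
    $allowed = @($domainPolicy.AllowedDomains | Where-Object { $_ })
    $blocked = @($domainPolicy.BlockedDomains | Where-Object { $_ })

    # Allow list wins if present; an empty or missing block list means "any domain"
    $mode = if ($allowed.Count -gt 0) { "AllowList (most restrictive)" }
            elseif ($blocked.Count -gt 0) { "BlockList (deny listed domains)" }
            else { "AnyDomain (most inclusive)" }

    $domains = if ($allowed.Count -gt 0) { $allowed } else { $blocked }

    [pscustomobject]@{
        PolicyId = $policy.id
        Mode     = $mode
        Domains  = $domains
    }
}

Get-B2BDomainRestriction | Format-List
```

Run it before and after each PATCH below; the Mode field tells you which of the three portal options the tenant currently matches without opening the portal.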

Set to “most restrictive”

Allow invitations only to the listed domains. Because definition is a single string, the PATCH replaces the whole policy definition, not just the domain list: the AutoRedeemPolicy arrays in the body overwrite whatever the tenant currently has, so if you use cross-tenant auto-redemption, copy those values from the GET above instead of sending empty arrays.

##########################################################################
#Allow invitations only to the specified domains (most restrictive)
##########################################################################
$Body = @"
{
    "definition": [
        "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"allow.net\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
    ]
}
"@

#Update Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "PATCH" -URI $URI -Body $Body -ContentType $ContentType

That’s how it looks in the Entra Portal

Set to “Deny invitations”

##########################################################################
#Deny invitations to the specified domains
##########################################################################
$Body = @"
{
"definition": [
        "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"BlockedDomains\":[\"example.com\",\"foo.bar\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
    ]
}
"@

#Update Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "PATCH" -URI $URI -Body $Body -ContentType $ContentType

That’s how it looks in the Entra Portal

Set to “most inclusive”

##########################################################################
#Allow invitations to be sent to any domain (most inclusive)
##########################################################################
$Body = @"
{
    "definition": [
        "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"BlockedDomains\":[]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
    ]
}
"@

#Update Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "PATCH" -URI $URI -Body $Body -ContentType $ContentType

That’s how it looks in the Entra Portal

Policy does not exist

You can check whether the B2BManagementPolicy exists with Graph Explorer:

https://graph.microsoft.com/beta/legacy/policies
https://graph.microsoft.com/beta/legacy/policies?$select=id,displayName

PowerShell

Connect to Microsoft Graph using the Microsoft.Graph PowerShell Module

##########################################################################
# Connect MgGraph
##########################################################################
Connect-MgGraph -Scopes Policy.Read.All, Directory.AccessAsUser.All -NoWelcome

##########################################################################
# Query Policies
##########################################################################
$URI = "https://graph.microsoft.com/beta/legacy/policies"
$LegacyPolicy = Invoke-MgGraphRequest -Method "GET" -URI $URI
# Filtering on 'type' yields nothing when the tenant has never had a policy
$B2BManagementPolicy = $LegacyPolicy.Value | Where-Object { $_.type -eq "B2BManagementPolicy" }
if ($null -eq $B2BManagementPolicy)
{
    Write-Host "B2BManagementPolicy does not exist" -ForegroundColor Yellow
} else {
    $B2BManagementPolicy
}

I was struggling with how to create a B2BManagementPolicy when it did not exist before and reached out to MVP Vasil Michev, who was kind enough to help me here 😍 Thanks a lot, Vasil 🫡

Create B2BManagementPolicy

If the tenant has no B2BManagementPolicy yet, create it with a POST to the same endpoint. The body is the same definition string as in the PATCH examples, plus type and displayName. The definition below also carries a PreviewPolicy entry for OneTimePasscode, which is not part of the domain restriction itself.

##########################################################################
# Create B2BManagementPolicy
##########################################################################
#Connect-MgGraph -Scopes Policy.Read.All, Directory.AccessAsUser.All -NoWelcome
$Body = @"
{
  "type": "B2BManagementPolicy",
  "definition": [
    "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"Worlintest.onmicrosoft.com\"]},\"PreviewPolicy\":{\"Features\":[\"OneTimePasscode\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
  ],
  "displayName": "B2BManagementPolicy"
}
"@

#Create Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies"
Invoke-MgGraphRequest -Method "POST" -URI $URI -Body $Body -ContentType $ContentType
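As an added example (not code from the original post or from Vasil's answer), here is one function that covers the three PATCH variants above and this create case: it looks for the policy, creates it with POST if it is missing or PATCHes it otherwise, carries the tenant's existing AutoRedeemPolicy over instead of resetting it to empty lists, and reads the policy back to verify that the write landed. It assumes a Connect-MgGraph session with the same scopes as the post (Policy.Read.All, Directory.AccessAsUser.All). The function name, the domain names in the usage lines, and the assumption that the POST response echoes the created object (with a re-list fallback if it does not) are mine.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph has been run
# with Policy.Read.All and Directory.AccessAsUser.All as shown in the post.
function Set-B2BDomainRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Exactly one of the three modes must be chosen (parameter sets enforce this)
        [Parameter(Mandatory, ParameterSetName = 'Allow')]
        [ValidateNotNullOrEmpty()]
        [string[]] $AllowedDomains,

        [Parameter(Mandatory, ParameterSetName = 'Block')]
        [ValidateNotNullOrEmpty()]
        [string[]] $BlockedDomains,

        [Parameter(Mandatory, ParameterSetName = 'Any')]
        [switch] $AnyDomain
    )

    $uri         = "https://graph.microsoft.com/beta/legacy/policies"
    $contentType = "application/json"

    # 1. Look for an existing policy; a tenant may have none yet
    $existing = (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Where-Object { $_.type -eq "B2BManagementPolicy" }

    # 2. PATCH replaces the whole definition string, so carry the current
    #    AutoRedeemPolicy over instead of silently resetting it to empty lists
    $autoRedeem = @{
        AdminConsentedForUsersIntoTenantIds = @()
        NoAADConsentForUsersFromTenantsIds  = @()
    }
    if ($null -ne $existing) {
        $current = ($existing.definition[0] | ConvertFrom-Json).B2BManagementPolicy
        if ($null -ne $current.AutoRedeemPolicy) { $autoRedeem = $current.AutoRedeemPolicy }
    }

    # 3. Build the domain rule for the chosen mode; "any domain" is an empty block list
    $domainPolicy = switch ($PSCmdlet.ParameterSetName) {
        'Allow' { @{ AllowedDomains = @($AllowedDomains) } }
        'Block' { @{ BlockedDomains = @($BlockedDomains) } }
        'Any'   { @{ BlockedDomains = @() } }
    }

    # The definition is itself JSON, serialised to a string and wrapped in an array
    $innerJson = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = $domainPolicy
            AutoRedeemPolicy                          = $autoRedeem
        }
    } | ConvertTo-Json -Depth 10 -Compress

    # 4. Create (POST) or update (PATCH); -WhatIf shows the action without doing it
    if ($null -eq $existing) {
        $body = @{
            type        = "B2BManagementPolicy"
            displayName = "B2BManagementPolicy"
            definition  = @($innerJson)
        } | ConvertTo-Json -Depth 5
        if (-not $PSCmdlet.ShouldProcess("B2BManagementPolicy", "Create")) { return }
        $created  = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType $contentType
        $policyId = $created.id
        if (-not $policyId) {
            # Assumption: the POST echoes the created object; if not, find it by type
            $policyId = ((Invoke-MgGraphRequest -Method GET -Uri $uri).value |
                Where-Object { $_.type -eq "B2BManagementPolicy" }).id
        }
    }
    else {
        $policyId = $existing.id
        $body     = @{ definition = @($innerJson) } | ConvertTo-Json -Depth 5
        if (-not $PSCmdlet.ShouldProcess("B2BManagementPolicy $policyId", "Update")) { return }
        Invoke-MgGraphRequest -Method PATCH -Uri "$uri/$policyId" -Body $body -ContentType $contentType | Out-Null
    }

    # 5. Read back and verify the domain list the tenant now has is the one we asked for
    $readBack = (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Where-Object { $_.id -eq $policyId }
    $applied  = ($readBack.definition[0] | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    $actual   = @((@($applied.AllowedDomains) + @($applied.BlockedDomains)) | Where-Object { $_ })

    $expected = @()
    if ($AllowedDomains) { $expected = $AllowedDomains } elseif ($BlockedDomains) { $expected = $BlockedDomains }

    # Order-insensitive, case-insensitive comparison (-ne ignores case in PowerShell)
    $expectedKey = (@($expected) | Sort-Object) -join ','
    $actualKey   = (@($actual)   | Sort-Object) -join ','
    if ($expectedKey -ne $actualKey) {
        throw "Verification failed: wanted [$expectedKey], tenant has [$actualKey]"
    }

    [pscustomobject]@{ PolicyId = $policyId; Mode = $PSCmdlet.ParameterSetName; Domains = $actual }
}

# Usage (domain names are placeholders):
# Set-B2BDomainRestriction -AllowedDomains 'partner.example' -WhatIf
# Set-B2BDomainRestriction -BlockedDomains 'gmail.com', 'outlook.com'
# Set-B2BDomainRestriction -AnyDomain
```

The read-back step matters more than it looks: the endpoint accepts the PATCH even if the nested JSON string is malformed in a way it does not understand, and the only way to know the allow list really took effect is to parse what Graph returns afterwards.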

##########################################################################
#Delete Policy
##########################################################################
# Use the id returned by the query above (the value below is just an example id).
# Deleting the policy removes the domain allow/block list; the tenant then falls
# back to the default, which allows invitations to any domain.
$B2BManagementPolicyID = "a6729c51-4846-4a9c-8d2d-dcc842af5b95"
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "DELETE" -URI $URI -ContentType $ContentType

Summary

With the information provided you should be able to create and modify the B2BManagementPolicy with Microsoft Graph and PowerShell. Happy coding.

Regards
Andres Bohren
