Configure Entra External Collaboration Settings with Microsoft Graph

Hi All,
Recently I had the task of setting up the Entra External Collaboration settings with PowerShell.


According to the Microsoft documentation, you should use the AzureAD PowerShell module for this.


The retirement of the MSOnline (MSOL) and AzureAD PowerShell modules has been postponed many times. The modules will not be supported after March 30, 2025. It would certainly work, but it would only be a short-term solution.


Graph Explorer
You can use the Graph Explorer to check whether the B2BManagementPolicy exists:
https://graph.microsoft.com/beta/legacy/policies
https://graph.microsoft.com/beta/legacy/policies?$select=id,displayName


PowerShell and Microsoft.Graph
Connect to Microsoft Graph using the Microsoft.Graph PowerShell module:
##########################################################################
# Connect MgGraph
##########################################################################
Connect-MgGraph -Scopes Policy.Read.All, Directory.AccessAsUser.All -NoWelcome
(Get-MgContext).Scopes


Permission Dialog


Query the legacy policies and pick out the B2BManagementPolicy:
##########################################################################
# Query Policies
##########################################################################
$URI = "https://graph.microsoft.com/beta/legacy/policies"
$LegacyPolicy = Invoke-MgGraphRequest -Method "GET" -URI $URI
$B2BManagementPolicy = $LegacyPolicy.Value | Where-Object {$_.type -eq "B2BManagementPolicy"}
$B2BManagementPolicy
$B2BManagementPolicy.definition
$B2BManagementPolicyID = $B2BManagementPolicy.Id


Set to “most restrictive”
##########################################################################
#Allow invitations only to the specified domains (most restrictive)
##########################################################################
$Body = @"
{
"definition": [
"{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"allow.net\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
]
}
"@
#Update Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "PATCH" -URI $URI -Body $Body -ContentType $ContentType


That’s how it looks in the Entra Portal


Set to “Deny invitations”
##########################################################################
#Deny invitations to the specified domains
##########################################################################
$Body = @"
{
"definition": [
"{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"BlockedDomains\":[\"example.com\",\"foo.bar\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
]
}
"@
#Update Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "PATCH" -URI $URI -Body $Body -ContentType $ContentType


That’s how it looks in the Entra Portal


Set to “most inclusive”
##########################################################################
#Allow invitations to be sent to any domain (most inclusive)
##########################################################################
$Body = @"
{
"definition": [
"{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"BlockedDomains\":[]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
]
}
"@
#Update Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "PATCH" -URI $URI -Body $Body -ContentType $ContentType


That’s how it looks in the Entra Portal
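The three PATCH bodies above differ only in the domain policy nested inside the definition string, which is JSON inside JSON and easy to mis-escape by hand. As an added example (my own code, not from the original post or from Microsoft), the block below builds that body from a PowerShell object for each of the three modes, and parses the definition string returned by the GET query so you can verify which mode the tenant is in before and after a change. The function names, the Mode values and the constructed sample definition are my assumptions; the endpoint and property names are those used in the post.

```powershell
# Added example, not part of the original post. Builds the nested PATCH body
# for the three modes shown above and parses the definition returned by GET.
# Function names, Mode values and the sample definition are assumptions.

function New-B2BDefinitionBody {
    param(
        [Parameter(Mandatory)][ValidateSet('AllowOnly', 'BlockOnly', 'AllowAll')][string]$Mode,
        [string[]]$Domains = @()
    )
    $domainPolicy = switch ($Mode) {
        'AllowOnly' { [ordered]@{ AllowedDomains = @($Domains) } }   # most restrictive
        'BlockOnly' { [ordered]@{ BlockedDomains = @($Domains) } }   # deny listed domains
        'AllowAll'  { [ordered]@{ BlockedDomains = @() } }           # most inclusive
    }
    $policy = [ordered]@{
        B2BManagementPolicy = [ordered]@{
            InvitationsAllowedAndBlockedDomainsPolicy = $domainPolicy
            AutoRedeemPolicy = [ordered]@{
                AdminConsentedForUsersIntoTenantIds = @()
                NoAADConsentForUsersFromTenantsIds  = @()
            }
        }
    }
    # The policy is JSON inside JSON: serialise the inner document to a string
    # first, then place that string in the outer "definition" array.
    $inner = $policy | ConvertTo-Json -Depth 10 -Compress
    return ([ordered]@{ definition = @($inner) } | ConvertTo-Json -Depth 5)
}

function Get-B2BDomainSettings {
    # $Definition is one element of the "definition" array returned by GET,
    # e.g. $B2BManagementPolicy.definition[0]
    param([Parameter(Mandatory)][string]$Definition)
    $p = ($Definition | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    $allowed = @($p.AllowedDomains | Where-Object { $_ })   # missing property -> empty array
    $blocked = @($p.BlockedDomains | Where-Object { $_ })
    [pscustomobject]@{
        Mode           = if ($allowed) { 'AllowOnly' } elseif ($blocked) { 'BlockOnly' } else { 'AllowAll' }
        AllowedDomains = $allowed
        BlockedDomains = $blocked
    }
}

# Constructed sample: the "most restrictive" definition from above, as GET returns it.
$sample = '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"AllowedDomains":["allow.net"]},"AutoRedeemPolicy":{"AdminConsentedForUsersIntoTenantIds":[],"NoAADConsentForUsersFromTenantsIds":[]}}}'
Get-B2BDomainSettings -Definition $sample
New-B2BDefinitionBody -Mode BlockOnly -Domains 'example.com', 'foo.bar'
# Against the tenant (same URI as in the post):
# Invoke-MgGraphRequest -Method PATCH -Uri $URI -Body (New-B2BDefinitionBody -Mode AllowOnly -Domains 'allow.net') -ContentType 'application/json'
```

Running Get-B2BDomainSettings on the live definition after each PATCH gives you a quick check that the tenant really ended up in the mode you intended rather than, say, with an empty BlockedDomains list that allows every domain.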


Policy does not Exist
You can check whether the B2BManagementPolicy exists with Graph Explorer:
https://graph.microsoft.com/beta/legacy/policies
https://graph.microsoft.com/beta/legacy/policies?$select=id,displayName


PowerShell
Connect to Microsoft Graph using the Microsoft.Graph PowerShell module:
##########################################################################
# Connect MgGraph
##########################################################################
Connect-MgGraph -Scopes Policy.Read.All, Directory.AccessAsUser.All -NoWelcome


##########################################################################
# Query Policies
##########################################################################
$URI = "https://graph.microsoft.com/beta/legacy/policies"
$LegacyPolicy = Invoke-MgGraphRequest -Method "GET" -URI $URI
$B2BManagementPolicy = $LegacyPolicy.Value | Where-Object {$_.type -eq "B2BManagementPolicy"}
If ($Null -eq $B2BManagementPolicy)
{
Write-Host "B2BManagementPolicy does not exist" -ForegroundColor Yellow
} else {
$B2BManagementPolicy
}


I was struggling with how to create a B2BManagementPolicy when it did not exist before, and reached out to MVP Vasil Michev, who was kind enough to help me here 😍 Thanks a lot Vasil 🫡
Create B2BManagementPolicy
##########################################################################
# Create B2BManagementPolicy
##########################################################################
#Connect-MgGraph -Scopes Policy.Read.All, Directory.AccessAsUser.All -NoWelcome
$Body = @"
{
"type": "B2BManagementPolicy",
"definition": [
"{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"Worlintest.onmicrosoft.com\"]},\"PreviewPolicy\":{\"Features\":[\"OneTimePasscode\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
],
"displayName": "B2BManagementPolicy"
}
"@
#Create Policy
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies"
Invoke-MgGraphRequest -Method "POST" -URI $URI -Body $Body -ContentType $ContentType
##########################################################################
#Delete Policy
##########################################################################
$B2BManagementPolicyID = "a6729c51-4846-4a9c-8d2d-dcc842af5b95"
$ContentType = "application/json"
$URI = "https://graph.microsoft.com/beta/legacy/policies/$B2BManagementPolicyID"
Invoke-MgGraphRequest -Method "DELETE" -URI $URI -ContentType $ContentType


Summary
With the information provided you should be able to create and modify the B2BManagementPolicy with Microsoft Graph and PowerShell. Happy coding.
Regards
Andres Bohren