Ensure that Collaboration Invitations in Microsoft 365 are sent to allowed domains only Using a PowerShell Script

One way to control invitations to B2B collaboration users from specific organizations is by using an allowlist or blocklist. For instance, if you wish to prevent invitations from personal email addresses, you could create a blocklist containing domains such as Gmail.com and Outlook.com. Alternatively, if your business only wants to invite partner organizations such as Contoso.com, Fabrikam.com, and Litware.com, you can add them to your allowlist to limit invitations to only these organizations.

However, keep the following points in mind before allowing or disallowing domains for collaboration invitations:

  • You can create either an allowlist or a blocklist. You can’t set up both types of lists. By default, whatever domains aren’t in the allowlist are on the blocklist, and vice versa.
  • You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one.
  • The number of domains you can add to an allowlist or blocklist is limited only by the size of the policy. This limit applies to the number of characters, so you can have a greater number of shorter domains or fewer longer domains. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allowlist or blocklist and any other parameters configured for other features.
  • This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or blocklist for OneDrive for Business and SharePoint Online. For more information, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
  • The list doesn’t apply to external users who have already redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user’s attempt to redeem the invitation will fail.
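An added example (not from the article or from SmartProfiler) that builds a B2BManagementPolicy definition and checks it against the first three rules above before it is applied. The JSON shape is the one the AzureAD module's B2BManagementPolicy uses; the function name, the Mode parameter, the domain-name check and the sample partner domains are assumptions.

```powershell
# Added example: build and validate a B2B domain policy definition (not the article's code).
function New-B2BDomainPolicyDefinition {
    param(
        [Parameter(Mandatory)][ValidateSet("Allow", "Block")][string]$Mode,
        [Parameter(Mandatory)][string[]]$Domains,
        [bool]$AutoRedeemInvitations = $false
    )
    # Rule: an allowlist OR a blocklist, never both, so the other list is always empty
    $allowed = @(); $blocked = @()
    if ($Mode -eq "Allow") { $allowed = $Domains } else { $blocked = $Domains }

    # Sanity check the domain names (assumed pattern); the tenant stores whatever it is given
    foreach ($d in $Domains) {
        if ($d -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
            throw "Not a valid domain name: '$d'"
        }
    }

    $definition = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = @{
                AllowedDomains = $allowed
                BlockedDomains = $blocked
            }
            AutoRedeemInvitations = $AutoRedeemInvitations
        }
    } | ConvertTo-Json -Compress -Depth 5

    # Rule: the whole policy is capped at 25 KB (25,000 characters)
    if ($definition.Length -gt 25000) {
        throw ("Policy definition is {0} characters; the limit is 25,000" -f $definition.Length)
    }
    return $definition
}

# Constructed sample: restrict invitations to the partner domains named in the article
$json = New-B2BDomainPolicyDefinition -Mode Allow -Domains @("contoso.com", "fabrikam.com", "litware.com")
$json

# Apply it (run Connect-AzureAD first). Rule: only one such policy per organization,
# so update the existing one instead of creating a second.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" } | Select-Object -First 1
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition $json
} else {
    New-AzureADPolicy -Definition $json -DisplayName "B2BManagementPolicy" -Type "B2BManagementPolicy" -IsOrganizationDefault $true
}
```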

Here’s a PowerShell script you can use to check whether collaboration invitations are restricted to allowed domains. The result is written to a CSV file. Install the required PowerShell modules before running it: the script calls Get-AzureADPolicy from the AzureAD module, so connect first with Connect-AzureAD.

$Error.Clear()

# CSV report written by this script (one "Name,Status" row per policy).
# Set-Content starts the file fresh on every run; Add-Content would append a
# second header each time the script runs.
$TestCSVFile = "C:\Temp\B2BDomains.CSV"
$null = New-Item -ItemType Directory -Path (Split-Path $TestCSVFile) -Force
Set-Content -Path $TestCSVFile -Value "Name,Status"

$log = @()
$TotNo = ""

# Fetch the B2B management policy. Its Definition is a JSON document of the form
# {"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":
#   {"AllowedDomains":[...],"BlockedDomains":[...]},"AutoRedeemInvitations":false}}
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq "B2BManagementPolicy" } |
    Select-Object -First 1

if ($policy)
{
    # Parse the JSON instead of slicing the string between the first "[" and "]",
    # so the allowlist is read from its named property rather than by position.
    $def = @($policy.Definition)[0] | ConvertFrom-Json
    $domainPolicy = $def.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    $allowedDomains = @($domainPolicy.AllowedDomains | Where-Object { $_ })
    $blockedDomains = @($domainPolicy.BlockedDomains | Where-Object { $_ })

    if ($allowedDomains.Count -gt 0)
    {
        # Invitations are restricted to the listed domains
        $value = "Yes"
        $TotNo = "Enabled"
    }
    else
    {
        # No allowlist: either a blocklist is in use or the policy restricts nothing
        $value = "No"
        $TotNo = "Disabled"
    }

    $ourobject = New-Object -TypeName PSObject
    $ourobject | Add-Member -MemberType NoteProperty -Name PolicyName -Value "B2BManagementPolicy" -Force
    $ourobject | Add-Member -MemberType NoteProperty -Name CollInvitationstoallowedDomainsOnly -Value $value -Force
    $ourobject | Add-Member -MemberType NoteProperty -Name AllowedDomains -Value ($allowedDomains -join ";") -Force
    $ourobject | Add-Member -MemberType NoteProperty -Name BlockedDomains -Value ($blockedDomains -join ";") -Force
    $log += $ourobject

    Add-Content -Path $TestCSVFile -Value ("B2BManagementPolicy," + $value)
}
else
{
    # No policy at all: invitations can be sent to any domain
    $ourobject = New-Object -TypeName PSObject
    $ourobject | Add-Member -MemberType NoteProperty -Name PolicyName -Value "No Policy Configured for B2B Collaboration" -Force
    $ourobject | Add-Member -MemberType NoteProperty -Name CollInvitationstoallowedDomainsOnly -Value "Not Applicable" -Force
    $log += $ourobject
    $TotNo = "Enabled-No Policy Configured"

    Add-Content -Path $TestCSVFile -Value "B2BManagementPolicy,Not Configured"
}

# Show the result on screen as well as in the CSV
$log | Format-Table -AutoSize

SmartProfiler and CIS Benchmark for Office 365 Foundation

SmartProfiler is a tool that has been specifically developed to support CIS Standards for Office 365 Foundation (M365) and Microsoft Azure. It is worth noting that SmartProfiler provides a more comprehensive set of tests than the CIS Benchmark for Office 365 Foundation, offering a total of 138 tests across all relevant categories. While the CIS benchmark provides only 87 tests, SmartProfiler’s additional 51 tests are specifically designed by the DynamicPacks Technologies Office 365 team to ensure that every aspect of Office 365 is covered.

As an experienced provider of Office 365 services, we have worked with clients across the globe to develop tests that address Office 365 misconfigurations and other common issues. With SmartProfiler, our clients can rest assured that they are receiving the most comprehensive suite of tests available for Office 365 environments.

The PowerShell script provided as part of this article is also included in SmartProfiler for Office 365 Assessment Tool.