diff --git a/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md b/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md index 2bf6b5366a..c31affcceb 100644 --- a/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md +++ b/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md @@ -19,7 +19,7 @@ This cmdlet was introduced in Lync Server 2010. ### Identity (Default) ``` -Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-EnableAcsFederationAccess ] +Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-CommunicationWithExternalOrgs ] [-AllowedExternalDomains ] [-BlockedExternalDomains ] [-EnableAcsFederationAccess ] [-EnableXmppAccess ] [-EnablePublicCloudAccess ] [-EnablePublicCloudAudioVideoAccess ] [-EnableTeamsConsumerAccess ] [-EnableTeamsConsumerInbound ] [-EnableOutsideAccess ] [[-Identity] ] [-RestrictTeamsConsumerAccessToExternalUserProfiles ] [-EnableTeamsSmsAccess ] @@ -28,7 +28,7 @@ Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFede ### Instance ``` -Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-EnableAcsFederationAccess ] +Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-CommunicationWithExternalOrgs ] [-AllowedExternalDomains ] [-BlockedExternalDomains ] [-EnableAcsFederationAccess ] [-EnableXmppAccess ] [-EnablePublicCloudAccess ] [-RestrictTeamsConsumerAccessToExternalUserProfiles ] [-EnableTeamsSmsAccess ] [-EnablePublicCloudAudioVideoAccess ] [-EnableTeamsConsumerAccess ] [-EnableTeamsConsumerInbound ] [-EnableOutsideAccess ] [-Instance ] 
@@ -118,6 +118,14 @@ New-CsExternalAccessPolicy -Identity AcsFederationNotAllowed -EnableAcsFederatio In this example, the Global policy is updated to allow Teams-ACS federation for all users, then a new external access policy instance is created with Teams-ACS federation disabled and which can then be assigned to selected users for which Team-ACS federation will not be allowed. +### -------------------------- Example 6 ------------------------ +``` +New-CsExternalAccessPolicy -Identity GranularFederationExample -CommunicationWithExternalOrgs "AllowSpecificExternalDomains" -AllowedExternalDomains @("example1.com", "example2.com") +Set-CsTenantFederationConfiguration -CustomizeFederation $true +``` + +In this example, we create an ExternalAccessPolicy named "GranularFederationExample" that allows communication with specific external domains, namely `example1.com` and `example2.com`. The federation policy is set to restrict communication to only these allowed domains. After that, we still have to enable the `CustomizeFederation` setting in the TenantFederationConfiguration to allow the federation settings as defined in the ExternalAccessPolicy to work. + ## PARAMETERS ### -Identity 
@@ -194,6 +202,56 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -CommunicationWithExternalOrgs +Indicates how the users get assigned by this policy can communicate with the external orgs. There are 5 options: +* OrganizationDefault: the users of this policy will follow the federation settings defined in TenantFederationConfiguration +* AllowAllExternalDomains: the users are open to communicate with all domains +* AllowSpecificExternalDomains: the users can only communicate with the users of the domains defined in `AllowedExternalDomains` +* BlockSpecificExternalDomains: only users from the domains defined in `BlockedExternalDomains` are blocked from communicating with the users of this policy +* BlockAllExternalDomains: the users are not able to communicate with any external domains +```yaml +Type: String +Parameter Sets: (All) +Aliases: +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 + +Required: False +Position: Named +Default value: OrganizationDefault +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllowedExternalDomains +Indicates the domains that are allowed to communicate with the users of this policy. This is referenced only when `CommunicationWithExternalOrgs` is set to be `AllowSpecificExternalDomains` +```yaml +Type: List +Parameter Sets: (All) +Aliases: +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BlockedExternalDomains +Indicates the domains that are blocked from communicating with the users of this policy. 
This is referenced only when `CommunicationWithExternalOrgs` is set to be `BlockSpecificExternalDomains` +```yaml +Type: List +Parameter Sets: (All) +Aliases: +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -EnableAcsFederationAccess Indicates whether Teams meeting organized by the user can be joined by users of customer applications built using Azure Communication Services (ACS). This policy setting only applies if ACS Teams federation has been enabled at the tenant level using the cmdlet Set-CsTeamsAcsFederationConfiguration. diff --git a/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md index 0c2e146d71..a34da336e3 100644 --- a/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md @@ -24,7 +24,7 @@ Set-CsTenantFederationConfiguration [-Tenant ] [-AllowedDomains ] [-BlockedDomains ] [-BlockAllSubdomains ] [-AllowFederatedUsers ] [-AllowPublicUsers ] [-AllowTeamsConsumer ] [-AllowTeamsConsumerInbound ] [-TreatDiscoveredPartnersAsUnverified ] [-SharedSipAddressSpace ] [-RestrictTeamsConsumerToExternalUserProfiles ] - [-AllowedDomainsAsAList ] [-ExternalAccessWithTrialTenants ] + [-AllowedDomainsAsAList ] [-ExternalAccessWithTrialTenants ] [-CustomizeFederation ] [[-Identity] ] [-Force] [-WhatIf] [-Confirm] [] ``` 
@@ -33,7 +33,7 @@ Set-CsTenantFederationConfiguration [-Tenant ] Set-CsTenantFederationConfiguration [-Tenant ] [-AllowedDomains ] [-BlockedDomains ] [-BlockAllSubdomains ] [-AllowFederatedUsers ] [-AllowPublicUsers ] [-TreatDiscoveredPartnersAsUnverified ] [-SharedSipAddressSpace ] [-RestrictTeamsConsumerToExternalUserProfiles ] - [-AllowedDomainsAsAList ] [-Instance ] [-Force] [-WhatIf] [-Confirm] [] + [-AllowedDomainsAsAList ] [-CustomizeFederation ] [-Instance ] [-Force] [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION @@ -175,6 +175,13 @@ Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed" Example 11 shows how you can allow users to communicate with users in tenants that contain only trial licenses (default value is Blocked). +### -------------------------- Example 12 ------------------------- +``` +Set-CsTenantFederationConfiguration -CustomizeFederation $True +``` + +Example 12 shows how you can enable the feature where you can customize your federation in ExternalAccessPolicy. + ## PARAMETERS @@ -484,6 +491,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -CustomizeFederation +Defines if we enable more customized federation settings in ExternalAccessPolicy or not. For example, when this is true, if the `AllowedDomains` includes [a.com, b.com], but the `AllowedExternalDomains` of the ExternalAccessPolicy includes [c.com], then users assigned by the ExternalAccessPolicy will only be allowed to access c.com, all other users will have access to a.com and b.com as defined in `AllowedDomains`. +Possible values: True, False + +```yaml +Type: Boolean +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WhatIf Describes what would happen if you executed the command without actually executing the command.
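Review bot: In the Example 6 hunk of Set-CsExternalAccessPolicy.md, the example stops before the policy is assigned to anyone and enables `CustomizeFederation` only as its last step, so a reader who runs just the first line ends up with a restriction that is not enforced. Suggest stating in the explanatory paragraph that the allow list has no effect until `CustomizeFederation` is `$true` and the policy is assigned to users, and consider putting the `Set-CsTenantFederationConfiguration -CustomizeFederation $true` line first. Style: the heading uses a different number of trailing dashes than the Example 12 heading added in the other file, and the two examples spell the value as `$true` and `$True`; pick one form for both.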
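Review bot: In the parameter hunk that adds `-CommunicationWithExternalOrgs`, `-AllowedExternalDomains` and `-BlockedExternalDomains`, none of the three descriptions mentions the dependency on the tenant-level `CustomizeFederation` setting that Example 6 says is required. An administrator reading only this section could set `BlockAllExternalDomains` and assume it is enforced. Suggest adding that sentence to `-CommunicationWithExternalOrgs` at least, and documenting what happens when `AllowSpecificExternalDomains` is selected with an empty `AllowedExternalDomains`. Also check the metadata: all three blocks carry `Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019`, while the `-CustomizeFederation` block in the other file has no `Applicable` line, and `Type: List` gives no element type. The two list descriptions end without a period, and "the users get assigned by this policy" should read "the users assigned this policy".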
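Review bot: In the Example 12 hunk of Set-CsTenantFederationConfiguration.md, the explanation "enable the feature where you can customize your federation in ExternalAccessPolicy" does not say what changes for users. Since `-CommunicationWithExternalOrgs` defaults to `OrganizationDefault`, which follows the tenant settings, it would help to say that this switch only changes behavior for users whose policy sets a non-default `CommunicationWithExternalOrgs` value, and to point to the `Set-CsExternalAccessPolicy` example that creates such a policy.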
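Review bot: In the `-CustomizeFederation` parameter hunk, the description's example has a policy allowing c.com while the tenant `AllowedDomains` holds only a.com and b.com, which means the per-policy list replaces the tenant allow list instead of narrowing it, but the text never says so. Because a policy can therefore open a domain the tenant list does not include, please state the precedence explicitly, including how a per-policy allow list interacts with the tenant `BlockedDomains`, and say what happens to per-policy settings when the value is `False`. The example should also name the `CommunicationWithExternalOrgs` value it assumes (`AllowSpecificExternalDomains`), and the sentence ending "only be allowed to access c.com, all other users will have access" is a comma splice that reads better as two sentences.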