From 79785913ce01ded1c76819177a62345cba7ae938 Mon Sep 17 00:00:00 2001 From: Krammer Liu <99905184+krammerliu@users.noreply.github.com> Date: Fri, 27 Sep 2024 16:46:47 -0700 Subject: [PATCH 1/4] Update Set-CsTenantFederationConfiguration.md add CustomizeFederation parameter --- .../Set-CsTenantFederationConfiguration.md | 27 +++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md index 0c2e146d71..25763108d7 100644 --- a/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md @@ -24,7 +24,7 @@ Set-CsTenantFederationConfiguration [-Tenant ] [-AllowedDomains ] [-BlockedDomains ] [-BlockAllSubdomains ] [-AllowFederatedUsers ] [-AllowPublicUsers ] [-AllowTeamsConsumer ] [-AllowTeamsConsumerInbound ] [-TreatDiscoveredPartnersAsUnverified ] [-SharedSipAddressSpace ] [-RestrictTeamsConsumerToExternalUserProfiles ] - [-AllowedDomainsAsAList ] [-ExternalAccessWithTrialTenants ] + [-AllowedDomainsAsAList ] [-ExternalAccessWithTrialTenants ] [-CustomizeFederation ] [[-Identity] ] [-Force] [-WhatIf] [-Confirm] [] ``` @@ -33,7 +33,7 @@ Set-CsTenantFederationConfiguration [-Tenant ] Set-CsTenantFederationConfiguration [-Tenant ] [-AllowedDomains ] [-BlockedDomains ] [-BlockAllSubdomains ] [-AllowFederatedUsers ] [-AllowPublicUsers ] [-TreatDiscoveredPartnersAsUnverified ] [-SharedSipAddressSpace ] [-RestrictTeamsConsumerToExternalUserProfiles ] - [-AllowedDomainsAsAList ] [-Instance ] [-Force] [-WhatIf] [-Confirm] [] + [-AllowedDomainsAsAList ] [-CustomizeFederation ] [-Instance ] [-Force] [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION 
@@ -175,6 +175,13 @@ Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed" Example 11 shows how you can allow users to communicate with users in tenants that contain only trial licenses (default value is Blocked). +### -------------------------- Example 12 ------------------------- +``` +Set-CsTenantFederationConfiguration -CustomizeFederation $True +``` + +Example 12 shows how you can enable the feature where you can customize your federation in ExternalAccessPolicy. + ## PARAMETERS @@ -484,6 +491,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -CustomizeFederation +Defines if we enable more customized federation settings in ExternalAccessPolicy or not. For example, when this is true, if the `AllowedDomains` includes [a.com, b.com], but the `AllowedExternalDomains` of the ExternalAccessPolicy includes [c.com], then users assigned by the ExternalAccessPolicy will only be allowed to access c.com, all other users will have access to a.com and b.com as defined in `AllowedDomains`. +Possible values: True, False + +```yaml +Type: Boolean +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WhatIf Describes what would happen if you executed the command without actually executing the command. From 879885eb3dc7aec6f11a154baccb925496335c69 Mon Sep 17 00:00:00 2001 From: Krammer Liu <99905184+krammerliu@users.noreply.github.com> Date: Mon, 30 Sep 2024 14:24:08 -0700 Subject: [PATCH 2/4] Update Set-CsExternalAccessPolicy.md add granular federation fields --- .../teams/Set-CsExternalAccessPolicy.md | 62 ++++++++++++++++++- 1 file changed, 60 insertions(+), 2 deletions(-) diff --git a/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md b/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md index 2bf6b5366a..91387af956 100644 --- a/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md 
+++ b/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md @@ -19,7 +19,7 @@ This cmdlet was introduced in Lync Server 2010. ### Identity (Default) ``` -Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-EnableAcsFederationAccess ] +Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-CommunicationWithExternalOrgs ] [-AllowedExternalDomains ] [-BlockedExternalDomains ] [-EnableAcsFederationAccess ] [-EnableXmppAccess ] [-EnablePublicCloudAccess ] [-EnablePublicCloudAudioVideoAccess ] [-EnableTeamsConsumerAccess ] [-EnableTeamsConsumerInbound ] [-EnableOutsideAccess ] [[-Identity] ] [-RestrictTeamsConsumerAccessToExternalUserProfiles ] [-EnableTeamsSmsAccess ] @@ -28,7 +28,7 @@ Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFede ### Instance ``` -Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-EnableAcsFederationAccess ] +Set-CsExternalAccessPolicy [-Tenant ] [-Description ] [-EnableFederationAccess ] [-CommunicationWithExternalOrgs ] [-AllowedExternalDomains ] [-BlockedExternalDomains ] [-EnableAcsFederationAccess ] [-EnableXmppAccess ] [-EnablePublicCloudAccess ] [-RestrictTeamsConsumerAccessToExternalUserProfiles ] [-EnableTeamsSmsAccess ] [-EnablePublicCloudAudioVideoAccess ] [-EnableTeamsConsumerAccess ] [-EnableTeamsConsumerInbound ] [-EnableOutsideAccess ] [-Instance ] 
@@ -118,6 +118,14 @@ New-CsExternalAccessPolicy -Identity AcsFederationNotAllowed -EnableAcsFederatio In this example, the Global policy is updated to allow Teams-ACS federation for all users, then a new external access policy instance is created with Teams-ACS federation disabled and which can then be assigned to selected users for which Team-ACS federation will not be allowed. +### -------------------------- Example 6 ------------------------ +``` +New-CsExternalAccessPolicy -Identity GranularFederationExample -CommunicationWithExternalOrgs "AllowSpecificExternalDomains" -AllowedExternalDomains @("example1.com", "example2.com") +Set-CsTenantFederationConfiguration -CustomizeFederation $true +``` + +In this example, we create an ExternalAccessPolicy named "GranularFederationExample" that allows communication with specific external domains, namely `example1.com` and `example2.com`. The federation policy is set to restrict communication to only these allowed domains. After that, we still have to enable the `CustomizeFederation` setting in the TenantFederationConfiguration to allow the federation settings as defined in the ExternalAccessPolicy to work. + ## PARAMETERS ### -Identity 
@@ -194,6 +202,56 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -CommunicationWithExternalOrgs +Indicates how the users get assigned by this policy can communicate with the external orgs. There are 5 options: +* OrganizationDefault: the users of this policy will follow the federation settings defined in TenantFederationConfiguration +* AllowAllExternalDomains: the users are open to communicate with all domains +* AllowSpecificExternalDomains: the users can only communicate with the users of the domains defined in `AllowedExternalDomains` +* BlockSpecificExternalDomains: only users from the domains defined in `BlockedExternalDomains` are blocked from communicating with the users of this policy +* BlockAllExternalDomains: the users are not able to communicate with any external domains +```yaml +Type: String +Parameter Sets: (All) +Aliases: +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Online, Skype for Business Server 2015, Skype for Business Server 2019 + +Required: False +Position: Named +Default value: OrganizationDefault +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllowedExternalDomains +Indicates the domains that are allowed to communicate with the users of this policy. This is referenced only when `CommunicationWithExternalOrgs` is set to be `AllowSpecificExternalDomains` +```yaml +Type: List +Parameter Sets: (All) +Aliases: +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Online, Skype for Business Server 2015, Skype for Business Server 2019 + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BlockedExternalDomains +Indicates the domains that are blocked from communicating with the users of this policy. 
This is referenced only when `CommunicationWithExternalOrgs` is set to be `BlockSpecificExternalDomains` +```yaml +Type: List +Parameter Sets: (All) +Aliases: +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Online, Skype for Business Server 2015, Skype for Business Server 2019 + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -EnableAcsFederationAccess Indicates whether Teams meeting organized by the user can be joined by users of customer applications built using Azure Communication Services (ACS). This policy setting only applies if ACS Teams federation has been enabled at the tenant level using the cmdlet Set-CsTeamsAcsFederationConfiguration. From 8f0e276a4a237463369dc978271ff36ec114af88 Mon Sep 17 00:00:00 2001 From: Krammer Liu <99905184+krammerliu@users.noreply.github.com> Date: Mon, 30 Sep 2024 14:25:46 -0700 Subject: [PATCH 3/4] Update Set-CsTenantFederationConfiguration.md update the default value of CustomizeFederation --- teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md index 25763108d7..a34da336e3 100644 --- a/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md @@ -502,7 +502,7 @@ Aliases: Required: False Position: Named -Default value: None +Default value: False Accept pipeline input: False Accept wildcard characters: False ``` From 96a32ee498e140b0ae5b165e62f1f992976539f9 Mon Sep 17 00:00:00 2001 
From: Krammer Liu <99905184+krammerliu@users.noreply.github.com> Date: Tue, 1 Oct 2024 21:37:53 -0700 Subject: [PATCH 4/4] remove Skype for Business Online remove "Skype for Business Online" based on a feedback --- teams/teams-ps/teams/Set-CsExternalAccessPolicy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md b/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md index 91387af956..c31affcceb 100644 --- a/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md +++ b/teams/teams-ps/teams/Set-CsExternalAccessPolicy.md @@ -213,7 +213,7 @@ Indicates how the users get assigned by this policy can communicate with the ext Type: String Parameter Sets: (All) Aliases: -Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Online, Skype for Business Server 2015, Skype for Business Server 2019 +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 Required: False Position: Named @@ -228,7 +228,7 @@ Indicates the domains that are allowed to communicate with the users of this pol Type: List Parameter Sets: (All) Aliases: -Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Online, Skype for Business Server 2015, Skype for Business Server 2019 +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 Required: False Position: Named @@ -243,7 +243,7 @@ Indicates the domains that are blocked from communicating with the users of this Type: List Parameter Sets: (All) Aliases: -Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Online, Skype for Business Server 2015, Skype for Business Server 2019 +Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 Required: False Position: Named
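
Review bot: Example 12 in Set-CsTenantFederationConfiguration.md (PATCH 1/4, hunk `@@ -175,6 +175,13 @@`) turns the switch on without telling the reader which policy fields it activates; "customize your federation in ExternalAccessPolicy" is too vague for someone auditing external access. Suggest naming `CommunicationWithExternalOrgs`, `AllowedExternalDomains` and `BlockedExternalDomains` in the sentence and pointing to Set-CsExternalAccessPolicy. Minor: this example writes `$True` while Example 6 in PATCH 2/4 writes `$true`; pick one casing across both files.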
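
Review bot: The `-CustomizeFederation` description added in PATCH 1/4 (hunk `@@ -484,6 +491,22 @@`) never states what happens when the value is False, and its a.com/b.com/c.com example leaves out the precondition that PATCH 2/4 documents: `AllowedExternalDomains` is referenced only when `CommunicationWithExternalOrgs` is `AllowSpecificExternalDomains`. As written, an administrator can set a restrictive per-policy list and assume it is enforced while the tenant switch is still off. Suggest saying explicitly that with False the per-policy fields are not applied and `AllowedDomains` governs every user, and adding the required `CommunicationWithExternalOrgs` value to the example. The sentence also has a comma splice at "access c.com, all other users"; split it into two sentences.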
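
Review bot: Example 6 in Set-CsExternalAccessPolicy.md (PATCH 2/4, hunk `@@ -118,6 +118,14 @@`) ends after creating the policy and enabling `CustomizeFederation`, so it never shows the policy applying to anyone, although the `-CustomizeFederation` description in PATCH 1/4 says the restriction affects "users assigned by the ExternalAccessPolicy". Suggest adding the assignment step, or at least a sentence that the new policy has no effect until it is assigned to users. The sentence "The federation policy is set to restrict communication to only these allowed domains." repeats the one before it and can be dropped.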
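
Review bot: None of the three parameter descriptions added in PATCH 2/4 (hunk `@@ -194,6 +202,56 @@`) mentions the dependency on `Set-CsTenantFederationConfiguration -CustomizeFederation $true`, which Example 6 of the same patch says is required for these settings to work. A reader who lands on `-CommunicationWithExternalOrgs` alone would take `BlockAllExternalDomains` to be effective by itself. Suggest adding one sentence about the tenant-level switch to each of `-CommunicationWithExternalOrgs`, `-AllowedExternalDomains` and `-BlockedExternalDomains`. Smaller points in the same hunk: `Type: List` does not give an element type although Example 6 passes an array of strings; the descriptions run straight into the yaml fence with no blank line, unlike the `-CustomizeFederation` block in PATCH 1/4; "how the users get assigned by this policy" should read "how the users assigned this policy"; and the last two descriptions lack a closing period.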
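
Review bot: After PATCH 4/4 the `Applicable:` line for all three new parameters lists only Lync Server 2010, Lync Server 2013 and Skype for Business Server 2015/2019, yet the file lives under teams/teams-ps/teams and Example 6 in PATCH 2/4 makes the parameters depend on a setting in TenantFederationConfiguration. Please confirm the on-premises products actually honour these parameters; if they do not, the line should name the product where they apply instead of only dropping "Skype for Business Online", otherwise on-premises administrators may rely on a restriction that is never evaluated.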