From 08cebb60ed43b2088d7cb20f15b374ab1850ece8 Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 26 Aug 2025 17:47:52 -0700 Subject: [PATCH 01/14] Update Set-CsExternalAccessPolicy.md Updating to Public Preview and adding dependency on TenantFederationSettings in the description --- .../MicrosoftTeams/Set-CsExternalAccessPolicy.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md b/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md index 44a3aaa384..93543c9d97 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md @@ -91,7 +91,10 @@ This enables your users to use Skype for Business and log on to Skype for Busine After an external access policy has been created, you can use the `Set-CsExternalAccessPolicy` cmdlet to change the property values of that policy. For example, by default the global policy does not allow users to communicate with people who have accounts with a federated organization. -If you would like to grant this capability to all of your users you can call the `Set-CsExternalAccessPolicy` cmdlet and set the value of the global policy's EnableFederationAccess property to True. +If you would like to grant this capability to all of your users you can call the `Set-CsExternalAccessPolicy` cmdlet and set the value of the global policy's EnableFederationAccess property to True. + +> [!NOTE] +> For the domain settings defined under ExternalAccessPolicy to be applied, the value of the property AllowedFederatedUsers under TenantFederationConfiguration should be set to True for the Tenant. ## EXAMPLES 
@@ -152,7 +155,7 @@ In this example, we create an ExternalAccessPolicy named "GranularFederationExam > Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 > [!NOTE] -> Please note that this parameter is in Private Preview. +> Please note that this parameter is in Public Preview. Specifies the external domains allowed to communicate with users assigned to this policy. This setting is applicable only when `CommunicationWithExternalOrgs` is configured to `AllowSpecificExternalDomains`. This setting can be modified only in custom policy. In Global (default) policy `CommunicationWithExternalOrgs` can only be set to `OrganizationDefault` and cannot be changed. ```yaml @@ -172,7 +175,7 @@ Accept wildcard characters: False > Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 > [!NOTE] -> Please note that this parameter is in Private Preview. +> Please note that this parameter is in Public Preview. Specifies the external domains blocked from communicating with users assigned to this policy. This setting is applicable only when `CommunicationWithExternalOrgs` is configured to `BlockSpecificExternalDomains`. This setting can be modified only in custom policy. In Global (default) policy `CommunicationWithExternalOrgs` can only be set to `OrganizationDefault` and cannot be changed. ```yaml @@ -192,7 +195,7 @@ Accept wildcard characters: False > Applicable: Lync Server 2010, Lync Server 2013, Skype for Business Server 2015, Skype for Business Server 2019 > [!NOTE] -> Please note that this parameter is in Private Preview. +> Please note that this parameter is in Public Preview. Indicates how the users get assigned by this policy can communicate with the external orgs. There are 5 options: From 94d8f29e8ef5cd4b71c0966a8f5adec84a634db2 Mon Sep 17 00:00:00 2001 
From: d-chetan Date: Tue, 2 Sep 2025 10:36:18 -0700 Subject: [PATCH 02/14] Update Set-CsTenantFederationConfiguration.md Updating reliance on AllowFederatedUsers --- .../MicrosoftTeams/Set-CsTenantFederationConfiguration.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md index cdc8e8077b..8f47d4061a 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md @@ -234,7 +234,7 @@ If the `New-CsEdgeAllowList` cmdlet is used then users can only communicate with Note that string values cannot be passed directly to the AllowedDomains parameter. Instead, you must create an object reference using the `New-CsEdgeAllowList` cmdlet or the `New-CsEdgeAllowAllKnownDomains` cmdlet and then use the object reference variable as the parameter value. -The AllowedDomains parameter can support up to 4,000 domains. +The AllowedDomains parameter can support up to 4,000 domains. Please note that the property AllowFederatedUsers must be set to True for values under AllowedDomains to be considered. ```yaml Type: Boolean 
@@ -294,7 +294,9 @@ Accept wildcard characters: False > Applicable: Microsoft Teams When set to True (the default value) users will be potentially allowed to communicate with users from other domains. -If this property is set to False then users cannot communicate with users from other domains regardless of the values assigned to the AllowedDomains and BlockedDomains properties. +If this property is set to False then users cannot communicate with users from other domains, regardless of the values assigned to the AllowedDomains and BlockedDomains properties or any instances of the ExternalAccessPolicy. In effect, the AllowFederatedUsers property serves as a master switch that globally enables or disables federation across the Tenant, overridding all other policy settings. + +To block all domains while selectively allowing specific users to communicate externally via explicit ExternalAccessPolicy instances, set AllowFederatedUsers to True and leave the AllowedDomains property empty. ```yaml Type: Boolean From c16099fb7f1ea01fcfedbbbfbf15f74116de7750 Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 10:43:16 -0700 Subject: [PATCH 03/14] Update Set-CsTenantFederationConfiguration.md Updating reliance on AllowFederatedUsers --- .../Set-CsTenantFederationConfiguration.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md index 8f47d4061a..25da4b5274 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md 
@@ -234,7 +234,8 @@ If the `New-CsEdgeAllowList` cmdlet is used then users can only communicate with Note that string values cannot be passed directly to the AllowedDomains parameter. Instead, you must create an object reference using the `New-CsEdgeAllowList` cmdlet or the `New-CsEdgeAllowAllKnownDomains` cmdlet and then use the object reference variable as the parameter value. -The AllowedDomains parameter can support up to 4,000 domains. Please note that the property AllowFederatedUsers must be set to True for values under AllowedDomains to be considered. +The AllowedDomains parameter can support up to 4,000 domains. +**Important:** The _AllowFederatedUsers_ property must be set to _True_ for the _AllowedDomains_ list to take effect. If _AllowFederatedUsers_ is set to _False_, users will be blocked from communicating with all external domains regardless of the values in _AllowedDomains_ or any _ExternalAccessPolicy_ instance. ```yaml Type: Boolean 
@@ -294,9 +295,9 @@ Accept wildcard characters: False > Applicable: Microsoft Teams When set to True (the default value) users will be potentially allowed to communicate with users from other domains. -If this property is set to False then users cannot communicate with users from other domains, regardless of the values assigned to the AllowedDomains and BlockedDomains properties or any instances of the ExternalAccessPolicy. In effect, the AllowFederatedUsers property serves as a master switch that globally enables or disables federation across the Tenant, overridding all other policy settings. +If this property is set to False then users cannot communicate with users from other domains, regardless of the values assigned to the _AllowedDomains_ and _BlockedDomains_ properties or any _ExternalAccessPolicy_ instances. In effect, the _AllowFederatedUsers_ property serves as a master switch that globally enables or disables federation across the Tenant, overridding all other policy settings. -To block all domains while selectively allowing specific users to communicate externally via explicit ExternalAccessPolicy instances, set AllowFederatedUsers to True and leave the AllowedDomains property empty. +To block all domains while selectively allowing specific users to communicate externally via explicit _ExternalAccessPolicy_ instances, set _AllowFederatedUsers_ to _True_ and leave the _AllowedDomains_ property empty. ```yaml Type: Boolean 
@@ -367,7 +368,9 @@ Accept wildcard characters: False If the AllowedDomains property has been set to AllowAllKnownDomains, then users will be allowed to communicate with users from any domain except domains that appear in the blocked domains list. If the AllowedDomains property has not been set to AllowAllKnownDomains, then the blocked list is ignored, and users can only communicate with domains that have been expressly added to the allowed domains list. + The BlockedDomains parameter can support up to 4,000 domains. +**Important:** The _AllowFederatedUsers_ property must be set to _True_ for the _BlockedDomains_ list to take effect. If _AllowFederatedUsers_ is set to _False_, users will be blocked from communicating with all external domains regardless of the values in _BlockedDomains_ or any _ExternalAccessPolicy_ instance. ```yaml Type: List From fa99734a4089273b80ba9fcddb41c1f7a9b1a68f Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 10:47:54 -0700 Subject: [PATCH 04/14] Update New-CsEdgeDomainPattern.md Updating reliance on value of AllowFederatedUsers --- teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md index b4707cac30..25f7bbd78a 100644 --- a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md +++ b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md 
@@ -37,7 +37,8 @@ Whether or not users can communicate with people who have accounts on public IM Federation is managed, in part, by using allowed domain and blocked domain lists. The allowed domain list specifies the domains that users are allowed to communicate with; the blocked domain list specifies the domains that users are not allowed to communicate with. By default, users can communicate with any domain that does not appear on the blocked list. -However, administrators can modify this default setting and limit communication to domains that are on the allowed domains list. +However, administrators can modify this default setting and limit communication to domains that are on the allowed domains list. +**Important:** The _AllowFederatedUsers_ property must be set to _True_ for the _AllowedDomains_ or _BlockedDomains_ list to take effect. If _AllowFederatedUsers_ is set to _False_, users will be blocked from communicating with all external domains regardless of the values in _AllowedDomains_, _BlockedDomains_ or any _ExternalAccessPolicy_ instance. Skype for Business Online does not allow you to directly modify the allowed list or the blocked list; for example, you cannot use a command similar to this one, which passes a string value representing a domain name to the blocked domains list: From 40e3348e7c37aa7b93285eba56971c25cbd51fb8 Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 11:01:48 -0700 Subject: [PATCH 05/14] Update Set-CsExternalAccessPolicy.md Updating formatting for AllowFederatedUser changes --- teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md b/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md index 93543c9d97..e5d3cef57b 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md 
@@ -94,7 +94,7 @@ For example, by default the global policy does not allow users to communicate wi If you would like to grant this capability to all of your users you can call the `Set-CsExternalAccessPolicy` cmdlet and set the value of the global policy's EnableFederationAccess property to True. > [!NOTE] -> For the domain settings defined under ExternalAccessPolicy to be applied, the value of the property AllowedFederatedUsers under TenantFederationConfiguration should be set to True for the Tenant. +> For the domain settings defined under `AllowFederatedUsers` to be applied, the value of the property `AllowedFederatedUsers` under `TenantFederationConfiguration` should be set to `True` for the Tenant. ## EXAMPLES From 139b2ee8aacb47665793680dc944f02b84291e2c Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 11:08:57 -0700 Subject: [PATCH 06/14] Update Set-CsTenantFederationConfiguration.md Updating formatting for the ALlowFederatedUser update --- .../MicrosoftTeams/Set-CsTenantFederationConfiguration.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md index 25da4b5274..eb49818f85 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md 
@@ -235,7 +235,7 @@ Note that string values cannot be passed directly to the AllowedDomains paramete Instead, you must create an object reference using the `New-CsEdgeAllowList` cmdlet or the `New-CsEdgeAllowAllKnownDomains` cmdlet and then use the object reference variable as the parameter value. The AllowedDomains parameter can support up to 4,000 domains. -**Important:** The _AllowFederatedUsers_ property must be set to _True_ for the _AllowedDomains_ list to take effect. If _AllowFederatedUsers_ is set to _False_, users will be blocked from communicating with all external domains regardless of the values in _AllowedDomains_ or any _ExternalAccessPolicy_ instance. +**Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. ```yaml Type: Boolean 
@@ -295,9 +295,9 @@ Accept wildcard characters: False > Applicable: Microsoft Teams When set to True (the default value) users will be potentially allowed to communicate with users from other domains. -If this property is set to False then users cannot communicate with users from other domains, regardless of the values assigned to the _AllowedDomains_ and _BlockedDomains_ properties or any _ExternalAccessPolicy_ instances. In effect, the _AllowFederatedUsers_ property serves as a master switch that globally enables or disables federation across the Tenant, overridding all other policy settings. +If this property is set to False then users cannot communicate with users from other domains, regardless of the values assigned to the `AllowedDomains` and `BlockedDomains` properties or any `ExternalAccessPolicy` instances. In effect, the `AllowFederatedUsers` property serves as a master switch that globally enables or disables federation across the Tenant, overridding all other policy settings. -To block all domains while selectively allowing specific users to communicate externally via explicit _ExternalAccessPolicy_ instances, set _AllowFederatedUsers_ to _True_ and leave the _AllowedDomains_ property empty. +To block all domains while selectively allowing specific users to communicate externally via explicit `ExternalAccessPolicy` instances, set `AllowFederatedUsers` to `True` and leave the `AllowedDomains` property empty. ```yaml Type: Boolean 
@@ -370,7 +370,7 @@ If the AllowedDomains property has been set to AllowAllKnownDomains, then users If the AllowedDomains property has not been set to AllowAllKnownDomains, then the blocked list is ignored, and users can only communicate with domains that have been expressly added to the allowed domains list. The BlockedDomains parameter can support up to 4,000 domains. -**Important:** The _AllowFederatedUsers_ property must be set to _True_ for the _BlockedDomains_ list to take effect. If _AllowFederatedUsers_ is set to _False_, users will be blocked from communicating with all external domains regardless of the values in _BlockedDomains_ or any _ExternalAccessPolicy_ instance. +**Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. ```yaml Type: List From 43e1fd63774044100be04afb8c97ff2487bb22a0 Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 11:09:29 -0700 Subject: [PATCH 07/14] Update New-CsEdgeDomainPattern.md Updating formatting for the AllowFederatedUser update --- teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md index 25f7bbd78a..a2a8abddc3 100644 --- a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md +++ b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md 
@@ -38,7 +38,7 @@ Federation is managed, in part, by using allowed domain and blocked domain lists The allowed domain list specifies the domains that users are allowed to communicate with; the blocked domain list specifies the domains that users are not allowed to communicate with. By default, users can communicate with any domain that does not appear on the blocked list. However, administrators can modify this default setting and limit communication to domains that are on the allowed domains list. -**Important:** The _AllowFederatedUsers_ property must be set to _True_ for the _AllowedDomains_ or _BlockedDomains_ list to take effect. If _AllowFederatedUsers_ is set to _False_, users will be blocked from communicating with all external domains regardless of the values in _AllowedDomains_, _BlockedDomains_ or any _ExternalAccessPolicy_ instance. +**Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. Skype for Business Online does not allow you to directly modify the allowed list or the blocked list; for example, you cannot use a command similar to this one, which passes a string value representing a domain name to the blocked domains list: From 2c657e13e75bb0e8d0234ad7aee8d375f4dba34a Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 11:10:00 -0700 Subject: [PATCH 08/14] Update New-CsEdgeDomainPattern.md --- teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md | 1 + 1 file changed, 1 insertion(+) diff --git a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md index a2a8abddc3..0c40e7f629 100644 --- a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md +++ b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md 
@@ -38,6 +38,7 @@ Federation is managed, in part, by using allowed domain and blocked domain lists The allowed domain list specifies the domains that users are allowed to communicate with; the blocked domain list specifies the domains that users are not allowed to communicate with. By default, users can communicate with any domain that does not appear on the blocked list. However, administrators can modify this default setting and limit communication to domains that are on the allowed domains list. + **Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. Skype for Business Online does not allow you to directly modify the allowed list or the blocked list; for example, you cannot use a command similar to this one, which passes a string value representing a domain name to the blocked domains list: From 3ae4c6d050b16540b5d695d3a96df4154063d329 Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 11:11:14 -0700 Subject: [PATCH 09/14] Update Set-CsTenantFederationConfiguration.md --- .../MicrosoftTeams/Set-CsTenantFederationConfiguration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md index eb49818f85..bb7ca0d260 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md 
@@ -235,6 +235,7 @@ Note that string values cannot be passed directly to the AllowedDomains paramete Instead, you must create an object reference using the `New-CsEdgeAllowList` cmdlet or the `New-CsEdgeAllowAllKnownDomains` cmdlet and then use the object reference variable as the parameter value. The AllowedDomains parameter can support up to 4,000 domains. + **Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. ```yaml @@ -370,6 +371,7 @@ If the AllowedDomains property has been set to AllowAllKnownDomains, then users If the AllowedDomains property has not been set to AllowAllKnownDomains, then the blocked list is ignored, and users can only communicate with domains that have been expressly added to the allowed domains list. The BlockedDomains parameter can support up to 4,000 domains. + **Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. ```yaml From 272cf388e578fc33f47cd54da8e15ec27bb1a46d Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 11:20:01 -0700 Subject: [PATCH 10/14] Update New-CsEdgeDomainPattern.md Updating additional examples --- .../MicrosoftTeams/New-CsEdgeDomainPattern.md | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md index 0c40e7f629..f323a85a3b 100644 --- a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md 
+++ b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md 
@@ -61,8 +61,30 @@ Set-CsTenantFederationConfiguration -BlockedDomains $x ``` Example 1 demonstrates how you can assign a single domain to the blocked domains list for a specified tenant. -To do this, the first command in the example creates a domain object for the domain fabrikam.com; this is done by calling the New-CsEdgeDomainPattern cmdlet and by saving the resulting domain object in a variable named $x. -The second command then uses the Set-CsTenantFederationConfiguration cmdlet and the BlockedDomains parameter to configure fabrikam.com as the only domain blocked by the current tenant. +To do this, the first command in the example creates a domain object for the domain fabrikam.com; this is done by calling the `New-CsEdgeDomainPattern` cmdlet and by saving the resulting domain object in a variable named $x. +The second command then uses the `Set-CsTenantFederationConfiguration` cmdlet and the `BlockedDomains` parameter to configure fabrikam.com as the only domain blocked by the current tenant. Please note that `AllowFederatedUsers` should be `True` for this to work. + +### Example 2 +``` +$x = New-CsEdgeDomainPattern -Domain "fabrikam.com" + +Set-CsTenantFederationConfiguration -AllowedDomains $x +``` + +Example 2 demonstrates how you can assign a single domain to the allowed domains list for a specified tenant. +To do this, the first command in the example creates a domain object for the domain fabrikam.com; this is done by calling the `New-CsEdgeDomainPattern` cmdlet and by saving the resulting domain object in a variable named $x. +The second command then uses the `Set-CsTenantFederationConfiguration` cmdlet and the `AllowedDomains` parameter to configure fabrikam.com as the only domain allowed by the current tenant. Please note that `AllowFederatedUsers` should be `True` for this to work. 
+ +### Example 3 +``` +$x = New-CsEdgeDomainPattern -Domain "" + +Set-CsTenantFederationConfiguration -AllowedDomains $x +``` + +Example 3 demonstrates how you can block a specified tenant from any external federation. +To do this, the first command in the example creates an empty domain object; this is done by calling the `New-CsEdgeDomainPattern` cmdlet and by saving the resulting domain object in a variable named $x. +The second command then uses the `Set-CsTenantFederationConfiguration` cmdlet and the `AllowedDomains` parameter to configure the current tenant with a Block-All setting. Please note that `AllowFederatedUsers` should be `True` in case you want to allow specific users to be able to communicate externally via `ExternalAccessPolicy` instances. ## PARAMETERS From ed290b2b0773b53d1b1ede78262e1c458f460ed1 Mon Sep 17 00:00:00 2001 From: d-chetan Date: Tue, 2 Sep 2025 11:26:50 -0700 Subject: [PATCH 11/14] Update Set-CsTenantFederationConfiguration.md Adding Block-All example --- .../Set-CsTenantFederationConfiguration.md | 49 +++++++++++-------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md index bb7ca0d260..33fbb02ee3 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md 
@@ -108,17 +108,26 @@ When this command completes, the blocked domain list will be cleared. ### Example 6 ``` +Set-CsTenantFederationConfiguration -AllowedDomains $Null +``` + +Example 6 shows how you can remove all the domains assigned to the allowed domains list for the current tenant, thereby blocking external communication for all users in the Tenant. In case `AllowFederatedUsers` is set to `True`, then explicit `ExternalAccessPolicy` instances can be leveraged to set a per-user federation setting. +To do this, simply include the AllowedDomains parameter and set the parameter value to null ($Null). +When this command completes, the allowed domain list will be cleared. + +### Example 7 +``` $list = New-Object Collections.Generic.List[String] $list.add("contoso.com") $list.add("fabrikam.com") Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list ``` -Example 6 shows how you can replace domains in the Allowed Domains using a List collection object. +Example 7 shows how you can replace domains in the Allowed Domains using a List collection object. First, a List collection is created and domains are added to it, then, simply include the AllowedDomainsAsAList parameter and set the parameter value to the List object. When this command completes, the allowed domains list will be replaced with those domains. -### Example 7 +### Example 8 ``` $list = New-Object Collections.Generic.List[String] $list.add("contoso.com") 
@@ -126,10 +135,10 @@ $list.add("fabrikam.com") Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add=$list} ``` -Example 7 shows how you can add domains to the existing Allowed Domains using a List object. +Example 8 shows how you can add domains to the existing Allowed Domains using a List object. First, a List is created and domains are added to it, then use the Add method in the AllowedDomainsAsAList parameter to add the domains to the existing allowed domains list. When this command completes, the domains in the list will be added to any domains already on the AllowedDomains list. -### Example 8 +### Example 9 ``` $list = New-Object Collections.Generic.List[String] $list.add("contoso.com") 
@@ -137,17 +146,17 @@ $list.add("fabrikam.com") Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Remove=$list} ``` -Example 8 shows how you can remove domains from the existing Allowed Domains using a List object. +Example 9 shows how you can remove domains from the existing Allowed Domains using a List object. First, a List is created and domains are added to it, then use the Remove method in the AllowedDomainsAsAList parameter to remove the domains from the existing allowed domains list. When this command completes, the domains in the list will be removed from the AllowedDomains list. -### Example 9 +### Example 10 ``` Set-CsTenantFederationConfiguration -AllowTeamsConsumer $True -AllowTeamsConsumerInbound $False ``` -The command shown in Example 9 enables communication with people using Teams with an account that's not managed by an organization, to only be initiated by people in your organization. This means that people using Teams with an account that's not managed by an organization will not be able to discover or start a conversation with people in your organization. +The command shown in Example 10 enables communication with people using Teams with an account that's not managed by an organization, to only be initiated by people in your organization. This means that people using Teams with an account that's not managed by an organization will not be able to discover or start a conversation with people in your organization. -### Example 10 +### Example 11 ``` $list = New-Object Collections.Generic.List[String] $list.add("contoso.com") 
@@ -157,20 +166,20 @@ Set-CsTenantFederationConfiguration -BlockedDomains $list Set-CsTenantFederationConfiguration -BlockAllSubdomains $True ``` -Example 10 shows how you can block all subdomains of domains in BlockedDomains list. +Example 11 shows how you can block all subdomains of domains in BlockedDomains list. In this example, all users from contoso.com and fabrikam.com will be blocked. When the BlockAllSubdomains is enabled, all users from all subdomains of all domains in BlockedDomains list will also be blocked. So, users from subdomain.contoso.com and subdomain.fabrikam.com will be blocked. Note: Users from subcontoso.com will not be blocked because it's a completely different domain rather than a subdomain of contoso.com. -### Example 11 +### Example 12 ``` Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed" ``` -Example 11 shows how you can allow users to communicate with users in tenants that contain only trial licenses (default value is Blocked). +Example 12 shows how you can allow users to communicate with users in tenants that contain only trial licenses (default value is Blocked). -### Example 12 +### Example 13 ``` $list = New-Object Collections.Generic.List[String] $list.add("contoso.com") 
@@ -179,20 +188,20 @@ $list.add("fabrikam.com") Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains $list ``` -Using the `AllowedTrialTenantDomains` parameter, you can whitelist specific "trial-only" tenant domains, while keeping the `ExternalAccessWithTrialTenants` set to `Blocked`. Example 12 shows how you can set or replace domains in the Allowed Trial Tenant Domains using a List collection object. +Using the `AllowedTrialTenantDomains` parameter, you can whitelist specific "trial-only" tenant domains, while keeping the `ExternalAccessWithTrialTenants` set to `Blocked`. Example 13 shows how you can set or replace domains in the Allowed Trial Tenant Domains using a List collection object. First, a List collection is created and domains are added to it, then, simply include the `AllowedTrialTenantDomains` parameter and set the parameter value to the List object. When this command completes, the Allowed Trial Tenant Domains list will be replaced with those domains. -### Example 13 +### Example 14 ``` Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains @("contoso.com", "fabrikam.com") ``` -Example 13 shows another way to set a value of `AllowedTrialTenantDomains`. It uses array of objects and it always replaces value of the `AllowedTrialTenantDomains`. When this command completes, the result is the same as in example 12. +Example 14 shows another way to set a value of `AllowedTrialTenantDomains`. It uses array of objects and it always replaces value of the `AllowedTrialTenantDomains`. When this command completes, the result is the same as in example 13. The array of `AllowedTrialTenantDomains` can be emptied by running the following command: `Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains @()`. -### Example 14 +### Example 15 ``` $list = New-Object Collections.Generic.List[String] $list.add("contoso.com") 
@@ -200,11 +209,11 @@ $list.add("contoso.com") Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains @{Add=$list} ``` -Example 14 shows how you can add domains to the existing Allowed Trial Tenant Domains using a List collection object. +Example 15 shows how you can add domains to the existing Allowed Trial Tenant Domains using a List collection object. First, a List is created and domains are added to it, then, use the Add method in the `AllowedTrialTenantDomains` parameter to add the domains to the existing allowed domains list. When this command completes, the domains in the list will be added to any domains already on the Allowed Trial Tenant Domains list. -### Example 15 +### Example 16 ``` $list = New-Object Collections.Generic.List[String] $list.add("contoso.com") @@ -212,11 +221,11 @@ $list.add("contoso.com") Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains @{Remove=$list} ``` -Example 15 shows how you can remove domains from the existing Allowed Trial Tenant Domains using a List collection object. +Example 16 shows how you can remove domains from the existing Allowed Trial Tenant Domains using a List collection object. First, a List is created and domains are added to it, then use the Remove method in the `AllowedTrialTenantDomains` parameter to remove the domains from the existing allowed domains list. When this command completes, the domains in the list will be removed from the Allowed Trial Tenant Domains list. -### Example 16 +### Example 17 ``` Set-CsTenantFederationConfiguration -DomainBlockingForMDOAdminsInTeams "Enabled" ``` From ae88dc8431ce2a1192f393e514b63569603dbf5a Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 6 Sep 2025 02:29:05 +0530 Subject: [PATCH 12/14] typo fix --- teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md b/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md index e5d3cef57b..88ea6e8338 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsExternalAccessPolicy.md @@ -121,7 +121,7 @@ Get-CsExternalAccessPolicy -Filter tag:* | Set-CsExternalAccessPolicy -EnableFed ``` Example 3 enables federation access for all the external access policies that have been configured at the per-user scope. -To carry out this task, the first thing the command does is use the `Get-CsExternalAcessPolicy` cmdlet and the Filter parameter to return a collection of all the policies that have been configured at the per-user scope. +To carry out this task, the first thing the command does is use the `Get-CsExternalAccessPolicy` cmdlet and the Filter parameter to return a collection of all the policies that have been configured at the per-user scope. (The filter value "tag:*" limits returned data to policies that have an Identity that begins with the string value "tag:". Any policy with an Identity that begins with "tag:" has been configured at the per-user scope.) The filtered collection is then piped to the `Set-CsExternalAccessPolicy` cmdlet, which modifies the EnableFederationAccess property for each policy in the collection. From f1c75047b84373326e8cf71a3d39dec09fd2f056 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 6 Sep 2025 02:55:58 +0530 Subject: [PATCH 13/14] note formatting --- teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md index f323a85a3b..21fb1338f9 100644 --- a/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md +++ b/teams/teams-ps/MicrosoftTeams/New-CsEdgeDomainPattern.md 
@@ -39,7 +39,8 @@ The allowed domain list specifies the domains that users are allowed to communic By default, users can communicate with any domain that does not appear on the blocked list. However, administrators can modify this default setting and limit communication to domains that are on the allowed domains list. -**Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. +> [!IMPORTANT] +> The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. Skype for Business Online does not allow you to directly modify the allowed list or the blocked list; for example, you cannot use a command similar to this one, which passes a string value representing a domain name to the blocked domains list: From f507098c2b130c997db0172e2d44859762a10b46 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 6 Sep 2025 02:58:29 +0530 Subject: [PATCH 14/14] note formatting --- .../MicrosoftTeams/Set-CsTenantFederationConfiguration.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md index 33fbb02ee3..1ecb9add21 100644 --- a/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md +++ b/teams/teams-ps/MicrosoftTeams/Set-CsTenantFederationConfiguration.md 
@@ -245,7 +245,8 @@ Instead, you must create an object reference using the `New-CsEdgeAllowList` cmd The AllowedDomains parameter can support up to 4,000 domains. -**Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. +> [!IMPORTANT] +> The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. ```yaml Type: Boolean @@ -381,7 +382,8 @@ If the AllowedDomains property has not been set to AllowAllKnownDomains, then th The BlockedDomains parameter can support up to 4,000 domains. -**Important:** The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. +> [!IMPORTANT] +> The `AllowFederatedUsers` property must be set to `True` for the `AllowedDomains` list to take effect. If `AllowFederatedUsers` is set to `False`, users will be blocked from communicating with all external domains regardless of the values in `AllowedDomains` or any `ExternalAccessPolicy` instance. ```yaml Type: List
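Review bot: In the `@@ -137,17 +146,17 @@` hunk, the renumbered Example 10 description ("enables communication with people using Teams with an account that's not managed by an organization, to only be initiated by people in your organization") is hard to parse, and since the line is being rewritten anyway it is a good moment to restate it per parameter. Suggested wording: with `-AllowTeamsConsumer $True -AllowTeamsConsumerInbound $False`, people in your organization can start conversations with Teams users whose accounts are not managed by an organization, but those users cannot discover or start a conversation with people in your organization.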
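Review bot: In the `@@ -157,20 +166,20 @@` hunk, the Example 11 description still carries an inline "Note: Users from subcontoso.com will not be blocked ..." sentence, while patches 13/14 and 14/14 of this series convert inline "**Important:**" text to `> [!IMPORTANT]` alerts. Consider moving that sentence into a `> [!NOTE]` alert in the same pass, because the boundary between a subdomain (subdomain.contoso.com) and a look-alike domain (subcontoso.com) is what an administrator relies on when building a block list, and it is easy to miss at the end of the paragraph.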
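Review bot: In the `@@ -179,20 +188,20 @@` hunk, the rewritten Example 13 line keeps "you can whitelist specific "trial-only" tenant domains"; since the line is touched, prefer "allow" or "add to the allowed list", which also matches the parameter name `AllowedTrialTenantDomains`. Two smaller points on the Example 14 line in the same hunk: "the result is the same as in example 13" uses a lower-case "example" where every other cross-reference is capitalized, and "It uses array of objects and it always replaces value of" is missing its articles ("an array", "the value").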
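Review bot: In the `@@ -212,11 +221,11 @@` hunk, the final heading is renumbered to "### Example 17" but the description that follows the `-DomainBlockingForMDOAdminsInTeams "Enabled"` code block lies outside the hunk, so it is not visible whether its prose still says "Example 16". Please confirm that the paragraph after that block, and any other "Example N" reference further down the file, was renumbered too. Separately, the Example 16 description says the domains are removed "from the existing allowed domains list", which reads like `AllowedDomains`; "Allowed Trial Tenant Domains list" would match the rest of the paragraph.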
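Review bot: In the `@@ -381,7 +382,8 @@` hunk of Set-CsTenantFederationConfiguration.md, the new `> [!IMPORTANT]` alert sits directly under "The BlockedDomains parameter can support up to 4,000 domains." yet its text only says that `AllowFederatedUsers` must be `True` "for the `AllowedDomains` list to take effect". The reformat carries the old wording over unchanged, so this looks like a copy of the AllowedDomains note. Either reword it for this parameter (what `AllowFederatedUsers` being `False` means for the `BlockedDomains` list) or drop the duplicate and point to the note in the AllowedDomains section.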