How to Identify Unwanted Guest Users in your Azure AD

As a company grows and matures, so too do their security requirements. During the COVID-19 pandemic, many organisations have made tactical decisions, such as deploying Microsoft Teams, to overcome immediate business challenges. Organisations are now looking to make sure their information is secure by enabling certain controls such as domain Allow and Block lists in Azure Active Directory, which allow you to control which external organisations your users collaborate with in Microsoft Teams. If you are deploying such controls but have already had Guest Access enabled for some time you will need to identify unwanted guest users that are already in your Azure AD. Here’s how!

Install and Connect to Azure AD PowerShell

Firstly, we need to get your External Collaboration policy from Azure AD. To do this, you will need to install the AzureADPreview PowerShell module:

Install-Module AzureADPreview

Then Connect to AzureAD:

Connect-AzureAD

Fetch External Collaboration Policy

Once we’re connected, we can fetch the current policy using Get-AzureADPolicy. I am specifically interested in the Allow or Block list so I am going to narrow in on them:

$currentPolicyDefinition = (Get-AzureADPolicy | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1).Definition | ConvertFrom-Json

$domainList = $currentPolicyDefinition.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy

This gives us the Allow list or Block list currently configured that we can now use to identify which users in Azure AD are non-compliant.

Get Guest Users from AAD

Next, we need to get a list of Guest Users in AAD and produce a unique list of Guest Domains, as follows:

$guestUsers = Get-AzureADUser -Filter "Usertype eq 'Guest'" -All $true
$guestDomains = @()
# Some guest accounts have no Mail attribute; skip those so Split() is not called on $null
$guestUsers | ? { $_.Mail } | % { $guestDomains += $_.Mail.Split("@")[1] }
$guestDomains = $guestDomains | Select -Unique

Now to get a list of non-compliant users we need to establish whether it is an Allow list or Block list that has been configured.

if ($domainList | gm -Name AllowedDomains) { $restrictionType = "Allow" }
if ($domainList | gm -Name BlockedDomains) { $restrictionType = "Block" }

Identify Unwanted Guest Users

Now for the important bit, identifying how many unwanted guest users you have in your directory. In this bit, we are going to produce a list of non-compliant Domains and a count of users within each domain. Just in case we want to do something with these users later on (e.g. delete them), we will also produce a list of the specific users and their ObjectID.

If it is a Block list that has been configured, we do this by looping through the list of blocked domains and finding the users that match each domain:

if ($restrictionType -eq "Block") {
    $rogueUsers = @()
    $unwantedDomains = @()
    $domainList.BlockedDomains | % {
        # Guest UPNs carry the home domain, e.g. user_contoso.com#EXT#@tenant.onmicrosoft.com
        $domainUsers = $guestUsers | select ObjectId,UserPrincipalName | ? UserPrincipalName -like "*$_*"
        $rogueUsers += $domainUsers
        # Count the users of this domain only, not the running total in $rogueUsers
        $unwantedDomains += [PSCustomObject]@{ GuestDomain = $_; UserCount = @($domainUsers).Count }
    }
}

If it is an Allow list that has been configured, we almost do the reverse. We instead loop through the Guest Domains we found in AAD and if it is not in the Allow list, we add the users of that domain to the list:

if ($restrictionType -eq "Allow") {
    $rogueUsers = @()
    $unwantedDomains = @()
    $guestDomains | % {
        if ($domainList.AllowedDomains -notcontains $_) {
            $domainUsers = $guestUsers | select ObjectId,UserPrincipalName | ? UserPrincipalName -like "*$_*"
            $rogueUsers += $domainUsers
            # Count the users of this domain only, not the running total in $rogueUsers
            $unwantedDomains += [PSCustomObject]@{ GuestDomain = $_; UserCount = @($domainUsers).Count }
        }
    }
}
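The following is an added example, not code from the original post, that handles both the Block and Allow cases above in one function and matches the guest's home domain exactly rather than with a "*$_*" wildcard on the UPN (a wildcard match for a blocked domain such as blocked.example would also catch notblocked.example). The function names, ObjectIds, tenant name and domains are placeholders; it runs offline on constructed sample data, and in a real tenant you would pass in the $guestUsers and $domainList objects fetched earlier.

```powershell
function Get-GuestDomain {
    param([Parameter(Mandatory)] $User)
    # Prefer the Mail attribute; some guests have none, so fall back to the guest UPN,
    # which encodes the home address as user_domain.com#EXT#@tenant.onmicrosoft.com
    if ($User.Mail) { return $User.Mail.Split('@')[1] }
    $local = $User.UserPrincipalName.Split('#')[0]
    return $local.Substring($local.LastIndexOf('_') + 1)
}

function Get-NonCompliantGuests {
    param(
        [Parameter(Mandatory)] $GuestUsers,
        [Parameter(Mandatory)] $DomainList   # the InvitationsAllowedAndBlockedDomainsPolicy object
    )
    # An Allow list makes every unlisted domain non-compliant (an empty Allow list allows nothing);
    # otherwise the policy is treated as a Block list. -contains is case-insensitive in PowerShell.
    $isAllowList = [bool]$DomainList.PSObject.Properties['AllowedDomains']
    $allowed = @($DomainList.AllowedDomains)
    $blocked = @($DomainList.BlockedDomains)

    $rogue = foreach ($u in $GuestUsers) {
        $domain = Get-GuestDomain -User $u
        $nonCompliant = if ($isAllowList) { $allowed -notcontains $domain } else { $blocked -contains $domain }
        if ($nonCompliant) {
            [PSCustomObject]@{ ObjectId = $u.ObjectId; UserPrincipalName = $u.UserPrincipalName; GuestDomain = $domain }
        }
    }
    # Per-domain counts, the equivalent of the $unwantedDomains list in the post
    $summary = $rogue | Group-Object GuestDomain | ForEach-Object {
        [PSCustomObject]@{ GuestDomain = $_.Name; UserCount = $_.Count }
    }
    return [PSCustomObject]@{ RogueUsers = @($rogue); UnwantedDomains = @($summary) }
}

# Constructed sample data with placeholder ObjectIds, domains and tenant name
$sampleGuests = @(
    [PSCustomObject]@{ ObjectId = 'guid-1'; Mail = 'alice@partner.example';    UserPrincipalName = 'alice_partner.example#EXT#@tenant.onmicrosoft.com' }
    [PSCustomObject]@{ ObjectId = 'guid-2'; Mail = $null;                      UserPrincipalName = 'bob_blocked.example#EXT#@tenant.onmicrosoft.com' }
    [PSCustomObject]@{ ObjectId = 'guid-3'; Mail = 'carol@notblocked.example'; UserPrincipalName = 'carol_notblocked.example#EXT#@tenant.onmicrosoft.com' }
)
# Only bob (home domain blocked.example, found via the UPN fallback) should be reported
$sampleBlockList = [PSCustomObject]@{ BlockedDomains = @('blocked.example') }
$result = Get-NonCompliantGuests -GuestUsers $sampleGuests -DomainList $sampleBlockList
$result.UnwantedDomains | Format-Table -AutoSize
$result.RogueUsers | Format-Table -AutoSize
```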

When you run this all together, you will get two lists created. The first will be a list of potentially unwanted domains, stored in $unwantedDomains. In the example below, I have added ‘martinday.co’ to a Block list, so it is showing me that I have two guest users from that domain in my AAD.

List of Unwanted Domains in Active Directory

The next is the actual list of users that are non-compliant with your Allow list or your Block list. This is stored in $rogueUsers, as follows:

Rogue guest Users in Active Directory

Done!

And that’s all there is to it. Now you can identify unwanted guest users in your Azure AD and action as necessary. This could be removing them from the Directory, or it could even be adding their domain to the Allow list.

Full Script

The full script is available for download, or you can view it on GitHub.

Credit where it's due
Featured Image by Andrea Piacquadio from Pixabay

Copyright © 2020 - Martin Day