We can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources.
Before you begin, make sure your organization's external collaboration settings are configured so that you're allowed to invite guests. By default, all users and admins can invite guests.
However, your organization's external collaboration policies might be configured to prevent certain types of users or admins from inviting guests.
To find out how to view and set these policies, see Enable B2B external collaboration and manage who can invite guests.
In our organization, we don't allow normal users to invite guests, and we have collaboration restrictions in place that allow invitations only to specified domains. Each of these domains must go through an internal approval process before it is added.
If a user tries to invite someone such as eswar@eskonr.com and eskonr.com is not whitelisted, the invitation will fail to send.
As shown below, we selected Allow invitations only to the specified domains (most restrictive), and we have many domains added in the Azure portal for B2B collaboration.
With the list growing, our security team at one point requested a list of all the whitelisted domains. I looked for a manual way to select the whole list of domains and copy them, but the portal doesn't allow select-all; the only option is to select and copy each domain one by one.
So I started exploring a PowerShell script to automate this. This request is going to come up again and again, so it is better to spend some time preparing a script and keep it ready for when it is asked for.
Here is a simple PowerShell script (written quickly rather than elegantly) to get all whitelisted domains in Azure AD.
$scriptpath = $MyInvocation.MyCommand.Path
# Get the directory the script is stored in
$dir = Split-Path $scriptpath
# Get the current date (24-hour clock, so the file names sort correctly)
$date = (Get-Date -Format dd-MM-yyyy-HHmmss)
# Set the file name to store the output
$Outfile = "$dir\Whitelisteddomains-" + $date + ".csv"
# Connect to Azure AD (assumes the AzureADPreview module is installed)
Connect-AzureAD
# Fetch the B2B management policy; its Definition holds the settings as a JSON string
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq "B2BManagementPolicy" } | Select-Object -First 1
if (-not $policy) { throw "No policy named B2BManagementPolicy was found in this tenant." }
# Parse the JSON rather than slicing the string by hand, so that a BlockedDomains list
# (which is also stored as a "[...]" array) is never mistaken for the allowed list
$definition = $policy.Definition[0] | ConvertFrom-Json
$allowedDomains = $definition.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains
# Write the allowed domains to the output file, one per line
$allowedDomains | Out-File $Outfile -Force
Save the script to a location of your choice and run it.
On the PC where you run this script, make sure you have the AzureADPreview module installed. Why preview? Because the Get-AzureADPolicy cmdlet is still in preview and is not in the AzureAD module.
When you run the script, it prompts for authentication and applies your conditional access policies (if you have any) before it connects to Azure AD.
Once you pass the authentication, you will see a file named Whitelisteddomains-date.csv in the script's directory.
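As an added example (not the script above or Microsoft's own code), the same policy definition parsed into allow and block lists and then used to check whether a given invitee address would pass, covering the block-list mode as well as the allow-list mode this post uses. The sample definition is constructed here in the documented B2BManagementPolicy JSON shape rather than read from a tenant, and the function names are my own.

```powershell
# Constructed sample definition in the documented B2BManagementPolicy shape
# (not from a real tenant); replace it with $policy.Definition[0] from Get-AzureADPolicy
$sampleDefinition = '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"AllowedDomains":["contoso.com","fabrikam.com"]}}}'

# Parse the definition JSON into normalised (lower-case) allow and block lists
function Get-B2BDomainPolicy {
    param([Parameter(Mandatory)][string]$Definition)
    $parsed = $Definition | ConvertFrom-Json
    $lists = $parsed.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    [pscustomobject]@{
        AllowedDomains = @(@($lists.AllowedDomains) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
        BlockedDomains = @(@($lists.BlockedDomains) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    }
}

# Decide whether an invitation to $Email would be permitted by the tenant policy.
# The allow list and block list are mutually exclusive: an allow list permits only
# the listed domains, a block list permits everything except the listed domains,
# and with neither configured any domain may be invited.
function Test-B2BInviteAllowed {
    param([Parameter(Mandatory)]$DomainPolicy, [Parameter(Mandatory)][string]$Email)
    $domain = ($Email -split '@')[-1].ToLowerInvariant()
    if ($DomainPolicy.AllowedDomains.Count -gt 0) {
        return [bool]($DomainPolicy.AllowedDomains -contains $domain)
    }
    if ($DomainPolicy.BlockedDomains.Count -gt 0) {
        return -not ($DomainPolicy.BlockedDomains -contains $domain)
    }
    return $true
}

$domainPolicy = Get-B2BDomainPolicy -Definition $sampleDefinition

# Export the allow list as a proper CSV with a header row (the report the security team asked for)
$domainPolicy.AllowedDomains |
    ForEach-Object { [pscustomobject]@{ AllowedDomain = $_ } } |
    Export-Csv -Path ".\Whitelisteddomains.csv" -NoTypeInformation

# Check a few candidate invitees against the policy
foreach ($addr in 'user@contoso.com', 'eswar@eskonr.com') {
    '{0,-20} allowed: {1}' -f $addr, (Test-B2BInviteAllowed -DomainPolicy $domainPolicy -Email $addr)
}
```

Running it offline against the sample definition lets you confirm the parsing before pointing it at a real tenant, where the export also gives the security team a header row instead of a single comma-joined line.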
References:
Azure Active Directory B2B Documentation https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/b2b/?view=azuremgmtcdn-fluent-1.0.0
Allow or block invitations to B2B users from specific organizations https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/b2b/allow-deny-list?view=azuremgmtcdn-fluent-1.0.0
Hope it helps!