Created
February 8, 2024 23:30
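# --- Sign in to every service this script reads from and writes to ---
# Each Connect-* call opens an interactive sign-in; the account used must hold
# admin rights in Exchange Online, Teams, SharePoint and Entra ID (Azure AD),
# since the rest of the script changes tenant-wide sharing configuration.

# Connect to Azure Account (used for the Microsoft Graph access token below)
Connect-AzAccount
# Connect to Microsoft Teams
Connect-MicrosoftTeams
# Connect to Exchange Online
Connect-ExchangeOnline
# Connect to SharePoint Online. The admin-site URL is tenant specific; it is
# kept in one variable so it only has to be changed in one place.
$SharePointAdminUrl = "https://alexholmeset-admin.sharepoint.com"
$SPConnection = Connect-PnPOnline -Url $SharePointAdminUrl -Interactive
# Get access token for Microsoft Graph API (used for the legacy policies endpoint)
$authToken = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
# NOTE(review): recent Az.Accounts releases return .Token as a SecureString;
# if the header below ends up with "System.Security.SecureString" in it, convert
# the token to plain text first - confirm against the installed module version.
# Set the header for the API requests
$Header = @{ authorization = "Bearer " + $authToken.Token }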
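# --- Read the external-domain allow lists currently configured per service ---
# The script then merges them into ONE list and adds every domain that is
# missing from a given service to that service. In effect each service ends
# up allowing the union of all lists, so a domain that was only trusted for
# free/busy lookups in Exchange will also become allowed in Teams, SharePoint
# and B2B invitations. Review the printed lists before letting the writes run.

# Exchange Online: organization relationships. DomainNames entries that
# contain "Calendar" are treated as policy suffixes, not domains, and dropped.
# Wrapped in @() so -contains and + behave the same for 0, 1 or many entries.
$ExchangeOrganization = @((Get-OrganizationRelationship).DomainNames |
    Where-Object { $_ -notlike "*Calendar*" })

# Exchange Online: individual sharing policy. Domains are stored as
# "domain.tld:CalendarSharingLevel"; keep only the part before the colon.
$ExchangeIndividual = @((Get-SharingPolicy).Domains |
    Where-Object { $_ -like "*.*:*" } |
    ForEach-Object { ($_ -split ":")[0].Trim() })

# Teams: tenant federation allowed domains
$Teams = @((Get-CsTenantFederationConfiguration).AllowedDomains.AllowedDomain.Domain)

# SharePoint: the allowed domain list is a single space-separated string.
# Cast to [string] so an empty/unset list does not break the split; drop the
# empty tokens a double space would otherwise produce.
$SharePointTenant = Get-PnPTenant -Connection $SPConnection
$SharePointPreSplit = [string]$SharePointTenant.SharingAllowedDomainList
$SharePoint = @($SharePointPreSplit -split " " | Where-Object { $_ })
# Running string that the loop below appends new domains to; written back at the end.
$SharePointDomainlist = $SharePointPreSplit

# Azure AD legacy policies: the B2B management policy holds the invitation
# allow list inside a JSON string in .definition. The endpoint can return
# several legacy policies, so pick the one whose definition is the B2B policy.
$AzureADPolicies = (Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/legacy/policies/" -Headers $Header -ContentType "application/json").value
$AzureADPolicy = @($AzureADPolicies | Where-Object { $_.definition -like '*"B2BManagementPolicy"*' })
if ($AzureADPolicy.Count -ne 1) {
    throw "Expected exactly one B2B management legacy policy, found $($AzureADPolicy.Count)."
}
$AzureADPolicy = $AzureADPolicy[0]
$AzureADID = $AzureADPolicy.id
# Parse the definition once; the same object is edited and serialised again on
# update so that every other setting in the policy (e.g. AutoRedeemPolicy) is
# preserved instead of being overwritten with hard-coded values.
$AzureADDefinition = @($AzureADPolicy.definition)[0] | ConvertFrom-Json
$AzureAD = @($AzureADDefinition.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains)

# Set the sharing policy in Exchange Online
# Set-SharingPolicy -Identity Contoso.com -Domains "contoso.com: CalendarSharingFreeBusySimple"

# --- Print the information gathered ---
"Exchange Online Organization:"
$ExchangeOrganization
""
"Exchange Online Induvidual:"
$ExchangeIndividual
""
"Teams:"
$Teams
""
"SharePoint:"
$SharePoint
""
"Azure AD:"
$AzureAD

# --- Combine all the domains into one de-duplicated list ---
# Sort-Object -Unique is case-insensitive by default, matching the -contains
# checks below; blanks are dropped so an empty service list adds nothing.
$Domains = @($ExchangeOrganization + $ExchangeIndividual + $Teams + $SharePoint + $AzureAD |
    Where-Object { $_ } |
    ForEach-Object { $_.Trim() } |
    Sort-Object -Unique)

# Domains that still have to be added to the Azure AD B2B allow list.
$AzureADNew = @()

# --- Add each domain to every service that does not already allow it ---
foreach ($Domain in $Domains) {
    if ($ExchangeOrganization -notcontains $Domain) {
        # Free/busy (availability only) relationship towards the other tenant.
        New-OrganizationRelationship -Name "$Domain" -DomainNames "$Domain" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly -TargetAutodiscoverEpr "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity" -TargetApplicationUri "outlook.com"
    }
    if ($ExchangeIndividual -notcontains $Domain) {
        # Individual sharing policy creation is left disabled, as in the original.
        $domainIndividual = $Domain + ": CalendarSharingFreeBusySimple"
        # New-SharingPolicy -Name $Domain -Domains "$domainIndividual"
    }
    if ($Teams -notcontains $Domain) {
        $list = New-Object Collections.Generic.List[String]
        $list.Add("$Domain")
        Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{ Add = $list }
    }
    if ($SharePoint -notcontains $Domain) {
        $SharePointDomainlist += " $Domain"
    }
    if ($AzureAD -notcontains $Domain) {
        $AzureADNew += $Domain
    }
}

# --- Update the Azure AD legacy policy with the new allowed domains ---
# The body is built with ConvertTo-Json rather than by string concatenation:
# that keeps the JSON valid when the existing allow list is empty (the old
# concatenation produced a leading comma in that case) and keeps the rest of
# the policy definition exactly as it was read.
if ($AzureADNew.Count -gt 0) {
    $AzureADDefinition.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains = @($AzureAD + $AzureADNew)
    $DefinitionJson = $AzureADDefinition | ConvertTo-Json -Depth 10 -Compress
    $Policy = @{ definition = @($DefinitionJson) } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/beta/legacy/policies/$AzureADID" -Headers $Header -ContentType "application/json" -Body $Policy
}

# --- Update the SharePoint allowed domains list ---
# Trim() removes the leading space left when the original list was empty.
# Note that this also forces the tenant sharing capability and restriction mode.
Set-PnPTenant -SharingCapability ExistingExternalUserSharingOnly -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList $SharePointDomainlist.Trim() -Connection $SPConnection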