This page provides a workaround for organizations that are approaching the limit on the Allow/Block domain list for guest invitations. The domain list is currently limited to 25 KB.

At a high level, the solution involves:
- Creating a new extension attribute (e.g. 'approvedForCollab')
- Creating a Conditional Access policy that blocks all guests that don't have 'approvedForCollab' = Yes
- Creating a Logic App that runs every 5/10 minutes. This Logic App will:
  - Check for new guests invited to the tenant (querying /users)
  - Verify whether the user's domain/tenant ID matches a known list (or is included in Connected orgs)
  - Update 'approvedForCollab' to Yes/No accordingly
Benefits:
- Ability to disable the out of the box Allow/Deny option
- No limit on the list of allowed domains
- The basic solution in the Logic App can be extended to suit business requirements, e.g.
  - Look up Allow/Deny from a SharePoint list
  - The SharePoint list can have a custom approval process to add new domains to the list
  - Include metadata on the business owner that requested a domain, etc.
- Support for adding a single Tenant ID and including all verified domains associated with that Tenant ID
- The Logic App includes support for looking up connected orgs
- IT Admins can update the 'approvedForCollab' user attribute to allow one-off users instead of allowing the entire domain.
Deployment steps:
- In Azure, create a Logic App
- In the Identity blade, enable the System Assigned Managed Identity (use this Service Principal ID in the script below)
- Switch to Code view and copy/paste the attached .json file
- Schedule the Logic App to run every 10 minutes
- Grant Application permissions to the managed identity:
```powershell
Connect-AzureAD

# Object ID of the Logic App's system-assigned managed identity
$spID = '680210cc-fa88-4b4f-89f9-d3d7aab98cb4' # TODO: replace with your Managed Identity ID

# Check the Microsoft Graph documentation for the permission you need for each operation.
$permissions = @('User.ReadWrite.All', 'AuditLog.Read.All', 'EntitlementManagement.Read.All')

# Get the service principal for Microsoft Graph (AppId 00000003-0000-0000-c000-000000000000).
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

foreach ($perm in $permissions) {
    # Find the application (not delegated) role for this permission ...
    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains "Application" }
    # ... and assign it to the managed identity's service principal.
    New-AzureAdServiceAppRoleAssignment -ObjectId $spID -PrincipalId $spID -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
```
- Create an Extension Attribute to store the guest status:

```powershell
# Register an application to own the directory extension, and give it a service principal
$MyApp = (New-AzureADApplication -DisplayName "GuestAccessUserAttributeApp" -IdentifierUris "https://GuestAccessUserAttributeApp").ObjectId
New-AzureADServicePrincipal -AppId (Get-AzureADApplication -SearchString "GuestAccessUserAttributeApp").AppId

# Define the 'approvedForCollab' string attribute on User objects.
# Graph exposes it as extension_<AppId without hyphens>_approvedForCollab
New-AzureADApplicationExtensionProperty -ObjectId $MyApp -Name "approvedForCollab" -DataType "String" -TargetObjects "User"
```
- Create a Conditional Access policy that blocks guest users that don't have the 'approvedForCollab' extension attribute set to Yes
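As an added illustration (not the attached Logic App .json), the check the overview describes: derive the guest's home domain, test it against the allowed domains, the verified domains of allowed tenant IDs and connected-org domains, and build the Graph PATCH that stamps 'approvedForCollab'. The AppId, allow-list values and user records are constructed placeholders; the attribute name follows Graph's extension_<appId>_<name> convention.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Placeholder: AppId of the GuestAccessUserAttributeApp registration (not a real value)
APP_ID = "11111111-2222-3333-4444-555555555555"
# Graph exposes directory extension properties as extension_<appId without hyphens>_<name>
EXT_ATTR = "extension_" + APP_ID.replace("-", "") + "_approvedForCollab"

# Constructed sample allow-list sources standing in for the SharePoint list / connected orgs
ALLOWED_DOMAINS = {"contoso.com", "fabrikam.com"}
ALLOWED_TENANT_IDS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
# Tenant ID -> its verified domains (constructed; in practice resolved from the tenant)
TENANT_VERIFIED_DOMAINS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {"tailspin.com", "tailspin.co.uk"}}
CONNECTED_ORG_DOMAINS = {"northwind.com"}


def guest_domain(user: Dict) -> Optional[str]:
    """Home domain of a guest: prefer 'mail', fall back to the user_domain#EXT#@... UPN form."""
    mail = (user.get("mail") or "").lower()
    if "@" in mail:
        return mail.rsplit("@", 1)[1]
    upn = (user.get("userPrincipalName") or "").lower()
    if "#ext#@" in upn:
        parts = upn.split("#ext#@", 1)[0].rsplit("_", 1)
        return parts[1] if len(parts) == 2 else None
    return None


def decide(user: Dict) -> str:
    """'Yes' if the guest's domain is allowed by any source, otherwise 'No' (default deny)."""
    domain = guest_domain(user)
    if domain is None:
        return "No"
    if domain in ALLOWED_DOMAINS or domain in CONNECTED_ORG_DOMAINS:
        return "Yes"
    if any(domain in TENANT_VERIFIED_DOMAINS.get(t, set()) for t in ALLOWED_TENANT_IDS):
        return "Yes"
    return "No"


def graph_requests(users: List[Dict]) -> List[Tuple[str, str, Dict]]:
    """PATCH /users/{id} calls for guests not yet stamped; members and stamped guests are skipped."""
    calls = []
    for u in users:
        if u.get("userType") != "Guest" or u.get(EXT_ATTR) in ("Yes", "No"):
            continue
        url = "https://graph.microsoft.com/v1.0/users/" + quote(u["id"])
        calls.append(("PATCH", url, {EXT_ATTR: decide(u)}))
    return calls
```

Guests that match no source are stamped No rather than left unset, so the Conditional Access policy blocks them and an admin can still flip the attribute to Yes for a one-off user.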