Improving B2BManagementPolicy updating

Dennis Johansson 5 Reputation points
2024-01-04T08:53:44.4866667+00:00

The current solution for updating our B2BManagementPolicy involves a PowerShell script that sets the Allow list for external domains obtained from SharePoint to the B2BManagementPolicy via Set-AzureADPolicy and also writes it to Teams collaboration settings. However, as this requires Global Administrator rights, we want to find an alternative solution.

I have tried using several Graph API permissions for an App registration but none seem to work in updating the B2B policy as an application. The AzureAD PowerShell module is also no longer maintained and we want to update this feature using the Graph module.

I attempted patching the list via PowerShell to the Graph Endpoint at https://graph.microsoft.com/beta/legacy/policies/d7ab3cf3-4bb2-491f-a29f-fa2030b0a873/definition but that did not seem to work either.

I am seeking advice on how to update B2BManagementPolicy in a way that does not require Global Administrator rights and uses the Graph module or talks directly to Graph instead of the AzureAD PowerShell module.

Service: B2BManagementPolicy, AzureAD PowerShell module, Microsoft Graph.

Scenario: The current PowerShell script updates the Allow list for external domains in B2BManagementPolicy, obtained from SharePoint.

Result: Seeking an alternative solution that does not require Global Administrator rights.

Troubleshooting efforts: Patching via PowerShell to the Graph Endpoint did not work.


3 answers

  1. Jens Westerlund 15 Reputation points
    2024-01-09T07:37:03.4466667+00:00

    I am trying to do the same thing via power automate using graph and struck the same wall.

    I can get the policy fine via GET https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<policyid>
    But when trying to update it with PATCH following the instructions in https://learn.microsoft.com/en-us/graph/api/homerealmdiscoverypolicy-update?view=graph-rest-1.0&tabs=http, I get Forbidden - 403 with the message "Insufficient privileges to complete the operation."

    The app registration used in the call has the permission Policy.ReadWrite.ApplicationConfiguration.

    I have also tried to temporarily give all ReadWrite permissions I could find in graph but still got the same error.

    I also tried to create a new policy supplying the response from when getting the current policy

    {
      "definition": [
        "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"atea.se\",\"gmail.com\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
      ],
      "displayName": "B2BManagementPolicy",
      "type": "B2BManagementPolicy",
      "isOrganizationDefault": true
    }
    

    I have tried both with and without the property "type" and that runs without error, but it creates a policy with the type "HomeRealmDiscoveryPolicy" that doesn't seem to do anything. On that policy it does work to use PATCH to update it.

    Is it just not possible to update the B2BManagementPolicy via graph yet?

    1 person found this answer helpful.

  2. Jens Westerlund 15 Reputation points
    2024-02-15T13:01:28.16+00:00

    I raised a ticket about this and have now been in contact with Microsoft.
    The good thing is that it is possible to update the B2BManagementPolicy via graph using both the /beta/legacy/policies and the /v1.0/policies/homeRealmDiscoveryPolicies endpoints.

    But the first bad thing is that it still requires Global Administrator to modify the external collaboration settings as written in this document:
    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task#external-identitiesb2c
    So if you grant Global Administrator to the app registration (in the Azure portal: Entra ID -> Roles and administrators -> Assignments) you can then use Graph to update the B2BManagementPolicy.
    I'm not sure if that is more secure than the PowerShell way of doing it though but for me it's much easier since the plan is to use power automate approval flows to add new domains.

    But another not so great thing is that neither of these ways of updating it is officially supported.
    The beta endpoint is ofc beta and the homeRealmDiscoveryPolicies-endpoint is according to the support engineer I talked to only meant for that kind of policies and wasn't really meant to update the B2BManagementPolicy, so even if it works now it might stop working at some point. But one can hope that once that happens there is an official way to do it.

    1 person found this answer helpful.

  3. Jens Westerlund 15 Reputation points
    2024-05-24T11:19:23.3366667+00:00

    Seems like Microsoft has patched the possibility to see and modify the B2BManagementPolicy from /v1.0/policies/homeRealmDiscoveryPolicies.
    Was going to go live the other day with the solution I made where I was using that endpoint. It had been some time since I made it and I hadn't tested it for a while, so I was just going to do a quick test before pushing to production, and then the graph request failed since it could no longer find the policy.

    Luckily /beta/legacy/policies still works so I could just change the endpoint in the requests and everything else worked the same.

    1 person found this answer helpful.
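An added example, not code from the thread or from Microsoft, that pulls together what the three answers establish: the policy can be read and written through /beta/legacy/policies (answers 2 and 3), the definition is an array holding one JSON-encoded string (the GET response quoted in answer 1), and the app doing the PATCH needs the Global Administrator role (answer 2). Because the caller holds that role and the domain list comes from SharePoint, the script validates every entry, refuses an empty list, shows the diff, and honours -WhatIf before touching the tenant-wide allow list. Assumptions: the Microsoft.Graph.Authentication module, certificate-based app authentication, the policy id passed as -PolicyId, and that PATCH accepts the same {"definition": [...]} shape that GET returns (the thread confirms updates via this endpoint work but does not show the request body).

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (hypothetical helper names). Assumes an app registration that has been
# assigned Global Administrator, as the thread reports is required, and certificate auth:
#   Connect-MgGraph -ClientId <appId> -TenantId <tenantId> -CertificateThumbprint <thumbprint>

function Test-AllowedDomainName {
    # Accept only a plain registrable domain: no wildcards, schemes, paths or whitespace.
    param([Parameter(Mandatory)][string]$Domain)
    return $Domain -match '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

function Get-B2BManagementPolicyDefinition {
    # Reads the legacy policy and unwraps the JSON string stored in definition[0].
    param([Parameter(Mandatory)][string]$PolicyId)
    $policy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/legacy/policies/$PolicyId"
    if ($policy.type -ne 'B2BManagementPolicy') {
        throw "Policy $PolicyId has type '$($policy.type)', not B2BManagementPolicy"
    }
    return ($policy.definition[0] | ConvertFrom-Json)
}

function Set-B2BAllowedDomains {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string[]]$Domains   # e.g. the list pulled from SharePoint
    )
    # Normalise and validate untrusted input before it becomes tenant-wide policy.
    $clean = @($Domains | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ } | Sort-Object -Unique)
    $bad = @($clean | Where-Object { -not (Test-AllowedDomainName $_) })
    if ($bad.Count -gt 0) { throw "Refusing to update: invalid domain entries: $($bad -join ', ')" }
    if ($clean.Count -eq 0) { throw "Refusing to update: the new allow list is empty" }

    $def = Get-B2BManagementPolicyDefinition -PolicyId $PolicyId
    $node = $def.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
    $current = @($node.AllowedDomains | Where-Object { $_ })
    $added   = @($clean   | Where-Object { $_ -notin $current })
    $removed = @($current | Where-Object { $_ -notin $clean })
    Write-Verbose "Adding:   $($added -join ', ')"
    Write-Verbose "Removing: $($removed -join ', ')"
    if ($added.Count -eq 0 -and $removed.Count -eq 0) { Write-Verbose 'No change'; return }

    # Replace only the allow list; AutoRedeemPolicy and any other settings are preserved as read.
    $node.AllowedDomains = $clean
    # The policy stores the inner object as a single JSON string inside the definition array.
    $inner = $def | ConvertTo-Json -Depth 10 -Compress
    $body  = @{ definition = @($inner) } | ConvertTo-Json -Depth 10

    if ($PSCmdlet.ShouldProcess("legacy policy $PolicyId", "PATCH AllowedDomains (+$($added.Count) / -$($removed.Count))")) {
        Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/legacy/policies/$PolicyId" `
            -Body $body -ContentType 'application/json'
    }
}

# Usage (after Connect-MgGraph): dry run first, then apply.
#   Set-B2BAllowedDomains -PolicyId '<policyid>' -Domains $domainsFromSharePoint -Verbose -WhatIf
#   Set-B2BAllowedDomains -PolicyId '<policyid>' -Domains $domainsFromSharePoint -Verbose
```

The -WhatIf path exercises the GET, the validation and the diff without issuing the PATCH, which is the step worth wiring into an approval flow: the identity running it holds Global Administrator, so the list it writes should be inspected before it is applied, and the -Verbose diff gives the record of what changed.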
