Collaboration restrictions at External Identities | External collaboration settings

Question

Collaboration restrictions at External Identities | External collaboration settings

Leonardo A. Barbastefano 21

Hi All,

screencapture-entra-microsoft-2024-08-13-09_48_47

I am trying to Add and delete domains via "Microsoft Grap" at Entra Id > External Identities > External collaboration settings.

Does anyone know how to add and remove domains using Microsoft Graph when I select "Allow invitations only to the specified domains (most restrictive)" or "Deny invitations to the specified domains"?

Thanks

Leonardo

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Vasil Michev 123.5K MVP Volunteer Moderator

You can manage those via the B2BManagementPolicy policy under https://graph.microsoft.com/beta/legacy/policies

Going forward, you should be using the cross-tenant collaboration policies instead.

Leonardo A. Barbastefano 21 Reputation points

2024-09-03T14:34:48.66+00:00

Thanks for your answer.
Leonardo A. Barbastefano 21 Reputation points

2024-09-03T15:57:52.2033333+00:00
Thanks for your answer, now I can view my policy, but when I try to PATCH it I get this response. I tried to configure my application permissions to allow "Policy.ReadWrite.All" but I did not found.

JSON

{ "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2024-09-03T14:55:09", "request-id": "c872259d-0f79-425e-a082-cd5edaec304b", "client-request-id": "c872259d-0f79-425e-a082-cd5edaec304b" } } }

This is my curl

YAML

curl

These are my Bearer Token Roles

"roles": [ "User.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Directory.ReadWrite.All", "AuditLog.Read.All", "Policy.Read.All" ],
Vasil Michev 123.5K Reputation points MVP Volunteer Moderator

2024-09-03T16:49:45.9566667+00:00

You would need Global admin/Directory.AccessAsUser.All permissions for PATCH. Best use cross-tenant collaboration policies instead, as suggested above.

Leonardo A. Barbastefano 21

Thanks for your answer.

My PATCH is working!, it is not a good practice to use "graph.microsoft.com/beta" to go to production. Is there another way for me to PATCH my policy using "https://graph.microsoft.com/1.0/"?

curl --location --request PATCH 'https://graph.microsoft.com/beta/legacy/policies/14928e78-a165-40f1-99bc-003187112345' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6InQ5V05yQ................' \
--data '{  
  "definition": [
   "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"domain1.com\",\"domain2.com\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":null,\"NoAADConsentForUsersFromTenantsIds\":null}}}"
  ],
  "displayName": "B2BManagementPolicy",
  "isOrganizationDefault": true,
  "type": "B2BManagementPolicy",
  "keyCredentials": []
}'

Vasil Michev 123.5K Reputation points MVP Volunteer Moderator

2024-09-04T15:39:59.25+00:00

No, this endpoint is not available on /v1.0 (and again, not supported, so you should not use it in production).
Raja Pothuraju 43,425 Reputation points Microsoft External Staff Moderator

2024-09-09T20:13:52.65+00:00

Hello @Leonardo A. Barbastefano,

Just checking in to see if the above answer provided by @Vasil Michev helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Raja Pothuraju 43,425 Reputation points Microsoft External Staff Moderator

2024-09-12T21:16:24.5066667+00:00

Hello @Leonardo A. Barbastefano,

I would like to follow up with you regarding the issue. Please let me know if you're still facing any problems or if you have any additional questions.

If this answers your query, do click Accept Answer and Yes for was this answer helpful.
Leonardo A. Barbastefano 21 Reputation points

2024-09-13T08:29:41.4266667+00:00

Hi Raja,

I can update the domain list, but unfortunately, this is in the beta version and is not supposed to be used in production. I just hope that this endpoint moves to version 1.0 soon.

Regards

Leonardo
Raja Pothuraju 43,425 Reputation points Microsoft External Staff Moderator

2024-09-13T08:46:43.2366667+00:00

Hello @Leonardo A. Barbastefano,

Thank you for your response.

Yes, as Vasil mentioned, this endpoint is currently not supported in v1.0, and there is no ETA for when it will be available. Please let me know if you have any other questions.

Please remember to "Accept Answer", so that others in the community facing similar issues can easily find the solution.

Answer 2

Thanks for your answer, now I can view my policy, but when I try to PATCH it I get this response. I tried to configure my application permissions to allow "Policy.ReadWrite.All" but I did not found.

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2024-09-03T14:55:09",
            "request-id": "c872259d-0f79-425e-a082-cd5edaec304b",
            "client-request-id": "c872259d-0f79-425e-a082-cd5edaec304b"
        }
    }
}

This is my curl

curl --location --request PATCH 'https://graph.microsoft.com/beta/legacy/policies/14928e78-a165-40f1-99bc-003187122345' \

--header 'Content-Type: application/json' \

--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Inh2eGcxQ25sN2xPc1N........................' \

--data '{

        "definition": [

            "{\"InvitationsAllowedAndBlockedDomainsPolicy\":{ \"AllowedDomains\":[\"example.com\",\"newdomain.com\",\"anotherdomain.org\"] }}"

        ]

      }'

These are my Bearer Token Roles

"roles": [ "User.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Directory.ReadWrite.All", "AuditLog.Read.All", "Policy.Read.All" ],

Share via

Collaboration restrictions at External Identities | External collaboration settings

1 additional answer

Your answer