Manage guest access to Microsoft 365 groups in Exchange Online
You can allow or block guest users who are using a specific domain. For example, let's say your business (Contoso) has a partnership with another business (Fabrikam). You can add Fabrikam to your allowlist so your users can add those guests to their groups.
Or, let's say you want to block personal email address domains. You can set up a blocklist that contains domains like Gmail.com and Outlook.com.
Important information about how blocklists work
You can create either an allowlist or blocklist. But you can't set up both types of lists. By default, whatever domains aren't in an allowlist are on a blocklist, and vice versa.
You can create only one policy per organization. You can update that policy with more domains, or you can delete that policy to create a new one.
This list works independently of the SharePoint Online (SPO) allow/block list. To restrict individual file sharing on a group-connected site, you need to set up a separate allow/block list for SPO.
This list doesn't apply to guest members who were already added. It is enforced only for guests added after the list is set up.
Install the preview version of the Azure Active Directory module for Windows PowerShell
IMPORTANT: The procedures in this article require the PREVIEW version of the Azure Active Directory module for Windows PowerShell, specifically the AzureADPreview module version 2.0.0.98 or later.
Open Windows PowerShell as an administrator:
In your search bar, type Windows PowerShell.
Right-click on Windows PowerShell and select Run as Administrator.
The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an administrator.
Run this command to see if you have any versions of the Azure Active Directory module for Windows PowerShell installed on your computer:
Get-Module -ListAvailable AzureAD*
If no results are returned, run this command to install the latest version of the AzureADPreview module:
Install-Module AzureADPreview
If only the AzureAD module is shown in the results, run these commands to install the AzureADPreview module:
Uninstall-Module AzureAD
Install-Module AzureADPreview
If only the AzureADPreview module is shown in the results, but the version is less than 2.0.0.98, run these commands to update it:
Uninstall-Module AzureADPreview
Install-Module AzureADPreview
If both the AzureAD and AzureADPreview modules are shown in the results, but the version of the AzureADPreview module is less than 2.0.0.98, run these commands to update it:
Uninstall-Module AzureAD
Uninstall-Module AzureADPreview
Install-Module AzureADPreview
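The four cases above can be reduced to one decision, shown here as an added example that is not part of the original article or Microsoft's script. The function name Get-AzureADPreviewPlan and the sample inventories are assumptions made for illustration; the function only prints which of the article's commands apply and changes nothing.

```powershell
# Added example: dry-run planner for the install/update cases described above.
function Get-AzureADPreviewPlan {
    param(
        [object[]]$Installed,            # objects with Name and Version properties
        [version]$Minimum = '2.0.0.98'   # minimum AzureADPreview version stated in the article
    )
    $hasAzureAD = [bool]($Installed | Where-Object { $_.Name -eq 'AzureAD' })
    # Compare as [version], not as text: the string '2.0.0.137' sorts below '2.0.0.98'.
    $preview = $Installed | Where-Object { $_.Name -eq 'AzureADPreview' } |
        Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1

    # A new enough preview module is present: none of the article's cases apply.
    if ($preview -and [version]$preview.Version -ge $Minimum) { return }

    if ($hasAzureAD) { 'Uninstall-Module AzureAD' }
    if ($preview)    { 'Uninstall-Module AzureADPreview' }
    'Install-Module AzureADPreview'
}

# Constructed inventories (not real output), one per case in the article plus two
# where the preview module already meets the minimum.
$cases = [ordered]@{
    'nothing installed'    = @()
    'AzureAD only'         = @([pscustomobject]@{ Name = 'AzureAD'; Version = '2.0.1.0' })
    'old preview only'     = @([pscustomobject]@{ Name = 'AzureADPreview'; Version = '2.0.0.33' })
    'both, old preview'    = @(
        [pscustomobject]@{ Name = 'AzureAD'; Version = '2.0.1.0' }
        [pscustomobject]@{ Name = 'AzureADPreview'; Version = '2.0.0.33' })
    'preview at minimum'   = @([pscustomobject]@{ Name = 'AzureADPreview'; Version = '2.0.0.98' })
    'preview above minimum' = @([pscustomobject]@{ Name = 'AzureADPreview'; Version = '2.0.0.137' })
}

foreach ($entry in $cases.GetEnumerator()) {
    $plan = @(Get-AzureADPreviewPlan -Installed $entry.Value)
    $text = if ($plan.Count) { $plan -join '; ' } else { 'no change needed' }
    '{0,-22} -> {1}' -f $entry.Key, $text
}

# On a real machine, feed it the inventory command from the article:
# Get-AzureADPreviewPlan -Installed (Get-Module -ListAvailable AzureAD*)
```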
Create a new Allow or blocklist policy
Did you install the AzureADPreview module as instructed above? Not having the preview version is the #1 reason these steps don't work for people.
Go to Script for Allow/Block policy at Microsoft Download Center to download the script (Set-GuestAllowBlockDomainPolicy.ps1) for Allow/Block policy.
Migrate the existing allow/block policy from SharePoint Online
This list works independently of the SharePoint Online allow/block list. To restrict individual file sharing on a group-connected site, you need to set up a separate allow/block list for SharePoint Online.
However, if your organization already has an allow/block list for SharePoint Online, you can migrate that list using this command.