Update-MgPolicyCrossTenantAccessPolicyDefault
Update the default configuration of a cross-tenant access policy.
Note
To view the beta release of this cmdlet, see Update-MgBetaPolicyCrossTenantAccessPolicyDefault.
Syntax
Update-MgPolicyCrossTenantAccessPolicyDefault
    [-ResponseHeadersVariable <String>]
    [-AdditionalProperties <Hashtable>]
    [-AutomaticUserConsentSettings <IMicrosoftGraphInboundOutboundPolicyConfiguration>]
    [-B2BCollaborationInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
    [-B2BCollaborationOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
    [-B2BDirectConnectInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
    [-B2BDirectConnectOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
    [-Id <String>]
    [-InboundTrust <IMicrosoftGraphCrossTenantAccessPolicyInboundTrust>]
    [-InvitationRedemptionIdentityProviderConfiguration <Hashtable>]
    [-IsServiceDefault]
    [-TenantRestrictions <IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions>]
    [-Headers <IDictionary>]
    [-ProgressAction <ActionPreference>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Update-MgPolicyCrossTenantAccessPolicyDefault
    -BodyParameter <IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault>
    [-ResponseHeadersVariable <String>]
    [-Headers <IDictionary>]
    [-ProgressAction <ActionPreference>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
Description
Update the default configuration of a cross-tenant access policy.
Permissions
Permission type | Least privileged permissions | Higher privileged permissions |
---|---|---|
Delegated (work or school account) | Policy.ReadWrite.CrossTenantAccess | Not available. |
Delegated (personal Microsoft account) | Not supported. | Not supported. |
Application | Policy.ReadWrite.CrossTenantAccess | Not available. |
Examples
Example 1: Block outbound B2B collaboration for a group of users
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = "blocked"
            targets = @(
                @{
                    target = "0be493dc-cb56-4a53-936f-9cf64410b8b0"
                    targetType = "group"
                }
            )
        }
        applications = @{
            accessType = "blocked"
            targets = @(
                @{
                    target = "AllApplications"
                    targetType = "application"
                }
            )
        }
    }
}

Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $params
This example blocks outbound B2B collaboration for a group of users.
Example 2: Update default invitation redemption configuration
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
    invitationRedemptionIdentityProviderConfiguration = @{
        primaryIdentityProviderPrecedenceOrder = @(
            "externalFederation"
            "azureActiveDirectory"
            "socialIdentityProviders"
        )
        fallbackIdentityProvider = "defaultConfiguredIdp"
    }
}

Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $params
This example updates the default invitation redemption configuration.
Example 3: Disallow Microsoft accounts as an option for redeeming B2B invitations
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
    invitationRedemptionIdentityProviderConfiguration = @{
        primaryIdentityProviderPrecedenceOrder = @(
            "externalFederation"
            "azureActiveDirectory"
            "socialIdentityProviders"
        )
        fallbackIdentityProvider = "emailOneTimePasscode"
    }
}

Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $params
This example disallows Microsoft accounts as an option for redeeming B2B invitations.
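Added example (not part of the original cmdlet reference): a change workflow for the default policy that snapshots the current configuration, previews the update with -WhatIf, applies it with -Confirm, and re-reads the policy to verify the InboundTrust values. It assumes Get-MgPolicyCrossTenantAccessPolicyDefault from the same module for the reads, that the scope in the Permissions table also covers those reads, and a backup file name chosen for illustration.

```powershell
# Added example, not from the original page: snapshot, preview, apply, verify.
# Assumptions: Get-MgPolicyCrossTenantAccessPolicyDefault is used for the reads,
# the write scope below also permits them, and the backup file name is illustrative.
Import-Module Microsoft.Graph.Identity.SignIns

# Least-privileged scope listed in the Permissions table.
$requiredScope = 'Policy.ReadWrite.CrossTenantAccess'
Connect-MgGraph -Scopes $requiredScope
if ((Get-MgContext).Scopes -notcontains $requiredScope) {
    throw "Session is missing scope $requiredScope; refusing to continue."
}

# 1. Snapshot the current default so the change can be reviewed and rolled back.
$before     = Get-MgPolicyCrossTenantAccessPolicyDefault
$stamp      = Get-Date -Format 'yyyyMMddTHHmmss'
$backupPath = Join-Path ([System.IO.Path]::GetTempPath()) "xtap-default-$stamp.json"
$before | ConvertTo-Json -Depth 10 | Set-Content -Path $backupPath -Encoding utf8
"Backup written to $backupPath (IsServiceDefault = $($before.IsServiceDefault))"

# 2. Desired state: by default, do not trust MFA or device claims asserted by
#    external Microsoft Entra organizations (properties from the INBOUNDTRUST notes).
$params = @{
    inboundTrust = @{
        isMfaAccepted                       = $false
        isCompliantDeviceAccepted           = $false
        isHybridAzureAdJoinedDeviceAccepted = $false
    }
}

# 3. Preview: -WhatIf reports the operation without sending the update.
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $params -WhatIf

# 4. Apply: -Confirm prompts before the change is sent.
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $params -Confirm

# 5. Verify: re-read the policy and report any property that differs from the request.
$after = Get-MgPolicyCrossTenantAccessPolicyDefault
$drift = foreach ($key in $params.inboundTrust.Keys) {
    $actual = $after.InboundTrust.$key
    if ($actual -ne $params.inboundTrust[$key]) {
        [pscustomobject]@{
            Property = $key
            Expected = $params.inboundTrust[$key]
            Actual   = $actual
        }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Default cross-tenant access policy does not match the requested state.'
}
'Default inbound trust matches the requested state.'
```

This cmdlet changes only the default configuration; keep the JSON snapshot with the change record so the previous values can be restored through -BodyParameter if needed.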
Parameters
-AdditionalProperties
Additional Parameters
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AutomaticUserConsentSettings
inboundOutboundPolicyConfiguration. To construct, see the NOTES section for AUTOMATICUSERCONSENTSETTINGS properties and create a hash table.
Type: | IMicrosoftGraphInboundOutboundPolicyConfiguration |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-B2BCollaborationInbound
crossTenantAccessPolicyB2BSetting. To construct, see the NOTES section for B2BCOLLABORATIONINBOUND properties and create a hash table.
Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-B2BCollaborationOutbound
crossTenantAccessPolicyB2BSetting. To construct, see the NOTES section for B2BCOLLABORATIONOUTBOUND properties and create a hash table.
Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-B2BDirectConnectInbound
crossTenantAccessPolicyB2BSetting. To construct, see the NOTES section for B2BDIRECTCONNECTINBOUND properties and create a hash table.
Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-B2BDirectConnectOutbound
crossTenantAccessPolicyB2BSetting. To construct, see the NOTES section for B2BDIRECTCONNECTOUTBOUND properties and create a hash table.
Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BodyParameter
crossTenantAccessPolicyConfigurationDefault. To construct, see the NOTES section for BODYPARAMETER properties and create a hash table.
Type: | IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
Type: | IDictionary |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InboundTrust
crossTenantAccessPolicyInboundTrust. To construct, see the NOTES section for INBOUNDTRUST properties and create a hash table.
Type: | IMicrosoftGraphCrossTenantAccessPolicyInboundTrust |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InvitationRedemptionIdentityProviderConfiguration
defaultInvitationRedemptionIdentityProviderConfiguration
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IsServiceDefault
If true, the default configuration is set to the system default configuration. If false, the default settings are customized.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProgressAction
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Type: | String |
Aliases: | RHV |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TenantRestrictions
crossTenantAccessPolicyTenantRestrictions. To construct, see the NOTES section for TENANTRESTRICTIONS properties and create a hash table.
Type: | IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault
System.Collections.IDictionary
Outputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
AUTOMATICUSERCONSENTSETTINGS <IMicrosoftGraphInboundOutboundPolicyConfiguration>: inboundOutboundPolicyConfiguration
  [(Any) <Object>]: This indicates any property can be added to this object.
  [InboundAllowed <Boolean?>]: Defines whether external users coming inbound are allowed.
  [OutboundAllowed <Boolean?>]: Defines whether internal users are allowed to go outbound.
B2BCOLLABORATIONINBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
  [(Any) <Object>]: This indicates any property can be added to this object.
  [Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
    [(Any) <Object>]: This indicates any property can be added to this object.
    [AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
    [Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget[]>]: Specifies whether to target users, groups, or applications with this rule.
      [Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application; AllUsers; AllApplications - Refers to any Microsoft cloud application; Office365 - Includes the applications mentioned as part of the Office 365 suite.
      [TargetType <String>]: crossTenantAccessPolicyTargetType
  [UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
B2BCOLLABORATIONOUTBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
  [(Any) <Object>]: This indicates any property can be added to this object.
  [Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
    [(Any) <Object>]: This indicates any property can be added to this object.
    [AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
    [Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget[]>]: Specifies whether to target users, groups, or applications with this rule.
      [Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application; AllUsers; AllApplications - Refers to any Microsoft cloud application; Office365 - Includes the applications mentioned as part of the Office 365 suite.
      [TargetType <String>]: crossTenantAccessPolicyTargetType
  [UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
B2BDIRECTCONNECTINBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
  [(Any) <Object>]: This indicates any property can be added to this object.
  [Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
    [(Any) <Object>]: This indicates any property can be added to this object.
    [AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
    [Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget[]>]: Specifies whether to target users, groups, or applications with this rule.
      [Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application; AllUsers; AllApplications - Refers to any Microsoft cloud application; Office365 - Includes the applications mentioned as part of the Office 365 suite.
      [TargetType <String>]: crossTenantAccessPolicyTargetType
  [UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
B2BDIRECTCONNECTOUTBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
  [(Any) <Object>]: This indicates any property can be added to this object.
  [Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
    [(Any) <Object>]: This indicates any property can be added to this object.
    [AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
    [Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget[]>]: Specifies whether to target users, groups, or applications with this rule.
      [Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application; AllUsers; AllApplications - Refers to any Microsoft cloud application; Office365 - Includes the applications mentioned as part of the Office 365 suite.
      [TargetType <String>]: crossTenantAccessPolicyTargetType
  [UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
BODYPARAMETER <IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault>: crossTenantAccessPolicyConfigurationDefault
  [(Any) <Object>]: This indicates any property can be added to this object.
  [Id <String>]: The unique identifier for an entity. Read-only.
  [AutomaticUserConsentSettings <IMicrosoftGraphInboundOutboundPolicyConfiguration>]: inboundOutboundPolicyConfiguration
    [(Any) <Object>]: This indicates any property can be added to this object.
    [InboundAllowed <Boolean?>]: Defines whether external users coming inbound are allowed.
    [OutboundAllowed <Boolean?>]: Defines whether internal users are allowed to go outbound.
  [B2BCollaborationInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting
    [(Any) <Object>]: This indicates any property can be added to this object.
    [Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
      [(Any) <Object>]: This indicates any property can be added to this object.
      [AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
      [Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget[]>]: Specifies whether to target users, groups, or applications with this rule.
        [Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application; AllUsers; AllApplications - Refers to any Microsoft cloud application; Office365 - Includes the applications mentioned as part of the Office 365 suite.
        [TargetType <String>]: crossTenantAccessPolicyTargetType
    [UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
  [B2BCollaborationOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting
  [B2BDirectConnectInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting
  [B2BDirectConnectOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting
  [InboundTrust <IMicrosoftGraphCrossTenantAccessPolicyInboundTrust>]: crossTenantAccessPolicyInboundTrust
    [(Any) <Object>]: This indicates any property can be added to this object.
    [IsCompliantDeviceAccepted <Boolean?>]: Specifies whether compliant devices from external Microsoft Entra organizations are trusted.
    [IsHybridAzureAdJoinedDeviceAccepted <Boolean?>]: Specifies whether Microsoft Entra hybrid joined devices from external Microsoft Entra organizations are trusted.
    [IsMfaAccepted <Boolean?>]: Specifies whether MFA from external Microsoft Entra organizations is trusted.
  [InvitationRedemptionIdentityProviderConfiguration <IMicrosoftGraphDefaultInvitationRedemptionIdentityProviderConfiguration>]: defaultInvitationRedemptionIdentityProviderConfiguration
    [(Any) <Object>]: This indicates any property can be added to this object.
    [FallbackIdentityProvider <String>]: b2bIdentityProvidersType
    [PrimaryIdentityProviderPrecedenceOrder <String[]>]: Collection of identity providers in priority order of preference to be used for guest invitation redemption. Possible values are: azureActiveDirectory, externalFederation, or socialIdentityProviders.
  [IsServiceDefault <Boolean?>]: If true, the default configuration is set to the system default configuration. If false, the default settings are customized.
  [TenantRestrictions <IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions>]: crossTenantAccessPolicyTenantRestrictions
    [(Any) <Object>]: This indicates any property can be added to this object.
    [Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
    [UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
    [Devices <IMicrosoftGraphDevicesFilter>]: devicesFilter
      [(Any) <Object>]: This indicates any property can be added to this object.
      [Mode <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
      [Rule <String>]: Defines the rule to filter the devices. For example, device.deviceAttribute2 -eq 'PrivilegedAccessWorkstation'.
INBOUNDTRUST <IMicrosoftGraphCrossTenantAccessPolicyInboundTrust>: crossTenantAccessPolicyInboundTrust
  [(Any) <Object>]: This indicates any property can be added to this object.
  [IsCompliantDeviceAccepted <Boolean?>]: Specifies whether compliant devices from external Microsoft Entra organizations are trusted.
  [IsHybridAzureAdJoinedDeviceAccepted <Boolean?>]: Specifies whether Microsoft Entra hybrid joined devices from external Microsoft Entra organizations are trusted.
  [IsMfaAccepted <Boolean?>]: Specifies whether MFA from external Microsoft Entra organizations is trusted.
TENANTRESTRICTIONS <IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions>: crossTenantAccessPolicyTenantRestrictions
  [(Any) <Object>]: This indicates any property can be added to this object.
  [Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
    [(Any) <Object>]: This indicates any property can be added to this object.
    [AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
    [Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget[]>]: Specifies whether to target users, groups, or applications with this rule.
      [Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application; AllUsers; AllApplications - Refers to any Microsoft cloud application; Office365 - Includes the applications mentioned as part of the Office 365 suite.
      [TargetType <String>]: crossTenantAccessPolicyTargetType
  [UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
  [Devices <IMicrosoftGraphDevicesFilter>]: devicesFilter
    [(Any) <Object>]: This indicates any property can be added to this object.
    [Mode <String>]: crossTenantAccessPolicyTargetConfigurationAccessType
    [Rule <String>]: Defines the rule to filter the devices. For example, device.deviceAttribute2 -eq 'PrivilegedAccessWorkstation'.