Teams governance becomes increasingly important as we increase our investment in Microsoft Teams. We must build smart processes and use automation to scale well. Here's an example.
Recently, I worked with a customer in a highly regulated industry. These organizations tend to lock down their Microsoft 365 tenants in different ways, and Teams federation (External access in the Teams admin center) is one of them. When federation is enabled, which it is by default, users can freely chat with and call users in other Microsoft 365 tenants. However, compliance or security restrictions sometimes do not permit this.
Federation can be enabled or disabled at the tenant level, and individual domains can be blocked or allowed. Once you add one or more allowed domains, federation is restricted to those organisations and the rest of the world is not allowed to federate. If you've ever set up Teams federation manually in the Teams admin center, you know it's a tedious process, since you have to enter one domain at a time.
The purpose of this article is to show you how this can be automated with PowerShell, and I will take it one step further by integrating an approval flow using Teams Approvals to make it available to your entire organization.
Let's start with the basics. You can use this script to sign in to Teams, enable federation (if it was disabled), and add a list of trusted domains to the list of allowed domains for federation (use this for bulk changes). After the script completes, users from those domains can chat and make calls. With the -RemoveExistingDomains switch on Enable-TeamsFederationForAllowedDomainsOnly, the existing domains are removed from the list before the new ones are added.

    # Check if the Teams module is installed.
    if (-not (Get-Module -ListAvailable -Name "MicrosoftTeams")) {
        Write-Error -Message "The Microsoft Teams PowerShell module is not installed. Please, run 'Install-Module MicrosoftTeams' and try again." -ErrorAction Stop
    }

    # Connect to Microsoft Teams.
    # (New-CsOnlineSession ships with older MicrosoftTeams module releases;
    # current releases connect with Connect-MicrosoftTeams.)
    $sfbSession = New-CsOnlineSession
    Import-PSSession $sfbSession

    # Get current Teams federation settings before change.
    Write-Verbose -Verbose -Message "Before change:"
    Get-CsTenantFederationConfiguration

    # Disable communication with accounts on public IM and presence providers such as Windows Live, Yahoo, and AOL.
    Set-CsTenantFederationConfiguration -AllowPublicUsers $false

    # Enable Teams federation.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true

    # Function to add allowed domains for Teams federation.
    function Enable-TeamsFederationForAllowedDomainsOnly {
        param (
            [parameter(Mandatory = $true)]
            [string[]]$AllowedDomains,

            [parameter(Mandatory = $false)]
            [switch]$RemoveExistingDomains
        )

        # Remove existing domains (if requested).
        if ($RemoveExistingDomains) {
            Write-Verbose -Verbose -Message "Removing existing domains..."
            Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $null
        }

        # Add each domain to the list of allowed domains.
        foreach ($Domain in $AllowedDomains) {
            Write-Verbose -Verbose -Message "Adding $Domain..."
            Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add=$Domain}
        }
    }

    # List of domains to allow.
    $AllowedDomains = "example1.com",
        "example2.com",
        "example3.com",
        "example4.com",
        "example5.com"

    # Set Teams federation settings to allowed domains only.
    Enable-TeamsFederationForAllowedDomainsOnly -AllowedDomains $AllowedDomains -RemoveExistingDomains

    # Get current Teams federation settings after change.
    Write-Verbose -Verbose -Message "After change:"
    Get-CsTenantFederationConfiguration

As an admin, you don't need anything else to maintain a list of allowed domains and automate that list's configuration in Teams. To make it even better, provide a form your users can use to apply for additional federated domains in Teams. Now, things start to get really exciting!
We will use Microsoft Forms as our input, and our users will have access to the form through a tab in Teams. It makes it easier for them to find it and to request new domains for Teams federation.
The PowerShell script from above will be used, slightly modified to work with Azure Automation. Because Microsoft Graph did not support managing federation at the time of writing, we will use a service account with Teams admin permissions and the MicrosoftTeams PowerShell module instead. Remember to add this module to Azure Automation from the Gallery. Don't forget to protect and monitor this service account!
This is the modified script, using an Azure Automation credential called ServiceAccount for the authentication.

    param (
        [parameter(Mandatory = $true)]
        [string]$AllowedDomain
    )

    # Connect to Microsoft Teams with the Azure Automation credential.
    $Cred = Get-AutomationPSCredential -Name "ServiceAccount"
    $sfbSession = New-CsOnlineSession -Credential $Cred
    Import-PSSession $sfbSession

    # Function to add allowed domain for Teams federation.
    function Enable-TeamsFederationForAllowedDomainsOnly {
        param (
            [parameter(Mandatory = $true)]
            [string]$AllowedDomain
        )

        # Add domain to the list of allowed domains.
        Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add=$AllowedDomain}
    }

    # Set Teams federation settings to allowed domains only.
    Enable-TeamsFederationForAllowedDomainsOnly -AllowedDomain $AllowedDomain

The new Teams Approvals app will then ping an administrator in Teams for approval before the new domain is added. This task is handled by Power Automate. A flow runs when someone submits the form. It then starts the approval process and notifies the admin via chat in Teams. As soon as the admin approves the request, Power Automate will run the Azure Automation PowerShell runbook with our script, and the domain variable from Forms will be used as input. That's how it works!
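Because the runbook receives whatever text the requester typed into the form, it is worth normalizing and validating that value before it reaches Set-CsTenantFederationConfiguration. The function below is an added example, not part of the original runbook; Test-FederationDomainRequest is a hypothetical helper name and the sample inputs are constructed.

```powershell
# Added example (not from the original runbook). Test-FederationDomainRequest
# is a hypothetical helper; the inputs at the bottom are constructed samples.
function Test-FederationDomainRequest {
    param (
        [Parameter(Mandatory = $true)]
        [string]$RequestedDomain
    )

    # Normalize: trim whitespace, drop a trailing root dot, lower-case.
    $domain = $RequestedDomain.Trim().TrimEnd('.').ToLowerInvariant()

    # Store internationalized names in their ASCII (punycode) form so the
    # allow list holds one canonical spelling. Malformed names throw here.
    try {
        $domain = [System.Globalization.IdnMapping]::new().GetAscii($domain)
    }
    catch {
        throw "Rejected '$RequestedDomain': not a valid domain name."
    }

    # Accept only a plain multi-label DNS name. This rejects URLs, e-mail
    # addresses, wildcards, IP addresses and several domains in one field.
    $label   = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    $tld     = '[a-z]([a-z0-9-]{0,61}[a-z0-9])'
    $pattern = '^(' + $label + '\.)+' + $tld + '$'
    if ($domain.Length -gt 253 -or $domain -notmatch $pattern) {
        throw "Rejected '$RequestedDomain': expected a domain such as example1.com."
    }

    return $domain
}

# Constructed sample inputs, as they might arrive from the form.
$samples = ' Example1.COM. ', 'https://example2.com/chat', '*.example3.com',
           'user@example4.com', '203.0.113.10', 'example5.com, example1.com'

foreach ($sample in $samples) {
    try {
        $clean = Test-FederationDomainRequest -RequestedDomain $sample
        Write-Output "ACCEPT  '$sample' -> $clean"
    }
    catch {
        Write-Output "REJECT  $($_.Exception.Message)"
    }
}
```

In the runbook, the returned value would replace the raw $AllowedDomain before the call to Enable-TeamsFederationForAllowedDomainsOnly, so a rejected request fails the job instead of changing the allow list.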
Power Automate starts the PowerShell runbook in Azure Automation if the request is approved.
In the runbook, a PowerShell script is used to add the new domain as an allowed domain in Teams External access. That's it!
When it has completed, this is what it looks like in the Admin center:
This may inspire you to build similar governance processes for Teams.