
Azure AD Guest Organization Management #49

Open
AdamCoulterOz opened this issue Feb 20, 2019 · 8 comments

Comments

@AdamCoulterOz

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

A way to manage Allowed or Denied guest organisations in the Azure AD external organisational relationship settings.

Would like to be able to use an azuread_guest type resource (#41) but wouldn't be able to in many Azure AD tenancies until we can also whitelist the domain for the guests.

New or Affected Resource(s)

  • azuread_guest_organization

Potential Terraform Configuration

locals {
    domains = ["domain1.com","domain2.com","..."]
}

# if whitelisting collaboration with specified external organisations
resource "azuread_guest_organization" "allow-entity" {
    count = "${length(local.domains)}"
    type = "Allow"
    domain = "${local.domains[count.index]}"
}

# if blacklisting collaboration with specified external organisations
resource "azuread_guest_organization" "deny-entity" {
    count = "${length(local.domains)}"
    type = "Deny"
    domain = "${local.domains[count.index]}"
}

Specifically separating management of individual guest organisations rather than treating it as a single collection set. Organisations may be added from elsewhere, managed under other processes.

An error would be given if specifying Allow in an AAD tenant with the Deny invitations ... setting, and the reverse, if specifying Deny in an AAD tenant with the Allow invitations only ... setting.

References

  • #0000
@AdamCoulterOz
Author

AdamCoulterOz commented Feb 21, 2019

Microsoft Graph can be used for this:
https://docs.microsoft.com/en-us/graph/api/resources/policy?view=graph-rest-beta

{
    "B2BManagementPolicy": {
        "InvitationsAllowedAndBlockedDomainsPolicy": {
            "AllowedDomains": [
                "domain1.com",
                "domain2.com",
                "..."
            ]
        },
        "AutoRedeemPolicy": {
            "AdminConsentedForUsersIntoTenantIds": [],
            "NoAADConsentForUsersFromTenantsIds": []
        }
    }
}

@AdamCoulterOz
Author

Currently, the API doesn't support Applications having permission to do this, only delegated work accounts. Not sure how this might be implemented without a direct Application permission.

[screenshot: 2019-02-25 11:28 am]


@AdamCoulterOz
Author

AdamCoulterOz commented Feb 22, 2021

So to achieve this the following is needed...

  • Service Principal with AAD Global Admin role assignment
  • Can use client_id and client_secret normally
  1. Get the AAD Access token
  2. Get the policy object ID: https://graph.windows.net/myorganization/policies?api-version=1.6, which gives this response:
{
	"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
	"value": [
		{
			"odata.type": "Microsoft.DirectoryServices.Policy",
			"objectType": "Policy",
			"objectId": "00000000-0000-0000-0000-000000000001",
			"deletionTimestamp": null,
			"alternativeIdentifier": null,
			"definition": [
				"{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
			],
			"displayName": "B2BManagementPolicy",
			"isTenantDefault": true,
			"keyCredentials": [],
			"type": "B2BManagementPolicy"
		},
		{
			"odata.type": "Microsoft.DirectoryServices.Policy",
			"objectType": "Policy",
			"objectId": "00000000-0000-0000-0000-000000000002",
			"deletionTimestamp": null,
			"alternativeIdentifier": null,
			"definition": [
				"{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"Worlintest.onmicrosoft.com\"]},\"PreviewPolicy\":{\"Features\":[\"OneTimePasscode\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
			],
			"displayName": "B2BManagementPolicy2",
			"isTenantDefault": false,
			"keyCredentials": [],
			"type": "B2BManagementPolicy"
		}
	]
}
  3. Use the first policy object to change the setting. Here is the request (targeting https://graph.windows.net):
PATCH /myorganization/policies/00000000-0000-0000-0000-000000000001?api-version=1.6 HTTP/1.1
Content-Type: application/json;charset=UTF-8
Authorization: Bearer <token>

PATCH request body:

{
	"definition": [
		"{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"Worlintest.onmicrosoft.com\"]},\"PreviewPolicy\":{\"Features\":[\"OneTimePasscode\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
	],
	"displayName": "B2BManagementPolicy2",
	"type": "B2BManagementPolicy"
}

There seems to be a limitation using this where Allow invitations only to the specified domains (most restrictive) needs to be set on the portal (Azure AD > External Identities > External collaboration settings > Collaboration restrictions) first, then we can use the API to edit it. I haven't had a chance yet to find how to work around it, which I'm confident I will be able to.

FYI - @divyavmnair - this might also help your question
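The three steps above are a read-modify-write of a JSON document that is stored as a string inside the policy's `definition` list. The following Python is an added example (not code from this issue or from the azuread provider) of the non-network part: selecting the tenant-default B2BManagementPolicy from the policies response, decoding the definition, adding or removing a single domain while leaving other domains in place (the per-organisation management the issue asks for), refusing an Allow entry when the tenant is in Deny mode and vice versa, and re-encoding the PATCH body. The policies response is a constructed, trimmed copy of the shape shown above with placeholder object IDs; the `BlockedDomains` key is assumed to be the deny-side counterpart of `AllowedDomains` in the same policy object, since only `AllowedDomains` appears on this page.

```python
import json
from copy import deepcopy

POLICY_TYPE = "B2BManagementPolicy"
DOMAINS_KEY = "InvitationsAllowedAndBlockedDomainsPolicy"
# "AllowedDomains" is shown in the issue; "BlockedDomains" is assumed to be the
# deny-side list of the same policy object (not shown on the page).
MODE_KEYS = {"Allow": "AllowedDomains", "Deny": "BlockedDomains"}

# Constructed sample: trimmed shape of the GET /myorganization/policies?api-version=1.6
# response from the issue, with placeholder objectIds and made-up domains.
SAMPLE_POLICIES_RESPONSE = {
    "value": [
        {
            "objectType": "Policy",
            "objectId": "00000000-0000-0000-0000-000000000001",
            "displayName": "B2BManagementPolicy",
            "isTenantDefault": True,
            "type": POLICY_TYPE,
            "definition": [json.dumps({POLICY_TYPE: {
                DOMAINS_KEY: {"AllowedDomains": ["partner-one.example"]},
                "AutoRedeemPolicy": {"AdminConsentedForUsersIntoTenantIds": [],
                                     "NoAADConsentForUsersFromTenantsIds": []},
            }})],
        },
        {
            "objectType": "Policy",
            "objectId": "00000000-0000-0000-0000-000000000002",
            "displayName": "SomeOtherPolicy",
            "isTenantDefault": False,
            "type": "OtherPolicyType",
            "definition": ["{}"],
        },
    ]
}


def select_tenant_default_policy(response):
    """Pick the one tenant-default B2BManagementPolicy instead of blindly
    taking the first element of the response."""
    candidates = [p for p in response["value"]
                  if p.get("type") == POLICY_TYPE and p.get("isTenantDefault")]
    if len(candidates) != 1:
        raise LookupError(f"expected one tenant-default {POLICY_TYPE}, found {len(candidates)}")
    return candidates[0]


def load_definition(policy):
    """'definition' is a single-element list holding a JSON document as a string."""
    return json.loads(policy["definition"][0])


def current_mode(definition):
    """Return 'Allow', 'Deny' or None, depending on which domain list is present."""
    section = definition[POLICY_TYPE].get(DOMAINS_KEY, {})
    modes = [m for m, key in MODE_KEYS.items() if key in section]
    if len(modes) > 1:
        raise ValueError("policy carries both AllowedDomains and BlockedDomains")
    return modes[0] if modes else None


def mode_conflicts(definition, mode):
    """True when the requested mode contradicts the tenant's current restriction,
    i.e. the error case the issue proposes for the resource."""
    existing = current_mode(definition)
    return existing is not None and existing != mode


def apply_domain_change(definition, mode, domain, present=True):
    """Add (present=True) or remove one domain from the list for `mode`, leaving
    every other domain, possibly managed elsewhere, untouched. Returns a new dict."""
    if mode not in MODE_KEYS:
        raise ValueError(f"mode must be one of {sorted(MODE_KEYS)}")
    if mode_conflicts(definition, mode):
        raise ValueError(f"tenant restriction is '{current_mode(definition)}', "
                         f"cannot manage a '{mode}' entry")
    new_def = deepcopy(definition)
    section = new_def[POLICY_TYPE].setdefault(DOMAINS_KEY, {})
    domains = section.setdefault(MODE_KEYS[mode], [])
    wanted = domain.strip().lower()
    domains[:] = [d for d in domains if d.lower() != wanted]  # idempotent remove
    if present:
        domains.append(wanted)
    return new_def


def build_patch_body(policy, definition):
    """Body for PATCH /myorganization/policies/{objectId}?api-version=1.6; the
    definition goes back in as the single-element string list the API expects."""
    return {
        "definition": [json.dumps(definition, separators=(",", ":"))],
        "displayName": policy["displayName"],
        "type": policy["type"],
    }


if __name__ == "__main__":
    policy = select_tenant_default_policy(SAMPLE_POLICIES_RESPONSE)
    updated = apply_domain_change(load_definition(policy), "Allow", "Partner-Two.example")
    print(json.dumps(build_patch_body(policy, updated), indent=2))
```

Domains are lower-cased before comparison so that re-applying the same change is a no-op, which is what a Terraform resource needs to converge on plan. The mode check is what produces the error described in the issue description: an `Allow` entry is rejected while the tenant definition already carries a `BlockedDomains` list, and the reverse.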

@divyavmnair

Thanks Adam
The solution works perfectly.
Please provide a solution for setting Collaboration restrictions if you can find one.
It was a great help :)

@divyavmnair

Hi Adam,

Collaboration settings also work perfectly for me with this solution.

I can see the settings changed on Active Directory after refreshing the page.

@manicminer
Contributor

It looks like this API was deprecated and/or removed from MS Graph. Marking as blocked for now.

@manicminer manicminer added this to the Blocked milestone Oct 12, 2021

@manicminer manicminer removed this from the Blocked milestone Jan 27, 2023
tiwood pushed a commit to tiwood/terraform-provider-azuread that referenced this issue Feb 19, 2024