Update-MgPolicyCrossTenantAccessPolicyDefault
Update the default configuration of a cross-tenant access policy.
Note
To view the beta release of this cmdlet, view Update-MgBetaPolicyCrossTenantAccessPolicyDefault
Syntax
Update-MgPolicyCrossTenantAccessPolicyDefault
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-AutomaticUserConsentSettings <IMicrosoftGraphInboundOutboundPolicyConfiguration>]
[-B2BCollaborationInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
[-B2BCollaborationOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
[-B2BDirectConnectInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
[-B2BDirectConnectOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]
[-Id <String>]
[-InboundTrust <IMicrosoftGraphCrossTenantAccessPolicyInboundTrust>]
[-InvitationRedemptionIdentityProviderConfiguration <Hashtable>]
[-IsServiceDefault]
[-TenantRestrictions <IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Update-MgPolicyCrossTenantAccessPolicyDefault
-BodyParameter <IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
Update the default configuration of a cross-tenant access policy.
Permissions
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Policy.ReadWrite.CrossTenantAccess | Not available. |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Policy.ReadWrite.CrossTenantAccess | Not available. |
Examples
Example 1: Block outbound B2B collaboration for a group of users
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
b2bCollaborationOutbound = @{
usersAndGroups = @{
accessType = "blocked"
targets = @(
@{
target = "0be493dc-cb56-4a53-936f-9cf64410b8b0"
targetType = "group"
}
)
}
applications = @{
accessType = "blocked"
targets = @(
@{
target = "AllApplications"
targetType = "application"
}
)
}
}
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $paramsThis example will block outbound b2b collaboration for a group of users
Example 2: Update default invitation redemption configuration
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
invitationRedemptionIdentityProviderConfiguration = @{
primaryIdentityProviderPrecedenceOrder = @(
"externalFederation"
"azureActiveDirectory"
"socialIdentityProviders"
)
fallbackIdentityProvider = "defaultConfiguredIdp"
}
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $paramsThis example will update default invitation redemption configuration
Example 3: Disallow Microsoft accounts as an option for redeeming B2B invitations
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
invitationRedemptionIdentityProviderConfiguration = @{
primaryIdentityProviderPrecedenceOrder = @(
"externalFederation"
"azureActiveDirectory"
"socialIdentityProviders"
)
fallbackIdentityProvider = "emailOneTimePasscode"
}
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $paramsThis example will disallow microsoft accounts as an option for redeeming b2b invitations
Parameters
-AdditionalProperties
Additional Parameters
| Type: | Hashtable |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AutomaticUserConsentSettings
inboundOutboundPolicyConfiguration To construct, see NOTES section for AUTOMATICUSERCONSENTSETTINGS properties and create a hash table.
| Type: | IMicrosoftGraphInboundOutboundPolicyConfiguration |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-B2BCollaborationInbound
crossTenantAccessPolicyB2BSetting To construct, see NOTES section for B2BCOLLABORATIONINBOUND properties and create a hash table.
| Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-B2BCollaborationOutbound
crossTenantAccessPolicyB2BSetting To construct, see NOTES section for B2BCOLLABORATIONOUTBOUND properties and create a hash table.
| Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-B2BDirectConnectInbound
crossTenantAccessPolicyB2BSetting To construct, see NOTES section for B2BDIRECTCONNECTINBOUND properties and create a hash table.
| Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-B2BDirectConnectOutbound
crossTenantAccessPolicyB2BSetting To construct, see NOTES section for B2BDIRECTCONNECTOUTBOUND properties and create a hash table.
| Type: | IMicrosoftGraphCrossTenantAccessPolicyB2BSetting |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-BodyParameter
crossTenantAccessPolicyConfigurationDefault To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
| Type: | IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
| Type: | IDictionary |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InboundTrust
crossTenantAccessPolicyInboundTrust To construct, see NOTES section for INBOUNDTRUST properties and create a hash table.
| Type: | IMicrosoftGraphCrossTenantAccessPolicyInboundTrust |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InvitationRedemptionIdentityProviderConfiguration
defaultInvitationRedemptionIdentityProviderConfiguration
| Type: | Hashtable |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IsServiceDefault
If true, the default configuration is set to the system default configuration. If false, the default settings are customized.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
| Type: | ActionPreference |
| Aliases: | proga |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
| Type: | String |
| Aliases: | RHV |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TenantRestrictions
crossTenantAccessPolicyTenantRestrictions To construct, see NOTES section for TENANTRESTRICTIONS properties and create a hash table.
| Type: | IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault
System.Collections.IDictionary
Outputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
AUTOMATICUSERCONSENTSETTINGS <IMicrosoftGraphInboundOutboundPolicyConfiguration>: inboundOutboundPolicyConfiguration
[(Any) <Object>]: This indicates any property can be added to this object.[InboundAllowed <Boolean?>]: Defines whether external users coming inbound are allowed.[OutboundAllowed <Boolean?>]: Defines whether internal users are allowed to go outbound.
B2BCOLLABORATIONINBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
[(Any) <Object>]: This indicates any property can be added to this object.[Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget-[]>]: Specifies whether to target users, groups, or applications with this rule.[Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application AllUsers AllApplications - Refers to any Microsoft cloud application. Office365 - Includes the applications mentioned as part of the Office 365 suite.[TargetType <String>]: crossTenantAccessPolicyTargetType
[UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
B2BCOLLABORATIONOUTBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
[(Any) <Object>]: This indicates any property can be added to this object.[Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget-[]>]: Specifies whether to target users, groups, or applications with this rule.[Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application AllUsers AllApplications - Refers to any Microsoft cloud application. Office365 - Includes the applications mentioned as part of the Office 365 suite.[TargetType <String>]: crossTenantAccessPolicyTargetType
[UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
B2BDIRECTCONNECTINBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
[(Any) <Object>]: This indicates any property can be added to this object.[Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget-[]>]: Specifies whether to target users, groups, or applications with this rule.[Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application AllUsers AllApplications - Refers to any Microsoft cloud application. Office365 - Includes the applications mentioned as part of the Office 365 suite.[TargetType <String>]: crossTenantAccessPolicyTargetType
[UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
B2BDIRECTCONNECTOUTBOUND <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>: crossTenantAccessPolicyB2BSetting
[(Any) <Object>]: This indicates any property can be added to this object.[Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget-[]>]: Specifies whether to target users, groups, or applications with this rule.[Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application AllUsers AllApplications - Refers to any Microsoft cloud application. Office365 - Includes the applications mentioned as part of the Office 365 suite.[TargetType <String>]: crossTenantAccessPolicyTargetType
[UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
BODYPARAMETER <IMicrosoftGraphCrossTenantAccessPolicyConfigurationDefault>: crossTenantAccessPolicyConfigurationDefault
[(Any) <Object>]: This indicates any property can be added to this object.[Id <String>]: The unique identifier for an entity. Read-only.[AutomaticUserConsentSettings <IMicrosoftGraphInboundOutboundPolicyConfiguration>]: inboundOutboundPolicyConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[InboundAllowed <Boolean?>]: Defines whether external users coming inbound are allowed.[OutboundAllowed <Boolean?>]: Defines whether internal users are allowed to go outbound.
[B2BCollaborationInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting[(Any) <Object>]: This indicates any property can be added to this object.[Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget-[]>]: Specifies whether to target users, groups, or applications with this rule.[Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application AllUsers AllApplications - Refers to any Microsoft cloud application. Office365 - Includes the applications mentioned as part of the Office 365 suite.[TargetType <String>]: crossTenantAccessPolicyTargetType
[UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration
[B2BCollaborationOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting[B2BDirectConnectInbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting[B2BDirectConnectOutbound <IMicrosoftGraphCrossTenantAccessPolicyB2BSetting>]: crossTenantAccessPolicyB2BSetting[InboundTrust <IMicrosoftGraphCrossTenantAccessPolicyInboundTrust>]: crossTenantAccessPolicyInboundTrust[(Any) <Object>]: This indicates any property can be added to this object.[IsCompliantDeviceAccepted <Boolean?>]: Specifies whether compliant devices from external Microsoft Entra organizations are trusted.[IsHybridAzureAdJoinedDeviceAccepted <Boolean?>]: Specifies whether Microsoft Entra hybrid joined devices from external Microsoft Entra organizations are trusted.[IsMfaAccepted <Boolean?>]: Specifies whether MFA from external Microsoft Entra organizations is trusted.
[InvitationRedemptionIdentityProviderConfiguration <IMicrosoftGraphDefaultInvitationRedemptionIdentityProviderConfiguration>]: defaultInvitationRedemptionIdentityProviderConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[FallbackIdentityProvider <String>]: b2bIdentityProvidersType[PrimaryIdentityProviderPrecedenceOrder <String-[]>]: Collection of identity providers in priority order of preference to be used for guest invitation redemption. Possible values are: azureActiveDirectory, externalFederation, or socialIdentityProviders.
[IsServiceDefault <Boolean?>]: If true, the default configuration is set to the system default configuration. If false, the default settings are customized.[TenantRestrictions <IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions>]: crossTenantAccessPolicyTenantRestrictions[(Any) <Object>]: This indicates any property can be added to this object.[Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[Devices <IMicrosoftGraphDevicesFilter>]: devicesFilter[(Any) <Object>]: This indicates any property can be added to this object.[Mode <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Rule <String>]: Defines the rule to filter the devices. For example, device.deviceAttribute2 -eq 'PrivilegedAccessWorkstation'.
INBOUNDTRUST <IMicrosoftGraphCrossTenantAccessPolicyInboundTrust>: crossTenantAccessPolicyInboundTrust
[(Any) <Object>]: This indicates any property can be added to this object.[IsCompliantDeviceAccepted <Boolean?>]: Specifies whether compliant devices from external Microsoft Entra organizations are trusted.[IsHybridAzureAdJoinedDeviceAccepted <Boolean?>]: Specifies whether Microsoft Entra hybrid joined devices from external Microsoft Entra organizations are trusted.[IsMfaAccepted <Boolean?>]: Specifies whether MFA from external Microsoft Entra organizations is trusted.
TENANTRESTRICTIONS <IMicrosoftGraphCrossTenantAccessPolicyTenantRestrictions>: crossTenantAccessPolicyTenantRestrictions
[(Any) <Object>]: This indicates any property can be added to this object.[Applications <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[(Any) <Object>]: This indicates any property can be added to this object.[AccessType <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Targets <IMicrosoftGraphCrossTenantAccessPolicyTarget-[]>]: Specifies whether to target users, groups, or applications with this rule.[Target <String>]: Defines the target for cross-tenant access policy settings and can have one of the following values: The unique identifier of the user, group, or application AllUsers AllApplications - Refers to any Microsoft cloud application. Office365 - Includes the applications mentioned as part of the Office 365 suite.[TargetType <String>]: crossTenantAccessPolicyTargetType
[UsersAndGroups <IMicrosoftGraphCrossTenantAccessPolicyTargetConfiguration>]: crossTenantAccessPolicyTargetConfiguration[Devices <IMicrosoftGraphDevicesFilter>]: devicesFilter[(Any) <Object>]: This indicates any property can be added to this object.[Mode <String>]: crossTenantAccessPolicyTargetConfigurationAccessType[Rule <String>]: Defines the rule to filter the devices. For example, device.deviceAttribute2 -eq 'PrivilegedAccessWorkstation'.