本文為機器翻譯文章。如需檢視英文版,請選取 [原文] 核取方塊。您也可以將滑鼠指標移到文字上,即可在快顯視窗顯示英文原文。
譯文
原文

允許/封鎖來賓存取 Office 365 群組

Exchange Online
 

上次修改主題的時間:2017-09-13

您可以允許或封鎖來賓使用特定網域的使用者。例如,假設您的業務 (Contoso) 有另一個 business (Fabrikam) 合作關係。 您可以讓使用者可以將這些來賓新增至其群組新增您的 [允許] 清單 Fabrikam。

或者,假設您要封鎖個人電子郵件地址的網域。您可以設定封鎖清單會包含類似 Gmail.com 和 Outlook.com 的網域。

  • 您可以建立允許清單 」 或 「 封鎖清單。但是您無法設定這兩種類型的清單。根據預設,列傳網域不在 [允許] 清單會封鎖清單上,反之亦然。

  • 您可以建立一個組織各原則。您可以使用多個網域更新該原則或您可以刪除該原則來建立新的專案。

  • 這份清單的運作方式分別從 SPO 允許/封鎖清單。就必須安裝允許/封鎖清單的 SPO 如果您想要限制個別的檔案共用的群組連線的網站。

  • 這份清單不會套用至尚未加入的來賓成員,這將針對清單中已安裝後新增的所有來賓強制執行。不過,您可以透過指令碼移除它們。

重要: 本文中的程序需要預覽版本 Azure Active Directory Module for Windows PowerShell,尤其是AzureADPreview模組版本2.0.0.98或更新版本。

  1. 以管理員身分開啟 Windows PowerShell:

    1. 在 [搜尋列中,輸入Windows PowerShell

    2. 以滑鼠右鍵按一下 Windows PowerShell,並選取 [以系統管理員身分執行]。

    Windows PowerShell 視窗會顯開啟。C:\Windows\system32 提示表示您的系統管理員身分開啟它。

  2. 執行此命令以查看是否有任何版本的 Azure Active Directory Module for Windows PowerShell 安裝在您的電腦上:

    Get-Module -ListAvailable AzureAD*
    
    • 如果不傳回任何結果,執行下列命令以安裝最新版的AzureADPreview模組:

      Install-Module AzureADPreview
      
    • 如果AzureAD模組會顯示結果中,執行下列命令以安裝AzureADPreview模組:

      Uninstall-Module AzureAD
      
      Install-Module AzureADPreview
      
    • 如果AzureADPreview模組會顯示結果中,但版本小於2.0.0.98,執行下列命令以其更新為:

      Uninstall-Module AzureADPreview
      
      Install-Module AzureADPreview
      
    • 如果同時結果中顯示AzureAD AzureADPreview模組但AzureADPreview模組的版本小於2.0.0.98,執行下列命令來更新它:

      Uninstall-Module AzureAD
      
      Uninstall-Module AzureADPreview
      
      Install-Module AzureADPreview
      

  1. 您為 instructioned 上方安裝AzureADPreview模組吗?不會察覺預覽版本為 #1 原因這些步驟未處理的人員。

  2. 移至 [允許/封鎖原則的指令碼底部的本文中,並將其儲存為組 GuestAllowBlockDomainPolicy.ps1

  3. 使用此命令執行指令碼:

    Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")
    

    其中您取代contoso.comfabrikam.com您想要允許的網域。

    		Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")
    
    

    請記住,您可以建立一個原則。如果您嘗試建立另一個,您將收到的錯誤。

若要以新的網域清單取代現有的原則,執行下列命令:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")

其中您取代contoso.comfabrikam.com您想要允許的網域。

Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")

要附加至新的網域在原則中,執行下列命令:

Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("contoso.com")

其中您取代contoso.comfabrikam.com您想要允許的網域。

Set-GuestAllowBlockDomainPolicy.ps1 -Append -BlockList @("contoso.com")

這份清單的運作方式分別從 SharePoint Online 的允許/封鎖清單。您必須設定允許/封鎖清單中的 SharePoint Online 如果您想要限制個別的檔案共用的群組連線的網站。

不過,如果已經貴組織的 SharePoint Online 允許/封鎖清單,您可將該清單中使用下列命令。

  1. 安裝SharePoint Online 管理工具

  2. 執行此命令︰

    Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint
    

若要從您的原則移除所有網域,請執行下列命令:

Set-GuestAllowBlockDomainPolicy.ps1 -Remove

Set-GuestAllowBlockDomainPolicy.ps1 -help

下面是建立允許/封鎖原則的指令碼。 若要將此指令碼儲存為.ps1 檔案:

  1. 開啟Windows PowerShell ISE

  2. 選擇 [檔案] >

  3. 下列指令碼至窗格的複製和過去。

  4. 將檔案儲存為組 GuestAllowBlockDomainPolicy.ps1

# .SYNOPSIS
#   Helps admin to update the AzureADPolicy for Allow/Block domain list for inviting external Users.
#   Powershell must be connected to Azure AD Preview V2 before running this script.
#
#   Copyright (c) Microsoft Corporation. All rights reserved.
#
#   THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK
#   OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
#
# .PARAMETER Update
#    Parameter to update allow or block domain list.
#
# .PARAMETER Append
#    Parameter to append domains to an existing allow or block domain list.
#
# .PARAMETER AllowList
#    Parameter to specify list of allowed domains.
#
# .PARAMETER BlockList
#    Parameter to specify list of blocked domains.
#
# .PARAMETER MigrateFromSharepoint
#    Switch parameter to migrate AllowBlockDomainList from SPO.
#
# .PARAMETER Remove
#    Switch parameter to delete the existing policy.
#
# .PARAMETER QueryPolicy
#    Switch parameter to query the existing policy.
#
# .Example
#	Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")
#
# .Example
#	Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("contoso.com")
#
# .Example
#	Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("fabrikam.com", "contoso.com")
#
# .Example
#	Set-GuestAllowBlockDomainPolicy.ps1 -Append -BlockList @("fabrikam.com")
#
# .Example
#	Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint
#
# .Example
#	Set-GuestAllowBlockDomainPolicy.ps1 -Remove
#
# .Example
#	Set-GuestAllowBlockDomainPolicy.ps1 -QueryPolicy
#
Param(
        [Parameter(Mandatory=$true, ParameterSetName="Update+BlockList")]
        [Parameter(Mandatory=$true, ParameterSetName="Update+AllowList")]
        [Switch] $Update,
        [Parameter(Mandatory=$true, ParameterSetName="Append+BlockList")]
        [Parameter(Mandatory=$true, ParameterSetName="Append+AllowList")]
        [Switch] $Append,
        [Parameter(Mandatory=$true, ParameterSetName="Append+BlockList")]
        [Parameter(Mandatory=$true, ParameterSetName="Update+BlockList")]
        [String[]] $BlockList,
        [Parameter(Mandatory=$true, ParameterSetName="Append+AllowList")]
        [Parameter(Mandatory=$true, ParameterSetName="Update+AllowList")]
        [String[]] $AllowList,
        [Parameter(Mandatory=$true, ParameterSetName="MigrateFromSPOSet")]
        [switch] $MigrateFromSharepoint,
        [Parameter(Mandatory=$true, ParameterSetName="ClearPolicySet")]
        [switch] $Remove,
        [Parameter(Mandatory=$true, ParameterSetName="ExistingPolicySet")]
        [switch] $QueryPolicy
)

# Gets Json for the policy with given Allowed and Blocked Domain List
function GetJSONForAllowBlockDomainPolicy([string[]] $AllowDomains = @(), [string[]] $BlockedDomains = @())
{
    # Remove any duplicate domains from Allowed or Blocked domains specified.
    $AllowDomains = $AllowDomains | select -uniq
    $BlockedDomains = $BlockedDomains | select -uniq

    return @{B2BManagementPolicy=@{InvitationsAllowedAndBlockedDomainsPolicy=@{AllowedDomains=@($AllowDomains); BlockedDomains=@($BlockedDomains)}}} | ConvertTo-Json -Depth 3 -Compress
}

# Converts Json to Object since ConvertFrom-Json does not support the depth parameter.
function GetObjectFromJson([string] $JsonString)
{
    ConvertFrom-Json -InputObject $JsonString |
        ForEach-Object {
            foreach ($property in ($_ | Get-Member -MemberType NoteProperty)) 
                {
                    $_.$($property.Name) | Add-Member -MemberType NoteProperty -Name 'Name' -Value $property.Name -PassThru
                }
        }
}

# Gets AllowBlockedList from SPO
function GetSPOPolicy
{
    try
    {
        $SPOTenantSettings = Get-SPOTenant
    }
    catch [System.InvalidOperationException]
    {
        Write-Error "You must call Connect-SPOService cmdlet before using this parameter."
        Exit;
    }

    # Return JSON for Allow\Block domain list in SPO
    switch($SPOTenantSettings.SharingDomainRestrictionMode)
    {
        "AllowList"
        {
            Write-Host "`nSPO Allowed DomainList:" $SPOTenantSettings.SharingAllowedDomainList
            $AllowDomainsList = $SPOTenantSettings.SharingAllowedDomainList.Split(' ')
            return  GetJSONForAllowBlockDomainPolicy -AllowDomains $AllowDomainsList
            break;
        }
        "BlockList"
        {
            Write-Host "`nSPO Blocked DomainList:" $SPOTenantSettings.SharingBlockedDomainList
            $BlockDomainsList = $SPOTenantSettings.SharingBlockedDomainList.Split(' ')
            return GetJSONForAllowBlockDomainPolicy -BlockedDomains $BlockDomainsList
            break;
        }
        "None"
        {
            Write-Error "There is no AllowBlockDomainList policy set for this SPO tenant."
            return $null
        }
    }
}

# Gets the existing AzureAD policy for AllowBlockedList if it exists
function GetExistingPolicy
{
    $currentpolicy = Get-AzureADPolicy | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1

    return $currentpolicy;
}

# Print Allowed and Blocked Domain List for the given policy
function PrintAllowBlockedList([String] $defString)
{
    $policyObj = GetObjectFromJson $defString;

    Write-Host "AllowedDomains: " $policyObj.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains
    Write-Host "BlockedDomains: " $policyObj.InvitationsAllowedAndBlockedDomainsPolicy.BlockedDomains
}

# Gets AllowDomainList from the existing policy
function GetExistingAllowedDomainList()
{
    $policy = GetExistingPolicy

    if($policy -ne $null)
    {
        $policyObject = GetObjectFromJson $policy.Definition[0];

        if($policyObject.InvitationsAllowedAndBlockedDomainsPolicy -ne $null -and $policyObject.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains -ne $null)
        {
            Write-Host "Existing Allowed Domain List: " $policyObject.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains
            return $policyObject.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains;
        }
    }

    return $null
}

# Gets BlockDomainList from the existing policy
function GetExistingBlockedDomainList()
{
    $policy = GetExistingPolicy

    if($policy -ne $null)
    {
        $policyObject = GetObjectFromJson $policy.Definition[0];

        if($policyObject.InvitationsAllowedAndBlockedDomainsPolicy -ne $null -and $policyObject.InvitationsAllowedAndBlockedDomainsPolicy.BlockedDomains -ne $null)
        {
            Write-Host "Existing Blocked Domain List: " $policyObject.InvitationsAllowedAndBlockedDomainsPolicy.BlockedDomains
            return $policyObject.InvitationsAllowedAndBlockedDomainsPolicy.BlockedDomains;
        }
    }

    return $null
}

# Main Script which sets the Allow/Block domain list policy according to the parameters specified by the user.
try
{
    $currentpolicy = GetExistingPolicy;
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException]
{
    Write-Error "You must call Connect-AzureAD cmdlet before running this script."
    Exit
}

$policyExist = ($currentpolicy -ne $null)

switch ($PSCmdlet.ParameterSetName)
{
    "Update+BlockList"
    {
        Write-Host "Setting BlockDomainsList for B2BManagementPolicy";
        $policyValue = GetJSONForAllowBlockDomainPolicy -BlockedDomains $BlockList

        break;
    }
    "Update+AllowList"
    {
        Write-Host "Setting AllowedDomainList for B2BManagementPolicy";
        $policyValue = GetJSONForAllowBlockDomainPolicy -AllowDomains $AllowList

        break;
    }
    "Append+BlockList"
    {
        $ExistingBlockList = GetExistingBlockedDomainList

        if($ExistingBlockList -ne $null)
        {
            Write-Host "Appending Block Domain List to the current BlockDomainPolicy."
            $BlockList = $BlockList + $ExistingBlockList
        }
        else
        {
            Write-Host "Existing Block List is empty. Adding the domain list specified."
        }

        $policyValue = GetJSONForAllowBlockDomainPolicy -BlockedDomains $BlockList

        break;
    }
    "Append+AllowList"
    {
        $ExistingAllowList = GetExistingAllowedDomainList

        if($ExistingAllowList -ne $null)
        {
            Write-Host "Appending Allow Domain List to the current AllowDomainPolicy."
            $AllowList = $AllowList + $ExistingAllowList
            Write-Host $AllowList
        }
        else
        {
            Write-Host "Existing Allow List is empty. Adding the domain list specified."
        }

        $policyValue = GetJSONForAllowBlockDomainPolicy -AllowDomains $AllowList

        break;
    }
    "MigrateFromSPOSet"
    {
        $policyValue = GetSPOPolicy

        break;
    }
    "ClearPolicySet"
    {
        if($policyExist -eq $true)
        {
            Write-Host "Removing AzureAd Policy.";
            Remove-AzureADPolicy -Id $currentpolicy.Id | Out-Null
        }
        else
        {
            Write-Host "No policy to Remove."
        }

        Exit
    }
    "ExistingPolicySet"
    {
        if($currentpolicy -ne $null)
        {
            Write-Information "`nCurrent Allow/Block domain list policy:`n"
            PrintAllowBlockedList $currentpolicy.Definition[0];
        }
        else
        {
            Write-Host "No policy found for Allow/Block domain list in AzureAD."
        }

        Exit
    }
    "None"
    {
        Write-Error "`n`tPlease specify valid Parameters!`n`tExecute 'help GuestAllowBlockDomainPolicy.ps1 -examples' for examples."
        Exit
    }
}

if($policyExist -and $policyValue -ne $null)
{
    Write-Host "There is already an existing Policy for Allow/Block domain list."
    Write-Output "`nDetails for the Existing Policy in Azure AD: "
    PrintAllowBlockedList $currentpolicy.Definition[0];

    Write-Host "`nNew Policy Changes:"
    PrintAllowBlockedList $policyValue;

    $title = "Policy Change";
    $message = "Do you want to continue changing existing policy?";
    $yes = New-Object System.Management.Automation.Host.ChoiceDescription "Y"
    $no = New-Object System.Management.Automation.Host.ChoiceDescription "N"

    [System.Management.Automation.Host.ChoiceDescription[]]$options = $no,$yes;
    $confirmation = $host.ui.PromptForChoice($title, $message, $options, 0);

    if ($confirmation -eq 0)
    {
        Exit
    }
    else
    {
        Write-Host "Executing User command."
    }

    Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Out-Null
}
else
{
    New-AzureADPolicy -Definition $policyValue -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true -InformationAction Ignore | Out-Null
}

Write-Output "`nNew AzureAD Policy: "
$currentPolicy = GetExistingPolicy;
PrintAllowBlockedList $currentpolicy.Definition[0];

Exit
 
顯示: