Set-CsTenantFederationConfiguration
Manages federation configuration settings for your Skype for Business Online tenants. These settings are used to determine which domains (if any) your users are allowed to communicate with.
Syntax
Set-CsTenantFederationConfiguration
[-Tenant <Guid>]
[-AllowedDomains <IAllowedDomainsChoice>]
[-BlockedDomains <List>]
[-BlockAllSubdomains <Boolean>]
[-AllowFederatedUsers <Boolean>]
[-AllowPublicUsers <Boolean>]
[-AllowTeamsConsumer <Boolean>]
[-AllowTeamsConsumerInbound <Boolean>]
[-TreatDiscoveredPartnersAsUnverified <Boolean>]
[-SharedSipAddressSpace <Boolean>]
[-RestrictTeamsConsumerToExternalUserProfiles <Boolean>]
[-AllowedDomainsAsAList <List>]
[-ExternalAccessWithTrialTenants <ExternalAccessWithTrialTenantsType>]
[-CustomizeFederation <Boolean>]
[-AllowedTrialTenantDomains <List>]
[[-Identity] <XdsIdentity>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Set-CsTenantFederationConfiguration
[-Tenant <Guid>]
[-AllowedDomains <IAllowedDomainsChoice>]
[-BlockedDomains <List>]
[-BlockAllSubdomains <Boolean>]
[-AllowFederatedUsers <Boolean>]
[-AllowPublicUsers <Boolean>]
[-TreatDiscoveredPartnersAsUnverified <Boolean>]
[-SharedSipAddressSpace <Boolean>]
[-RestrictTeamsConsumerToExternalUserProfiles <Boolean>]
[-AllowedDomainsAsAList <List>]
[-CustomizeFederation <Boolean>]
[-Instance <PSObject>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Federation is a service that enables users to exchange IM and presence information with users from other domains. With Skype for Business Online, administrators can use the federation configuration settings to govern:
- Whether or not users can communicate with people from other domains and if so, which domains they are allowed to communicate with.
- Whether or not users can communicate with people who have accounts on public IM and presence providers such as Windows Live, Skype, or people using Microsoft Teams with an account that's not managed by an organization.
Administrators can use the Set-CsTenantFederationConfiguration cmdlet to enable and disable federation with other domains and federation with public providers.
In addition, this cmdlet can be used to expressly indicate the domains that users can communicate with and/or the domains that users are not allowed to communicate with.
However, administrators must use the Set-CsTenantPublicProvider cmdlet in order to indicate the public IM and presence providers that users can and cannot communicate with.
Examples
-------------------------- Example 1 --------------------------
Set-CsTenantFederationConfiguration -AllowPublicUsers $False
The command shown in Example 1 disables communication with public providers for the current tenant.
-------------------------- Example 2 --------------------------
$x = New-CsEdgeDomainPattern -Domain "fabrikam.com"
Set-CsTenantFederationConfiguration -BlockedDomains @{Replace=$x}
In Example 2, the domain fabrikam.com is assigned as the only domain on the blocked domains list for the current tenant.
To do this, the first command in the example uses the New-CsEdgeDomainPattern cmdlet to create a new domain object for fabrikam.com.
This domain object is stored in a variable named $x.
The second command in the example then uses the Set-CsTenantFederationConfiguration cmdlet to update the blocked domains list.
Using the Replace method ensures that the existing blocked domains list will be replaced by the new list: a list that contains only the domain fabrikam.com.
-------------------------- Example 3 --------------------------
$x = New-CsEdgeDomainPattern -Domain "fabrikam.com"
Set-CsTenantFederationConfiguration -BlockedDomains @{Remove=$x}
The commands shown in Example 3 remove fabrikam.com from the list of domains blocked by the current tenant.
To do this, the first command in the example uses the New-CsEdgeDomainPattern cmdlet to create a domain object for fabrikam.com.
The resulting domain object is then stored in a variable named $x.
The second command in the example then uses the Set-CsTenantFederationConfiguration cmdlet and the Remove method to remove fabrikam.com from the blocked domains list for the specified tenant.
-------------------------- Example 4 --------------------------
$x = New-CsEdgeDomainPattern -Domain "fabrikam.com"
Set-CsTenantFederationConfiguration -BlockedDomains @{Add=$x}
The commands shown in Example 4 add the domain fabrikam.com to the list of domains blocked by the current tenant.
To add a new blocked domain, the first command in the example uses the New-CsEdgeDomainPattern cmdlet to create a domain object for fabrikam.com.
This object is stored in a variable named $x.
After the domain object has been created, the second command then uses the Set-CsTenantFederationConfiguration cmdlet and the Add method to add fabrikam.com to any domains already on the blocked domains list.
-------------------------- Example 5 --------------------------
Set-CsTenantFederationConfiguration -BlockedDomains $Null
Example 5 shows how you can remove all the domains assigned to the blocked domains list for the current tenant. To do this, simply include the BlockedDomains parameter and set the parameter value to null ($Null). When this command completes, the blocked domain list will be cleared.
-------------------------- Example 6 --------------------------
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list
Example 6 shows how you can replace domains in the Allowed Domains using a List collection object. First, a List collection is created and domains are added to it. Then, include the AllowedDomainsAsAList parameter and set the parameter value to the List object. When this command completes, the allowed domains list will be replaced with those domains.
-------------------------- Example 7 --------------------------
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add=$list}
Example 7 shows how you can add domains to the existing Allowed Domains using a List object. First, a List is created and domains are added to it. Then, use the Add method in the AllowedDomainsAsAList parameter to add the domains to the existing allowed domains list. When this command completes, the domains in the list will be added to any domains already on the AllowedDomains list.
-------------------------- Example 8 --------------------------
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Remove=$list}
Example 8 shows how you can remove domains from the existing Allowed Domains using a List object. First, a List is created and domains are added to it. Then, use the Remove method in the AllowedDomainsAsAList parameter to remove the domains from the existing allowed domains list. When this command completes, the domains in the list will be removed from the AllowedDomains list.
-------------------------- Example 9 --------------------------
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $True -AllowTeamsConsumerInbound $False
The command shown in Example 9 enables communication with people using Teams with an account that's not managed by an organization, but only when it is initiated by people in your organization. This means that people using Teams with an account that's not managed by an organization will not be able to discover or start a conversation with people in your organization.
-------------------------- Example 10 -------------------------
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -BlockedDomains $list
Set-CsTenantFederationConfiguration -BlockAllSubdomains $True
Example 10 shows how you can block all subdomains of the domains in the BlockedDomains list. In this example, all users from contoso.com and fabrikam.com will be blocked. When BlockAllSubdomains is enabled, all users from all subdomains of all domains in the BlockedDomains list will also be blocked. So, users from subdomain.contoso.com and subdomain.fabrikam.com will be blocked. Note: Users from subcontoso.com will not be blocked because it's a completely different domain rather than a subdomain of contoso.com.
-------------------------- Example 11 -------------------------
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed"
Example 11 shows how you can allow users to communicate with users in tenants that contain only trial licenses (default value is Blocked).
-------------------------- Example 12 --------------------------
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains $list
Using the AllowedTrialTenantDomains parameter, you can whitelist specific "trial-only" tenant domains, while keeping the ExternalAccessWithTrialTenants set to Blocked. Example 12 shows how you can set or replace domains in the Allowed Trial Tenant Domains using a List collection object.
First, a List collection is created and domains are added to it. Then, include the AllowedTrialTenantDomains parameter and set the parameter value to the List object.
When this command completes, the Allowed Trial Tenant Domains list will be replaced with those domains.
-------------------------- Example 13 --------------------------
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains @{Add=$list}
Example 13 shows how you can add domains to the existing Allowed Trial Tenant Domains using a List collection object.
First, a List is created and domains are added to it. Then, use the Add method in the AllowedTrialTenantDomains parameter to add the domains to the existing allowed domains list.
When this command completes, the domains in the list will be added to any domains already on the Allowed Trial Tenant Domains list.
-------------------------- Example 14 --------------------------
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
Set-CsTenantFederationConfiguration -AllowedTrialTenantDomains @{Remove=$list}
Example 14 shows how you can remove domains from the existing Allowed Trial Tenant Domains using a List collection object.
First, a List is created and domains are added to it. Then, use the Remove method in the AllowedTrialTenantDomains parameter to remove the domains from the existing allowed domains list.
When this command completes, the domains in the list will be removed from the Allowed Trial Tenant Domains list.
-------------------------- Example 15 -------------------------
Set-CsTenantFederationConfiguration -CustomizeFederation $True
Example 15 shows how you can enable the feature where you can customize your federation in ExternalAccessPolicy.
Parameters
-AllowedDomains
Domain objects (created by using the New-CsEdgeAllowList cmdlet or the New-CsEdgeAllowAllKnownDomains cmdlet) that represent the domains that users are allowed to communicate with.
If the New-CsEdgeAllowAllKnownDomains cmdlet is used then users can communicate with any domain that does not appear on the blocked domains list.
If the New-CsEdgeAllowList cmdlet is used then users can only communicate with domains that have been added to the allowed domains list.
Note that string values cannot be passed directly to the AllowedDomains parameter.
Instead, you must create an object reference using the New-CsEdgeAllowList cmdlet or the New-CsEdgeAllowAllKnownDomains cmdlet and then use the object reference variable as the parameter value.
The AllowedDomains parameter can support up to 4,000 domains.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-AllowedDomainsAsAList
You can specify allowed domains using a List object that contains the domains that users are allowed to communicate with. See Examples section.
Type: | List |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-AllowedTrialTenantDomains
You can whitelist specific "trial-only" tenant domains, while keeping the ExternalAccessWithTrialTenants set to Blocked. This will allow you to protect your organization against the majority of tenants that don't have any paid subscriptions, while still being able to collaborate externally with those trusted trial-tenants in the list.
Note:
- The list supports a maximum of 4k domains.
- If ExternalAccessWithTrialTenants is set to Allowed, then the AllowedTrialTenantDomains list will not be checked.
- Any domain in this list that belongs to a tenant with paid subscriptions will be ignored.
Type: | List |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-AllowFederatedUsers
When set to True (the default value) users will be potentially allowed to communicate with users from other domains. If this property is set to False then users cannot communicate with users from other domains regardless of the values assigned to the AllowedDomains and BlockedDomains properties.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-AllowPublicUsers
When set to True (the default value) users will be potentially allowed to communicate with users who have accounts on public IM and presence providers such as Windows Live, Yahoo, and AOL.
The collection of public providers that users can actually communicate with is managed by using the Set-CsTenantPublicProvider cmdlet.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-AllowTeamsConsumer
Allows federation with people using Teams with an account that's not managed by an organization.
Type: | Boolean |
Position: | Named |
Default value: | True |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AllowTeamsConsumerInbound
Allows people using Teams with an account that's not managed by an organization to discover and start communication with users in your organization. When -AllowTeamsConsumer is enabled and this parameter is disabled, only the users in your organization will be able to discover and start communication with people using Teams with an account that's not managed by an organization; those people will not be able to discover and start communication with users in your organization.
Type: | Boolean |
Position: | Named |
Default value: | True |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BlockAllSubdomains
If the BlockedDomains parameter is used, then BlockAllSubdomains can be used to activate blocking of all subdomains. If the BlockedDomains parameter is ignored, then BlockAllSubdomains is also ignored. Just as with BlockedDomains, users will be disallowed from communicating with users from blocked domains, but all subdomains of the domains in this list will also be blocked.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Skype for Business Online |
-BlockedDomains
If the AllowedDomains property has been set to AllowAllKnownDomains, then users will be allowed to communicate with users from any domain except domains that appear in the blocked domains list. If the AllowedDomains property has not been set to AllowAllKnownDomains, then the blocked list is ignored, and users can only communicate with domains that have been expressly added to the allowed domains list. The BlockedDomains parameter can support up to 4,000 domains.
Type: | List |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
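The decision rules described for AllowFederatedUsers, AllowedDomains, BlockedDomains and BlockAllSubdomains can be modelled offline to review a planned configuration before applying it. The following is an added example, not part of the original documentation or Microsoft's code: the Test-FederationDomainAllowed function, the settings objects and the AllowAllKnownDomains flag are hypothetical, and exact-match comparison of allow-list entries is an assumption.

```powershell
# Added example: an offline model of the rules on this page, not Microsoft code.
# AllowAllKnownDomains is a hypothetical Boolean standing in for the choice made
# with New-CsEdgeAllowAllKnownDomains (True) or New-CsEdgeAllowList (False).
function Test-FederationDomainAllowed {
    param(
        [Parameter(Mandatory)] [psobject] $Settings,
        [Parameter(Mandatory)] [string]   $Domain
    )
    $d = $Domain.Trim().TrimEnd('.').ToLowerInvariant()
    $verdict = {
        param([bool] $Allowed, [string] $Reason)
        [pscustomobject]@{ Domain = $d; Allowed = $Allowed; Reason = $Reason }
    }

    # AllowFederatedUsers = False wins regardless of either list.
    if (-not $Settings.AllowFederatedUsers) {
        return (& $verdict $false 'AllowFederatedUsers is False')
    }

    if ($Settings.AllowAllKnownDomains) {
        foreach ($entry in $Settings.BlockedDomains) {
            $b = ([string] $entry).ToLowerInvariant()
            # A subdomain must end in "." + blocked domain, so subcontoso.com
            # is not treated as a subdomain of contoso.com.
            $isSub = $Settings.BlockAllSubdomains -and
                     $d.EndsWith(".$b", [System.StringComparison]::Ordinal)
            if ($d -eq $b -or $isSub) {
                return (& $verdict $false "Blocked by entry '$b'")
            }
        }
        return (& $verdict $true 'Allow-all mode, not on blocked list')
    }

    # Allow-list mode: the blocked list is ignored entirely.
    # Assumption: allow-list entries are compared as exact domain names.
    foreach ($entry in $Settings.AllowedDomains) {
        if ($d -eq ([string] $entry).ToLowerInvariant()) {
            return (& $verdict $true 'On allowed list')
        }
    }
    return (& $verdict $false 'Allow-list mode, not on allowed list')
}

# Constructed settings mirroring Example 10 (allow-all mode plus subdomain blocking).
$allowAll = [pscustomobject]@{
    AllowFederatedUsers  = $true
    AllowAllKnownDomains = $true
    AllowedDomains       = @()
    BlockedDomains       = @('contoso.com', 'fabrikam.com')
    BlockAllSubdomains   = $true
}
# Constructed settings: same blocked list, but allow-list mode with one partner domain.
$allowList = [pscustomobject]@{
    AllowFederatedUsers  = $true
    AllowAllKnownDomains = $false
    AllowedDomains       = @('northwindtraders.com')
    BlockedDomains       = @('contoso.com', 'fabrikam.com')
    BlockAllSubdomains   = $true
}
$probe = 'contoso.com', 'subdomain.contoso.com', 'subcontoso.com', 'northwindtraders.com'
foreach ($s in $allowAll, $allowList) {
    $probe | ForEach-Object { Test-FederationDomainAllowed -Settings $s -Domain $_ } |
        Format-Table -AutoSize
}
```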
-Confirm
Prompts you for confirmation before executing the command.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-CustomizeFederation
Defines whether more customized federation settings are enabled in ExternalAccessPolicy. For example, when this is true, if the AllowedDomains includes [a.com, b.com], but the AllowedExternalDomains of the ExternalAccessPolicy includes [c.com], then users assigned the ExternalAccessPolicy will only be allowed to access c.com; all other users will have access to a.com and b.com as defined in AllowedDomains.
Possible values: True, False
Type: | Boolean |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExternalAccessWithTrialTenants
When set to 'Blocked', all external access with users from Teams subscriptions that contain only trial licenses will be blocked. This means users from these trial-only tenants will not be able to reach your users via chats, Teams calls, and meetings (using the user's authenticated identity) and your users will not be able to reach users in these trial-only tenants. If this setting is set to "Blocked", users from the trial-only tenant will also be removed from existing chats.
Allowed - Communication with other tenants is allowed based on other settings.
Blocked - Communication with users in tenants that contain only trial licenses will be blocked.
Type: | ExternalAccessWithTrialTenantsType |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-Force
Suppresses the display of any non-fatal error message that might arise when running the command.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-Identity
Specifies the collection of tenant federation configuration settings to be modified.
Because each tenant is limited to a single, global collection of federation settings there is no need to include this parameter when calling the Set-CsTenantFederationConfiguration cmdlet.
If you do choose to use the Identity parameter you must also include the Tenant parameter.
For example:
Set-CsTenantFederationConfiguration -Tenant "bf19b7db-6960-41e5-a139-2aa373474354" -Identity "global"
Type: | XdsIdentity |
Position: | 2 |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-Instance
Allows you to pass a reference to an object to the cmdlet rather than set individual parameter values.
Type: | PSObject |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-RestrictTeamsConsumerToExternalUserProfiles
Defines if a user is restricted to collaboration with Teams Consumer (TFL) users only in Extended Directory. Possible values: True, False
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SharedSipAddressSpace
When set to True, indicates that the users homed on Skype for Business Online use the same SIP domain as users homed on the on-premises version of Skype for Business Server. The default value is False, meaning that the two sets of users have different SIP domains.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-Tenant
Globally unique identifier (GUID) of the tenant account whose federation settings are being modified. For example:
-Tenant "38aad667-af54-4397-aaa7-e94c79ec2308"
You can return your tenant ID by running this command:
Get-CsTenant | Select-Object DisplayName, TenantID
If you are using a remote session of Windows PowerShell and are connected only to Skype for Business Online you do not have to include the Tenant parameter. Instead, the tenant ID will automatically be filled in for you based on your connection information. The Tenant parameter is primarily for use in a hybrid deployment.
Type: | Guid |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-TreatDiscoveredPartnersAsUnverified
When set to True, messages sent from discovered partners are considered unverified. That means that those messages will be delivered only if they were sent from a person who is on the recipient's Contacts list. The default value is False ($False).
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
-WhatIf
Describes what would happen if you executed the command without actually executing the command.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Microsoft Teams |
Inputs
The Set-CsTenantFederationConfiguration cmdlet accepts pipelined instances of the Microsoft.Rtc.Management.WritableConfig.Settings.Edge.TenantFederationSettings object.
Outputs
None.
Instead, the Set-CsTenantFederationConfiguration cmdlet modifies existing instances of the Microsoft.Rtc.Management.WritableConfig.Settings.Edge.TenantFederationSettings object.