# AADCrossTenantAccessPolicyConfigurationDefault

## Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| IsSingleInstance | Key | String | Only valid value is 'Yes'. | Yes |
| B2BCollaborationInbound | Write | MSFT_AADCrossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. | |
| B2BCollaborationOutbound | Write | MSFT_AADCrossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. | |
| B2BDirectConnectInbound | Write | MSFT_AADCrossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. | |
| B2BDirectConnectOutbound | Write | MSFT_AADCrossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. | |
| InboundTrust | Write | MSFT_AADCrossTenantAccessPolicyInboundTrust | Determines the partner-specific configuration for trusting other Conditional Access claims from external Azure AD organizations. | |
| InvitationRedemptionIdentityProviderConfiguration | Write | MSFT_AADDefaultInvitationRedemptionIdentityProviderConfiguration | Defines the priority order based on which an identity provider is selected during invitation redemption for a guest user. | |
| TenantRestrictions | Write | MSFT_AADCrossTenantAccessPolicyTenantRestrictions | Defines the default tenant restrictions configuration for users in your organization who access an external organization on your network or devices. | |
| Ensure | Write | String | Specify if the instance should exist or not. | Present |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |
## Embedded Instances

### MSFT_AADCrossTenantAccessPolicyTarget

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| Target | Write | String | The unique identifier of the user, group, or application; one of the keywords AllUsers or AllApplications; or, for targets that are applications, one of the reserved values. | |
| TargetType | Write | String | The type of resource that you want to target. The possible values are: user, group, application, unknownFutureValue. | user, group, application, unknownFutureValue |
### MSFT_AADCrossTenantAccessPolicyTargetConfiguration

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| AccessType | Write | String | Defines whether access is allowed or blocked. The possible values are: allowed, blocked, unknownFutureValue. | allowed, blocked, unknownFutureValue |
| Targets | Write | MSFT_AADCrossTenantAccessPolicyTarget[] | Specifies whether to target users, groups, or applications with this rule. | |
### MSFT_AADCrossTenantAccessPolicyB2BSetting

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| Applications | Write | MSFT_AADCrossTenantAccessPolicyTargetConfiguration | The list of applications targeted with your cross-tenant access policy. | |
| UsersAndGroups | Write | MSFT_AADCrossTenantAccessPolicyTargetConfiguration | The list of users and groups targeted with your cross-tenant access policy. | |
### MSFT_AADCrossTenantAccessPolicyInboundTrust

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| IsCompliantDeviceAccepted | Write | Boolean | Specifies whether compliant devices from external Azure AD organizations are trusted. | |
| IsHybridAzureADJoinedDeviceAccepted | Write | Boolean | Specifies whether hybrid Azure AD joined devices from external Azure AD organizations are trusted. | |
| IsMfaAccepted | Write | Boolean | Specifies whether MFA from external Azure AD organizations is trusted. | |
### MSFT_AADDefaultInvitationRedemptionIdentityProviderConfiguration

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| PrimaryIdentityProviderPrecedenceOrder | Write | StringArray[] | Collection of identity providers in priority order of preference to be used for guest invitation redemption. The possible values are: azureActiveDirectory, externalFederation, or socialIdentityProviders. | azureActiveDirectory, externalFederation, socialIdentityProviders |
| FallbackIdentityProvider | Write | String | The fallback identity provider to be used in case no primary identity provider can be used for guest invitation redemption. The possible values are: defaultConfiguredIdp, emailOneTimePasscode, or microsoftAccount. | defaultConfiguredIdp, emailOneTimePasscode, microsoftAccount |
### MSFT_AADDevicesFilter

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| Mode | Write | String | Determines whether devices that satisfy the rule should be allowed or blocked. The possible values are: allowed, blocked. | allowed, blocked |
| Rule | Write | String | Defines the rule to filter the devices. For example, `device.deviceAttribute2 -eq 'PrivilegedAccessWorkstation'`. | |
### MSFT_AADCrossTenantAccessPolicyTenantRestrictions

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| Applications | Write | MSFT_AADCrossTenantAccessPolicyTargetConfiguration | The list of applications targeted with your cross-tenant access policy. | |
| Devices | Write | MSFT_AADDevicesFilter | Defines the rule for filtering devices and whether devices satisfying the rule should be allowed or blocked. This property isn't supported on the server side yet. | |
| UsersAndGroups | Write | MSFT_AADCrossTenantAccessPolicyTargetConfiguration | The list of users and groups targeted with your cross-tenant access policy. | |
## Description

This resource manages the default configuration of the Azure AD cross-tenant access policy.

## Permissions

### Microsoft Graph

To authenticate with the Microsoft Graph API, this resource requires the following permissions:

#### Delegated permissions

- Read
    - Policy.Read.All
- Update
    - Policy.ReadWrite.CrossTenantAccess

#### Application permissions

- Read
    - Policy.Read.All
- Update
    - Policy.ReadWrite.CrossTenantAccess
## Examples

### Example 1

This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADCrossTenantAccessPolicyConfigurationDefault "AADCrossTenantAccessPolicyConfigurationDefault"
        {
            B2BCollaborationInbound = MSFT_AADCrossTenantAccessPolicyB2BSetting {
                Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'allowed'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllApplications'
                            TargetType = 'application'
                        }
                    )
                }
                UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'allowed'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllUsers'
                            TargetType = 'user'
                        }
                    )
                }
            }
            B2BCollaborationOutbound = MSFT_AADCrossTenantAccessPolicyB2BSetting {
                Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'allowed'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllApplications'
                            TargetType = 'application'
                        }
                    )
                }
                UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'allowed'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllUsers'
                            TargetType = 'user'
                        }
                    )
                }
            }
            B2BDirectConnectInbound = MSFT_AADCrossTenantAccessPolicyB2BSetting {
                Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'blocked'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllApplications'
                            TargetType = 'application'
                        }
                    )
                }
                UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'blocked'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllUsers'
                            TargetType = 'user'
                        }
                    )
                }
            }
            B2BDirectConnectOutbound = MSFT_AADCrossTenantAccessPolicyB2BSetting {
                Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'blocked'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllApplications'
                            TargetType = 'application'
                        }
                    )
                }
                UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration{
                    AccessType = 'blocked'
                    Targets = @(
                        MSFT_AADCrossTenantAccessPolicyTarget{
                            Target = 'AllUsers'
                            TargetType = 'user'
                        }
                    )
                }
            }
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
            Ensure                = "Present";
            InboundTrust = MSFT_AADCrossTenantAccessPolicyInboundTrust {
                IsCompliantDeviceAccepted           = $False
                IsHybridAzureADJoinedDeviceAccepted = $False
                IsMfaAccepted                       = $False
            }
            IsSingleInstance      = "Yes";
        }
    }
}
```
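The following is an added example, not from the Microsoft365DSC project or its documentation, that sets the two embedded instances Example 1 leaves unset (InvitationRedemptionIdentityProviderConfiguration and TenantRestrictions) alongside InboundTrust; the resource, class and property names are those documented above, while the configuration name and the policy values chosen are assumptions for illustration.

```powershell
# Added example (not project code); configuration name and policy values are assumptions.
Configuration CrossTenantDefaultExample
{
    param(
        [Parameter()] [System.String] $ApplicationId,
        [Parameter()] [System.String] $TenantId,
        [Parameter()] [System.String] $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    Node localhost
    {
        AADCrossTenantAccessPolicyConfigurationDefault "CrossTenantDefault"
        {
            IsSingleInstance      = "Yes"
            Ensure                = "Present"
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
            # Trust MFA and compliant-device claims from the guest's home tenant,
            # but not hybrid Azure AD joined device claims.
            InboundTrust = MSFT_AADCrossTenantAccessPolicyInboundTrust {
                IsMfaAccepted                       = $True
                IsCompliantDeviceAccepted           = $True
                IsHybridAzureADJoinedDeviceAccepted = $False
            }
            # Guests redeem invitations with their home Azure AD first, then
            # external federation; fall back to an email one-time passcode
            # rather than a personal Microsoft account.
            InvitationRedemptionIdentityProviderConfiguration = MSFT_AADDefaultInvitationRedemptionIdentityProviderConfiguration {
                PrimaryIdentityProviderPrecedenceOrder = @('azureActiveDirectory', 'externalFederation')
                FallbackIdentityProvider               = 'emailOneTimePasscode'
            }
            # Default tenant restrictions: all users on your network or devices are
            # blocked from all applications in external tenants. Devices is left unset.
            TenantRestrictions = MSFT_AADCrossTenantAccessPolicyTenantRestrictions {
                Applications = MSFT_AADCrossTenantAccessPolicyTargetConfiguration {
                    AccessType = 'blocked'
                    Targets    = @(MSFT_AADCrossTenantAccessPolicyTarget { Target = 'AllApplications'; TargetType = 'application' })
                }
                UsersAndGroups = MSFT_AADCrossTenantAccessPolicyTargetConfiguration {
                    AccessType = 'blocked'
                    Targets    = @(MSFT_AADCrossTenantAccessPolicyTarget { Target = 'AllUsers'; TargetType = 'user' })
                }
            }
        }
    }
}
```

Compile with the three certificate-authentication parameters and apply with Start-DscConfiguration; the B2B collaboration and direct connect settings keep whatever the tenant already has because they are not declared here.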