AADExternalIdentityPolicy

Parameters

Parameter Attribute DataType Description Allowed Values
IsSingleInstance Key String Only valid value is 'Yes'. Yes
AllowDeletedIdentitiesDataRemoval Write Boolean Reserved for future use.
allowExternalIdentitiesToLeave Required Boolean Defines whether external users can leave the guest tenant. If set to false, self-service controls are disabled, and the admin of the guest tenant must manually remove the external user from the guest tenant. When the external user leaves the tenant, their data in the guest tenant is first soft-deleted then permanently deleted in 30 days.
Credential Write PSCredential Credentials for the Microsoft Graph delegated permissions.
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory application to authenticate with.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.
AccessTokens Write StringArray[] Access token used for authentication.

Description

Represents the tenant-wide policy that controls whether external users can leave the guest Microsoft Entra tenant via self-service controls.

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • None
  • Update

    • None

Application permissions

  • Read

    • Policy.Read.All
  • Update

    • Policy.ReadWrite.ExternalIdentities

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADExternalIdentityPolicy "AADExternalIdentityPolicy"
        {
            AllowDeletedIdentitiesDataRemoval = $False;
            AllowExternalIdentitiesToLeave    = $True;
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
            IsSingleInstance                  = "Yes";
        }
    }
}