Controlling External Communications per user in Skype for Business Online with PowerShell

Controlling the external communications feature for Skype for Business Online (SfB) is hardly something new; the option has been available for years now. Recently, a question popped up on the Yammer Office 365 Network about how to bulk-control these settings per user, which prompted me to write this article.

Now, the SfB Online admin portal does offer you the option to multi-select users and bulk-edit their External communications settings. Selecting just the right set of users, however, can be a problem, as the list is limited to 250 results per page and the filtering options are not that great. And it will probably involve a lot of clicking 🙂

As usual in such situations, PowerShell comes to the rescue. In particular, you will need to have the SfB Online PowerShell module installed, which you can obtain here. After connecting, you can get a list of the relevant cmdlets via:

PS C:\> Get-Command *-CsExternal*

CommandType     Name                            Version    Source
-----------     ----                            -------    ------
Function        Get-CsExternalAccessPolicy      1.0        tmp_3t3bzzpc.zli
Function        Grant-CsExternalAccessPolicy    1.0        tmp_3t3bzzpc.zli

Compared to on-premises SfB, we don’t have the ability to create a new external access policy or modify an existing one (so the New- and Set-CsExternalAccessPolicy cmdlets are missing), but that’s expected. Instead, we can only choose from one of the available policies (some restrictions apply here as well, so make sure to use the –ApplicableTo parameter with the identity of a user; user@domain.com below is a placeholder):

PS C:\> Get-CsExternalAccessPolicy -ApplicableTo user@domain.com | ft Identity, Enable*

Identity                    EnableFederationAccess EnableXmppAccess EnablePublicCloudAccess EnablePublicCloudAudioVideoAccess EnableOutsideAccess
--------                    ---------------------- ---------------- ----------------------- --------------------------------- -------------------
Tag:FederationAndPICDefault True                   False            True                    True                              True
Tag:FederationOnly          True                   False            False                   False                             True
Tag:NoFederationAndPIC      False                  False            False                   False                             True

The default policy is FederationAndPICDefault and as you can see from the above output, all settings are enabled for it (apart from Xmpp, which is simply not available for SfB Online). So basically you have three options, similar to the ones in the UI: enable federation with other organizations and Skype consumer, enable federation with other organizations only, and disable all federation features.

Once you have selected the policy to apply, all you need to do is run the Grant-CsExternalAccessPolicy cmdlet. You need to provide the identity of the user and the identity of the policy, simple as that. But of course we would like to bulk-edit this for a set of users, so here are a few examples. First, let’s disable public IM connectivity for all members of a particular department, say the “Service desk” one:

PS C:\> Get-CsOnlineUser -Filter {Department -eq "Service desk" -and Enabled -eq $true} | Grant-CsExternalAccessPolicy -PolicyName FederationOnly

Simple stuff, right? It gets a bit trickier if the attribute on which you want to filter the users is not exposed via the Get-CsOnlineUser cmdlet. For example, we might be using one of the customAttributeXX to designate such users. In order to filter them out, we can use one of the Exchange related cmdlets, such as Get-Mailbox, then feed the output to the SfB cmdlets. Here’s how:

PS C:\> Get-Mailbox -Filter {customattribute1 -eq "NoIM"} | select UserPrincipalName | % { Get-CsOnlineUser -Filter ([scriptblock]::create("UserPrincipalName -eq '$($_.UserPrincipalName)' -and Enabled -eq '$true'")) | Grant-CsExternalAccessPolicy -PolicyName FederationOnly }

OK, it’s a bit complicated, I know. So we use Get-Mailbox to list all users with customattribute1 set to “NoIM”, then get their UserPrincipalName. We then pass the UserPrincipalName as part of the Filter for Get-CsOnlineUser and make sure that only SfB-enabled users are returned. Lastly, we run the Grant-CsExternalAccessPolicy and specify the policy we need. It will probably be much easier to just store the result in a temporary variable or a CSV file instead 🙂
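The "temporary variable or a CSV file" approach mentioned above, written out as an added example (not part of the original article). It assumes the Exchange Online and SfB Online sessions are both connected in the same window, and the CSV path is a hypothetical name. Each user is looked up with -Identity, so no filter string is built from the UPN; a UPN containing an apostrophe would break the interpolated filter in the one-liner.

```powershell
# Added example: staged version of the one-liner, with a record of prior state.
$policy  = 'FederationOnly'                      # one of the three policies listed earlier
$logPath = '.\ExternalAccessPolicy-before.csv'   # hypothetical path for the audit/rollback record

# 1. Collect the target UPNs once from Exchange Online.
$upns = Get-Mailbox -Filter {CustomAttribute1 -eq "NoIM"} -ResultSize Unlimited |
    Select-Object -ExpandProperty UserPrincipalName

# 2. Resolve each UPN to an SfB Online user and keep only SfB-enabled accounts.
#    Warnings go to the warning stream, so $targets holds user objects only.
$targets = foreach ($upn in $upns) {
    $user = Get-CsOnlineUser -Identity $upn -ErrorAction SilentlyContinue
    if ($user -and $user.Enabled) {
        $user
    } else {
        Write-Warning "Skipped $upn (not found in SfB Online or not enabled)"
    }
}

# 3. Record who is about to change and which policy they had before.
$targets |
    Select-Object UserPrincipalName, ExternalAccessPolicy |
    Export-Csv -Path $logPath -NoTypeInformation

# 4. Preview the change, then apply it.
$targets | Grant-CsExternalAccessPolicy -PolicyName $policy -WhatIf
$targets | Grant-CsExternalAccessPolicy -PolicyName $policy
```

The CSV doubles as a change record: it lists exactly which accounts were touched and what they were assigned beforehand, which a blanket reset to the default policy would not preserve.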

After we have played with the external communication settings for a group of users, we might want to reset them to the default value. This can easily be done with the below cmdlet:

PS C:\> Get-CsOnlineUser -Filter {Enabled -eq $true -and ExternalAccessPolicy -ne "FederationAndPICDefault"} | Grant-CsExternalAccessPolicy -PolicyName FederationAndPICDefault

PowerShell rocks!

8 thoughts on “Controlling External Communications per user in Skype for Business Online with PowerShell”

  1. claudio says:


    I have this question.
    Your company has an Office 365 subscription. Users at the company use Microsoft Skype for Business to send instant messages to internal users, external partners, and users on the consumer version of Skype.
    You discover that the Skype for Business users fail to communicate with users on Google Hangout.
    You need to ensure that the Skype for Business users can send instant messages to the Google Hangout users.
    Solution: You run the New-CSExternalAccessPolicy –identity New_Policy -EnableXmppAccess $true | Grant-CSExternalAccessPolicy command.
    Does this meet the goal?
    A. Yes
    B. NO

    I think that is NO. Can you tell me if that is correct?

    1. Vasil Michev says:

      XMPP is NOT supported in O365/Skype for Business Online.

  2. Piyush says:

    Is it possible to enable the communication of an SFB account with certain users in an organisation, and additionally some users outside the network? I want an SFB account that will only be visible to certain employees of a company and is also able to send communication via IM to external networks as well.

    1. Vasil Michev says:

      Ethical firewalls are not yet supported for SfB Online.

  3. Linh NN says:

    I tried to run Grant-CsExternalAccessPolicy -PolicyName FederationOnly for a user. But I think it makes the user unable to connect to Skype consumer, while that user can still connect to other Skype for Business users. Is there any way to completely turn off external communication for a user?

    1. Vasil Michev says:

      That’s the expected behavior for FederationOnly, it means the user will only be allowed to communicate with federated domains. You can control the list of domains to only allow specific ones.

      To completely disable external communications, use the “NoFederationAndPIC” policy.

  4. Michael says:

    Is there any way possible that you know of that we can toggle off or on the capability of using the mobile Skype for Business app? In Skype online, there is just about no flexibility here and it seems that we cannot control this. Any guidance would be super helpful.

