Skype Online: Automatically assign federation policy


This week I had a customer that moved from Skype for Business on-premises to Skype Online. He was used to be able to choose default federation policy for his users, and if a user needed federation he added them to an AD group.  The problem in Skype Online is that you cant choose what ExternalAccessPolicy that is default. In my tenant the default one is FederationAndPICDefault. The customer wanted it to be NoFederationAndPIC.

So what could about that? I created an AD group called AllowFederationSkypeOnline. Then I created a script that finds every Skype Online user that is not a member of this group, and give them the ExternalAccessPolicy NoFederationAndPIC if they have not been assigned this one already. Then the script gives every member of the group the policy FederationAndPICDefault policy if they have not been assigned this policy.

Now you just need to set up this as a scheduled task at a suitable interval.

#"password" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\Scripts\password.txt"

$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "[email protected]", (Get-Content "C:\Scripts\password.txt" | ConvertTo-SecureString)
$sfb = New-CsOnlineSession -Credential $Credentials
Import-PSSession $sfb

$results = @()
$users = Get-ADUser  -Properties memberof -SearchBase "OU=Users,DC=Contoso,DC=com" -Filter *
foreach ($user in $users) {
    $groups = $user.memberof -join ';'
    $results += New-Object psObject -Property @{'User'=$;'Groups'= $groups;'UPN'=$user.UserPrincipalName}
$results2 = $results | Where-Object { $_.groups -notmatch 'AllowFederationSkypeOnline' } | Select-Object user,upn

$UsersNoFederation = $results2.UPN | Get-CsOnlineUser | Select-Object UserPrincipalName,ExternalAccessPolicy
foreach($UserNoFederation in $UsersNoFederation){
If($UserNoFederation.ExternalAccessPolicy -notmatch 'NoFederationAndPIC') {
    Grant-CsExternalAccessPolicy -Identity $UserNoFederation.UserPrincipalName -PolicyName 'NoFederationAndPIC'

$FederatedUser = Get-ADGroupMember 'Skype-AllowedFederation' | Get-ADUser | Select-Object userprincipalname
$FederatedUsersSkype = $FederatedUser.UserPrincipalName | Get-CsOnlineUser

foreach($FederatedUserSkype in $FederatedUsersSkype){
If($FederatedUserSkype.ExternalAccessPolicy -notmatch 'FederationAndPICDefault') {

    Grant-CsExternalAccessPolicy -Identity $FederatedUserSkype.userprincipalname -PolicyName 'FederationAndPICDefault'

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s