
How to Restrict Microsoft Teams External Access to Approved Domains

If your organisation works with specific external partners, suppliers, or clients, you'll want to lock down Microsoft Teams External Access to only those trusted domains rather than leaving it open to everyone. The Teams Admin Centre lets you do this manually, but if you've got a long list of approved domains, clicking through one by one quickly becomes tedious.

This guide covers both methods: the manual UI approach for small lists, and a PowerShell script with CSV import and domain validation for bulk updates.

What is Teams External Access?

External Access (formerly known as federation) lets users in your Teams tenant find, call, and chat with users at other organisations, without those people needing to be added as guests in your tenant. They use their own organisation's credentials and Teams client.

ℹ️
External Access vs Guest Access
External Access is federated communication: users stay in their own tenant and can message or call yours. Guest Access invites someone into your tenant with access to specific Teams and channels. They're different features, and each can be configured independently.

By default, Teams External Access is set to allow communication with all external domains. Locking it down to an approved list means only users from those specific domains can reach your team, useful for regulated industries or organisations with strict security requirements.

Method 1, Teams Admin Centre (Manual)

🖱️ Best for small domain lists

Straightforward for adding a handful of domains. No PowerShell required.

  1. Go to the Microsoft Teams Admin Centre and sign in as an admin.
  2. In the left nav, go to Users → External Access.
  3. Under Choose which external domains your users have access to, select Allow only specific external domains.
  4. Click Add a domain, enter the domain (e.g. contoso.com), and click Done.
  5. Repeat for each domain, then click Save.

⚠️
Changes can take time
External Access policy changes can take up to 24 hours to propagate across all Teams clients. Don't panic if external users can't connect immediately after saving.

Method 2, PowerShell with CSV Import

⚡ Best for bulk domain lists

If you need to add 10, 50, or 100+ domains, do it properly with PowerShell. This script reads a CSV file, validates every domain against an FQDN regex pattern, and applies the full list in one command.

Step 1, Install the MicrosoftTeams module

If you haven't already got the Teams PowerShell module, install it first:

PowerShell
Install-Module -Name MicrosoftTeams -Force -AllowClobber

Step 2, Create your CSV file

Create a .csv file with a single column headed Domain, with one domain per row. Save it somewhere accessible, e.g. C:\Temp\domains.csv.

Domain
contoso.com
fabrikam.co.uk
partner-company.com
supplier.net
clientdomain.org

Step 3, Run the bulk import script

This script imports the CSV, validates every entry against a proper FQDN regex, skips any invalid entries with a warning, and then applies the approved list to your Teams tenant.

PowerShell
# ── Teams External Access, Bulk Domain Import ──────────────────
# Reads a CSV with a 'Domain' column, validates each entry,
# and applies the list to Teams federation settings.

# Set path to your CSV file
$CsvPath = "C:\Temp\domains.csv"

# Check the file exists
if (-not (Test-Path $CsvPath)) {
    Write-Error "CSV file not found at: $CsvPath"
    exit
}

# Import the CSV
try {
    $CsvData = Import-Csv -Path $CsvPath
} catch {
    Write-Error "Failed to import CSV: $_"
    exit
}

# Validate the CSV has a 'Domain' column and contains data
if (-not $CsvData -or -not ($CsvData[0].PSObject.Properties.Name -contains 'Domain')) {
    Write-Error "CSV is empty or missing the 'Domain' column header."
    exit
}

# FQDN validation regex, matches valid domain names
$FqdnRegex = '^(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'

# Build list of valid domains
$ValidDomains = New-Object System.Collections.Generic.List[string]

foreach ($Row in $CsvData) {
    # Cast to string first so a row with no Domain value does not throw on .Trim()
    $Domain = ([string]$Row.Domain).Trim()
    if ($Domain -match $FqdnRegex) {
        $ValidDomains.Add($Domain)
    } else {
        Write-Warning "Skipping invalid domain: '$Domain'"
    }
}

# Bail out if no valid domains were found
if ($ValidDomains.Count -eq 0) {
    Write-Error "No valid domains found in the CSV. Exiting."
    exit
}

Write-Host "Found $($ValidDomains.Count) valid domain(s). Connecting to Teams..." -ForegroundColor Cyan

# Connect to Microsoft Teams
Connect-MicrosoftTeams

# Build the AllowedDomain objects required by the cmdlet
$AllowedDomainList = $ValidDomains | ForEach-Object {
    New-CsEdgeDomainPattern -Domain $_
}

# Apply the approved domain list to Teams federation config
Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowList -AllowedDomain $AllowedDomainList)

Write-Host "Done! $($ValidDomains.Count) domain(s) added to Teams External Access." -ForegroundColor Green
Write-Host "Note: Changes can take up to 24 hours to propagate." -ForegroundColor Yellow

Tip, View existing domains first
Before running the script, check what's already configured by running Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowedDomains. This prevents accidentally overwriting existing approved domains.
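
Because applying the CSV can overwrite domains that are already approved, a dry run is worth doing first. The following is an added example, not part of the original script: it applies the same FQDN pattern to the CSV entries and reports which domains would be added, kept, removed and rejected. `ConvertTo-NormalisedDomain`, `Get-DomainChangePlan` and the sample domains are assumptions made for illustration.

```powershell
# Added example: dry-run change plan for the replace-style allow list update.
# Both function names are hypothetical helpers, not MicrosoftTeams cmdlets.

function ConvertTo-NormalisedDomain {
    param([string[]]$Domain)
    # Trim, lower-case, drop blanks and duplicates
    @($Domain | ForEach-Object { ([string]$_).Trim().ToLowerInvariant() } |
        Where-Object { $_ } | Select-Object -Unique)
}

function Get-DomainChangePlan {
    param(
        [string[]]$Current  = @(),  # domains allowed in the tenant today
        [string[]]$Proposed = @()   # values from the CSV 'Domain' column
    )
    # Same FQDN pattern as the import script
    $FqdnRegex = '^(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'

    $Cur   = @(ConvertTo-NormalisedDomain $Current)
    $All   = @(ConvertTo-NormalisedDomain $Proposed)
    $Valid = @($All | Where-Object { $_ -match $FqdnRegex })

    [pscustomobject]@{
        Added    = @($Valid | Where-Object { $_ -notin $Cur })
        Kept     = @($Valid | Where-Object { $_ -in $Cur })
        Removed  = @($Cur | Where-Object { $_ -notin $Valid })  # lost when the list is replaced
        Rejected = @($All | Where-Object { $_ -notmatch $FqdnRegex })
    }
}

# Constructed sample data. In a live tenant, $Current would hold the domain
# names returned by the Get-CsTenantFederationConfiguration check above.
$Current  = 'contoso.com', 'oldpartner.example'
$Proposed = 'Contoso.com ', 'fabrikam.co.uk', '*.supplier.net',
            'https://clientdomain.org', 'partner-company.com', 'fabrikam.co.uk'

$Plan = Get-DomainChangePlan -Current $Current -Proposed $Proposed
$Plan | Format-List

if ($Plan.Removed.Count -gt 0) {
    Write-Warning "Applying this list would remove: $($Plan.Removed -join ', ')"
}
```

Any domain listed under Removed needs to go into the CSV before the import script is run, unless dropping it is intended.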

Verifying the Configuration

Once the script has run, confirm the domains have been applied correctly:

PowerShell
# Check current federation configuration
Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowedDomains

You can also verify in the Teams Admin Centre under Users → External Access where the domains should now appear in the allowed list.

Which Method Should You Use?

🖱️ Teams Admin Centre
Adding fewer than 10 domains
No PowerShell experience needed
One-off configuration
Quick visual confirmation
ℹ️
Important, this replaces the existing list
The Set-CsTenantFederationConfiguration command replaces the entire AllowedDomains list rather than appending to it. If you have existing approved domains, make sure to include them in your CSV before running the script, or they will be removed.

Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.