Skype for Business – Applying connection policies to departments or agencies

In Office 365, the control to federate your tenant with consumer Skype is a simple checkbox. Well, this is fine for a lot of small businesses or anyone where there is agreement on doing this. If a more granular approach is needed, this is both possible and fairly easy to do. What is the magic to make this happen? Skype for Business Online connection policies.

Basically, what’s needed is to apply a policy to all users (or at least, all users who will have some restrictions on them). This is done with a PowerShell script that you’ll run periodically. Fortunately, the queries for this script are all indexed attributes, so we can do all the filtering server-side. This makes the script very fast and scalable.

The first step is defining policies. In this example, we have a policy which is blocking all access to consumer Skype, very much like it would be in the tenant if you didn’t have the Skype connectivity box checked.

 New-CsExternalAccessPolicy -Identity BlockSkype `
    -EnablePublicCloudAccess $False `
    -EnablePublicCloudAudioVideoAccess $False `
    -EnableFederationAccess $True `
    -EnableOutsideAccess $True

This only needs to be done once to create the “BlockSkype” policy in the tenant.

But creating this policy isn’t necessary most of the time. There are already three pre-defined policies in Skype for Business Online. These should cover most scenarios:

  • No Federated or Skype Consumer Access (Tag:NoFederationAndPIC )
  • Federated Access Only (Tag:FederationOnly )
  • Federated and Consumer Access (FederationAndPICDefault)

For this example, we have Contoso and Fabrikam sharing a tenant. The Contoso accounting department isn’t permitted access to Skype. (You could use a custom policy, or the pre-built “FederationOnly” one. So how do we block this while allowing everyone else access? Just a one-line PowerShell script does it.

 Get-CsOnlineUser -Filter {
    (SipProxyAddress -like '*') -and `
    (ExternalAccessPolicy -ne 'BlockSkype') -and `
    (Department -like 'Accounting*')
    } | Grant-CsExternalAccessPolicy -PolicyName 'BlockSkype'

Yes, that really is one line. I’ve just added line breaks for readability. But it really would fit in just one line if you wanted it to. If you have many domains or departments which need to be blocked, you could keep a CSV file of these, import them, and have this one line use variables which loop though all the policies which need to be set.

Also as a by-product of this, it’s possible to have more restrictive policies around federated communications as well. All that’s needed for this is to create a separate policy similar to above (with a different name, of course, and setting the EnableFederationAccess switch to $False.

All-in-all, this is a much better solution than just blocking Skype access for everybody.

More documentation on the different options for the policies is located here:

All this code comes with the normal disclaimers, of course. You’re on your own here - there’s no warranty on this. I always recommend testing everything in a lab, of course. If you use it, please leave a comment.