Assigning Per-User Lync Online Policies


Summary: Manage Office 365 by using Windows PowerShell cmdlets, scripts, and batch processes.

Suppose we decide we want to change Alex’s external communication setting. For example, say we want to allow Alex to communicate with federated users (EnableFederationAccess is equal to True) but not with Windows Live users (EnablePublicCloudAccess equals False). To do that, we can’t use the Set-CsUser cmdlet to change Alex’s user account; as we know, those properties don’t even exist on Alex’s user account. Instead, we need to do two things:

  1. Find an external access policy that meets our criteria.

  2. Assign that external access policy to Alex.


Before you ask, no, we can’t create a custom policy all our own. That’s because Lync Online does not allow you to create custom policies. Instead, you must assign one of the policies that were created specifically for Office 365. Those pre-created policies include:

  • 4 different client policies

  • 224 different conferencing policies

  • 5 different dial plans

  • 5 different external access policies

  • 1 hosted voicemail policy

  • 4 different voice policies

So how do we know which external access policy to assign Alex? The following command returns all the external access policies where EnableFederationAccess is set to True and EnablePublicCloudAccess is set to False:

Get-CsExternalAccessPolicy | Where-Object {$_.EnableFederationAccess -eq $True -and $_.EnablePublicCloudAccess -eq $False}

What the command does is ask Get-CsExternalAccessPolicy to return all the policies that meet two criteria: the EnableFederationAccess property is set to True, and the EnablePublicCloudAccess property is set to False. In turn, that command returns one policy, FederationOnly, that meets our criteria:

Identity                          : Tag:FederationOnly
Description                       :
EnableFederationAccess            : True
EnableXmppAccess                  : False
EnablePublicCloudAccess           : False
EnablePublicCloudAudioVideoAccess : False
EnableOutsideAccess               : True


Yes, we know: technically the policy Identity says Tag:FederationOnly. As it turns out, the Tag: prefix is a carryover from the early pre-release work done on Microsoft Lync 2013. When it comes to assigning policies to users, you should delete the Tag: prefix and use just the policy name: FederationOnly.

Now that we know which policy to assign to Alex, we can assign that policy by using the Grant-CsExternalAccessPolicy cmdlet:

Grant-CsExternalAccessPolicy -Identity "Alex Darrow" -PolicyName "FederationOnly"

As you can see, assigning a policy is pretty simple: you simply specify the Identity of the user and the name of the policy to be assigned. Again, it’s a little different than how you might change something like a user’s address or phone number, but it’s still pretty easy.

And when it comes to policies and policy assignments we’re not limited to working with user accounts one at a time. For example, suppose you need a list of all the users who are allowed to communicate with federated partners and with Windows Live users. We already know that those users have been assigned the external user access policy FederationAndPICDefault. And because we know that, we can return a list of all those users by running one simple command:

Get-CsOnlineUser -Filter {ExternalAccessPolicy -eq "FederationAndPICDefault"} | Select-Object DisplayName

In other words, show us all the users where the ExternalAccessPolicy property is set to FederationAndPICDefault. (And, in order to limit the amount of information that appears onscreen, use the Select-Object cmdlet to show us only each user’s display name.)

And what if we want to configure all our user accounts to use that same policy? That might be even easier:

Get-CsOnlineUser | Grant-CsExternalAccessPolicy -PolicyName "FederationAndPICDefault"

See how that works? We use Get-CsOnlineUser to return a collection of all the users who have been enabled for Lync. And then we just pipe all that information to Grant-CsExternalAccessPolicy, and let that cmdlet assign the FederationAndPICDefault policy to each and every user in the collection.

Now here’s a tricky one, but an important one to know about. Suppose you’ve previously assigned Alex the FederationAndPICDefault policy and now you’ve changed your mind and would like him to be managed by the global external access policy. Can you just run a command like this one, and assign him the global policy:

Grant-CsExternalAccessPolicy -Identity "Alex Darrow" -PolicyName "Global"

Well, you can run that command, but you’re just going to get an error message: that’s because you can’t explicitly assign the global policy to anyone. Like we said, the global policy is used whenever someone doesn’t have a per-user policy assigned. You don’t assign the global policy: it just gets used if nothing else has been assigned to the user.

That means that, if we want Alex to be managed by the global policy, we need to unassign any per-user policy previously assigned to him. That’s what this command does:

Grant-CsExternalAccessPolicy -Identity "Alex Darrow" -PolicyName $Null

It’s a little quirky, but all we’re doing here is setting the name of the external access policy assigned to Alex to a null value ($Null). Null, as you already know, means “nothing”. In other words, we’re saying that no external access policy is assigned to Alex. And when no external access policy is assigned to a user – that’s right: that user then gets managed by the global policy.

Like we said, it’s a little quirky. But it also works.
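For an access review, the fallback rule above matters: a user with no per-user policy is still governed by something. The following is an added example, not part of the original article; it resolves each user's effective external access settings, treating an empty assignment as the global policy and dropping the Tag: prefix. The function name Get-EffectiveExternalAccess, the sample users other than Alex Darrow, and the Global policy's values are constructed for illustration, and the code assumes the ExternalAccessPolicy property converts to the policy name as a string.

```powershell
# Added example: map every user to the external access settings that actually apply.
function Get-EffectiveExternalAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,  # e.g. output of Get-CsExternalAccessPolicy
        [Parameter(Mandatory)] [object[]] $Users      # e.g. output of Get-CsOnlineUser
    )

    # Index policies by name, dropping the "Tag:" prefix carried by per-user policies.
    $byName = @{}
    foreach ($p in $Policies) {
        $byName["$($p.Identity)" -replace '^Tag:', ''] = $p
    }

    foreach ($u in $Users) {
        # No per-user policy assigned means the global policy is in effect.
        $assigned  = "$($u.ExternalAccessPolicy)"
        $inherited = [string]::IsNullOrEmpty($assigned)
        $name      = if ($inherited) { 'Global' } else { $assigned }

        $policy = $byName[$name]
        if (-not $policy) {
            Write-Warning "No policy named '$name' found for $($u.DisplayName)"
            continue
        }

        [pscustomobject]@{
            DisplayName = $u.DisplayName
            Policy      = $name
            Inherited   = $inherited
            Federation  = $policy.EnableFederationAccess
            PublicCloud = $policy.EnablePublicCloudAccess
        }
    }
}

# Constructed sample data so the example runs without a Lync Online session.
# The Global values here are illustrative, not taken from a real tenant.
$policies = @(
    [pscustomobject]@{ Identity = 'Global';                      EnableFederationAccess = $true; EnablePublicCloudAccess = $false }
    [pscustomobject]@{ Identity = 'Tag:FederationOnly';          EnableFederationAccess = $true; EnablePublicCloudAccess = $false }
    [pscustomobject]@{ Identity = 'Tag:FederationAndPICDefault'; EnableFederationAccess = $true; EnablePublicCloudAccess = $true }
)
$users = @(
    [pscustomobject]@{ DisplayName = 'Alex Darrow';   ExternalAccessPolicy = 'FederationOnly' }
    [pscustomobject]@{ DisplayName = 'Sample User A'; ExternalAccessPolicy = 'FederationAndPICDefault' }
    [pscustomobject]@{ DisplayName = 'Sample User B'; ExternalAccessPolicy = $null }
)

Get-EffectiveExternalAccess -Policies $policies -Users $users | Format-Table -AutoSize
```

In a live session, pass the output of Get-CsExternalAccessPolicy and Get-CsOnlineUser in place of the sample arrays, and filter the result with Where-Object to list only the users whose effective policy allows Windows Live contacts.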

A Note Regarding Set-CsUser

So should you ever use the Set-CsUser cmdlet when working with Lync Online? At this point in time, no: right now Lync Online limits you to using policies when setting user properties. For example, suppose you try using this command to disable Alex Darrow’s Lync account:

Set-CsUser -Identity "Alex Darrow" -Enabled $False

That’s going to result in the following error message:

Unable to set "Enabled". This parameter is restricted within Remote Tenant PowerShell.

To disable a user account using Windows PowerShell, use the Azure Active Directory cmdlets to remove Alex’s Lync Online license.
