Assign per-user Skype for Business Online policies with Office 365 PowerShell


Summary: Use Office 365 PowerShell to assign per-user communication settings with Skype for Business Online policies.

Using Office 365 PowerShell is an efficient way to assign per-user communication settings with Skype for Business Online policies.

Before you begin

Use these instructions to get set up to run the commands (skip the steps you have already completed):

  1. Download and install the Skype for Business Online Connector module.

  2. Open a Windows PowerShell command prompt and run the following commands:

    Import-Module LyncOnlineConnector
    $userCredential = Get-Credential
    $sfbSession = New-CsOnlineSession -Credential $userCredential
    Import-PSSession $sfbSession

    When prompted, enter your Skype for Business Online administrator account name and password.

Updating external communication settings for a user account

Suppose you want to change external communication settings on a user account. For example, you want to allow Alex to communicate with federated users (EnableFederationAccess is equal to True) but not with Windows Live users (EnablePublicCloudAccess equals False). To do that, you need to do two things:

  1. Find an external access policy that meets your criteria.

  2. Assign that external access policy to Alex.


You can’t create a custom policy of your own, because Skype for Business Online does not allow custom policies. Instead, you must assign one of the policies that were created specifically for Office 365. Those pre-created policies include:

  • 4 different client policies

  • 224 different conferencing policies

  • 5 different dial plans

  • 5 different external access policies

  • 1 hosted voicemail policy

  • 4 different voice policies

So how do you determine which external access policy to assign Alex? The following command returns all the external access policies where EnableFederationAccess is set to True and EnablePublicCloudAccess is set to False:

Get-CsExternalAccessPolicy | Where-Object {$_.EnableFederationAccess -eq $True -and $_.EnablePublicCloudAccess -eq $False}

The command returns all the policies that meet two criteria: the EnableFederationAccess property is set to True, and the EnablePublicCloudAccess property is set to False. In turn, that command returns one policy – FederationOnly – that meets your criteria. Here is an example:

Identity                          : Tag:FederationOnly
Description                       :
EnableFederationAccess            : True
EnableXmppAccess                  : False
EnablePublicCloudAccess           : False
EnablePublicCloudAudioVideoAccess : False
EnableOutsideAccess               : True


The policy Identity says Tag:FederationOnly. As it turns out, the Tag: prefix is a carryover from the early pre-release work done on Microsoft Lync 2013. When it comes to assigning policies to users, you should delete the Tag: prefix and use just the policy name: FederationOnly.

Now that you know which policy to assign to Alex, you can assign that policy by using the Grant-CsExternalAccessPolicy cmdlet. Here is an example:

Grant-CsExternalAccessPolicy -Identity "Alex Darrow" -PolicyName "FederationOnly"

Assigning a policy is simple: you specify the Identity of the user and the name of the policy to be assigned.

And when it comes to policies and policy assignments, you’re not limited to working with user accounts one at a time. For example, suppose you need a list of all the users who are allowed to communicate with federated partners and with Windows Live users. Those users have been assigned the external user access policy FederationAndPICDefault. Because you know that, you can display a list of all those users by running one simple command. Here is the command:

Get-CsOnlineUser -Filter {ExternalAccessPolicy -eq "FederationAndPICDefault"} | Select-Object DisplayName

In other words, show all the users where the ExternalAccessPolicy property is set to FederationAndPICDefault. (And, in order to limit the amount of information that appears onscreen, use the Select-Object cmdlet to display only each user’s display name.)

To configure all your user accounts to use that same policy, use this command:

Get-CsOnlineUser | Grant-CsExternalAccessPolicy -PolicyName "FederationAndPICDefault"

This command uses Get-CsOnlineUser to return a collection of all the users who have been enabled for Lync, then sends all that information to Grant-CsExternalAccessPolicy, which assigns the FederationAndPICDefault policy to each and every user in the collection.

As an additional example, suppose you’ve previously assigned Alex the FederationAndPICDefault policy and now you’ve changed your mind and would like him to be managed by the global external access policy. You can’t explicitly assign the global policy to anyone. It is only used if no other per-user policy is assigned. Therefore, if you want Alex to be managed by the global policy, you need to unassign any per-user policy previously assigned to him. Here is an example command:

Grant-CsExternalAccessPolicy -Identity "Alex Darrow" -PolicyName $Null

This command sets the name of the external access policy assigned to Alex to a null value ($Null). Null means “nothing”. In other words, no external access policy is assigned to Alex. When no external access policy is assigned to a user, that user then gets managed by the global policy.
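The rules described above (strip the Tag: prefix, fall back to the global policy when no per-user policy is assigned) can be combined into a report of each user's effective external access settings. This is an added example, not part of the original article: the function name Get-EffectiveExternalAccess is hypothetical, and the sample users and policy values below are constructed so the block runs without a tenant connection.

```powershell
# Added example (not from the original article); function name is hypothetical.
function Get-EffectiveExternalAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Users,    # e.g. output of Get-CsOnlineUser
        [Parameter(Mandatory)] [object[]] $Policies  # e.g. output of Get-CsExternalAccessPolicy
    )
    # Index policies by name with the "Tag:" prefix removed.
    $byName = @{}
    foreach ($p in $Policies) {
        $byName[($p.Identity -replace '^Tag:', '')] = $p
    }
    foreach ($u in $Users) {
        # No per-user policy assigned means the global policy applies.
        $assigned = [string]$u.ExternalAccessPolicy
        $name     = if ($assigned) { $assigned } else { 'Global' }
        $policy   = $byName[$name]
        [pscustomobject]@{
            DisplayName             = $u.DisplayName
            PolicyName              = $name
            PerUserAssignment       = [bool]$assigned
            EnableFederationAccess  = $policy.EnableFederationAccess
            EnablePublicCloudAccess = $policy.EnablePublicCloudAccess
        }
    }
}

# Constructed sample data; with a live session, pass the cmdlet output instead.
$policies = @(
    [pscustomobject]@{ Identity = 'Global'
        EnableFederationAccess = $true; EnablePublicCloudAccess = $false }
    [pscustomobject]@{ Identity = 'Tag:FederationOnly'
        EnableFederationAccess = $true; EnablePublicCloudAccess = $false }
    [pscustomobject]@{ Identity = 'Tag:FederationAndPICDefault'
        EnableFederationAccess = $true; EnablePublicCloudAccess = $true }
)
$users = @(
    [pscustomobject]@{ DisplayName = 'Alex Darrow';   ExternalAccessPolicy = 'FederationOnly' }
    [pscustomobject]@{ DisplayName = 'Sample User A'; ExternalAccessPolicy = 'FederationAndPICDefault' }
    [pscustomobject]@{ DisplayName = 'Sample User B'; ExternalAccessPolicy = $null }
)

$report = Get-EffectiveExternalAccess -Users $users -Policies $policies
$report | Format-Table -AutoSize

# Users whose effective policy allows Windows Live (public cloud) contacts.
$report | Where-Object { $_.EnablePublicCloudAccess } | Select-Object DisplayName, PolicyName
```

Running the same report before and after a bulk Grant-CsExternalAccessPolicy change gives a record of which users' external exposure actually changed.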

To disable a user account using Windows PowerShell, use the Azure Active Directory cmdlets to remove Alex’s Skype for Business Online license.

See Also

Manage Skype for Business Online with Office 365 PowerShell
Manage Office 365 with Office 365 PowerShell
Getting started with Office 365 PowerShell