External Sharing exclusion on top of Allowed Domains

Question

External Sharing exclusion on top of Allowed Domains

Ankit Pandey 0

I have a scenario where I would like to enable external sharing for some users (via security group) on top of already existing Domain Whitelist setting on. Is it possible to allow only some users to be able to share externally to anyone outside the already allowed domains ?

The permission sliders for both Sharepoint and OneDrive is set to New & Existing Guests right now.

2 answers

Your answer

Answer 1

Xyza Xue_MSFT 30,176 Microsoft External Staff

Hi @Ankit Pandey ,

External sharing restrictions

You can restrict external sharing with these options:

Restrict which domains users can share with.
Limit external sharing to people in a specific security group.
Expire guest access after a specified period.
Require reauthentication after a specified period for users using a verification code.

Yes, it is possible to allow only some users to be able to share externally to anyone outside the already allowed domains. For detail steps, Please refer to this article: https://learn.microsoft.com/en-us/sharepoint/manage-security-groups#allow-only-members-in-specific-security-groups-to-share-sharepoint-and-onedrive-files-and-folders-externally

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Ankit Pandey 0 Reputation points

2024-08-13T09:05:33.33+00:00

Appreciate the response however, I just wish to make sure does the organizaton wide setting (the sliders for SP and OneDrive) which is curretly set to 'New and Exisiting Users' create a conflict ? Do I need to change that as well to 'Most Permissive' ?
Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff

2024-08-13T09:24:34.8833333+00:00

Hi,

There will be no conflict. “Anyone”and “New and Existing Guests” both can be set to allow sharing only to members of a specific security group.

“Anyone”: Allow users to share files and folders by using links that let anyone who has the link access the files or folders without authenticating.

“New and Existing Guests” : Require people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity.
Ankit Pandey 0 Reputation points

2024-08-13T09:54:25.94+00:00

Thank you so much Haoyan. I'll apply these settings to verify. I'll accept the answer right after.
Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff

2024-08-14T06:30:39.2733333+00:00

Hi @Ankit Pandey ,

How's going today? Do you have further concerns regarding this issue? Please feel free to talk with us if you have other questions. If the above info is helpful to this question, you can click "Accept Answer". Have a nice day!
Ankit Pandey 0 Reputation points

2024-08-16T10:36:09.02+00:00

Hi Haoyan, I am still not able to test this completely however, I shall update at the earliest. Thank You.
Ankit Pandey 0 Reputation points

2024-08-16T11:27:41.4766667+00:00

While trying to add the newly created MESG in the External Sharing --> Manage security group, it keep giving me the error as "The specified user or domain group was not found". We have an on Prem Exchange environment.
Ankit Pandey 0 Reputation points

2024-08-19T12:27:21.85+00:00

I was able to test it today however, after adding this group in 'Manage security group' and setting permission to 'Authenticated guests only', I am still not able to send it outside allowed domain list. The error when I try to share some file or folder from SP is also in screenshot. Can you suggest what's wrong ? Do I have to also change organizational setting to most permissive (set to Anyone) ?
Ankit Pandey 0 Reputation points

2024-08-19T12:39:01.0366667+00:00

Also I don't have a drop down to change the setting for 'can share with' to anyone. Default is getting picked up for 'Authenticated Users' only.
Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff

2024-08-20T09:22:49.3+00:00

Hi,

Have you also set up to limit external sharing by allowed domains？

For example, if you set up allow lazyxxxing.com, if you share to a user in the qq domain, it will report the error in your picture.

If you share to a user in the lazyxxxing domain, Everything's working fine.
Ankit Pandey 0 Reputation points

2024-08-21T07:26:08.7566667+00:00

Hello,Yes I have the domain allowlist configured and looking to create exclsuion for some people in organization to be able to send outside those allowed domains via 'Manage security group'. Is this not possible as when I had tried to do it, it stopped sharing for other users as well (Also for allowed domains). Seems like the allowed domains settings supersedes security group setting. I see the same error as shown in your second screenshot.

Is there any way to be able to achieve that ? Does changing the organization wide setting for SP and OD to 'Most Permissive' change anything ?

I would appreciate any support to be able to get this through.

Answer 2

Xyza Xue_MSFT 30,176 Microsoft External Staff

Hi @Ankit Pandey ,

This time, you have to fulfill both allow domain settings and security group settings , they need to be satisfied at the same time. (Only people in the security group can share to users in the allowed domain, all other cases will report this error). The setup condition for organizations in sharepoint is an “AND” relationship.

After you have created the domain allowlist，there is no way to get around this restriction, or create exceptions. This is the expected behavior by microsoft.

Sorry, I apologize for misunderstanding you at first. In a word, allowing some users to share externally with anyone outside of the allowed domain is not possible to accomplish. I deeply regret this.

Hope the information can help you. Your understanding and patience will be highly appreciated! Hope you have a good day and keep safe!

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Ankit Pandey 0 Reputation points

2024-08-21T11:18:33.5466667+00:00
Thank you for the detailed response. So as a workaround to get by this requirement is to go with blacklisting domain rather than allowlist and let the slider for permissions be set to New & Existing guests ? The blacklist would only be restricted with 5000 domains then.

Organization permissions set to New & existing guests

Blacklist domains (5k max)

No limit by external sharing by domain
Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff

2024-08-22T07:03:49.3633333+00:00

Hello, I didn't get your point. What is the ultimate goal you want to achieve? Is it about allowing or blocking which domains are shared?
Ankit Pandey 0 Reputation points

2024-08-22T08:10:51.9966667+00:00
Hi,

The ultimate goal is:

To limit restriction by allowed domains

Create exclusion for some members (in security group) to be able to send outside these allowed domains

The mention of blacklist is because as per documentation, we can either utilize allowed domains or blacklist domains for restriction (either way) https://learn.microsoft.com/en-us/sharepoint/restricted-domains-sharing?source=recommendations#limiting-domains.

So when I mention in previous comment that a workaround to achieve this goal (in above bullet points), we have to go with blocklisting domains which would again keep external sharing open for all to every domain apart from ones in blocklist. Only restriction that can be set is with authenticated guests which doesn't seem the best way.

Kindly suggest if there is something else that can be done here to restrict sharing but allow only some users in a group to be able to shre freely to all external domains without restriction.
Ankit Pandey 0 Reputation points

2024-08-22T08:20:29.88+00:00
Hi,

The utlimate goal is:

To restrict sharing to only allowed domains

Exclude some users to be able to share freely also outside allowed domains

The mention of blocklist is beacuse as per documentation it suggests we can either utilise allowed domains list or blocklist. https://learn.microsoft.com/en-us/sharepoint/restricted-domains-sharing?source=recommendations#limiting-domains

I bring the workaround to understand in order to achieve the utlimate goal, do we have to blocklist domains and then allow all users to be able to share outside that list ? This doesn't sound the best which is why I seek suggestion if there is something else that can be done to achieve the ultimate goal to not allow all users to share freely but only few selective users.
Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff

2024-08-22T08:41:19.02+00:00

Hello Ankit Pandey ,

Thanks for the detailed explanation. I see what you're saying, but I'm afraid we don't have a better solution. The design really didn't set up a solution for this situation.

I recommend you give suggestion in the feedback portal and help to make improvements. Many features of current products are designed and upgraded based on customers’ feedback. With requirements like this increase, the problem may well be released in the future.
Ankit Pandey 0 Reputation points

2024-08-22T14:59:50.3766667+00:00

Thank you. In the first response to this question, it mentions that it is allowed to share outside already allowed domains when some users are out in a security group. Does this mean something else ?
Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff

2024-08-23T06:02:17.9866667+00:00

Hello, No, it doesn't mean anything else, it's a misunderstanding, at first I didn't know you configured allowed domains, simply allow only some users to be able to share externally. Once again, I apologize for this.
Ankit Pandey 0 Reputation points

2024-09-13T12:36:57.6566667+00:00

Thank you for the responses team. Couldn't revisit this for a while but appreciate the clarity here.

Share via

External Sharing exclusion on top of Allowed Domains

2 answers

Your answer