Edit

Share via

Restrict sharing of SharePoint and OneDrive content by domain

  • Article

If you want to restrict sharing with other organizations (either at the organization level or site level), you can limit sharing by domain.

Note

If you have enrolled in the SharePoint and OneDrive integration with Microsoft Entra B2B, invitations in SharePoint are also subject to any domain restrictions configured in Microsoft Entra ID.

Limiting domains

You can limit domains by allowing only the domains you specify or by allowing all domains except those you block.

Limit domains at the organization level

  1. Go to Sharing in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.

    Note

    If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Sharing page.

  2. Under More external sharing settings, select the Limit external sharing by domain check box, and then select Add domains.

  3. To create an allowlist (most restrictive), select Allow only specific domains; to block only the domains you specify, select Block specific domains.

  4. List the domains (maximum of 5000) in the box provided, using the format domain.com. If listing more than one domain, enter each domain on a new line.

    Note

    Wildcards are not supported for domain entries.

  5. Select Save.

You can also configure the organization-wide setting by using the Set-SPOTenant PowerShell cmdlet.

Limit domains at the site level

You can also limit domains at the site level. Note the following considerations:

  • In the case of conflicts, the organization-wide configuration takes precedence over the site configuration.

  • If an organization-wide allowlist is already set up and you want to set up a site-level allowlist, then the site-level allowlist must be a subset of the organization's allowlist.

  • If an organization-wide blocklist is already set up, then you can set up either an allowlist or a blocklist at the site collection level.

  • For individual OneDrive site collections, you can only set up limit domains by using the Set-SPOSite Windows PowerShell cmdlet.

To limit domains for a site

  1. Go to Active sites in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.

    Note

    If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the More features page.

  2. Select the site name that you want to restrict domains to open the details panel.

  3. On the panel, select the Settings tab and select More sharing settings under External sharing.

  4. Under Advanced settings for external sharing, select the Limit external sharing by domain check box, and then select Add domains.

  5. Select Allow only specific domains to create an allowlist (must be a subset of the organization's allowlist), or to block only the domains you specify, select Block specific domains. You won't be able to use the Block specific domains feature if your organization already set up an allowlist.

  6. List the domains (maximum of 500) in the box provided, using the format domain.com. If listing more than one domain, enter each domain on a new line.

    Note

    Wildcards are not supported for domain entries.

  7. Select Save, and then select Save again.

    Note

    To configure the site collection setting for site collections that do not appear in this list (such as Group-connected sites or individual OneDrive site collections), you must use the Set-SPOSite PowerShell cmdlet.

Sharing experience

After you limit sharing by domain, here's what you'll see when you share a document:

  • Sharing content with email domains that are not allowed. If you attempt to share content with a guest whose email address domain isn't allowed, an error message displays and sharing isn't allowed.

    (If the user is already in your directory, you won't see the error, but they will be blocked if they attempt to access the site.)

    Screenshot of sharing error message when sharing with blocked user.

  • Sharing OneDrive files with guests on domains that aren't allowed. If a user tries to share a OneDrive file with a guest whose email domain isn't allowed, an error message displays and sharing isn't allowed.

    Screenshot of error message when sharing OneDrive files with blocked users.

  • Sharing content with email domains that are allowed. Users are able to successfully share the content with the guest. A tooltip appears to let them know that the guest is outside of their organization.

    Screenshot of successfully sharing content with restricted users.

User auditing and lifecycle management

As with any extranet sharing scenario it's important to consider the lifecycle of your guests, how to audit their activity, and eventually how to archive the site. As a site owner or above, you can create a CSV file of every unique file, user, permission and link on a given SharePoint site or OneDrive. As a SharePoint admin or above, with SharePoint advanced management, you can run Data access governance reports to audit shared links. See Planning SharePoint business-to-business (B2B) extranet sites for more information.

See also

External sharing overview

Extranet for Partners with Microsoft 365

Set-SPOTenant