Restricted domains sharing in SharePoint Online and OneDrive for Business
With SharePoint Online you can share a site with users from specific domains by using the restricted domains setting. This is useful for a business-to-business extranet scenario where you want to limit sharing with a particular business partner.
Restricting domains
Administrators can configure external sharing by using either the domain allow list or deny list. This can be done at the tenant level or the site collection level. Administrators can limit sharing invitations to a limited number of email domains by listing them in the allow list or opt to use the deny list, listing email domains to which users are prohibited from sending invitations.
Tenant-level settings affect all SharePoint Online site collections, including the OneDrive for Business site collection.
To restrict domains in external sharing in SharePoint Online and OneDrive for Business at the tenant level
- Sign in to Office 365 as a global admin or SharePoint admin.
- Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)
- In the left pane, choose Admin centers > SharePoint.
- Select the sharing tab.
- Under Additional settings, select the Limit external sharing using domains check box.
- From the drop-down list, choose either Don't allow sharing with users from these blocked domains to deny access to targeted domains or Allow sharing only with users from these domains to limit access to only the domains you list.
- List the domains (maximum of 120) in the box provided, using the format domain.com. If listing more than one domain, separate each domain with a space or a carriage return.
Note: Wildcards are not supported for domain entries.
You can also configure the tenant-level setting by using the Set-SPOTenant Windows PowerShell cmdlet.
You can also use restricted domains at the site collection level. Note the following considerations:
- In the case of conflicts, the tenant-level configuration takes precedence over the site collection configuration.
- If a tenant-level allow list is configured, then you can only configure an allow list at the site collection level. The site collection allow list must be a subset of the tenant allow list.
- If a tenant-level deny list is configured, then you can configure either an allow list or a deny list at the site collection level.
- For individual OneDrive for Business site collections, you can only configure this setting by using the Set-SPOSite Windows PowerShell cmdlet.
To restrict domains in external sharing in SharePoint Online at the site collection level
- Sign in to Office 365 as a global admin or SharePoint admin.
- Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)
- In the left pane, choose Admin centers > SharePoint.
- Select the site collections tab.
- Select a site collection, and then click Sharing.
- Under Site collection additional settings, select the Limit external sharing using domain check box.
- From the drop-down list, choose either Don't allow sharing with users from these blocked domains to deny access to targeted domains or Allow sharing only with users from these domains to limit access to only the domains you list.
- List the domains (maximum of 60) in the box provided, using the format domain.com. If listing more than one domain, separate each domain with a space or a carriage return.
Note: Wildcards are not supported for domain entries.
You can also configure the site collection setting by using the Set-SPOSite Windows PowerShell cmdlet.
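The following is an added example, not part of the original article: a pre-flight check that applies the limits and precedence rules described above (60 domains per site collection, no wildcards, site allow list a subset of a tenant allow list) before setting a site collection allow list with Set-SPOSite. The site URL and the partner domains are placeholders, and the helper name Test-SharingDomainList is hypothetical.

```powershell
# Added example: assumes the SharePoint Online Management Shell is installed and
# Connect-SPOService has already been run. URL and domains are placeholders.
function Test-SharingDomainList {
    # Hypothetical helper: emits one message per rule violation, nothing if the list is valid.
    param([string[]]$Domains, [int]$MaxCount)   # 120 for the tenant, 60 for a site collection
    if ($Domains.Count -gt $MaxCount) {
        "Too many domains: $($Domains.Count) (maximum $MaxCount)"
    }
    foreach ($d in $Domains) {
        if ($d -match '\*') {
            "Wildcards are not supported: $d"
        } elseif ($d -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$') {
            "Not in domain.com format: $d"
        }
    }
}

$siteUrl     = 'https://contoso.sharepoint.com/sites/partner-extranet'   # placeholder
$siteDomains = @('partner.example', 'supplier.example')                   # placeholder

$tenant   = Get-SPOTenant
$problems = @(Test-SharingDomainList -Domains $siteDomains -MaxCount 60)

# With a tenant allow list, the site collection list must be a subset of it.
if ($tenant.SharingDomainRestrictionMode -eq 'AllowList') {
    $tenantAllowed = @($tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })
    $problems += @($siteDomains |
        Where-Object { $tenantAllowed -notcontains $_ } |
        ForEach-Object { "Not in the tenant allow list: $_" })
}

if ($problems.Count -gt 0) {
    # Report every violation and change nothing.
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    # The cmdlet takes the domains as one space-separated string.
    Set-SPOSite -Identity $siteUrl -SharingDomainRestrictionMode AllowList `
        -SharingAllowedDomainList ($siteDomains -join ' ')
    # Read the setting back to confirm what is now in effect.
    Get-SPOSite -Identity $siteUrl |
        Select-Object Url, SharingDomainRestrictionMode, SharingAllowedDomainList
}
```

For the tenant-level setting, the same validation applies with -MaxCount 120 and Set-SPOTenant in place of Set-SPOSite.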
Sharing experience
After you have configured the restricted domains sharing feature, here's what you'll see when you share a document:
- Sharing content with email domains that are not allowed. If you attempt to share content with an external user whose email address domain violates your restricted domains settings, an error message will display and sharing will not be allowed.
- Sharing OneDrive for Business files to email domains that are not allowed. If you try to share a OneDrive for Business file with an external user whose email domain is not allowed as a result of your restricted domains configuration, an error message will display and sharing will not be allowed.
- Sharing content with email domains that are allowed. If your end user is attempting to share content with an external user who has an email address domain that is allowed, they will be able to successfully share the content with that external user. A tool tip lets you know that the user is outside of their organization.
User auditing and lifecycle management
As with any extranet sharing scenario, it's important to consider the lifecycle of your guest users, how to audit their activity, and eventually how to archive the site. See Planning SharePoint Online business-to-business (B2B) extranet sites for more information.
Related Topics
Manage external sharing for your SharePoint Online environment
Extranet for Partners with Office 365
Set-SPOTenant