On Day 20 of the cybersecurity awareness month, learn how to configure restricted domain sharing in SharePoint Online and OneDrive for improved security. Stay tuned for more blog posts in our M365 Cybersecurity blog series.
Recent enhancements in SharePoint and OneDrive have made it remarkably easy for users to share content externally with just a single click. However, what if you need to enforce more control over to whom your users can share information? In order to fulfill this, Microsoft offers several features to limit external sharing in SharePoint Online. One of the effective methods among them is to restrict external sharing to specific domains.
The process is simple: you identify the domains you trust and add them to your SharePoint domain whitelist. Domains not on the whitelist will be restricted from external sharing. For instance, if you add gmail.com to the list of blocked domains, any attempts to share externally with a gmail.com account will result in an error message.
To increase security, we must reduce access.
As the quote goes, let’s learn to restrict the sharing of SharePoint and OneDrive content by domain through this blog.
Limit Domain Sharing in SharePoint Online
Let’s say you are the IT administrator for a company that uses SharePoint Online for document management and collaboration. Your company has strict security policies and wants to change sharing permissions in SharePoint to limit domain sharing only to trusted partners. By specifying the domains that you want to allow users to share, you can help protect your organization’s data from unauthorized access.
SharePoint allows you to restrict external sharing by domain at both the organization level and the site level. Let’s check them in detail.
How to Block Domains at the Organization Level in SharePoint Online?
To limit external sharing to specific domains in SharePoint Online, follow the steps given below.
Step 1: Visit the SharePoint admin center.
Step 2: Under ‘Policies’, select Sharing.
Step 3: Reach out to Limit external sharing by domain check box under More external sharing settings.
Step 4: Select Add domains. Here, you will see two options – ‘Allow only specific domains (most restrictive)’ and ‘Block specific domains’.
Step 5: Select any option and start adding your domains in the format (domain.com). If you are adding multiple domains, make sure to enter each domain on a new line.
Step 6: Select Save.
Step 7: Hit the Save button again on the Sharing page without fail. Otherwise, your domain configuration won’t get applied.
Additionally, you can use PowerShell to configure these settings at the organization level.
Limit Domains at the Organization Level using PowerShell
Before proceeding, ensure that you’ve connected to Microsoft SharePoint Online PowerShell using the “Connect-SPOService” cmdlet. Once connected, you can use the following cmdlet to enable sharing only to the specified domains at the organization level.
Set-SPOTenant -SharingDomainRestrictionMode "AllowList" -SharingAllowedDomainList "contoso.com"
Use the following cmdlet to share content with everyone except the users in the blocked list at the org level.
Set-SPOTenant -SharingDomainRestrictionMode "BlockList" -SharingBlockedDomainList "gmail.com"
Here, the SharingDomainRestrictionMode parameter specifies the sharing mode for external domains such as allowlist or blocklist.
Limit Domains at the Site Level in SharePoint Online
The SharePoint site collection allowlist is the subset of the organization-level allowlist. Therefore, if you are configuring an org-wide allowlist, you can only configure the allowlist at the site level. But, if you are configuring an org-wide blocklist, you can configure either an allowlist or a blocklist at the site collection level.
Now, to restrict domains at the SharePoint site level, follow the given steps.
Step 1: Sign into the SharePoint admin center and go to Active Sites.
Step 2: Select the site where you need to configure domain restriction settings. This will open a flyout page for you.
Step 3: Select Settings tab -> More sharing settings.
Step 4: Under Advanced settings for external sharing dropdown, select Limit sharing by domain.
Step 5: Add domains and configure either allowlist or blocklist.
Step 6: Select Save.
Step 7: Hit the Save button again on the Sharing page.
Limit Sharing by Domain in OneDrive
Tenant-level settings affect all SharePoint Online site collections, including the OneDrive for Business site collection. However, limiting sharing by domain for individual OneDrive site collections can be done only through Windows PowerShell. Use the following cmdlets to configure the blocklist and allowlist to restrict sharing to specific domains in OneDrive.
The following cmdlet enables sharing only to the specified domains at the site level.
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/site1 -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "contoso.com"
Use the following cmdlet to share content with everyone except the users in the blocked list at the site level.
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/site1 -SharingDomainRestrictionMode Blocklist -SharingBlockedDomainList "gmail.com"
IMPORTANT: If you’ve integrated Microsoft Entra B2B with SharePoint and OneDrive, invitations sent are also governed by domain restrictions set up in Microsoft Entra ID.
User Sharing Experience
- If you try to share content from SharePoint or OneDrive with blocked domains, the following error is displayed, and the sharing is blocked.
“Your org doesn’t allow sharing with people who use this email domain. To continue sharing, remove the highlighted recipients”.
- If you share with users who are already in your directory, you won’t see any error while sharing with the domain. But, when they try to access it, the following error is displayed, and they are refrained from accessing the content.
“The organization that owns this resource has a policy that prevents access from people in the domain you’re currently signed in to. If you think you should have access, please contact the person who sent you the link to this resource.”
- If you are sharing content with the domains in your allowlist, users will be able to share the content with the guest users successfully.
- These limitations will not apply when users share files and folders using Anyone links. Note that the default sharing settings for SharePoint & OneDrive is ‘Anyone’
- You can only list a maximum of 5000 domains in the block and allow lists.
- If you have both organization-wide and site collection domain-sharing configurations, the organization-wide configuration will take precedence.
- To configure block and allow lists for domain sharing on group-connected sites, you must use the Set-SPOSite PowerShell cmdlet.
In a nutshell, restricting access to SharePoint and OneDrive by domain is a smart move to safeguard your sensitive data and enhance security. By adjusting SharePoint external sharing settings, you can make sure that sharing is limited to specific domains or completely prohibited. Achieving this is straightforward, whether you use the Microsoft 365 admin center or PowerShell. By implementing the right sharing rules, you can maintain the security of your SharePoint and OneDrive content while enabling external collaboration when it’s needed.
Thanks for reading! Feel free to reach us in the comment section for any queries.