Domain restrictions when sharing SharePoint & OneDrive content

Article
03/01/2023

If you want to restrict sharing with other organizations (either at the organization level or site level), you can limit sharing by domain.

Note

If you have enrolled in the SharePoint and OneDrive integration with Microsoft Entra B2B, invitations in SharePoint are also subject to any domain restrictions configured in Microsoft Entra ID.

Limiting domains

You can limit domains by allowing only the domains you specify or by allowing all domains except those you block.

To limit domains at the organization level

Go to Sharing in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.
Note
If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Sharing page.
Under Advanced settings for external sharing, select the Limit external sharing by domain check box, and then select Add domains.
See Also
Customize permissions for a SharePoint list or library Change the sharing settings for a site - SharePoint in Microsoft 365 Allow only members in specific security groups to share SharePoint and OneDrive files and folders externally - SharePoint in Microsoft 365 Unable to share OneDrive files
To create an allowlist (most restrictive), select Allow only specific domains; to block only the domains you specify, select Block specific domains.
List the domains (maximum of 5000) in the box provided, using the format domain.com. If listing more than one domain, enter each domain on a new line.
Note
Wildcards are not supported for domain entries.
Select Save.

You can also configure the organization-wide setting by using the Set-SPOTenant PowerShell cmdlet.

You can also limit domains at the site collection level. Note the following considerations:

In the case of conflicts, the organization-wide configuration takes precedence over the site collection configuration.
If an organization-wide allowlist is configured, then you can only configure an allowlist at the site collection level. The site collection allowlist must be a subset of the organization's allowlist.
If an organization-wide blocklist is configured, then you can configure either an allowlist or a blocklist at the site collection level.
For individual OneDrive site collections, you can only configure this setting by using the Set-SPOSite Windows PowerShell cmdlet.

To limit domains for a site

Sharing experience

After you limit sharing by domain, here's what you'll see when you share a document:

Sharing content with email domains that are not allowed. If you attempt to share content with a guest whose email address domain isn't allowed, an error message will display and sharing will not be allowed.
(If the user is already in your directory, you won't see the error, but they will be blocked if they attempt to access the site.)
Sharing OneDrive files with guests on domains that aren't allowed. If a user tries to share a OneDrive file with a guest whose email domain isn't allowed, an error message will display and sharing will not be allowed.
Sharing content with email domains that are allowed. Users will be able to successfully share the content with the guest. A tooltip will appear to let them know that the guest is outside of their organization.

User auditing and lifecycle management

As with any extranet sharing scenario it's important to consider the lifecycle of your guests, how to audit their activity, and eventually how to archive the site. See Planning SharePoint business-to-business (B2B) extranet sites for more information.

Domain restrictions when sharing SharePoint & OneDrive content - SharePoint in Microsoft 365 (2024)

Limiting domains

Sharing experience

User auditing and lifecycle management

See also