Restrict sharing of SharePoint and OneDrive content by domain

To restrict sharing with other organizations, either at the organization level or site level, limit sharing by domain.

Note

If you enroll in the SharePoint and OneDrive integration with Microsoft Entra B2B, SharePoint invitations also follow any domain restrictions configured in Microsoft Entra ID.

Limiting domains

You can limit domains by allowing only the domains you specify or by allowing all domains except those you block.

Limit domains at the organization level

  1. Go to Sharing in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.

    If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Sharing page.

  2. Under More external sharing settings, select the Limit external sharing by domain check box, and then select Add domains.

  3. To create an allow list (most restrictive), select Allow only specific domains; to block only the domains you specify, select Block specific domains.

  4. List the domains (maximum of 5,000) in the box provided, using the format domain.com. If you list more than one domain, enter each domain on a new line.

    Wildcards aren't supported for domain entries.

  5. Select Save.

You can also configure the organization-wide setting by using the Set-SPOTenant PowerShell cmdlet.

Limit domains at the site level

You can also limit domains at the site level. Keep the following considerations in mind:

  • In there are conflicts, the organization-wide configuration takes precedence over the site configuration.
  • If you set up an organization-wide allow list and you want to set up a site-level allow list, the site-level allow list must be a subset of the organization's allow list.
  • If you set up an organization-wide block list, you can set up either an allow list or a block list at the site collection level.
  • For individual OneDrive site collections, you can only set up limit domains by using the Set-SPOSite Windows PowerShell cmdlet.

Limit the domains for a site

  1. Go to Active sites in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.

    If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the More features page.

  2. Select the site name that you want to restrict domains to open the details panel.

  3. On the panel, select the Settings tab and select More sharing settings under External sharing.

  4. Under Advanced settings for external sharing, select the Limit external sharing by domain check box, and then select Add domains.

  5. Select Allow only specific domains to create an allow list (must be a subset of the organization's allow list), or to block only the domains you specify, select Block specific domains. You can't use the Block specific domains feature if your organization already set up an allow list.

  6. List the domains (maximum of 500) in the box provided, using the format domain.com. If listing more than one domain, enter each domain on a new line.

    Wildcards aren't supported for domain entries.

  7. Select Save, and then select Save again.

Note

To configure the site collection setting for site collections that don't appear in this list (such as Group-connected sites or individual OneDrive site collections), you must use the Set-SPOSite PowerShell cmdlet.

Sharing experience

After you limit sharing by domain, here's what you see when you share a document:

  • Sharing content with email domains that aren't allowed. If you attempt to share content with a guest whose email address domain isn't allowed, an error message displays, and sharing isn't allowed.

    (If the user is already in your directory, you don't see the error, but they're blocked if they attempt to access the site.)

    Screenshot of sharing error message when sharing with blocked user.

  • Sharing OneDrive files with guests on domains that aren't allowed. If a user tries to share a OneDrive file with a guest whose email domain isn't allowed, an error message displays, and sharing isn't allowed.

    Screenshot of error message when sharing OneDrive files with blocked users.

  • Sharing content with email domains that are allowed. Users can successfully share the content with the guest. A tooltip appears to let them know that the guest is outside of their organization.

    Screenshot of successfully sharing content with restricted users.

User auditing and lifecycle management

As with any extranet sharing scenario, it's important to consider the lifecycle of your guests, how to audit their activity, and eventually how to archive the site. As a site owner or admistrator, you can create a CSV file of every unique file, user, permission, and link on a given SharePoint site or OneDrive. As a SharePoint admin or other administrator, with SharePoint advanced management, you can run Data access governance reports to audit shared links. See Planning SharePoint business-to-business (B2B) extranet sites for more information.

See also

External sharing overview

Extranet for Partners with Microsoft 365

Set-SPOTenant

  • Last updated on