Restricted Domains Sharing in Office 365 SharePoint Online and OneDrive for Business

SharePoint Online Business-to-Business (B2B) Collaboration

Manage external access to your Office 365 tenant for OneDrive for Business and SharePoint Online Extranet B2B (Business-to-Business) sites by using the Allow List or Deny List feature to restrict access to specific email domains.

Using the Restricted Domains sharing feature for SharePoint Online B2B Extranet Sites and OneDrive for Business

The Office 365 tenant administrator now has an additional feature with which to manage the secure sharing experience when collaborating with external partners. This is a complementary feature to the Office 365 Business-to-Business extranet solutions architecture.

At a tenant level, administrators can configure external sharing by using either the Allow List or Deny List feature. Administrators can limit sharing invitations to a limited number of email domains by listing them in the Allow List or opt to use the Deny List, listing email domains to which users are prohibited to extend invitations.

Note: If you choose to include the Allow List or Deny List feature as part of the complete extranet solution, it must be configured at the Tenant level before you enable sharing at the Site Collection level. For additional information, see Create a partner-facing Extranet Site in Office 365 and Manage external sharing for your SharePoint Online environment.

To restrict domains in external sharing in Office 365 SharePoint Online and OneDrive for Business

  1. Sign in to Office 365 as a Global or SharePoint Online admin.

  2. Go to the SharePoint Admin Center.

  3. Select the Sharing tab.

  4. Under Sharing outside your organization, select Allow users to invite and share with authenticated users.

    Sharing outside your organization with external sharing feature
  5. From the drop-down list, choose either Don’t allow sharing with users from these blocked domains to deny access to the targeted domains, or Allow sharing only with users from these domains to limit access to only the domains you list.

  6. List the domains in the box provided, using the format domain.com. If listing more than one domain, separate each domain with a space or a paragraph return. The following picture shows an example:

    Additional settings for limiting external sharing in Office 365 SPO

    Note: Wildcards are NOT supported for domain entries.

    Note: This restricted domains list is not configurable at the Site Collection level. It is configurable only at the SharePoint Online & OneDrive for Business Tenant level.

  7. Select External users must accept sharing invitations using the same account that the invitations were sent to. While not required, we strongly recommend checking this box to enhance your security when sending invitations to external partners.

    Important: We recommend that you disable anonymous links. When users share via anonymous links, people who receive the link don’t need to sign in to access the shared content, so these additional settings don’t apply to anonymous links. If you allow anonymous links at the tenant level, then at the Site Collection level someone could select anonymous links and bypass the control you have put in place through the Allow List and Deny List feature.

    Note: External sharing in your OneDrive for Business in the tenant also honors the restricted list of domains configured at the tenant level.

Programmatic way to configure restricted domains sharing

Additional parameters have been added to the PowerShell cmdlet, Set-SPOTenant, to allow configuration of restricted domains using PowerShell. Use these new parameters depending on how you plan to use the feature. They are:

  • SharingDomainRestrictionMode

  • SharingAllowedDomainList

  • SharingBlockedDomainList

Example:    The following example adds the domains adatum.com and fabrikam.com to the allowed domain list and enables the Allow List mode:

Set-SPOTenant -SharingAllowedDomainList "adatum.com fabrikam.com" -SharingDomainRestrictionMode AllowList

Note: The new PowerShell parameters listed above are available as of SharePoint Online Management Shell version 16.0.4915.1200, which can be downloaded here: SharePoint Online Management Shell.
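The following script is an added example and is not code from the original article. It applies the two Set-SPOTenant parameters described above and then reads the tenant settings back with Get-SPOTenant, so that the administrator confirms what was actually stored rather than trusting a silent call; it also surfaces the tenant-level anonymous-link setting, since the domain restriction does not apply to anonymous links. The admin URL contoso-admin.sharepoint.com is a placeholder, and the two partner domains are the ones from the article's own example.

```powershell
# Added example, not code from the original article.
# Assumptions: the SharePoint Online Management Shell is installed, and
# 'contoso-admin' is a placeholder for your own tenant's admin site name.

$AdminUrl       = 'https://contoso-admin.sharepoint.com'   # placeholder
$PartnerDomains = @('adatum.com', 'fabrikam.com')          # domains from the article's example

Connect-SPOService -Url $AdminUrl

# Both list parameters take ONE string of space-separated domains (no wildcards),
# so the array is joined before it is passed. Setting the mode to AllowList
# activates SharingAllowedDomainList; BlockList would activate
# SharingBlockedDomainList instead.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList ($PartnerDomains -join ' ') `
              -RequireAcceptingAccountMatchInvitedAccount $true   # the checkbox from step 7

# Read the settings back instead of assuming the call succeeded.
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability,
                        SharingDomainRestrictionMode,
                        SharingAllowedDomainList,
                        SharingBlockedDomainList,
                        RequireAcceptingAccountMatchInvitedAccount

# The domain restriction never applies to anonymous links, so flag the
# tenant-level sharing capability that still allows them.
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning 'Anonymous (guest) links are enabled at the tenant level; the Allow List does not apply to them.'
}
```

The read-back at the end is the useful part: the domain list is stored as a single string, so a typo such as a comma instead of a space is only visible when you look at what the tenant actually holds.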

Removing email domains from the Allow List after initial configuration

If you entered a partner’s domain into the Allow List but that business relationship has now ended, it is important to remove their domain name to prevent further invitations from being sent.

  1. Sign into Office 365 as a Global or SharePoint Online admin.

  2. Go to the SharePoint admin center.

  3. Select the external sharing tab.

  4. Under Sharing outside your organization, select Additional Settings. Remove the partner’s domain(s) entries from the domains list.

  5. Follow steps in Lifecycle management of business partner users.

Adding email domains to the Deny List after initial configuration

If you need to add a partner’s domain name to the Deny List after the initial configuration, follow these steps:

  1. Sign into Office 365 as a Global or SharePoint Online admin.

  2. Go to the SharePoint admin center.

  3. Select the external sharing tab.

  4. Under Sharing outside your organization, select Additional Settings. Add the partner’s domain(s) to the domains list.

  5. Follow steps in Lifecycle management of business partner users.
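Both procedures above (removing a domain from the Allow List and adding one to the Deny List) can also be done with Set-SPOTenant. The helpers below are an added example, not code from the original article; the function names are my own. Because each list parameter replaces the whole list, the helpers first read the current list from Get-SPOTenant and then write back the modified list, so the other partner domains are preserved. They assume an existing Connect-SPOService session.

```powershell
# Added example, not code from the original article.
# Assumes Connect-SPOService has already been run in this session.

function ConvertTo-DomainArray {
    # Split the space- or newline-separated string stored in the tenant into an array.
    param([string]$RawList)
    return @($RawList -split '\s+' | Where-Object { $_ -ne '' })
}

function Remove-AllowedPartnerDomain {
    param([Parameter(Mandatory)][string]$Domain)
    $tenant = Get-SPOTenant
    if ($tenant.SharingDomainRestrictionMode -ne 'AllowList') {
        throw "Tenant is in mode '$($tenant.SharingDomainRestrictionMode)', not AllowList."
    }
    $current   = ConvertTo-DomainArray $tenant.SharingAllowedDomainList
    $remaining = @($current | Where-Object { $_ -ne $Domain })   # -ne is case-insensitive
    if ($remaining.Count -eq $current.Count) {
        Write-Warning "$Domain was not in the Allow List; nothing changed."
        return
    }
    if ($remaining.Count -eq 0) {
        Write-Warning 'The Allow List would become empty; set SharingDomainRestrictionMode to None if you intend to lift the restriction.'
    }
    Set-SPOTenant -SharingAllowedDomainList ($remaining -join ' ')
}

function Add-BlockedPartnerDomain {
    param([Parameter(Mandatory)][string]$Domain)
    $tenant = Get-SPOTenant
    if ($tenant.SharingDomainRestrictionMode -ne 'BlockList') {
        throw "Tenant is in mode '$($tenant.SharingDomainRestrictionMode)', not BlockList."
    }
    $current = ConvertTo-DomainArray $tenant.SharingBlockedDomainList
    if ($current -contains $Domain) {          # -contains is case-insensitive too
        Write-Warning "$Domain is already in the Deny List; nothing changed."
        return
    }
    Set-SPOTenant -SharingBlockedDomainList (($current + $Domain) -join ' ')
}

# Usage (adatum.com is the article's example domain):
# Remove-AllowedPartnerDomain -Domain 'adatum.com'
# Add-BlockedPartnerDomain    -Domain 'adatum.com'
```

Removing a domain from a list only stops new invitations; existing partner users keep whatever access they already have, which is why step 5 of both procedures points to the lifecycle management checklist.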

Lifecycle management of business partner users

When a contract with a business partner ends, it is important that you remove any access that the external business partner has to SharePoint Online. Here is the checklist of administrative actions you need to take:

  • Archive.    Archive the SharePoint Online B2B site that you created for your partner in the O365 tenant.

  • Remove Permissions.    Remove permissions from the partner users accounts that allowed access to the site(s). This can be done by either removing the security group of which they were a member, or by removing their user identity from the Site Settings > Site Permissions > Members page. See Plan your permissions strategy for detail.

  • Delete Partner User Accounts.   

    • Delete the partner user(s) from the SharePoint Online B2B Site. Browse to Site Settings > Site Permissions to delete the user(s) from any corresponding Groups to which they belong.

    • Delete the partner user(s) from Azure Active Directory, provided they no longer need access to any other tenant resources besides SharePoint Online and OneDrive for Business. See Delete or restore users on how to delete users from Office 365.

      • Alternatively, browse to the O365 Admin Center and navigate to External Sharing and then to External Users. Delete all external users who belong to the partner's email domain.

Auditing and Reporting of Guest Users

The Office 365 activity report in the Office 365 Compliance Center is used to view Office 365 user and admin activity within your company. The report can be filtered by date and user activity events to monitor SharePoint Online Extranet invitation status, who has sent invitations and who has accepted.

For details on how to monitor the status of your extranet account invitations, including who sent the invitation, who requested it, and whether it was accepted, revoked or expired, see Search the audit log in the Office 365 Protection Center.

Example 1:    

To create a report that shows who has been sent invitations to your Extranet site and who issued the invitation, set your report filters this way:

Office 365 Activity Report filtered for invitation creation

Example 2:   

To create a report showing all file access activities for an external partner, set your event filters as follows:

Office 365 Activity report showing all activity for an Extranet Partner
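The same two views can be pulled from the unified audit log with PowerShell, which is convenient when the review is repeated on a schedule. This is an added example and not code from the original article. It assumes an Exchange Online PowerShell session that exposes Search-UnifiedAuditLog; the operation name SharingInvitationCreated is taken from the audit log's sharing activity names and should be checked against the activity list in your own tenant; user@adatum.com is a placeholder partner account.

```powershell
# Added example, not code from the original article.
# Assumptions: Search-UnifiedAuditLog is available (Exchange Online PowerShell),
# the operation name below matches your tenant's audit activity list, and
# 'user@adatum.com' is a placeholder for a real partner account.

$Start = (Get-Date).AddDays(-30)
$End   = Get-Date

# Example 1: who sent extranet invitations, and to whom. AuditData is a JSON
# string; TargetUserOrGroupName is the invited address, UserId the sender.
$invites = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
               -Operations SharingInvitationCreated -ResultSize 5000

$invites | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When     = $d.CreationTime
        SentBy   = $d.UserId
        SentTo   = $d.TargetUserOrGroupName
        Resource = $d.ObjectId
    }
} | Sort-Object When | Format-Table -AutoSize

# Example 2: everything one external partner account did in the period.
$partner = 'user@adatum.com'   # placeholder external account
Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $partner -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $d.CreationTime; Operation = $d.Operation; Resource = $d.ObjectId }
    } | Sort-Object When | Format-Table -AutoSize
```

A single call returns at most 5000 records, so narrow the date range or use the cmdlet's session paging when a partner's activity exceeds that.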

Scenarios where Restrict Domains sharing is not supported

The ability to restrict domain sharing on SharePoint Online B2B Extranet sites using the Allow List / Deny List feature is not supported for:

  • Server-to-Server (S2S) based scenarios. These are scenarios that span across Office 365 resources. An example is eDiscovery in Office 365, where the user is authenticating and accessing resources across the workloads.

Configure SharePoint Hybrid Sites Follow feature to connect your SharePoint (optional)

If you are a SharePoint 2013 or SharePoint 2016 on-premises customer, you can choose to connect your on-premises SharePoint installation to Office 365 to offer a seamless navigation experience to your corporate users while at the same time keeping the B2B Extranet Sites in Office 365 isolated from on-premises. See SharePoint hybrid sites and search for more details.

End User Sharing Experience

After you have configured the Restricted Domains sharing feature, your end users will experience the following scenarios in the site collections in which external sharing is turned on.

  • Sharing content with email domains that are not allowed.     If your end user attempts to share content with an external user whose email address domain violates your restricted domains settings, an error message will display and sharing will not be allowed:

    If a user attempts to share a document with an email address that is restricted, they will receive this error.
  • Sharing OneDrive for Business files to email domains that are not allowed.     If your end user is attempting to share their OneDrive for Business file with an external user whose email domain is not allowed as a result of your restricted domains configuration:

    Users receive this error when attempting to share a OneDrive document to a restricted domain address.
  • Sharing content with email domains that are allowed.     If your end user is attempting to share content with an external user who has an email address domain that is allowed, they will be able to successfully share the content with that external user. A tool tip lets the user know that the recipient is outside of your organization.

    Successfully sharing content with restricted users.

  • Sharing OneDrive for Business files to email domains that are allowed.    If your end user is attempting to share their OneDrive for Business file with an external user whose email domain is allowed it will successfully share the content. If you are also including internal users when you share the content, you will be informed of those on the list who are external to your organization.

    Successfully sharing content with internal and external users.

See Also

Manage external sharing for your SharePoint Online environment

Extranet for Partners with Office 365

Create a partner-facing Extranet Site in Office 365

Buy licenses for your Office 365 for business subscription

SharePoint hybrid sites and search

Organizational relationships in Exchange Server

Let your Skype for Business users communicate with external Skype for Business users
