Requirement: Limit SharePoint Online external sharing using domains
How to limit external sharing by domain in SharePoint Online?
External Sharing in SharePoint Online allows you to share artifacts such as site, list or library, document with users outside your organization such as partners and consultants. How do we restrict external sharing only to specific partner’s known domains? Well, External sharing can be limited with a list of domains in SharePoint Online. We can either allow sharing only to these domains or block sharing only to given domains.
- Login to SharePoint Online Admin Center >> Expand “Policies” and then click on the “Sharing” link in the left navigation.
- In the Sharing page, Under More external sharing settings, enable the “Limit external sharing by domain” checkbox and then click on the “Add domains” button.
- Now, in the Add domains panel, you can either allow specific domains or block specific domains. I’ve selected “Allow only specific domains” and then entered the list of allowed domains.
- Hit the save button once you are done. These settings affect all SharePoint Online and OneDrive for Business site collections.
Please note, You can add up to 3000 domains at the admin center and 500 domains at the site level!
Restrict SharePoint Online External Sharing by Domain using PowerShell:
We can use PowerShell to Allow or Block external sharing per domain. Here is how to whitelist specific domains in external sharing.
#Parameters $TenantAdminURL = "https://crescent-admin.sharepoint.com" #Connect to Admin Center Connect-SPOService -Url $TenantAdminURL -Credential (Get-Credential) #Space delimited list of allowed Domains Set-SPOTenant -SharingDomainRestrictionMode "AllowList" -SharingAllowedDomainList "crescent.com crescenttech.com"
Similarly, you can configure an external sharing deny list to block specific domains to prevent sharing with people at particular organizations,
Set-SPOTenant -SharingDomainRestrictionMode "BlockList" -SharingBlockedDomainList "crescentpartner.com crescentextranet.com"
Next time, when a user tries to share content, Sharing with a domain, not in the allowed list won’t let them continue!
Limit External sharing by domains at Site Collection Level:
In addition to the tenant-level external sharing settings configured in the SharePoint Admin center, you can also further restrict sharing settings on individual SharePoint sites. External sharing settings configured at site collection settings can override tenant-level settings (However, site collection settings can’t be more permissive than tenant-level settings).
- In the SharePoint Admin center, Click on “Active sites” from the left navigation
- Select your site collection in question >> Click on the “Sharing” button in the toolbar
- In the Sharing panel, Enable “Limit sharing by domain” and then click on “Add Domains”
PowerShell to Limit External Sharing by Domain in SharePoint Online:
External sharing settings are controlled at both the tenant and site collection levels. We can set allowed domains at the site collection level as well using Set-SPOSite PowerShell cmdlet. In fact, for OneDrive for Business site collections, only PowerShell can be used for these settings. Just specify the domains list space-separated!
#Parameters $TenantAdminURL = "https://crescent-admin.sharepoint.com" $SiteURL = "https://crescent.sharepoint.com/sites/hr" #Connect to Admin Center Connect-SPOService -Url $TenantAdminURL -Credential (Get-Credential) #Space delimited list of allowed Domains Set-SPOSite -Identity $SiteURL -SharingDomainRestrictionMode "AllowList" -SharingAllowedDomainList "crescent.com crescenttech.com"
Similarly, you can block certain domains at specific site collection using:
Set-SPOSite -Identity $SiteURL -SharingDomainRestrictionMode "BlockList" -SharingBlockedDomainList "crescentpartner.com crescentextranet.com"
Please note, These settings will not apply when users share files and folders using “Anyone” links (anonymous sharing scenarios). Also, if there is a conflict between tenant and site collection, then tenant settings take precedence. Here is the Microsoft documentation: https://docs.microsoft.com/en-us/sharepoint/restricted-domains-sharing