SharePoint Online: How to Limit External Sharing by Domain?
Requirement: Limit SharePoint Online external sharing using domains.
How to limit external sharing by domain in SharePoint Online?
External sharing in SharePoint Online allows you to share artifacts such as sites, lists, libraries, and documents with users outside your organization, such as partners and consultants. How do we restrict external sharing to specific partners’ known domains? External sharing can be limited to a list of domains in SharePoint Online: we can either allow sharing only with the listed domains or block sharing with the listed domains.
- Log in to the SharePoint Online Admin Center >> Expand “Policies” and then click on the “Sharing” link in the left navigation.
- On the Sharing page, under “More external sharing settings”, enable the “Limit external sharing by domain” checkbox and then click on the “Add domains” button.
- Now, in the Add domains panel, you can either allow specific domains or block specific domains. I’ve selected “Allow only specific domains” and then entered the list of allowed domains.
- Hit the save button once you are done. These settings affect all SharePoint Online and OneDrive for Business site collections.
Please note: you can add up to 3000 domains at the admin center and 500 domains at the site level!
Restrict SharePoint Online External Sharing by Domain using PowerShell:
We can use PowerShell to Allow or Block external sharing per domain. Here is how to whitelist specific domains in external sharing.
#Parameters
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
#Connect to Admin Center
Connect-SPOService -Url $TenantAdminURL -Credential (Get-Credential)
#Space delimited list of allowed Domains
Set-SPOTenant -SharingDomainRestrictionMode "AllowList" -SharingAllowedDomainList "crescent.com crescenttech.com"
Similarly, you can configure an external sharing deny list to block specific domains and prevent sharing with people at particular organizations:
Set-SPOTenant -SharingDomainRestrictionMode "BlockList" -SharingBlockedDomainList "crescentpartner.com crescentextranet.com"
The next time a user tries to share content with a domain that is not in the allowed list, SharePoint won’t let them continue!
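Because -SharingAllowedDomainList takes the complete space-delimited list, adding one partner later means rebuilding the list from its current value. The following is an added example, not part of the original post: it merges new domains into the existing tenant allow list, validates them, and reads the result back. The Merge-DomainList helper and the sample domains are hypothetical.

```powershell
# Added example (not from the original post). Domain names are constructed samples.
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
$NewDomains     = @("crescenttech.com", "Partner.Example.com ")

# Interactive sign-in, which also works for accounts that require MFA
Connect-SPOService -Url $TenantAdminURL

# Hypothetical helper: merge, normalise and validate a domain list
function Merge-DomainList {
    param([string]$Current, [string[]]$Add)
    # Split the existing space-delimited list, normalise case/whitespace, drop empties
    $all = @($Current -split '\s+') + $Add |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
    foreach ($d in $all) {
        # Accept bare DNS names only: no scheme, no '@', no wildcard
        if ($d -notmatch '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$') {
            throw "Not a valid domain name: '$d'"
        }
    }
    return ,@($all)
}

$tenant = Get-SPOTenant

# Switching a tenant that uses a block list to an allow list changes who can
# receive shares, so stop and let an administrator decide.
if ($tenant.SharingDomainRestrictionMode -eq 'BlockList') {
    throw "Tenant is in BlockList mode; review before switching to AllowList."
}

$merged = Merge-DomainList -Current $tenant.SharingAllowedDomainList -Add $NewDomains
if ($merged.Count -gt 3000) {   # tenant-level limit quoted in this article
    throw "Allow list would hold $($merged.Count) domains; the limit is 3000."
}

Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList ($merged -join ' ')

# Read the setting back to confirm what is now enforced
Get-SPOTenant |
    Select-Object SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList
```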
Limit External sharing by domains at Site Collection Level:
In addition to the tenant-level external sharing settings configured in the SharePoint Admin center, you can further restrict sharing settings on individual SharePoint sites. External sharing settings configured at the site collection level can override tenant-level settings (however, site collection settings can’t be more permissive than tenant-level settings).
- In the SharePoint Admin center, click on “Active sites” from the left navigation.
- Select your site collection in question >> Click on the “Sharing” button in the toolbar.
- In the Sharing panel, enable “Limit sharing by domain” and then click on “Add Domains”.
PowerShell to Limit External Sharing by Domain in SharePoint Online:
External sharing settings are controlled at both the tenant and site collection levels. We can set allowed domains at the site collection level as well, using the Set-SPOSite PowerShell cmdlet. In fact, for OneDrive for Business site collections, only PowerShell can be used for these settings. Just specify the domain list, space-separated!
#Parameters
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
$SiteURL = "https://crescent.sharepoint.com/sites/hr"
#Connect to Admin Center
Connect-SPOService -Url $TenantAdminURL -Credential (Get-Credential)
#Space delimited list of allowed Domains
Set-SPOSite -Identity $SiteURL -SharingDomainRestrictionMode "AllowList" -SharingAllowedDomainList "crescent.com crescenttech.com"
Similarly, you can block certain domains at specific site collections using the following:
Set-SPOSite -Identity $SiteURL -SharingDomainRestrictionMode "BlockList" -SharingBlockedDomainList "crescentpartner.com crescentextranet.com"
Please note: these settings will not apply when users share files and folders using “Anyone” links (anonymous sharing scenarios). Also, if there is a conflict between tenant and site collection settings, the tenant settings take precedence. Here is the Microsoft documentation: https://docs.microsoft.com/en-us/sharepoint/restricted-domains-sharing
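To check what is actually configured across the tenant, including OneDrive sites and the “Anyone” link gap noted above, the following added example (not part of the original post) reports the domain restriction on every site that permits external sharing. The wording of the Finding column is this example's own.

```powershell
# Added example (not from the original post): report domain restrictions per site.
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
Connect-SPOService -Url $TenantAdminURL   # interactive sign-in

$tenant = Get-SPOTenant
"Tenant: mode=$($tenant.SharingDomainRestrictionMode) " +
"allowed='$($tenant.SharingAllowedDomainList)' blocked='$($tenant.SharingBlockedDomainList)'"

$report = foreach ($s in Get-SPOSite -Limit All -IncludePersonalSite $true) {
    # Re-read each site by URL so the sharing properties are populated
    $site = Get-SPOSite -Identity $s.Url
    if ($site.SharingCapability -eq 'Disabled') { continue }   # no external sharing

    $finding = if ($site.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        'Anyone links enabled: domain limits do not cover them'
    } elseif ($site.SharingDomainRestrictionMode -eq 'None') {
        'No site-level domain list: only the tenant list applies'
    } else {
        'Site-level domain list set'
    }

    [pscustomobject]@{
        Url               = $site.Url
        SharingCapability = $site.SharingCapability
        DomainMode        = $site.SharingDomainRestrictionMode
        AllowedDomains    = $site.SharingAllowedDomainList
        BlockedDomains    = $site.SharingBlockedDomainList
        Finding           = $finding
    }
}

$report | Sort-Object Finding, Url | Format-Table -AutoSize -Wrap
```

The site-level SharingCapability shown here is the configured value; the effective level can be no more permissive than the tenant's.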
Wrapping up
In conclusion, limiting external sharing by domain in SharePoint Online can help to protect sensitive information and improve security. By configuring sharing settings in SharePoint Online, you can ensure that external sharing is allowed only for specific domains, or blocked for specific domains. The process of limiting external sharing by domain in SharePoint Online is relatively simple and can be done through the Microsoft 365 admin center or PowerShell. With the right sharing policies in place, you can keep your SharePoint Online data secure while still allowing external collaboration when necessary.
If we uncheck the box “Limit external sharing by domain”, will the existing users lose access?
Hi, is it possible to whitelist a specific email from the blocked domain to access the site?
The maximum number of domains that can be added is 500 and not 60 in the SharePoint admin portal.
It’s been increased to 3000 at the Admin center level and 500 at the site level.
Great overview… Can you share how this interacts with the Azure AD B2B settings for external collaboration? Are these SharePoint settings in addition to those in AAD (i.e., AAD takes precedence), or are they two distinct settings?