Share SharePoint sites with specific domains only

 

Sharing with external users (outside your organisation) has never been easier with SharePoint Online. A good business case could be the use of Extranet sites. You have business partners you wish to collaborate with, securely and quickly, without the hassle of setting up a complex infrastructure.

In this blog post, we’ll look at configuring the sharing settings of a SharePoint Online site collection so that it can be shared with external users, but only with specific domain(s).

UPDATE
March 26th 2020: You can now restrict external sharing by domain for individual site collections from the SharePoint Admin Center. The full description is in the official Microsoft documentation.

Preparation

If we want to share externally, then we need to make sure that the tenant sharing settings are not set to “Only people in your organisation”.

Navigate to the SPO Admin Center –> Sharing (left pane under “Policies”). Choose between “New and existing guests” or “Existing guests” depending on your business requirements.


If you expand the menu called “Advanced settings for external sharing” right under the permissions, we have the option to limit external sharing to specific domains.

HOWEVER, this will be for the entire tenant! Remember, we are currently in the Admin Center. Therefore, this is not where we should enable this feature for our extranet sites scenario. We want to drill down a bit more, and enable this only at the site level.


Now that we have the tenant settings configured, let’s create a site collection, and call it “myExtranet” for simplicity. Observe the sharing settings, which allow external access to new and existing guest users.


Where are my Modern Sites?

It should be no surprise to most Office 365 / SharePoint admins that we currently have two SPO Admin Centers: Classic and “New”. There are some tasks that are (still) only available in the Classic admin center. So let’s go there… And this is when we remember that our modern sites are not showing up in the list! 😲 So how are we going to change the settings at the site collection level?

Well, at the time of writing (May 2019), the only way is to use PowerShell with the Set-SPOSite cmdlet.
 

Set external sharing to specific domains with PowerShell

Now that we know we need to use PowerShell, let’s do it. Download the SharePoint Online Management Shell module (also available in the PowerShell Gallery) if you haven’t already, and start whatever editor you prefer.

# Connect to SPO (use the admin URL of the tenant)
$creds = Get-Credential
Connect-SPOService -Url "https://<TENANT_NAME>-admin.sharepoint.com" -Credential $creds

# Set sharing settings to specific domain only
# (separate multiple domains with a space inside the quoted string)
Set-SPOSite -Identity "https://<TENANT_NAME>.sharepoint.com/sites/myExtranet" -SharingAllowedDomainList "<theAllowedDomain.com>" -SharingDomainRestrictionMode AllowList

 

To make sure it worked, run the following:

Get-SPOSite -Identity "https://<TENANT_NAME>.sharepoint.com/sites/myExtranet" | Select-Object SharingAllowedDomainList

 

Test external sharing with domains allowed

Now’s the time to check it really worked! Let’s connect to our myExtranet site, and try to share with different domains.

Sharing with an Allowed domain will simply tell me the user is outside my organisation, but will let me continue.


Sharing with a domain that is not in the Allowed list will not let me continue; only Cancel is possible!


Considerations

  • Organization-wide settings affect all SharePoint Online site collections, including the OneDrive for Business site collection
  • Wildcards are not supported for domain entries
  • In the case of conflicts, the organization-wide configuration takes precedence over the site collection configuration
  • If an organization-wide allow list is configured, then you can only configure an allow list at the site collection level
  • If an organization-wide deny list is configured, then you can configure either an allow list or a deny list at the site collection level
  • For OneDrive for Business site collections, you can only configure this setting by using the Set-SPOSite PowerShell cmdlet
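
The PowerShell steps and the considerations above can be combined into one guarded change. The script below is an added example, not part of the original post: it rejects wildcard entries, checks the organization-wide settings that take precedence, applies the allow list, and reads the site back to confirm it. It assumes Connect-SPOService has already been run; $SiteUrl and $Domains are illustrative variable names holding placeholder values.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-SPOService session. $SiteUrl and $Domains are placeholders.
$SiteUrl = "https://<TENANT_NAME>.sharepoint.com/sites/myExtranet"
$Domains = @("<theAllowedDomain.com>")

# Wildcards are not supported for domain entries: stop before calling the service.
$bad = $Domains | Where-Object { $_ -match '[\*\?\s]' }
if ($bad) { throw "Unsupported domain entries: $($bad -join ', ')" }

# Organization-wide settings take precedence, so read them first.
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -eq 'Disabled') {
    throw "External sharing is disabled for the whole tenant."
}
if ($tenant.SharingDomainRestrictionMode -eq 'AllowList') {
    # A tenant allow list wins in a conflict: flag domains it does not contain.
    $tenantAllowed = "$($tenant.SharingAllowedDomainList)" -split '\s+' |
        Where-Object { $_ }
    $missing = $Domains | Where-Object { $tenantAllowed -notcontains $_ }
    if ($missing) {
        Write-Warning "Not in the tenant allow list: $($missing -join ', ')"
    }
}

# Apply the site-level allow list (domains are passed space-separated).
Set-SPOSite -Identity $SiteUrl -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList ($Domains -join ' ')

# Read the site back and confirm both the mode and the list.
$site = Get-SPOSite -Identity $SiteUrl
$want = ($Domains | Sort-Object) -join ' '
$have = ("$($site.SharingAllowedDomainList)" -split '\s+' |
    Where-Object { $_ } | Sort-Object) -join ' '
if ($site.SharingDomainRestrictionMode -ne 'AllowList' -or $want -ne $have) {
    throw "Site settings do not match the requested allow list."
}
if ($site.SharingCapability -eq 'Disabled') {
    Write-Warning "External sharing is disabled on this site; the allow list has no effect yet."
}
$site | Select-Object Url, SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList
```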