You blocked a domain in the SharePoint admin center, yet users still see that domain in the sharing dialog when they invite guests. The blocked domain list in SharePoint and OneDrive controls who can receive sharing invitations, but it does not filter the domain suggestions that appear in the people picker. This article explains why blocked domains remain visible and provides a step-by-step admin checklist to enforce the block and prevent accidental sharing to those domains.
Key Takeaways: Enforce Domain Blocks in SharePoint and OneDrive
- SharePoint admin center > Policies > Sharing > Blocked domains: Prevents users from sending sharing invitations to specified domains but does not hide those domains from the people picker.
- Azure AD External Identities > Cross-tenant access settings: Blocks inbound collaboration from entire domains at the tenant level, which also hides those domains from the sharing dialog.
- SharePoint Online PowerShell cmdlet Set-SPOTenant -ShowPeoplePickerSuggestionsForBlockedDomains: Set this parameter to $false to remove blocked domains from the people picker suggestions.
Why Blocked Domains Still Appear in the Sharing Dialog
The SharePoint and OneDrive sharing dialog includes a people picker that shows domain suggestions as the user types an email address. This people picker pulls suggestions from the user's recent contacts, the organization's directory, and Azure Active Directory. The blocked domain list in the SharePoint admin center only blocks the completion of a sharing invitation to that domain. It does not block the domain from appearing in the suggestions list.
When a user types an email address that ends with a blocked domain, the people picker still shows that domain in the dropdown. If the user selects it and clicks Send, SharePoint blocks the invitation and returns an error. However, the visibility of the blocked domain in the dialog causes confusion and creates a risk that users might attempt to share to that domain and then bypass the block by using a different method.
The root cause is a design separation between the people picker suggestion system and the sharing enforcement system. The people picker is managed by Azure Active Directory and Exchange Online contact lists. The sharing block is enforced by SharePoint Online at the moment the invitation is sent. To remove blocked domains from the suggestions, you must configure additional settings.
Admin Checklist to Remove Blocked Domains from the Sharing Dialog
Follow these steps in order. Each step addresses a different layer of the problem. Completing all steps ensures that blocked domains are both hidden from the people picker and blocked from receiving invitations.
1. Verify the blocked domain list in the SharePoint admin center. Go to SharePoint admin center > Policies > Sharing. Under External sharing, find Blocked domains. Make sure the domain you want to block is listed exactly as it appears in email addresses, for example `example.com`, not `www.example.com`. Click Save if you made any changes.
2. Block the domain at the Azure AD cross-tenant access level. Open the Azure AD admin center and go to External Identities > Cross-tenant access settings. Under Default settings, click Inbound access settings. Under B2B collaboration, select Block all for the domain. This prevents users from that domain from being added to your tenant through any B2B invitation method. Click Save.
3. Remove the domain from the people picker suggestions using PowerShell. Connect to SharePoint Online PowerShell with `Connect-SPOService -Url https://yourtenant-admin.sharepoint.com`. Run `Set-SPOTenant -ShowPeoplePickerSuggestionsForBlockedDomains $false`. This setting removes all blocked domains from the people picker suggestions in SharePoint and OneDrive. The change takes effect within 30 minutes.
4. Clear cached contacts from the users' people picker. Users may have previously shared files with someone at the blocked domain. Those contacts are cached in the user's Exchange Online contact list. Instruct users to open Outlook on the web, go to People, search for the domain, and delete the contacts from that domain. Alternatively, you can use the Exchange Online PowerShell cmdlet `Remove-MailboxFolder -Identity user@domain:\Contacts` to remove all contacts for a user, but this is a broad action.
5. Test the configuration. Sign in as a regular user who does not have admin permissions. Open a SharePoint site or OneDrive folder, click Share, and type an email address from the blocked domain. The domain should not appear in the dropdown. If you press Enter anyway, the system should return an error message stating that sharing is not allowed with that domain.
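The admin-side steps of the checklist as one script, an added example that is not from the article or from Microsoft: it normalises the domain spelling the way step 1 requires, writes the list with the standard Set-SPOTenant parameters SharingDomainRestrictionMode and SharingBlockedDomainList, applies the people-picker parameter exactly as the article names it in step 3, and re-reads the tenant to catch the spelling mismatch described later (contoso.co.uk vs contoso.com). The tenant URL is a placeholder and the domains are constructed samples.

```powershell
# Added example, not from the article: audit and enforce the SharePoint blocked-domain
# list, then apply the people-picker setting the article names. Assumes the SharePoint
# Online Management Shell module is installed; the tenant URL below is a placeholder.
param(
    [string]$AdminUrl = "https://yourtenant-admin.sharepoint.com",   # placeholder tenant
    [string[]]$DomainsToBlock = @("example.com", "www.contoso.com", "user@Fabrikam.com")  # constructed
)

# Normalise admin input to the bare domain as it appears in email addresses:
# "www.example.com" or "user@Example.com" become "example.com".
function ConvertTo-BareDomain {
    param([Parameter(Mandatory)][string]$Value)
    $d = $Value.Trim().ToLowerInvariant()
    if ($d.Contains('@')) { $d = $d.Split('@')[-1] }
    return ($d -replace '^www\.', '')
}

# Get-SPOTenant exposes the list as one space-separated string; turn it into an array.
function Get-BlockedDomainArray {
    $t = Get-SPOTenant
    return @(([string]$t.SharingBlockedDomainList) -split '\s+' | Where-Object { $_ })
}

Connect-SPOService -Url $AdminUrl
$tenant  = Get-SPOTenant
$current = Get-BlockedDomainArray
$wanted  = @($DomainsToBlock | ForEach-Object { ConvertTo-BareDomain $_ } | Sort-Object -Unique)
$missing = @($wanted | Where-Object { $current -notcontains $_ })

# The list is only enforced while the restriction mode is BlockList.
if ($tenant.SharingDomainRestrictionMode -ne 'BlockList' -or $missing.Count -gt 0) {
    $merged = @($current + $missing | Sort-Object -Unique)
    Set-SPOTenant -SharingDomainRestrictionMode BlockList -SharingBlockedDomainList ($merged -join ' ')
}

# People-picker parameter as named in the article (step 3 of the checklist).
Set-SPOTenant -ShowPeoplePickerSuggestionsForBlockedDomains $false

# Re-read the tenant and flag spelling mismatches such as contoso.co.uk vs contoso.com:
# an address whose bare domain is not in the list is NOT blocked.
$now = Get-BlockedDomainArray
foreach ($d in $wanted) {
    if ($now -contains $d) { Write-Output "blocked: $d" }
    else { Write-Warning "NOT in blocked list (check spelling): $d" }
}
```

Run it from an account holding the SharePoint Administrator role; the final loop is the check to repeat whenever a domain is added to the list after the setting was first applied.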
If Blocked Domains Still Appear After the Main Fix
Blocked domain still shows in the people picker after running PowerShell
The PowerShell setting ShowPeoplePickerSuggestionsForBlockedDomains only affects domains that are already in the blocked list. If you added the domain to the blocked list after running the PowerShell command, you must run the command again. Run Set-SPOTenant -ShowPeoplePickerSuggestionsForBlockedDomains $false again to refresh the setting. Also verify that the domain is spelled exactly the same in the blocked list as it appears in the people picker. For example, if the blocked list has contoso.co.uk but users are typing contoso.com, the domain is not actually blocked.
Users can still share to the blocked domain through other methods
The SharePoint blocked domain list only blocks sharing through the SharePoint and OneDrive sharing dialog. Users can still share files by sending a direct link through email or by adding the external user to a Microsoft 365 group that contains the site. To block these methods, use the Azure AD cross-tenant access settings as described in step 2 of the checklist. Additionally, disable external sharing for sensitive sites by setting the sharing level to Only people in your organization in the site's sharing settings.
Blocked domain still appears in the sharing dialog on mobile devices
The SharePoint and OneDrive mobile apps use the same people picker as the web version. The PowerShell setting ShowPeoplePickerSuggestionsForBlockedDomains applies to all platforms. If the domain still appears in the mobile app, clear the app cache. On iOS, go to Settings > SharePoint > Clear Cache. On Android, go to Settings > Apps > SharePoint > Storage > Clear Cache. Then sign out and sign back in.
SharePoint Blocked Domains vs Azure AD Cross-Tenant Block: Key Differences
| Item | SharePoint Blocked Domains | Azure AD Cross-Tenant Block |
|---|---|---|
| Scope | SharePoint and OneDrive sharing dialogs only | All B2B collaboration across the tenant, including groups, Teams, and SharePoint |
| Blocks invitation | Yes, at the moment the user clicks Send | Yes, at the moment the external user is added to the tenant |
| Hides domain from people picker | No, unless you set ShowPeoplePickerSuggestionsForBlockedDomains to $false | Yes, the domain does not appear in the people picker at all |
| Configuration location | SharePoint admin center or SharePoint Online PowerShell | Azure AD admin center or Azure AD PowerShell |
| Applies to existing guests | No, existing guests from the blocked domain can still access shared content | Yes, existing guests from the blocked domain lose access after the policy is saved |
Use the SharePoint blocked domain list for a quick, narrow block on sharing. Use the Azure AD cross-tenant block for a comprehensive block that prevents any collaboration with the domain. For best results, configure both.
You can now enforce a domain block that hides the domain from the sharing dialog and prevents all sharing attempts to that domain. Start by verifying your blocked domain list in the SharePoint admin center, then apply the PowerShell setting to remove those domains from the people picker. For a stronger block, add the domain to the Azure AD cross-tenant access block list. As an advanced step, consider using SharePoint site-level sharing policies to restrict external sharing to only specific domains, which gives you more granular control than a tenant-wide block.