SharePoint Blocked Domains Still Appear in the Sharing Dialog: What Site Owners Should Check

You added a domain to the SharePoint blocked list, but that domain still shows up when you or your users try to share files and sites. This problem typically occurs because SharePoint enforces domain blocking at the tenant level, but the sharing dialog caches domain suggestions from the global address list and recent contacts. Site owners often assume the blocked domain is removed from the sharing dialog immediately after the policy is saved. This article explains why blocked domains persist in the sharing dialog and what settings site owners and administrators must verify to resolve the issue.

Key Takeaways: Blocked Domains Still Appear in SharePoint Sharing Dialog

  • SharePoint admin center > Policies > Sharing: Controls the list of blocked domains for all SharePoint sites and OneDrive.
  • Global address list cache: Domain suggestions in the sharing dialog come from cached contacts, not from the blocked domain policy.
  • Site-level sharing settings: A site owner must verify that the site does not override the tenant-level blocked domain list.

Why Blocked Domains Still Show in the SharePoint Sharing Dialog

The blocked domains feature in SharePoint is a tenant-level security control. When you add a domain to the blocked list, SharePoint prevents sharing with external email addresses that end with that domain. However, the sharing dialog displays suggested recipients based on two separate data sources that the blocked domain policy does not filter.

The Sharing Dialog Uses Two Data Sources

The SharePoint sharing dialog shows suggested people from the global address list in Exchange Online and from the recent contacts list of the user who is sharing. These suggestions appear as autocomplete entries when a user types an email address. The blocked domain policy only blocks the actual share action after the user selects a recipient and clicks the share button. The dialog does not remove the domain from the autocomplete suggestions.

Domain Blocking Is Enforced at the Share Action, Not the Dialog Display

When a user selects a recipient whose email domain is on the blocked list and clicks Share, SharePoint displays an error message stating that sharing with that domain is not allowed. The domain remains visible in the suggestions because the policy is enforced at the permission-granting step, not at the suggestion-display step. This behavior is by design in SharePoint and Microsoft 365.

Site-Level Sharing Settings Can Override the Tenant Policy

A site owner can configure site-level sharing settings that allow sharing with all external domains, including those blocked at the tenant level. If the site-level setting is Anyone, or New and existing guests without domain restrictions, the blocked domain policy may not apply. The tenant blocked domain list only applies when the site-level sharing setting is Existing guests or Only people in your organization.

Steps to Verify and Fix Blocked Domains in the Sharing Dialog

Follow these steps to check the tenant-level blocked domain list, review site-level sharing settings, and clear cached suggestions from the sharing dialog.

Step 1: Confirm the Blocked Domain List in the SharePoint Admin Center

  1. Open the SharePoint admin center
    Sign in to the Microsoft 365 admin center with a Global Administrator or SharePoint Administrator account. In the left navigation, select Admin centers and then select SharePoint.
  2. Go to the Sharing policy
    In the SharePoint admin center, select Policies in the left menu. Then select Sharing from the list of policy types.
  3. Check the blocked domains section
    Scroll down to the Blocked domains section. Verify that the domain you want to block appears in the list. If the domain is missing, add it by typing the domain name in the format example.com and selecting Save.
  4. Verify the domain format
    Ensure the domain is entered without a leading @ symbol or subdomain unless you intend to block only that subdomain. For example, example.com blocks all email addresses ending with @example.com. Blocking sub.example.com blocks only that subdomain.

Step 2: Check the Site-Level Sharing Settings

  1. Open the site where blocked domains appear
    Navigate to the SharePoint site where users see the blocked domain in the sharing dialog. Select the gear icon in the top right corner and then select Site permissions.
  2. Review sharing settings
    On the Site permissions page, select Sharing settings. Look for the Sharing options section. The setting must be either Existing guests or Only people in your organization for the tenant blocked domain list to apply. If the setting is either Anyone or New and existing guests, the blocked domain policy is not enforced on this site.
  3. Change the site-level sharing setting if needed
    If the site-level setting allows sharing with all external domains, select Existing guests or Only people in your organization. Select Save to apply the change.
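
The tenant and site checks from Steps 1 and 2 can also be read from PowerShell. The following is an added example, not part of the original article: Test-BlockedDomainConfig is a hypothetical helper, and the sample objects are constructed stand-ins for the output of Get-SPOTenant and Get-SPOSite.

```powershell
# Added example. Live input: $t = Get-SPOTenant; $s = Get-SPOSite -Identity <site URL>
# (SharePoint Online Management Shell). The objects at the bottom are constructed.
function Test-BlockedDomainConfig {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] $Site,
        [Parameter(Mandatory)] [string] $Domain
    )
    $wanted = $Domain.Trim().TrimStart('@').ToLowerInvariant()

    # Step 1: the tenant has to be in block-list mode and contain the domain.
    $mode = "$($Tenant.SharingDomainRestrictionMode)"
    if ($mode -ne 'BlockList') {
        "Tenant domain restriction mode is '$mode', not 'BlockList'."
    }
    # SharingBlockedDomainList is one space-separated string.
    $entries = @("$($Tenant.SharingBlockedDomainList)" -split '\s+' | Where-Object { $_ })
    if ($entries -notcontains $wanted) {      # -notcontains is case-insensitive
        "'$wanted' is not in the tenant blocked domain list."
    }
    # Step 1.4: an entry typed with a leading @ does not match a mail domain.
    foreach ($e in ($entries | Where-Object { $_.StartsWith('@') })) {
        "Entry '$e' has a leading @; re-enter it as '$($e.TrimStart('@'))'."
    }

    # Step 2: map SharingCapability to the labels shown in Site permissions.
    $labels = @{
        ExternalUserAndGuestSharing     = 'Anyone'
        ExternalUserSharingOnly         = 'New and existing guests'
        ExistingExternalUserSharingOnly = 'Existing guests'
        Disabled                        = 'Only people in your organization'
    }
    $cap = "$($Site.SharingCapability)"
    if ($cap -in 'ExternalUserAndGuestSharing', 'ExternalUserSharingOnly') {
        "Site $($Site.Url) is set to '$($labels[$cap])'; review it as described in Step 2."
    }
}

# Constructed sample objects standing in for Get-SPOTenant / Get-SPOSite output.
$tenant = [pscustomobject]@{
    SharingDomainRestrictionMode = 'BlockList'
    SharingBlockedDomainList     = '@example.com fabrikam.com'
}
$site = [pscustomobject]@{
    Url               = 'https://contoso.sharepoint.com/sites/projects'
    SharingCapability = 'ExternalUserSharingOnly'
}
Test-BlockedDomainConfig -Tenant $tenant -Site $site -Domain 'example.com'
```

With the constructed input, the function reports three findings: the domain is missing from the list, one entry carries a leading @, and the site is set to New and existing guests.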

Step 3: Clear the Cached Global Address List and Recent Contacts

  1. Instruct users to clear their browser cache
    Users who see the blocked domain in the sharing dialog should clear their browser cache and cookies. In Microsoft Edge, select the three-dot menu, go to Settings > Privacy, search, and services, and under Clear browsing data select Choose what to clear. Select Cached images and files and Cookies and other site data. Then select Clear now.
  2. Remove the domain from the browser autocomplete
    When the user types the blocked domain in the sharing dialog, they can press the Down arrow key to highlight the suggestion and then press Shift+Delete to remove it from the browser autocomplete list. This action removes only the local suggestion, not the server-side cache.
  3. Wait for the global address list to refresh
    The global address list in Exchange Online updates every 24 to 48 hours. If a user recently added the blocked domain as a contact, the domain may still appear in the suggested list until the next GAL sync. Instruct users to manually type the full email address instead of relying on autocomplete.

If Blocked Domains Still Appear After the Main Fix

Even after verifying the tenant policy and site-level settings, some users may still see the blocked domain in the sharing dialog. The following scenarios explain why this happens and what to do about it.

The Blocked Domain Is Part of a Larger Domain Group

If you blocked example.com but users see suggestions from sub.example.com, the subdomain is not blocked unless you add it separately. Add the subdomain to the blocked list in the SharePoint admin center > Policies > Sharing > Blocked domains.

Users Have the Domain Saved as a Personal Contact in Outlook

Personal contacts stored in Outlook or the Outlook People app appear in the SharePoint sharing dialog. The blocked domain policy does not remove these contacts from the suggestions. Instruct users to delete the contact from their personal address book. In Outlook on the web, go to People, find the contact with the blocked domain, select it, and choose Delete.

The Site Uses a Custom Sharing Script or Third-Party Tool

Some third-party sharing extensions or PowerShell scripts bypass the SharePoint sharing dialog and grant access directly. These tools may not check the tenant blocked domain list. Review any custom sharing solutions and ensure they respect the blocked domain policy. Remove any custom sharing scripts that do not honor the tenant policy.

| Item | Tenant-Level Blocked Domain | Site-Level Sharing Setting |
| --- | --- | --- |
| Purpose | Block sharing with specific external domains across all sites | Control how users on a site can share with external users |
| Where to configure | SharePoint admin center > Policies > Sharing | Site Settings > Site permissions > Sharing settings |
| Overrides tenant policy | N/A | Yes, if set to Anyone or New and existing guests |
| Affects sharing dialog suggestions | No, only blocks the share action | No, only controls permission types |
| Applies to OneDrive | Yes | No, OneDrive uses tenant-level settings only |

To confirm that the blocked domain policy is working, ask a user to type the full email address of a person on the blocked domain in the sharing dialog and select Share. The user should see an error message saying sharing with that domain is not allowed. If the share succeeds, the policy is not applied. Recheck the tenant blocked domain list and the site-level sharing settings.

For ongoing monitoring, review the SharePoint sharing audit logs in the Microsoft 365 compliance center. Search for failed sharing attempts to see if the blocked domain policy is blocking the expected domains. Use the audit log search with the activity Shared file, folder, or site and filter by the blocked domain.
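
Detection logic for this monitoring step, as an added example that is not part of the original article: it applies the exact-domain matching described above (example.com does not cover sub.example.com) to sharing events and reports shares that reached a blocked domain or one of its subdomains. Find-BlockedDomainShare is a hypothetical helper; the records and their field names (Operation, UserId, TargetUserOrGroupName) are constructed assumptions about the exported audit data, and each record is assumed to be a completed sharing event.

```powershell
# Added example. Records are constructed; live ones would be parsed from the
# AuditData JSON of an audit log export. Field names are assumed.
function Find-BlockedDomainShare {
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        [Parameter(Mandatory)] [string[]] $BlockedDomain
    )
    $blocked = @($BlockedDomain | ForEach-Object { $_.Trim().TrimStart('@').ToLowerInvariant() })
    foreach ($r in $Record) {
        $target = "$($r.TargetUserOrGroupName)".Trim().ToLowerInvariant()
        # Existing guests can appear as user_domain#ext#@tenant.onmicrosoft.com.
        $ext = $target.IndexOf('#ext#')
        if ($ext -gt 0) {
            $local = $target.Substring(0, $ext)
            $us = $local.LastIndexOf('_')
            if ($us -lt 1) { continue }
            $target = $local.Substring(0, $us) + '@' + $local.Substring($us + 1)
        }
        $at = $target.LastIndexOf('@')
        if ($at -lt 1 -or $at -eq ($target.Length - 1)) { continue }  # group or internal name
        $domain = $target.Substring($at + 1)

        # Exact match first; a subdomain of a blocked entry is a separate finding.
        $parent = $blocked | Where-Object { $domain.EndsWith(".$_") } | Select-Object -First 1
        if ($blocked -contains $domain) {
            $finding = 'Shared with a blocked domain: policy not applied'
        } elseif ($parent) {
            $finding = "Subdomain of blocked '$parent': add it to the list separately"
        } else { continue }

        [pscustomobject]@{
            Operation = $r.Operation; SharedBy = $r.UserId
            Recipient = $target;      Finding  = $finding
        }
    }
}

$sample = @(   # constructed sharing events
    [pscustomobject]@{ Operation = 'SharingInvitationCreated'; UserId = 'owner@contoso.com'
                       TargetUserOrGroupName = 'pat@example.com' }
    [pscustomobject]@{ Operation = 'AddedToSecureLink'; UserId = 'owner@contoso.com'
                       TargetUserOrGroupName = 'lee_sub.example.com#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Operation = 'SharingSet'; UserId = 'owner@contoso.com'
                       TargetUserOrGroupName = 'Project Members' }
)
Find-BlockedDomainShare -Record $sample -BlockedDomain 'example.com' | Format-List
```

The first constructed record is reported as a share with a blocked domain, the second as an uncovered subdomain, and the third (a group name) is skipped.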
