Blocked Domains Still Appear in the Sharing Dialog: Root Cause and Fix

You have added a domain to the SharePoint blocked domains list, yet users can still type that domain in the sharing dialog and the type-ahead still suggests recipients there, as if the block never took effect. This happens because SharePoint Online and OneDrive evaluate the blocked domains list only when the sharing request is submitted, not while the dialog is populating its autocomplete suggestions. This article explains why blocked domains still appear in the sharing dialog, how to confirm that the block itself is working, and how to remove the domain from the suggestions as well.

Key Takeaways: Blocked Domains Still Visible in Sharing Dialog

  • SharePoint admin center > Policies > Sharing > Blocked domains: Controls which external domains are prevented from receiving sharing invitations, but does not remove them from the type-ahead dialog.
  • Azure AD External Identities > Cross-tenant access settings: Blocks the entire domain at the tenant level, preventing any sign-in or sharing attempt from that domain.
  • SharePoint Online Management Shell command Set-SPOTenant -SharingDomainRestrictionMode BlockList -BlockedDomainList: Applies the same blocked domain list from PowerShell (the list has no effect unless the restriction mode is set to BlockList), but still does not hide domains from the sharing dialog autocomplete.


Why Blocked Domains Show in the Sharing Dialog

The SharePoint sharing dialog uses a client-side type-ahead feature that queries the Microsoft Graph to suggest users and domains. This query does not check the tenant-level blocked domains list. The blocked domains list is applied only when the sharing request is submitted to SharePoint Online. At that point, the system evaluates the target domain against the block list and rejects the invitation if the domain is blocked.

Because the check happens after the user clicks the Share button, the domain continues to appear in the autocomplete suggestions. This is by design. The type-ahead feature is meant to show all possible recipients based on directory data, not to enforce security policies. The actual enforcement occurs at the sharing submission layer.

Where the Blocked Domains List Is Stored

The blocked domains list is stored in the SharePoint Online tenant settings and in the OneDrive admin settings. It is a comma-separated list of domain names. This list is read by the sharing service when a user sends an invitation. The list is not read by the client-side JavaScript that populates the sharing dialog.

How the Sharing Dialog Works

When a user types an email address in the sharing dialog, the browser sends a request to the Microsoft Graph People API. The API returns suggested contacts and domains from the user’s organization directory and from the global address list. The API does not filter results against the blocked domains list. Therefore, any domain that exists in the directory or in the user’s previous contacts will appear.

Steps to Enforce Blocked Domains Correctly

To prevent blocked domains from appearing in the sharing dialog, you must configure cross-tenant access settings in Azure AD in addition to the SharePoint blocked domains list. This combination blocks the domain at both the sharing request level and the directory lookup level.

Method 1: Add the Domain to the SharePoint Blocked Domains List

  1. Sign in to the SharePoint admin center
    Go to https://admin.microsoft.com and select SharePoint from the admin centers list. Alternatively, go directly to https://admin.microsoft.com/SharePoint.
  2. Open the Sharing settings
    In the left navigation, select Policies and then click Sharing. This opens the external sharing settings page.
  3. Open the domain restriction settings
    Expand More external sharing settings, select the checkbox Limit external sharing by domain, and then choose Block specific domains. A text box appears for the domain list.
  4. Enter the domain you want to block
    Type the domain name, for example example.com. Do not include the @ symbol. Separate multiple domains with commas or new lines.
  5. Save the settings
    Click Save at the bottom of the page. The domain is now added to the blocked list.

Method 2: Block the Domain in Azure AD Cross-Tenant Access Settings

This method prevents the domain from appearing in the sharing dialog autocomplete and blocks all B2B collaboration with that domain's tenant. Two caveats apply: cross-tenant access settings are keyed by Microsoft Entra tenant, so the domain must be a verified domain of an Entra tenant (consumer email domains cannot be added here), and blocking outbound access also stops your own users from being invited as guests into that tenant.

  1. Sign in to the Microsoft Entra admin center (formerly Azure AD)
    Go to https://entra.microsoft.com and sign in with a Global Administrator account.
  2. Navigate to External Identities
    In the left menu, select Identity > External Identities > Cross-tenant access settings.
  3. Add an organizational setting
    Click Add organization. In the pane that opens, select Specify tenant ID or domain name and enter the domain you want to block, for example example.com. Click Add.
  4. Block inbound and outbound access
    After the tenant is added, click the tenant row to open its settings. Under the Inbound access tab, set Access status to Block access for all users. Under the Outbound access tab, set Access status to Block access for all users.
  5. Save the settings
    Click Save at the top of the page. The domain is now blocked at the Azure AD level.
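The same partner-specific block can be applied from Microsoft Graph PowerShell, which is handy when the domain list is long or maintained in a ticketing system. The script below is an added example written for this article, not code from the original page or from Microsoft; it assumes the Microsoft.Graph.Authentication module, the Policy.ReadWrite.CrossTenantAccess and CrossTenantInformation.ReadBasic.All permissions, and uses example.com as a placeholder. It first resolves the domain to a tenant ID, because cross-tenant access settings are keyed by tenant, not by email domain, and stops with a clear message if the domain is not backed by an Entra tenant.

```powershell
# Added example (not from the original article or from Microsoft): block a partner
# tenant for B2B collaboration in both directions via Microsoft Graph PowerShell.
# Assumption: "example.com" is a placeholder and must be a verified domain of a
# Microsoft Entra tenant; otherwise the lookup below fails and nothing is written.
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess", "CrossTenantInformation.ReadBasic.All"

$domain = "example.com"

# Resolve the email domain to a tenant ID. Cross-tenant access settings are keyed
# by tenant ID, so a domain with no Entra tenant behind it cannot be blocked here.
try {
    $lookup = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='$domain')"
} catch {
    throw "$domain is not a verified domain of any Microsoft Entra tenant; use the SharePoint blocked domains list instead."
}
$partnerTenantId = $lookup.tenantId

# Block all users and all applications; the same structure is used for inbound and outbound.
$blockAll = @{
    usersAndGroups = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications   = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}

$body = @{
    tenantId                 = $partnerTenantId
    b2bCollaborationInbound  = $blockAll
    b2bCollaborationOutbound = $blockAll
}

# Create the partner-specific setting. If a setting for this tenant already exists,
# send the same body with -Method PATCH to .../partners/$partnerTenantId instead.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners" `
    -Body $body -ContentType "application/json"

# Verify what was stored for this partner tenant.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$partnerTenantId" |
    ConvertTo-Json -Depth 6
```

Run the lookup step on its own first when you are unsure whether a domain is an Entra-backed organization; a failed lookup tells you that Method 2 does not apply to that domain and only the SharePoint list will enforce anything.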

Method 3: Use PowerShell to Block the Domain

You can also add the blocked domain using the SharePoint Online Management Shell. This method is useful for bulk operations.

  1. Install the SharePoint Online Management Shell
    Open Windows PowerShell as an administrator and run the command Install-Module -Name Microsoft.Online.SharePoint.PowerShell.
  2. Connect to SharePoint Online
    Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com and sign in with your admin credentials.
  3. Set the restriction mode and the blocked domain list
    Run Set-SPOTenant -SharingDomainRestrictionMode BlockList -BlockedDomainList "example.com". The -SharingDomainRestrictionMode BlockList parameter is what turns the list on; setting -BlockedDomainList alone while the mode is None has no effect. To block multiple domains, separate them with a comma: Set-SPOTenant -SharingDomainRestrictionMode BlockList -BlockedDomainList "example.com,test.com". Note that this overwrites the existing list rather than appending to it.
  4. Verify the setting
    Run Get-SPOTenant | Select-Object SharingDomainRestrictionMode, BlockedDomainList and confirm that the mode is BlockList and the domain is listed.
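Because Set-SPOTenant -BlockedDomainList replaces the whole list, a bulk change should read the current list first and merge into it. The script below is an added example written for this article, not code from the original page or from Microsoft; it assumes the SharePoint Online Management Shell, a tenant named yourtenant, and a constructed list of new domains. It normalizes the input (strips a leading @, lowercases, drops duplicates and malformed entries), merges it with the existing list, sets the restriction mode to BlockList so the list is actually enforced, and reads the result back.

```powershell
# Added example (not from the original article or from Microsoft): merge new
# domains into the existing SharePoint Online block list instead of overwriting it.
# Assumptions: "yourtenant" and the domains in $newDomains are placeholders.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# Constructed sample input. For a real bulk load use Get-Content on a file with
# one domain per line; the normalization below cleans up the usual typos.
$newDomains = @("example.com", "Test.COM", "@partner.example", "example.com ")

# Read the current list so existing entries survive. The property is a single
# string; split on commas or whitespace to cope with either separator.
$tenant   = Get-SPOTenant
$existing = @()
if ($tenant.BlockedDomainList) {
    $existing = $tenant.BlockedDomainList -split '[,\s]+' | Where-Object { $_ }
}

# Normalize: trim, strip a leading "@", lowercase, keep only plausible DNS names, dedupe.
$merged = @($existing + $newDomains) |
    ForEach-Object { $_.Trim().TrimStart('@').ToLowerInvariant() } |
    Where-Object { $_ -match '^[a-z0-9.-]+\.[a-z]{2,}$' } |
    Sort-Object -Unique

Write-Host "Blocking $($merged.Count) domain(s): $($merged -join ', ')"

# The list is ignored unless the restriction mode is BlockList, so set both together.
Set-SPOTenant -SharingDomainRestrictionMode BlockList -BlockedDomainList ($merged -join ',')

# Read back and verify both the mode and the list before closing the ticket.
Get-SPOTenant | Select-Object SharingDomainRestrictionMode, BlockedDomainList
```

If the tenant is currently in AllowList mode, switching to BlockList changes the sharing posture from deny-by-default to allow-by-default for every domain not on the list; check SharingDomainRestrictionMode before running this and decide deliberately.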


If Blocked Domains Still Appear After the Main Fix

Domain Is Cached in the User’s Browser or Outlook

The sharing dialog may show a domain because the user has previously sent email to someone at that domain. The domain is cached in the user’s browser autocomplete or in Outlook’s Auto-Complete list. Clearing the browser cache or removing the contact from Outlook does not affect the SharePoint sharing dialog because the dialog queries the Microsoft Graph People API, which includes the user’s Outlook contacts.

To remove a cached contact from the People API, the user must delete the contact from their Outlook contacts folder. After deletion, it may take up to 24 hours for the change to reflect in the sharing dialog.

Domain Is Part of a Larger Tenant with Multiple Domains

The blocked domains list matches domain names exactly; wildcards are not supported and blocking one name does not cover its parent or its subdomains. If you block only sub.example.com, addresses at example.com are still allowed, and if you block only example.com, addresses at sub.example.com may still get through. To block an organization that uses several subdomains, add the root domain to the blocked list and also add each subdomain explicitly.

Sharing Dialog Shows the Domain but Blocks the Share

In some cases, the domain appears in the dialog but the sharing invitation is rejected when the user clicks Share. This is the expected behavior. The domain appears because the type-ahead query does not filter against the blocked list, but the actual share is blocked. To confirm the block is working, attempt to share a file with an email at the blocked domain and verify that SharePoint shows an error message.
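A manual test share proves the block for one file and one recipient. For ongoing assurance, the unified audit log records a SharingInvitationBlocked event each time the policy rejects an invitation, and a SharingInvitationCreated event each time one gets through. The script below is an added example written for this article, not code from the original page or from Microsoft; it assumes the ExchangeOnlineManagement module, an account with audit log read rights, and example.com as the blocked domain. It lists blocked invitations to that domain from the last seven days and then checks that no invitation to the same domain succeeded.

```powershell
# Added example (not from the original article or from Microsoft): confirm the
# block from the audit trail rather than from what the dialog shows.
# Assumptions: ExchangeOnlineManagement module installed, audit log read rights,
# "example.com" is the blocked domain, and audit logging is enabled for the tenant.
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Connect-ExchangeOnline

$blockedDomain = "example.com"
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Each record carries its details as a JSON string in AuditData; flatten the
# fields we care about so the output can be filtered and sorted.
function Get-SharingEvents {
    param([string]$Operation)
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation `
        -Operations $Operation -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $d.CreationTime
            Operation = $d.Operation
            Sender    = $d.UserId
            Target    = $d.TargetUserOrGroupName
            ObjectUrl = $d.ObjectId
        }
    }
}

# Rejected invitations to the blocked domain: evidence that the policy fired.
$blocked = Get-SharingEvents -Operation "SharingInvitationBlocked" |
    Where-Object { $_.Target -like "*@$blockedDomain" }
Write-Host "Blocked invitations to $blockedDomain in the last 7 days: $($blocked.Count)"
$blocked | Sort-Object Time | Format-Table Time, Sender, Target, ObjectUrl -AutoSize

# Invitations to the same domain that were created successfully. A non-empty
# result here means the block is not being enforced (wrong mode, typo in the
# list, or the share predates the change) and needs investigation.
$leaked = Get-SharingEvents -Operation "SharingInvitationCreated" |
    Where-Object { $_.Target -like "*@$blockedDomain" }
if ($leaked) {
    Write-Warning "Found $($leaked.Count) successful invitation(s) to $blockedDomain"
    $leaked | Sort-Object Time | Format-Table Time, Sender, Target, ObjectUrl -AutoSize
} else {
    Write-Host "No successful invitations to $blockedDomain; block is holding."
}
```

Audit events can take some time to appear after the action, so run the test share first and query a little later; the blocked event, not the error message in the dialog, is the record you can hand to an auditor.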

Comparison of the two controls

Effect on sharing dialog autocomplete
  • SharePoint blocked domains list: Does not remove the domain from suggestions
  • Azure AD cross-tenant access settings: Removes the domain from suggestions after up to 24 hours

Effect on sharing invitations
  • SharePoint blocked domains list: Blocks the invitation at submission time
  • Azure AD cross-tenant access settings: Blocks the invitation and prevents any sign-in from the domain

Scope
  • SharePoint blocked domains list: SharePoint Online and OneDrive only
  • Azure AD cross-tenant access settings: All Microsoft 365 services including Teams, Exchange, and SharePoint

Configuration location
  • SharePoint blocked domains list: SharePoint admin center > Policies > Sharing
  • Azure AD cross-tenant access settings: Azure AD admin center > External Identities > Cross-tenant access settings

Time to apply
  • SharePoint blocked domains list: Immediate
  • Azure AD cross-tenant access settings: Up to 24 hours

You can now block unwanted domains from appearing in the SharePoint sharing dialog by combining the SharePoint blocked domains list with Azure AD cross-tenant access settings. The most effective approach is to configure both: use the SharePoint list to reject sharing invitations at submission time, and use Azure AD to remove the domain from the type-ahead suggestions and from every other cross-tenant path. Clearing the browser cache does not change the suggestions; if a blocked domain still appears for an individual user, ask that user to delete their Outlook contacts at that domain and allow up to 24 hours for the People API to catch up.
