How to Share OneDrive Files With a Client Domain Allow List

When you share OneDrive files with an external client, your organization’s security policies may block the recipient’s email domain. This happens because Microsoft 365 tenant administrators can restrict file sharing to a specific list of approved domains. If your client’s domain is not on that list, external sharing requests will fail or require admin approval.

This article explains how the domain allow list works, how to configure it in the Microsoft 365 admin center, and what to do if you are an end user who needs access to a blocked domain. You will learn the exact steps to add a client domain and the limitations that apply.

The instructions cover both the SharePoint admin center and the Microsoft 365 admin center because the setting affects OneDrive and SharePoint sharing at the tenant level.

Key Takeaways: Configuring a Domain Allow List for OneDrive External Sharing

  • Microsoft 365 admin center > Settings > Org settings > SharePoint > Sharing: Controls tenant-wide external sharing policies, including domain allow and block lists.
  • SharePoint admin center > Policies > Sharing > Domain allow list: Adds specific external domains that can receive OneDrive and SharePoint sharing invitations.
  • OneDrive sync app > Settings > Account > Share files: End users can initiate sharing, but the domain must be allowed at the tenant level before the invitation is sent.


How the OneDrive Domain Allow List Works

The domain allow list is a security feature in Microsoft 365 that restricts external file sharing to only approved email domains. When an admin adds a domain to the allow list, users in that domain can receive sharing invitations from your organization. Domains not on the list are blocked by default.

This setting applies to both OneDrive for Business and SharePoint Online. It is configured at the tenant level in the Microsoft 365 admin center or the SharePoint admin center. The allow list overrides the default external sharing policy only for the domains you specify.

Two types of domain restrictions exist:

Allow List Only Mode

In this mode, sharing is permitted only with users whose email domain appears on the allow list. All other external domains are blocked. This is the most restrictive option and requires you to add every client domain you work with.

Allow and Block List Combined

You can set a default external sharing policy that allows sharing with all external users, then add specific domains to a block list. The allow list overrides the block list if a domain appears on both lists. Use this mode when you want to block only known risky domains while keeping sharing open for most external partners.

Prerequisites for Configuring the Domain Allow List

Before you modify the domain allow list, verify the following:

  • You have Global Admin or SharePoint Admin role in Microsoft 365.
  • External sharing is enabled for your tenant. If external sharing is turned off entirely, the allow list has no effect.
  • You know the exact domain name of the client, for example contoso.com, and every subdomain that also needs to be allowed.


Steps to Add a Client Domain to the OneDrive Allow List

Follow these steps to configure the domain allow list in the Microsoft 365 admin center. The same setting applies to OneDrive and SharePoint sharing.

  1. Sign in to the Microsoft 365 admin center
    Open a browser and go to https://admin.microsoft.com. Sign in with an account that has Global Admin or SharePoint Admin privileges.
  2. Open Org settings
    In the left navigation, select Settings and then Org settings. Scroll down and click SharePoint.
  3. Navigate to the Sharing section
    In the SharePoint settings page, click the Sharing tab. This tab contains all external sharing policies for OneDrive and SharePoint.
  4. Scroll to Domain allow list
    Under the heading Domain allow list, select Allow only specified domains. This enables the allow list mode. If you want to use both allow and block lists, select Allow sharing with all external domains first, then configure the block list separately.
  5. Add the client domain
    In the text box under Allow only specified domains, type the client’s domain name. For example, type contoso.com. If you also need to allow subdomains, add a separate entry for each subdomain; adding contoso.com alone does not cover sub.contoso.com. Click Add to include it in the list.
  6. Save the changes
    Click Save at the bottom of the Sharing page. The new domain allow list takes effect within a few minutes. Existing sharing invitations that were blocked may need to be resent.

How to Verify the Domain Allow List Is Working

After adding the client domain, test the configuration by sharing a file from OneDrive with a user who has an email address in that domain.

  1. Open OneDrive in your browser
    Go to https://onedrive.live.com and sign in with your work or school account.
  2. Select a file and share it
    Right-click a file and choose Share. In the sharing dialog, type the client’s email address, for example user@contoso.com.
  3. Check the sharing result
    If the domain is on the allow list, the invitation is sent immediately. If you see an error message that says Sharing with this domain is not allowed, the domain is not on the allow list or the list did not save correctly.
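The steps above use the admin center. As an added example that is not part of the original article, the same change can be made and read back from the SharePoint Online Management Shell, which covers both the add steps and the verification check in one script. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that you sign in as a SharePoint Admin; the tenant name and the domain values are placeholders.

```powershell
# Added example (not from the article): put client domains on the tenant
# sharing allow list and read the setting back.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed.
$TenantName = 'TENANT-PLACEHOLDER'                 # the part before -admin.sharepoint.com
$NewDomains = @('contoso.com', 'sub.contoso.com')  # each subdomain must be listed explicitly

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Read the current policy. Get-SPOTenant exposes the restriction mode and
# the allowed domains as a single space-separated string.
$tenant = Get-SPOTenant
Write-Host "Current mode:       $($tenant.SharingDomainRestrictionMode)"
Write-Host "Current allow list: $($tenant.SharingAllowedDomainList)"

# Merge the existing entries with the new ones so that re-running the script
# neither drops partners that are already allowed nor creates duplicates.
$existing = @()
if ($tenant.SharingAllowedDomainList) {
    $existing = $tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ }
}
$merged = @($existing + $NewDomains |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Sort-Object -Unique)

# Switch the tenant to allow-list mode ("Allow only specified domains" in the
# admin center) and write the merged list back.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList ($merged -join ' ')

# Read back and confirm every requested domain was saved. The -contains
# operator compares case-insensitively, matching how domains are entered.
$after = (Get-SPOTenant).SharingAllowedDomainList -split '\s+'
foreach ($domain in $NewDomains) {
    if ($after -contains $domain) {
        Write-Host "OK: $domain is on the allow list"
    } else {
        Write-Warning "Missing: $domain was not saved; check the Sharing page and save again"
    }
}
```

A domain reported as OK here can still fail a share for a few minutes while the setting propagates, so retry the OneDrive test in the verification steps after a short wait.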

Common Issues and Limitations

OneDrive Sharing Still Fails After Adding the Domain

If sharing fails after you added the domain, check the following: Did you click Save after adding the domain? The allow list is not applied until you save the Sharing page. Also verify that external sharing is enabled at the tenant level. Go to Microsoft 365 admin center > Settings > Org settings > SharePoint > Sharing and ensure Anyone or New and existing external users is selected under External sharing for OneDrive.

The Client Domain Uses a Subdomain

If your client uses a subdomain like sub.contoso.com, you must add that subdomain explicitly. Adding only contoso.com does not automatically allow sub.contoso.com. Add each subdomain as a separate entry in the allow list.

End Users Cannot Add Domains to the Allow List

Only Global Admins or SharePoint Admins can modify the domain allow list. If you are an end user and your client’s domain is blocked, contact your IT administrator with the domain name and request that it be added to the allow list. Provide the exact domain and mention that sharing is currently blocked.

Domain Allow List vs Domain Block List: Key Differences

| Item | Domain Allow List | Domain Block List |
|---|---|---|
| Purpose | Restricts sharing to only approved external domains | Blocks sharing with specific external domains |
| Default behavior | All domains blocked except those on the list | All domains allowed except those on the list |
| When to use | High-security environments where only known partners receive files | Environments that allow broad sharing but need to block risky domains |
| Number of entries | Limit of 100 domains per tenant | Limit of 100 domains per tenant |
| Subdomain handling | Must add each subdomain explicitly | Must add each subdomain explicitly |
| Override priority | Allow list overrides block list if a domain appears on both | Block list is ignored if the domain is also on the allow list |

You can configure both lists simultaneously in the Microsoft 365 admin center. The allow list always takes precedence over the block list for domains that appear in both.

You can now configure the OneDrive domain allow list to grant your client access to shared files. Start by adding the client’s domain in the Microsoft 365 admin center under SharePoint sharing settings. If you manage multiple clients, add each domain separately to avoid blocking legitimate sharing requests. For advanced security, combine the allow list with expiration dates and password policies for shared links in the OneDrive sharing settings.
