Learn practical AI for business and earn your AI Professional certification. — Learn More

Box Status
Print

Domain Management, Verification, and Auto Enrollment

Admin , Article , New , Instruction , Rollout

Many organizations control more than just their primary domain. For Box admins, validating their Box managed users who do not use the organization's primary domain for their Box accounts requires extra work.

The Domain Management function in Admin Console > Enterprise Settings > Custom Setup allows you to:

  • Verify Internet domains that you own and control to simplify your user and content management and to help prevent security breaches.
  • Auto enroll potential users who attempt to create a Box account using an email address in a domain you manage as managed users.

This topic contains the following sections:

Domain Management

Domain management includes adding, verifying, and deleting domains.

Adding a Managed Domain

Adding those domains in the Domain Management list automates the validation process. This also:

  • Prevents unscrupulous people from outside the organization attempting to create Box accounts using email addresses in those domains.
  • Allows you to enable auto enrollment for the domain.

The validation of a domain requires the existence of a unique code added to a DNS (domain name system) record for the domain. This means you must have access to your domain host.

Note: Only primary admins, not co-admins, can add managed domains. They are typically the part of your users' email address that follows the @, e.g. John@Example.com, but can also be lower-level domains such as student.portal.example-university.edu.

Adding a managed domain consists of three separate tasks:

  1. Add the domain and get a unique code (also known as a hash).
  2. Create a new DNS record for the domain with the unique code.
  3. Validate the domain.

To add the domain:

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, click Add Domain.
  3. Enter the domain name. Managed domains are those you can control through your DNS TXT record and do not include hostnames. 
  4. Click Next Step.
  5. Click Copy. The unique code is copied to your clipboard. You may want to open a blank text document and paste the code there for use in the next task.
  6. Click Submit. The domain is added to the list with a status of Incomplete Setup.

To create a new DNS record for the domain:

Note: The exact steps differ depending on your hosting provider.

  1. Go to the administration console or dashboard of your domain's hosting provider.
  2. Go to where the domain is managed.
  3. Go to where the DNS records for the domain are kept.
  4. Add a TXT record with the following information:
    • Host: The @ character, which means this is for the top-level domain.
    • Value: The code (hash) that was copied previously.
  5. Save the record.

To validate the domain:

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, next to the domain you want to verify, which should show a status of Incomplete Setup, click the 3-dot button, and then click Refresh Status.

Box pings the domain to verify the existence of the DNS record with the correct code, and if verified, updates the status to Complete.

Verifying an Unverified Domain

You may have domains in your Domain Management list that are unverified. This can occur when a domain is added to your organization by Box Customer Support or for domains that you had added before domain verification was available.

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, next to the domain you want to verify, which should show a status of Incomplete Setup, click the 3-dot button, and then click View Setup.
  3. Copy the code, and then complete the To create a new DNS record for the domain and To validate the domain procedures above.

Note: You need to disable auto-enrollment before you can remove domain verification.

Deleting a Managed Domain

Note: Only primary admins, not co-admins, can delete managed domains.

You should delete a domain from the Domain Management list only if you have no managed users with accounts containing email addresses with that domain. Deleting such a domain results in the users losing access to shared links. 

If you have SSO enabled for your organization, you cannot delete such a domain from the Domain Management list until all managed users containing email addresses with that domain change the email address in their accounts to a different email address with a different domain. Depending on how your SSO is configured, admins may be able to make this change, or users may be required to make this change themselves.

To delete a managed domain: 

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, find the domain you want to delete.
  3. Click the 3-dot button and then Remove Domain. If any managed users have email addresses in this domain, you will receive a warning that they will no longer have the access to shared links after you delete the domain. Tick the checkbox to confirm.
  4. Click Remove Domain to finish.

Domain Auto Enrollment

Auto enrollment is a feature that:

  • Prevents users from creating free Box accounts using their company email
  • Ensures that new users with the company email domain who have been invited to collaborate on managed content are automatically enrolled as managed users of the enterprise

Enable this option on verified domains to prevent managed content from being accessed from free accounts, especially after employees leave the company.

Auto enrollment for a domain means that potential users who attempt to create a Box account using an email address in a domain you manage will be required to enroll as a managed user with that email address. This will result in:

  • Your paid seat count increasing.
  • The user will be subject to all of your account security requirements, including SSO.

Notes:

  • If your company has multiple instances of Box, that is, more than one EID (enterprise ID), that you manage and that share the same domain, there are additional steps you must take before enabling domain auto enrollment. Contact Box support or your Box account team for assistance.
  • Auto enrollment will be turned on by default for all newly verified domains with a DNS record as of 7 November 2025. This can be disabled if required. Pre-existing verified domains will not be automatically enabled with auto-enrollment.
    • When the admin verifies their domain, auto-enrollment is enabled by default. If a user creates a new account within this domain, they are automatically converted to a managed user. If a user is already using the same domain name and has an existing unmanaged account, they will not be converted to a managed user.

Domain Auto Enrollment Limitations

There are several limitations that will prevent you from enabling auto-enrollment on a managed domain:

  • If the domain is in the Managed Domains list in multiple organizations and one of those organizations enables auto enrollment, no other organization can enable auto enrollment for that domain. This is to ensure that an auto enrolled user gets added to the correct organization.
  • If the domain does not have a valid txt record. This can occur when a domain was added to an organization by Box Customer Support or for domains added to your organization before domain verification was available. You can add a txt record as described in Verifying an Unverified Domain above.
  • If the domain is not verified. This can occur if the domain was added in Domain Management but did not finish verification. You can verify an unverified domain at any time. 
  • The domain is denylisted. Domains that are denylisted cannot be added to a Box account. Domains are typically denylisted for security reasons.
  • The domain is restricted. Box restricts domains of email service providers from auto enrollment, domains such as gmail.com, outlook.com, aol.com, yahoo.com, and similar. Box restricts Box-related domains, such as box.com, from auto enrollment in non-Box organizations. And certain domains are restricted for reasons that are beyond the scope of this documentation. For more information, contact your Box support representative.

Note: If a domain is a managed domain in multiple organizations, and one of those organizations enables auto enrollment, no new organization can add that domain as a managed domain. 

Enabling Auto Enrollment for a Managed Domain

A managed domain must be fully validated, that is, added using all the steps above, before auto-enrollment can be enabled for the domain.

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, hover over a domain with an Auto Enrollment status of Disabled, click the More Options button (More Options button), and then click Enable Auto Enrollment.
  3. In the Enable Auto Enrollment dialog box, select the I understand that by enabling Auto Enrollment, new users who sign up with this domain will occupy a paid seat check box.
  4. Click Enable

Disabling Auto Enrollment for a Managed Domain

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, hover over a domain with an Auto Enrollment status of Enabled, click the More Options button (More Options button), then click Disable Auto Enrollment.
  3. In the Disable Auto Enrollment dialog box, select the check box: "I understand that by disabling Auto Enrollment, new users who sign up with this domain will become unmanaged users. These are not controlled or monitored by your Admin, Co-Admin, or your organization's security policies, meaning that they represent a potential security and compliance risk."
  4. Click Disable

Related articles