Level up your Box knowledge with brand new learning paths on Box University. Visit training.box.com to get started

Box Status
Print

Domain Management, Verification, and Auto Enrollment

Article , New , Instruction , Rollout

 

Many organizations control more than just their primary domain. For Box admins, validating their Box managed users who do not use the organization's primary domain for their Box accounts requires extra work.

The Domain Management function in Admin Console > Enterprise Settings > Custom Setup allows you to

  • Verify Internet domains that you own and control to simplify your user and content management and to help prevent security breaches
  • Auto enroll potential users who attempt to create a Box account using an email address in a domain you manage as managed users.

This topic contains the following sections:

Domain Management

Domain management includes adding, verifying, and deleting domains.

Adding a Managed Domain

Adding those domains in the Domain Management list automates the validation process. This also:

  • Prevents unscrupulous people from outside the organization attempting to create Box accounts using email addresses in those domains.
  • Allows you to enable auto enrollment for the domain.

The validation of a domain requires the existence of a unique code added to a DNS (domain name system) record for the domain. This means you must have access to your domain host.

Note

Only primary admins, not co-admins, can add managed domains. Managed domains consist of only second-level and top-level domains, also known as a root domains, and do not include hostnames or subdomains.

Adding a managed domain consists of three separate tasks:

  1. Add the domain and get a unique code (also known as a hash).
  2. Create a new DNS record for the domain with the unique code.
  3. Validate the domain.

To add the domain:

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, click Add Domain.
  3. Enter the domain name, which is the second-level and top-level domain identifier, also known as a root domain. (This is typically what would follow the @ in an email address.)
  4. Click Next Step.
  5. Click Copy. The unique code is copied to your clipboard. You may want to open a blank text document and paste the code there for use in the next task.
  6. Click Submit. The domain is added to the list with a status of Incomplete Setup.

To create a new DNS record for the domain:

Note

The exact steps differ depending on your hosting provider.

  1. Go to the administration console or dashboard of your domain's hosting provider.
  2. Go to where the domain is managed.
  3. Go to where the DNS records for the domain are kept.
  4. Add a TXT record with the following information:
    • Host: The @ character, which means this is for the top-level domain.
    • Value: The code (hash) that was copied previously.
  5. Save the record.

To validate the domain:

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, next to the domain you want to verify, which should show a status of Incomplete Setup, click the 3-dot button, and then click Refresh Status.

Box pings the domain to verify the existence of the DNS record with the correct code, and if verified, updates the status to Complete.

Upon validation, you can also enable auto-enrollment for the domain (recommended).

Verifying an Unverified Domain

You may have domains in your Domain Management list that are unverified. This can occur when a domain is added to your organization by Box Customer Support or for domains that you had added before domain verification was available.

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, next to the domain you want to verify, which should show a status of Incomplete Setup, click the 3-dot button, and then click View Setup.
  3. Copy the code, and then complete the To create a new DNS record for the domain and To validate the domain procedures above.

Deleting a Managed Domain

Note

Only primary admins, not co-admins, can delete managed domains.

You should delete a domain from the Domain Management list only if you have no managed users with accounts containing email addresses with that domain. Deleting such a domain results in the users losing access to shared links. 

If you have SSO enabled for your organization, you cannot delete such a domain from the Domain Management list until all managed users containing email addresses with that domain change the email address in their accounts to a different email address with a different domain. Depending on how your SSO is configured, admins may be able to make this change, or users may be required to make this change themselves.

To delete a managed domain: 

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, find the domain you want to delete.
  3. Click the 3-dot button and then Remove Domain. If any managed have with email addresses in this domain, you will receive a warning that they will no longer have the access to shared links after you delete the domain. Tick the checkbox to confirm.
  4. Click Remove Domain to finish.

Domain Auto Enrollment

Auto enrollment is a feature that:

  • Prevents users from creating free Box accounts using their company email
  • Ensures that new users with the company email domain who have been invited to collaborate on managed content are enrolled as managed users of the enterprise

Enable this option on verified domains to prevent managed content from being accessed from free accounts, especially after employees leave the company.

Auto enrollment for a domain means that potential users who attempt to create a Box account using an email address in a domain you manage will be required to enroll as a managed user with that email address. This will result in:

  • Your paid seat count incrementing.
  • The user will be subject to all of your account security requirements, including SSO.

Note

If your company has multiple instances of Box, that is, more than one EID (enterprise ID), that you manage and that share the same domain, there are additional steps you must take before enabling domain auto enrollment, Contact Box support or your Box account team for assistance.

Domain Auto Enrollment Limitations

There are several limitations that will prevent you from enabling auto-enrollment on a managed domain:

  • If the domain is in the Managed Domains list in multiple organizations and one of those organizations enables auto enrollment, no other organization can enable auto enrollment for that domain. This is to ensure that an auto enrolled user gets added to the correct organization.
  • In the domain does not have a valid txt record. This can occur when a domain was added to an organization by Box Customer Support or for domains added to your organization before domain verification was available. You can add a txt record as described in Verifying an Unverified Domain above.
  • If the domain is not verified. This can occur if the domain was added in Domain Management but did not finish verification. You can verify an unverified domain at any time. 
  • The domain is denylisted. Domains that are denylisted cannot be added to a Box account. Domains are typically denylisted for security reasons.
  • The domain is restricted. Box restricts domains of email service providers from auto enrollment, domains such as gmail.com, outlook.com, aol.com, yahoo.com, and similar. Box restricts Box-related domains, such as box.com, from auto enrollment in non-Box organizations. And certain domains are restricted for reasons that are beyond the scope of this documentation. For more information, contact your Box support representative.

Enabling Auto Enrollment for a Managed Domain

A managed domain must be fully validated, that is, added using all the steps above, before auto-enrollment can be enabled for the domain.

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, hover over a domain with an Auto Enrollment status of Disabled, click the More Options button (More Options button), and then click Enable Auto Enrollment.
  3. In the Enable Auto Enrollment dialog box, select the I understand that by enabling Auto Enrollment, new users who sign up with this domain will occupy a paid seat check box.
  4. Click Enable

Disabling Auto Enrollment for a Managed Domain

  1. Go to Admin Console > Enterprise Settings > Custom Setup
  2. In the Domain Management section, hover over a domain with an Auto Enrollment status of Enabled, click the More Options button (More Options button), and then click Disable Auto Enrollment.
  3. In the Disable Auto Enrollment dialog box, select the I understand that by disabling Auto Enrollment, new users who sign up with this domain will become unmanaged users check box.
  4. Click Disable

Related articles