Become an Intelligent Content Management Expert with our free Admin certification - now available! Get started

Box Status
Print

Limit collaboration to allowlisted domains

Collaboration , Admin , Article , New , Instruction , Rollout

In the Enterprise Settings > Content & Sharing > Collaborating on Content > External Collaboration setting, you can allow external collaboration with any external user or limit collaboration to only external users in email domains you define. This topic explains how to limit collaboration to allowlisted email domains.

  1. Go to Enterprise Settings > Content & Sharing.
  2. In the Collaborating on Content section, go to the External Collaboration setting and select Limit collaboration to allowlisted domains.
  3. Click Manage Allowlist.
  4. In the Collaboration Allowlist dialog box, enter one or more email domains and press Enter after entering each one. See Domain Allowlist Configuration for additional details on how to configure allowlisted email domains.
  5. Click Add.

Your people can collaborate only with people from one of the email domains you specify.

Note

The limit on collaboration to allowlisted email domains goes both directions: Your user cannot invite someone who is not from one of the specified email domains, and someone not on the specific email domain cannot invite your user to collaborate.

Your user can invite someone to collaborate by opening the "Share" window on a folder or a file. In the "Share" window, your user can choose (a) Invite People or (b) Send Shared Link. 

Share_screen.png

          • If your user invites someone who is not from one of the specified email domains, the system will display an error message

Send_email_error.png

 

 

 

Important
If a folder is accessible to a set of collaborators outside your enterprise, clicking Limit collaboration to users within Enterprise for does not block that folder to those external collaborators, though the folder is blocked to new external collaborators.

If you are an admin of a folder and want to add an external collaborator whose domain is not on the allowlist, you need to add their domain to the allowlist to send them invitation to the folder.

 

Domain allowlist configuration

When you create your allowlist, you can also can exert finer control and limit collaboration to one direction, inbound or outbound, as defined from the perspective of someone inside your enterprise.

  • Inbound collaboration – Your people are INVITING SOMEONE FROM OUTSIDE IN TO your enterprise to collaborate on content that resides inside your organization.
    • To allow only inbound collaboration, prepend each email domain with a plus sign (+)
  • Outbound collaboration – People from outside your enterprise are INVITING SOMEONE FROM INSIDE your enterprise OUT to collaborate on content that resides outside your organization.
    • To allow only outbound collaboration, prepend each email domain with a minus sign (-)
  • To enable collaboration with any email domain, use an asterisk (*)
    • Typically you'll use an asterisk to enable unidirectional collaboration -- for example to allow only your users to be invited to other content and not allow any external users to be invited to your content.

Here are some examples:

 

Domains Allowlisted

Expected Behavior

abc.com

Box users within your company can invite people only from Company ABC and can only be invited to folders from Company ABC.

Note The allowlist is literal, and only works on single email domains. In this example, "x.abc.com" is not allowlisted. You would need to add it separately. Do not use spaces.

+abc.com

Your company's users can invite only people from Company ABC to their folders. Do not use spaces.

-abc.com

Only people in Company ABC can invite Box users from your company to join their folders as well. No one else can invite your company's users to their folders. Do not use spaces.

+*

Your company’s users can invite anyone from any email domain to collaborate on content within your enterprise, but no one outside of your company can invite your company’s users to collaborate externally. Do not use spaces.

-*

+abc.com

Anyone from any email domain can invite your people to collaborate on content externally, but your people can invite only users from company abc.com to collaborate on content that resides within your enterprise. Do not use spaces.

 

Other points:

  • Users not subject to allowlist: You can allow certain users special privileges to collaborate with email domains outside of the allowlisted email domains. To grant this privilege, below Users not subject to allowlist, enter the names or email addresses of your tenant's managed users in the box.
  • External Collaborator Invitations: Enables you to restrict external collaborators from inviting other external collaborators into content owned by your enterprise and to prevent them from increasing other external collaborators' permission levels.

 

Collaboration allowlist limits

Domains

Box supports up to 200,000 collaboration domains without degrading the collaboration or admin experience.  Exceeding this soft limit may degrade performance.

Exempted users

Box supports a maximum of 1,000 exempted users, with a noticeable slowing in the Settings save action. Exceeding this hard limit degrades performance.

 

Things to know about collaboration restrictions

  • External collaboration allowlisting is only available as part of the Governance package and must be enabled by request. Please contact your Box Representative or Billing Support to enable these features.
  • You can set collaboration restrictions at the enterprise, user, and folder level. Box uses the most restrictive setting at any given time. For example, if an enterprise allows collaboration with 100 email domains and a user within the enterprise further restricts collaborators for a particular folder, that folder will be governed by the user's more restrictive settings.

Related articles