In certain extranet use case scenarios, an extra level of security and privacy can be achieved by using the Domain Name Policies feature of ExCM.
Domain Name Policies allow you to "include" and/or "exclude" extranet users from those domains via ExCM's Invite Users feature. Domain Name policies can be established on a site by site basis or globally or in combination.
Below are examples of using two different types of Domain Name Policies:
For example, let's say you use your extranet as a way to share private information with your customers. Furthermore, your policy is to provision a unique site collection for each of your customers. You use seperate site collections for each customer as a way to have a security and privacy boundary between the information you share with each customer.
Now you would like to enhance your security scheme further by specifiying that only external users who have your customer's domain name can be invited to join that customer's extranet site. This can easily be accomplished using a site-specific Domain Name Policy where Type = Inclusion.
Here is an example showing how this would be set up and would work:
Your customer is XYZ Corp and you create a dedicated extranet Site Collection to use in collaborating with them:
All of XYZ Corp's employees have emails with xyzcorp.com as their domain names. So, you can safely create a Domain Name Inclusion Policy that matches their domain name and then anyone with an email address with that domain name will be able to be invited to join the site, but no other domain names will be allowed.
To set this up, you would navigate to Site Settings > Extranet Management > Registration Settings and scroll down to the Domain Name Policies section of the page:
Then, you would click on Add new domain name policy and fill in the form and save it as shown here:
Your finished Domain Name Inclusion Policy would look like this:
This instructs ExCM to only allow registrations for the site from external users who have an email address that contains the xyzcorp.com domain name.
Now, if one of your employees uses the Invite Users feature and mistakenly invites a user from another customer to register for and join this site, the following error message will be displayed to the external user if she tries to register for the site:
The Global Domain Name Exclusion Policy is frequently used when you want to enforce a policy that extranet users cannot register for a site with common "free" email accounts such as Hotmail, Outlook.com, Gmail, etc.
You can create as many Global Domain Name Exclusion Policies as you would like by navigating to the Global Domain Policy settings page in Central Administration:
First, select your extranet web application from the drop-down:
From this point on, this page works similar to the Domain Name Policy section on the site-specific page shown above.
As shown above, click on Add Domain Policy and configure an exclustion policy to exclude extranet account email addresses from gmail.com:
When you click Save, you will see this message displayed:
Since Global Domain Policies are stored in your web application's extranet web application's web.config file, a timer job must push out the changes to the file. That process can take from 5 - 15 minutes depending on the size of your SharePoint farm.
Once you've given the timer job enough time to finish its work, you can click refresh on the page and you will see your Global Domain Policies appear in the list:
At this point, any external user who is invited to register for an extranet site using one of these excluded domain names, will see this message on the registration form:
©2019 PremierPoint Solutions. All Rights Reserved.