Applies to

Smartsheet
  • Enterprise

Capabilities

Who can use this capability

You must be a licensed System Admin to enable the Require Corporate Account and Require MFA governance policies for external sharing.

Governance policies for external collaborators

Require Corporate Account and Require MFA enhance security for external sharing by requiring your external collaborators to sign-in with single sign-on (SSO) and an additional layer of authentication (Require MFA) to gain access to any content that you share with them.

PLANS

  • Enterprise

Permissions

You must be a licensed System Admin to enable the Require Corporate Account and Require MFA governance policies for external sharing.

What's an external collaborator?

A user who's invited to collaborate on a sheet or workspace, but who isn't a member of the organization or domain that owns the sheet or workspace.

These policies ensure your external collaborators use a secure method to login —and one that passively validates that they're still employed by the organization you intend to collaborate with.

When an external collaborator who hasn't logged in with SSO/MFA tries to access an asset that requires SSO/MFA, the user sees a prompt instructing them that they must log in via SSO to access the asset.

While Require Corporate Account is set up on a plan-level,  Require MFA can be applied either account wide or on specific workspaces. System Admins can enable Workspace Admins to decide if they want to apply the additional security layer to specific workspaces they own.

The policies govern sheets, reports, and dashboards —all items that can be associated with a workspace.

Once enabled, the Require Corporate Account and Require MFA policies apply exclusively to core items (sheets, reports, and dashboards) within the core Smartsheet application, excluding items within Smartsheet Premium apps.


Require Corporate Account

Require Corporate Account is a plan-level policy that guarantees access to Smartsheet is restricted to users with corporate-authenticated credentials (SSO), thereby reducing the risk of potential unauthorized access.

Supported methods

  • Azure work account
  • Google work account
  • SAML SSO

Require MFA

This policy requires external collaborators to authenticate via Multi-Factor Authentication (MFA), enhancing security for them with an additional layer of verification. This ensures that, even if a password is compromised, unauthorized access can be thwarted by the MFA functionality.

  • To activate this policy, you must first enable the Require Corporate Account policy.
  • If an external collaborator's Identity Provider (IdP) doesn't support MFA or fails to communicate the MFA completion status with Smartsheet, our proprietary email-based MFA serves as a backup.

     

Supported methods

  • SAML (Okta, Azure, AD FS)
  • Microsoft work account
  • Email one-time password

     

Email-based MFA

This is a one-time, time-limited password mechanism (OTP) provided via email. It's designed to address scenarios where standard MFA through the collaborator's IdP isn't possible.

If the system can't determine that the external collaborator has completed MFA on an asset where the policy applies, an email is sent to their account as soon as they click on the asset.

If the user enters the verification code incorrectly three consecutive times, they must wait 30 minutes to try again.


About the mobile app

  • Currently, the mobile app automatically restricts external collaborators' access to assets when System Admins enforce one or both of the policies on the asset.
  • External collaborators who meet the SSO policy get access to secured assets through the mobile app.

System Admins

To activate the Require Corporate Account policy:

  1. Go to the Admin Center.
  2. Select the menu icon and navigate to Settings > Secure External Access.
  3. Slide the Require corporate accounts toggle to turn on the policy.

    If the internal sign-in option doesn't have SSO enabled, the Require Corporate Account policy will be automatically disabled.

To activate the Require MFA policy:

  1. Go to the Admin Center.
  2. Select the menu icon and navigate to Settings > Secure External Access.
  3. Slide the Require MFA toggle to turn on the policy.
    • To allow Workspace Admins to apply the policy on specific workspaces, select the Workspace opt-in button.
    • To enforce the policy on all plan assets, select Enforce on all plan assets.
Brandfolder Image
Secure External Access page

Workspace Admins

  • Workspace Admins can't set up the plan-level Require Corporate Account policy. The configuration is required by a System Admin.
  • If a System Admin enables Workspace opt-in, Workspace Admins can enforce the Require MFA policy on specific workspaces.
  • To generate a report showing all the workspaces with the Require MFA policy enforced, select Generate opt-in report. The workspace report spreadsheet includes the workspace name, indicating whether the Require MFA policy applies to each workspace, along with a URL link to access it, and a list of users with Admin permissions on the workspace.

To activate MFA for workspace access:

  1. Go to the workspace and select Share in the top right corner. 
  2. Select Set up from the top of the sharing window. 
  3. Slide the Require MFA toggle to turn on the feature. Settings apply to all items in the workspace, not to individual items.
Brandfolder Image
Activate MFA for workspace access

Exempt list

The Exempt list (also known as the Trusted Domain list) allows System Admins to specify domains and individual email addresses that are exempt from the policies.

Enabling an exempt list initiates the creation of a sheet with specific columns. All System Admins have access to this sheet.

To create an Exempt list:

  1. Go to the Admin Center.
  2. Select the menu icon and navigate to Settings > Secure External Access
  3. Under Advanced Settings, select Create sheet on either of the following:
    • Exempt domains
    • Exempt email addresses
  4. To add new domains or email addresses to the Exempt list, enter them in the Domains/Emails allowed to share column and use the checkbox columns to indicate if the entity is exempt from the policies.

Exempt list sheet

System Admins can only add, edit, and delete rows on the sheet. The sheet contains the following columns:

  • Domains/Emails allowed to share: Lists the domains/email addresses that are allowed to share content with.
  • Exempt from Corporate Account Requirement: A checkbox that, when marked, exempts the domain/email address from requiring corporate account credentials to access shared content.
  • Exempt from MFA Requirement: A checkbox that, when marked, exempts the domain/email address from the requirement to use MFA for accessing shared content.
  • Modified By: Indicates the last user who made changes to the row.
  • Modified On: Shows the date and time when the last modification was made to the row.
  • Created By: Identifies the user who originally created the entry in the sheet.
  • Created: Displays the date and time when the entry was created.
  • Notes: An open field for any additional information or comments behind the domain/email address status.
Brandfolder Image
Exempt list sheet

API calls

External collaborators using public API calls to access shared Smartsheet assets that are protected by Require Corporate Account or Require MFA policies can only gain access to those assets via Smartsheet API if their domain or email address is on the Exempt list, or if it's a validated domain of the plan.

If your external collaborators encounter issues accessing their shared assets, they should reach out to the System Admin of the plan to which those assets belong.


Other things to know

  • These policies apply to users who aren't part of any validated domain in the plan that enabled the policy, or any domain/email address mentioned in the Exempt list for these policies.
  • Issued OTPs have a lifespan of ten minutes. Post-expiration, users must generate a new one.
  • If a System Admin turns off the Require Corporate Account policy while the Require MFA policy is on, an alert message will display advising them that disabling the Require Corporate Account policy automatically disables the Require MFA policy.
  • Existing System Admins are responsible for granting access to the Exempt list sheet to new or future System Admins.
  • Updates (new exemption entries) to the Exempt list may take up to three minutes to apply. 

Can we disable the email-based MFA functionality once the Require MFA policy is enabled?

No. Once the Require MFA policy is active, System Admins can't disable the email-based MFA functionality. It's designed as a backup to ensure continued security even if the primary MFA method is unavailable.

How will external collaborators who aren't part of any organization with Require Corporate Account/Require MFA access the system? Especially those who are independent consultants?

  • They can leverage social logins, such as Google SSO or Microsoft options (e.g., gmail.com, live.com).
  • They can receive an email-based code (email-based MFA) for verification.
  • System Admins can add users to the Exemption list if necessary.
     

How do we handle objections when external collaborators don't use Microsoft or Google for Require Corporate Account?

For Require Corporate Account, we currently support Google/Microsoft SSO or Corporate SAML login only.

Will any Workspace Admin be able to implement these policies?

Workspace Admins can enable the Require MFA policy at workspace level if a System Admin has enabled Require MFA policy at workspace level. Workspace Admins can't configure the Require Corporate Account policy.

Are there any domains automatically added to the Exempt list?

Yes. All verified domains within the plan are automatically exempted from both the Require Corporate Account and Require MFA policies, as users from these domains are treated as internal users to the plan.

Was this article helpful?
YesNo