The Require work accounts with SSO and Require MFA policies enhance security for external sharing by requiring your external collaborators to sign in with single sign-on (SSO) and to pass an additional layer of authentication (MFA) before they can access any content that you share with them.
What's an external collaborator?
An external collaborator is a user who has been invited to collaborate on a sheet or workspace but whose email address doesn’t match the domains associated with the plan that owns the sheet or workspace and who isn’t a member of that plan.
Policy behavior and coverage
External collaborators accessing items that require Single Sign-On (SSO) or Multi-Factor Authentication (MFA) must sign in with their company account unless they’re on the exempt list. They’ll be prompted to use their organization’s SSO login to verify their identity.
The Require work accounts with SSO policy applies at the plan level, while Require MFA can be enforced account-wide or for specific workspaces. System Admins can allow Workspace Admins to enable MFA for their workspaces. These policies apply to sheets, reports, and dashboards, all of which can be part of a workspace.
These policies ensure that users from outside your organization’s validated domains sign in securely, confirming their continued employment with their respective organizations. An Exempt list lets System Admins exclude specific domains or email addresses from the policies. The Exempt list is also referred to as the Trusted Domain list.
Notes
- You must complete a configuration process to enable your users to sign in to Smartsheet using SAML or SSO. This configuration can be done at the plan level for users on Enterprise plans or at the domain level for all users associated with a specific email domain
- Once enabled, the Require work accounts with SSO and Require MFA policies apply exclusively to core items (sheets, reports, and dashboards) within the core Smartsheet application, excluding items within Smartsheet Premium apps
- These policies apply to users who aren't part of any validated domain in the plan that enabled the policy, or any domain/email address mentioned in the Exempt list for these policies
Get started
Refer to the help articles below to learn how to set up the policies:
- Require work accounts with SSO: A plan-level policy that guarantees access to Smartsheet is restricted to users with corporate-authenticated login (SSO), thereby reducing the risk of potential unauthorized access
- Require MFA: External collaborators are required to authenticate via Multi-Factor Authentication (MFA), enhancing their security with an additional layer of verification. Even if a password gets compromised, the MFA functionality can thwart unauthorized access
- Exempt list: Allow System Admins to specify domains and individual email addresses exempt from the policies
Like the web and desktop apps, the Smartsheet mobile app honors any Secure External Access policies enabled in Admin Center.
API calls
External collaborators using public API calls to access shared Smartsheet items protected by Require work accounts with SSO or Require MFA policies can only gain access to those items via Smartsheet API if their domain or email address is on the Exempt list, or if it's a validated domain of the plan.
If your external collaborators encounter issues accessing their shared items, they should reach out to the System Admin of the plan to which those items belong.
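The coverage rules above (who counts as an external collaborator, the Exempt list, and the API restriction) can be checked against a sharing list before a policy is turned on. The Python below is an added example, not Smartsheet code and not a Smartsheet API; the names PlanPolicy, classify and audit, the sample data, and the exact-match domain comparison are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PlanPolicy:
    """Plan settings an admin would copy in by hand (constructed sample model)."""
    validated_domains: set = field(default_factory=set)
    exempt_domains: set = field(default_factory=set)
    exempt_emails: set = field(default_factory=set)
    members: set = field(default_factory=set)  # addresses that are plan members

    def __post_init__(self):
        # Compare case-insensitively: normalise every configured value once.
        for name in ("validated_domains", "exempt_domains",
                     "exempt_emails", "members"):
            setattr(self, name, {v.strip().lower() for v in getattr(self, name)})

def _norm(email):
    """Return (address, domain) in lower case; reject malformed addresses."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an email address: {email!r}")
    return email, domain

def classify(email, policy):
    """Return 'internal', 'exempt' or 'subject' for one shared-to address.

    Assumption: domains are compared exactly, so a subdomain of a validated
    domain is NOT treated as validated. Adjust if your plan differs.
    """
    email, domain = _norm(email)
    if email in policy.members or domain in policy.validated_domains:
        return "internal"   # not an external collaborator
    if email in policy.exempt_emails or domain in policy.exempt_domains:
        return "exempt"     # external, but on the Exempt list
    return "subject"        # external: must use SSO / MFA

def audit(shared_with, policy):
    """Summarise policy impact for every address an item is shared with."""
    rows = []
    for addr in shared_with:
        try:
            status = classify(addr, policy)
        except ValueError:
            status = "invalid"  # flag for manual review
        rows.append({"email": addr.strip().lower(), "status": status,
                     # Per the API calls section: only validated or exempt
                     # addresses keep API access to protected items.
                     "api_access": status in ("internal", "exempt")})
    return rows
```

Rows with status "subject" and api_access False are the collaborators whose integrations will stop reaching protected items unless they are added to the Exempt list.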
FAQs
How will external collaborators who aren't part of any organization with Require work accounts with SSO/Require MFA, especially independent consultants, access the system?
- External collaborators must use their work email or a corporate login account set up with Google or Microsoft SSO
- They can receive an email-based code (email-based MFA) for verification
- System Admins can add users to the Exemption list if necessary
Will any Workspace Admin be able to implement these policies?
Workspace Admins can enable the Require MFA policy at the workspace level if a System Admin has enabled the Require MFA policy at the workspace level. Workspace Admins can't configure the Require work accounts with SSO policy.