Workspace security settings
Configure workspace-wide security rules such as allowed email domains, required two-factor authentication, blocked file extensions, restricted apps, and security logs.
Workspace security settings protect the workspace boundary
Use workspace security settings when the rule should apply to everyone in a workspace, not just to your personal account.
| Setting area | What admins control |
|---|---|
| Allowed email domain | Who can join with a company, school, or organization email domain. |
| Required two-factor authentication | Whether members must set up two-factor authentication before continuing. |
| Blocked file extensions | Which file types are blocked from upload. |
| Restricted integration apps | Which integration apps are not allowed in the workspace. |
| Security logs | How admins review workspace access events. |
These controls are broader than a canvas Share dialog. A canvas permission decides who can open one canvas. Workspace security settings decide what the workspace allows before item permissions are even considered.
For personal account security, use Account security settings.
Availability
| Item | Details |
|---|---|
| Available on | Workspaces where admin security settings are included. Some settings depend on plan and workspace policy. |
| Available for | Web app, desktop app, and mobile app. |
| Who can configure it | Workspace admins. |
| Who is affected | Workspace members, invited members, and people trying to access workspace-controlled content. |
| Where to start | Workspace settings → Admin or Security area. |
Open workspace security settings
Confirm the active workspace first. Then open the workspace settings menu and go to the admin or security area. If you cannot find the settings menu, start with Open workspace settings.
If the admin/security area is missing, check your role and plan. Non-admins usually cannot configure workspace security. One-person workspaces, Edu and Edu Pro one-person plans, and managed external workspaces can expose fewer workspace administration controls.
Allowed email domain
Use an allowed email domain when the workspace should only allow members from a trusted company, school, or organization domain. For example, a workspace can require invited members to use an address from the organization's domain instead of a personal email address.
The current admin setting accepts a domain value and can be cleared to disable the restriction. Enter the domain without turning it into a long policy note. The useful rule is simple: people whose email does not match the allowed domain can be blocked from joining or continuing through workspace-controlled access.
Allowed domains do not replace normal member review. You still need to invite the right people, choose the right role, and remove people who should no longer belong to the workspace.
Require two-factor authentication
Use required two-factor authentication when every member should prove account control with a second factor before entering the workspace. This is useful for finance, client work, student records, confidential planning, or any workspace where a stolen password would create real damage.
When this policy is enabled, members who have not set up two-factor authentication may be asked to configure it before continuing. Individual setup happens in Account security settings. If your organization uses SSO or another identity provider, that provider may own multi-factor authentication outside ALLO.
Before enabling the requirement for a large workspace, tell members what will change. Make sure admins have working recovery methods and backup codes.
Block file extensions
Use file extension restrictions when a workspace should block uploads for risky or unwanted file types. This is a blocklist: admins add extensions that should not be uploaded. ALLO normalizes the value so admins can write extensions with or without a leading dot.
This setting is for future uploads. Do not rely on it as a cleanup tool for files that already exist. If a file was already uploaded and should be removed, find the file or the work that contains it and delete it according to your workspace policy.
Good extension restrictions are specific. Blocking every unknown file type can interrupt normal creative work. Blocking known risky executable formats or organization-prohibited formats is usually more practical.
Restrict integration apps
Use restricted apps when company policy does not allow certain integrations in a workspace. This can matter when a team handles confidential client work, school data, regulated information, or work that should not be sent to external tools.
An app restriction is not the same as deleting content created before the restriction. It controls whether the integration can be used going forward in that workspace.
Security logs
Workspace security logs help admins review account access into the workspace. Logs can include member identity, email, sign-in time, IP address, device/browser details, and approximate location.
Use these logs to answer questions like:
- Did this member sign in recently?
- Was there sign-in activity from an unfamiliar device or network?
- Did a member report a suspicious access event?
- Did a security policy change line up with a sign-in issue?
Security logs are not a full audit trail of every canvas edit, file open, comment, or object movement. For content history, use the relevant canvas, project, activity, comment, or object history feature where available.
Member management and security work together
Workspace security settings do not replace member management. If a person should not belong to the workspace, remove or deactivate the member. If a person should belong but needs a stronger sign-in requirement, use required two-factor authentication. If a person should only access one canvas, use item sharing instead of workspace membership.
Start with Manage workspace members when the question is “who belongs here?” Start with this article when the question is “what security rules should this workspace enforce?”
Troubleshooting workspace security settings
| Symptom | Likely cause | What to do |
|---|---|---|
| Admin or Security settings are missing | Your role, plan, or workspace type does not expose those controls. | Confirm your role, active workspace, and plan. Ask another admin to check if needed. |
| A member cannot join after an invite | Email domain restriction, seat limits, or member state is blocking access. | Confirm the invited email domain and use When an invite does not arrive if the email never arrived. |
| A member is blocked by two-factor authentication | Workspace policy requires 2FA, but their account has not completed setup. | Send them to Account security settings. |
| File upload fails with a workspace policy message | The file extension may be blocked. | Ask an admin whether the extension is intentionally restricted, or use an allowed file format, then check Files if you need to find existing material. |
| A security log location looks wrong | VPN, office routing, or mobile networks can affect location. | Compare time, device, browser, and IP/network context before escalating. |
| You need help deciding a safe policy | Security settings affect the whole workspace. | Contact support with the workspace name, desired policy, and why it is needed. |
Related articles
- Open workspace settings
- Invite workspace members
- Manage workspace members
- Account security settings
- Manage active sessions
- When you can't access work