
Configure security settings

As a default administrator of your organization, you can configure security settings for policies, sharing and searching, password policies, enterprise logins, sign in options, multifactor authentication, trusted servers, and portal access. This is a privilege reserved for the administrator role.

  1. Verify that you are signed in as an administrator of your organization.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Click Security on the left side of the page.
  4. Configure any of the following security settings:
  5. Click Save to save the changes you've made.


Change any of the following policy settings as needed:

  • Allow access to the organization through HTTPS only—HTTPS is enabled by default. Keep this box checked to ensure that your organization's data as well as any temporary identification tokens that allow access to your data are encrypted during communications over the Internet. Uncheck the box to turn off HTTPS.

    HTTPS is intended for organizations that only access their own content or for organizations that access their own content or content from other HTTPS organizations. It is also possible for an organization to enable HTTPS and have its users access additional non-HTTPS content from outside the organization. However, not all applications support consuming maps with mixed content, and this may result in a compromised user experience in the various map viewers.

    If you keep HTTPS enabled and want to publish hosted web layers from ArcGIS Desktop, you must add your organization to your list of portal connections (in the format https://<organization short name> For more information, see Managing portal connections from ArcGIS Desktop in the ArcGIS help.

  • Allow anonymous access to your organization—Keep this box checked to allow anonymous users access to your organization's website. If this box is unchecked, anonymous users will not be able to access the website. They will also not be able to view your maps with Bing Maps (if your organization is configured for Bing Maps). If you enable anonymous access (by checking the box), make sure that the groups selected for the site configuration groups are shared to the public; otherwise, anonymous users may not be able to properly view or access the public content of those groups.


    Verified organizations must allow anonymous access to the organization. Verified organizations that want to disable anonymous access must first have their verified status removed.

  • Allow only standard SQL queries—Keep this box checked to prevent nonstandard queries from being accepted in your organization's hosted feature layers.

    This helps prevent SQL injection attacks. When standardized queries are enabled, ArcGIS Online checks for standard syntax and does not allow database-specific functions and syntax such as queries to Windows Azure SQL Database or subqueries such as cast(POP_CNTRY as varchar) like '7%'. If you are currently using database-specific functions and syntax, you will need to update the where clauses in your application's code to use standard SQL syntax supported by ArcGIS Online.

  • Allow members to edit biographical information and who can see their profile—Keep this box checked to allow members to modify the biographical information in their profile and specify who can see their profile.

Sharing and searching

Change any of the following sharing and search settings as needed:

  • Members can share content publicly—Keep this box checked to allow members to make their profile visible to everyone (public), share their web apps and other items with the public, or embed their maps or groups in websites.

    If you uncheck this box, members will not be able to make their profile public, share their content publicly, or embed content in websites. Social media buttons are also disabled. As an administrator, you can share members' items with the public. You can also make a member's profile visible to everyone (public) so the member can be invited to groups outside the organization.

    If you've disabled anonymous access to your organization, you can share maps, apps, and groups by sharing the item with everyone (public) and changing the URL of the item from your organization's private URL to the public ArcGIS Online URL ( For example, you could share one of your organization's maps with anonymous users by changing the URL from to

  • Members can search for content outside the organization—Keep this box checked to allow members to see maps, layers, apps, and files owned by users outside the organization.

    If you uncheck this box, members will be unable to access content outside the organization. As an administrator, you can choose to search for items outside the organization.

  • Show social media links on item and group pages—Keep the box checked to include links to Facebook and Twitter on item and group pages.

Password policy

When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details. The password policy of the organization does not apply to enterprise logins or app credentials that use app IDs and app secrets.

Click Update Password Policy to configure the password length, complexity, and history requirements for members with ArcGIS accounts. Click Use ArcGIS Default Policy to reset the organization to use the standard ArcGIS Online password policy (at least eight characters with at least one letter and one number).

You can specify the character length and whether the password must contain at least one of any of the following: uppercase letter, lowercase letter, number, or special character. You can also configure the number of days before the password expires and the number of past passwords that the member cannot reuse. Passwords are case sensitive and cannot be the same as the user name.

Enterprise logins

Use the Set Identity Provider and Get Service Provider buttons to set up enterprise logins if you want members to sign in to ArcGIS using the same logins they use to access your enterprise information systems.

Sign in options

If you set up enterprise logins, you see a Sign In Options section where you can configure the options that appear on the organization sign-in page. You can choose to display all three sign-in options (enterprise login, ArcGIS Online login, and social login) on the organization sign-in page, or you can choose to only display the enterprise login option. If you choose the second option to allow members to sign in from the organization sign-in page using enterprise logins, members with ArcGIS Online accounts can still sign in to the organization through

Social logins

Click Configure and check the Allow members to join your organization and sign in using social logins box to set up your organization so members can sign up and sign in to ArcGIS using the logins they use with social networks such as Facebook and Google.

Multifactor authentication

Multifactor authentication provides an extra level of authentication by requesting a verification code in addition to a user name and password. Check the Allow members to choose whether to set up multifactor authentication for their individual accounts box if you want an extra level of authentication when members sign in. You will need to choose at least two designated administrators if you enable multifactor authentication.

Members with ArcGIS accounts can enable multifactor authentication through their profile page and receive verification codes on their mobile phones or tablets from a supported authentication app (currently, Google Authenticator for Android and iOS and Authenticator for Windows Phone). Multifactor authentication is not supported with enterprise logins at this time. Members who have enabled multifactor authentication have a check mark in the Multifactor authentication column of the member table on the Organization page.

You must designate at least two administrators who will receive email requests to disable multifactor authentication on member accounts. ArcGIS Online sends emails on behalf of members who request help with multifactor authentication through the Having trouble signing in? page. At least two administrators are required as a way to ensure that at least one will be available to help members with any multifactor authentication issues.

Trusted servers

For Trusted Servers, configure the list of trusted servers you want your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) ArcGIS Server or viewing secure OGC services. ArcGIS Server hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Additionally, CORS must be configured to allow the specific domains that will be used to communicate with the server, such as your ArcGIS Online organization domain. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, refer to the vendor documentation for the web server.

The host names must be entered individually. Wildcards cannot be used and are not accepted. The host name can be entered with or without the protocol in front of it. For example, the host name can be entered as or


Editing feature services secured with web-tier authentication requires a web browser enabled with CORS. CORS is enabled on all supported browsers.
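Before adding a host to the trusted servers list, it helps to confirm that its CORS response headers will actually pass a browser's check for requests that carry credentials. The following is an added example, not Esri code: it evaluates a captured set of response headers against an organization origin, and the origins and header values in it are constructed placeholders.

```javascript
// Added illustration, not Esri code. All origins and header values below
// are constructed sample data.
const ORG_ORIGIN = "https://org.example.com"; // placeholder organization origin

// Decide whether a browser would expose a credentialed cross-origin response
// to a page running on `origin`, given the server's response headers.
function checkCredentialedCors(origin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const problems = [];
  const warnings = [];
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    problems.push("Access-Control-Allow-Origin is missing: CORS is not enabled");
  } else if (allowOrigin === "*") {
    problems.push("wildcard origin is refused by browsers when credentials are sent");
  } else if (allowOrigin !== origin) {
    problems.push(`allowed origin "${allowOrigin}" is not "${origin}"`);
  }
  // The value is compared byte for byte; "True" or "1" fails.
  if (h["access-control-allow-credentials"] !== "true") {
    problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  }
  // A server that echoes the caller's origin should tell caches to key on it.
  const vary = (h["vary"] || "").split(",").map((v) => v.trim().toLowerCase());
  if (allowOrigin && allowOrigin !== "*" && !vary.includes("origin")) {
    warnings.push("Vary: Origin is absent; shared caches may serve the wrong origin");
  }
  return { ok: problems.length === 0, problems, warnings };
}

// Constructed header sets, as they might be captured from three servers.
const SAMPLE_GOOD = {
  "Access-Control-Allow-Origin": ORG_ORIGIN,
  "Access-Control-Allow-Credentials": "true",
  Vary: "Accept-Encoding, Origin",
};
const SAMPLE_WILDCARD = { "Access-Control-Allow-Origin": "*" };
const SAMPLE_OTHER = {
  "access-control-allow-origin": "https://other.example.com",
  "access-control-allow-credentials": "true",
};

for (const sample of [SAMPLE_GOOD, SAMPLE_WILDCARD, SAMPLE_OTHER]) {
  console.log(JSON.stringify(checkCredentialedCors(ORG_ORIGIN, sample)));
}
```

A server that answers with the wildcard origin works for anonymous requests but fails here, because browsers refuse `*` once credentials are attached.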

Allow origins

By default, ArcGIS REST API is open to Cross-Origin Resource Sharing (CORS) requests from web applications on any domain. If your organization wants to limit the web application domains that are allowed to access ArcGIS REST API through CORS, you must specify these domains explicitly. For example, to restrict CORS access to web applications on only, enter in the text box and click Add Domain. You can specify up to 100 trusted domains for your organization. It's not necessary to specify as a trusted domain, as applications running on the domain are always allowed to connect to ArcGIS REST API.
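An explicit origin list only restricts access if each request's origin is compared as a whole, exact value. The following is an added example, not Esri code, of that comparison; it assumes entries are full origins (scheme, host and optional port), and the host names are constructed placeholders.

```javascript
// Added illustration, not Esri code. Entries are assumed to be full origins
// (scheme://host[:port]); all host names are constructed placeholders.
const MAX_ALLOWED_ORIGINS = 100; // limit stated in the text above

// Canonicalize an origin string, or return null when it is not a bare
// http(s) origin (wildcards, paths, credentials and "null" are refused).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value.includes("*")) return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== "/") return null;
  return url.origin; // lowercased host, default port removed
}

// Validate the configured entries once, up front, and fail loudly.
function buildAllowList(entries) {
  if (entries.length > MAX_ALLOWED_ORIGINS) {
    throw new Error(`more than ${MAX_ALLOWED_ORIGINS} origins configured`);
  }
  const allowed = new Set();
  for (const entry of entries) {
    const origin = normalizeOrigin(entry);
    if (origin === null) throw new Error(`not a valid origin: ${entry}`);
    allowed.add(origin);
  }
  return allowed;
}

// Exact match on the whole origin: no prefix, suffix or substring tests.
function isOriginAllowed(allowed, originHeader) {
  const origin = normalizeOrigin(originHeader);
  return origin !== null && allowed.has(origin);
}

const allowList = buildAllowList(["https://apps.example.com"]);
// Constructed Origin header values: only the first matches the entry.
const SAMPLE_ORIGINS = [
  "https://apps.example.com",
  "http://apps.example.com", // different scheme, so a different origin
  "https://apps.example.com.other.example", // look-alike host name
  "null", // opaque origin sent by sandboxed documents
];
for (const o of SAMPLE_ORIGINS) console.log(o, isOriginAllowed(allowList, o));
```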

Allow portal access

Configure a list of portals (for example with which you want to share secure content. This will allow members of your organization to use their enterprise logins to access the secure content when viewing it from these portals. This is only applicable for portals at Portal for ArcGIS version 10.5 and later. This setting is not needed for sharing secured content between ArcGIS Online organizations. To share content privately between organizations, see Share items with another organization.

The portal URLs must be entered individually and must include the protocol. Wildcards cannot be used and are not accepted. If the portal being added allows both HTTP and HTTPS access, two URLs need to be added for that portal (for example and Any portal added to the list is validated first and, therefore, must be accessible from the browser.