Configure security settings

ArcGIS Online website security settings control access to the site and the pages in it. These settings include those for general security policies, password policies, sign in options, multifactor authentication, access notices, trusted servers, portal access, and more.

Tip:

Visit ArcGIS Trust Center for more in-depth security, privacy, and compliance information.

To configure site security, complete the following steps and the associated steps for the settings that you need to alter:

  1. Confirm that you are signed in as a member of the default administrator role or a custom role that has the set of administrative privileges to manage the organization's security settings.
  2. At the top of the site, click Organization, and click the Settings tab.
  3. Click Security on the side of the page.
  4. Configure any of the following security settings:

Policies

Change any of the policy settings related to access and permissions and sharing and searching as required for your organization.

Access and permissions

Change any of the following access and permissions settings as needed:

  • Allow anonymous access to your organization—Enable this option to allow anonymous users access to your organization's website without providing credentials. If this option is not enabled, anonymous users cannot access the website. This means users who are not signed in to the organization will be prompted to sign in when they access any item in the organization.

    Tip:

    If you disable anonymous access, organization members can still share public items using the public URL.

    If you enable anonymous access, ensure that the groups selected for the site configuration groups are shared with the public; otherwise, anonymous users may not be able to properly view or access the public content of those groups.

    Note:

    Verified organizations must allow anonymous access to the organization to ensure that all users can learn about the organization providing the authoritative data when they click the item owner name on the item page. Verified organizations that want to disable anonymous access must first have their verified status removed.

  • Display an option in your Sign In panel to allow members of other organizations to sign in using their ArcGIS Online credentials solely to access the organization content your members have shared with them—Enable this option to allow members of other ArcGIS Online organizations to access items shared with them by members of your organization. When this option is enabled, a separate sign in link is displayed at the bottom of the sign in window that allows users to sign in through www.arcgis.com and access the items shared with them.
  • Allow members to edit biographical information and who can see their profile—Enable this option to allow members to modify the biographical information in their profile and specify who can see their profile.
  • Allow members to download licensed Esri applications, such as ArcGIS Pro, from their settings page—Enable this option to allow organization members who have the necessary license to download the app using a link on their settings page. Disabling this option hides the download link for members.

Sharing and searching

Change any of the sharing and search settings described below as needed.

Sign-in policy

Configure a password policy and lockout settings as required for your organization as follows:

  • Members who are not administrators can make their content, groups, and profile public—Enable this option to allow members to make their profile or groups visible to everyone (public), share their web apps and other items with the public, and embed their content or groups in websites. If you disable this option, default administrators and members assigned the administrative privilege to share member content with the public can still make other members' content, groups, and profiles public.

    If you disable anonymous access to your organization, you can share maps, apps, and groups by sharing the item with everyone (public) and changing the URL of the item from your organization's private URL to the public ArcGIS Online URL (www.arcgis.com). For example, you can share one of your organization's maps with anonymous users by changing the URL from https://samplegis.maps.arcgis.com/home/webmap/viewer.html?webmap=fb39737f95a74b009e94d2274d44fd55 to https://www.arcgis.com/home/webmap/viewer.html?webmap=fb39737f95a74b009e94d2274d44fd55.

  • Members can search for content outside the organization—Enable this option to allow members to see maps, layers, apps, and files owned by users outside the organization.

    If you disable this setting, members cannot access content outside the organization. As an administrator, you can search for items outside the organization.

  • Show social media links on item and group pages—Enable this option to include links to Facebook and X on item and group pages.

Password policy

When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details. The password policy of the organization does not apply to organization-specific logins, such as SAML logins, or app credentials that use app IDs and app secrets.

The ArcGIS default password policy requires that passwords be at least eight characters and contain at least one letter and one number. If you want to update the password policy for your organization, click Manage password policy to configure the password length, complexity, and history requirements for members with ArcGIS accounts. You can specify the character length and whether the password must contain at least one of any of the following: uppercase letter, lowercase letter, number, or special character. You can also configure the number of days before the password expires and the number of past passwords that the member cannot reuse. To revert to the ArcGIS default policy at any time, click Use default ArcGIS policy.

Note:

Weak passwords won't be accepted. A password is considered weak if it's a commonly used password such as password1 or includes repetitive or sequential characters—for example, aaaabbbb or 1234abcd.

Lockout settings

By default, when a member attempts to sign in to their ArcGIS Online organization using an ArcGIS login, they are locked out of the website for 15 minutes after five failed attempts in a 15-minute period. Click Manage lockout settings to change the number of failed sign-in attempts permitted, or the lockout duration if that number is exceeded, or both. Click Restore defaults to return to the default lockout settings.

Logins

You can customize the organization's sign-in page to allow members to sign in using any of the following methods: ArcGIS logins, Security Assertion Markup Language (SAML) logins (previously known as enterprise logins), OpenID Connect logins, and social logins.

You can also customize the order in which the login methods appear on the organization's sign-in page. To reorder a login method, click its handle Reorder, and drag it to a new position. Click Preview to see what the sign-in page will look like.

Note:

Login reordering is not yet available in organizations using ArcGIS Hub Premium.

Turn on the ArcGIS login toggle button to allow users to sign in to ArcGIS using their ArcGIS logins. When either a SAML or OpenID Connect login is configured, you can turn off the ArcGIS login toggle button to direct users to the external identity provider's sign-in page instead of the organization's sign-in page.

Note:

Turning off the ArcGIS login toggle button only hides the ArcGIS sign-in options on the organization's sign-in page. You can still sign in to your organization using the URL www.arcgis.com.

Use the New SAML login button to configure SAML logins if you want members to sign in to ArcGIS using your organization's existing SAML identity provider (IdP).

Use the New OpenID Connect login button to configure OpenID Connect logins if you want members to sign in using your organization's existing OpenID Connect identity provider (IdP).

See the Readiness in 5 or Less: Organization Specific Logins video for the advantages of using organization-specific logins such as SAML and OpenID Connect logins.

You can also allow organization members to sign up for and sign in to ArcGIS using the logins they use with social networks such as Facebook, Google, GitHub, and Apple. To enable social logins, turn on the Social logins toggle button, and turn on the toggle buttons for the social networks you want to enable. See Manage login types for a more detailed description of how to change and manage login types for your organization.

Certificates and keys

You can manage and configure your organization's certificates and key pairs to support signed requests and encrypted assertions. The certificate used to sign SAML requests and encrypt the assertion response is managed in ArcGIS Online.

When you configure a new SAML login, ArcGIS Online provides a default certificate and key pair, displayed as ArcGIS Default. You can continue using the default, or you can generate or upload your own.

It is a multistep process to manage security certificate rotation. You can generate a self-signed certificate or upload an authority signed certificate. You must then add the certificate and key pair as a secondary SAML certificate during a transition period to ensure that SAML logins still function for your organization. Your administrator must update or reregister this new certificate information with your organization's IdP. Before the previous certificate expires, you must remove the secondary SAML certificate and begin using the new self-signed certificate or authority signed certificate.

Note:

The functionality to manage certificates and keys is in beta. To use this functionality, you must turn off the Block Esri apps and capabilities while they are in beta toggle button.

Create a custom sign-in category

You can customize your organizational sign-in experience using custom sign-in categories. Once you create a custom sign-in category, OAuth 2.0 applications managed in your organization can inherit these categories or can have their own sign-in categories. See Create a custom sign-in category for more details.

Multifactor authentication

Note:

This option controls multifactor authentication for ArcGIS organizational accounts with ArcGIS logins. To configure multifactor authentication for organization-specific (SAML or OpenID Connect) logins, contact your IdP to configure the corresponding options.

Multifactor authentication is not supported for ArcGIS organizational accounts created with social logins or ArcGIS public accounts.

Organizations that want to allow members to set up multifactor authentication for signing in to ArcGIS can turn on the Enable multifactor authentication for organization toggle button. Organizations can also enforce multifactor authentication by clicking the Enforce MFA button. Multifactor authentication provides an extra level of security by requesting additional information when members sign in.

If you enable one of these settings, organization members can set up multifactor authentication through their settings page and receive verification codes on their mobile phones or tablets from a supported authenticator app. ArcGIS Online supports authenticator apps that are based on a Time-based One-Time Password (TOTP) algorithm, such as Google Authenticator for Android and iOS. Members can search for TOTP authenticator apps in the app store of their choice.

Tip:

Members who enable multifactor authentication have a check mark in the Multifactor Authentication column Multifactor authentication of the member table on the Members tab on the Organization page.

Members who set up multifactor authentication can also register security keys through their settings page. Security keys allow members to complete second-step verification more securely and conveniently when signing in to their ArcGIS account. Supported security key options include USB security keys, Face ID, fingerprint readers, and phones.

If you enable multifactor authentication for your organization, you can also turn on the Allow use of recovery codes. Members will be responsible for storing recovery codes in a secure location. toggle button. This allows members who have set up multifactor authentication through their settings page to print or download recovery codes. Recovery codes are one-time use codes that provide second-step verification when members sign in to their ArcGIS account. Recovery codes are useful when members lose physical access to their authenticator app—such as losing access to their phone while traveling or if their phone or security keys are lost or stolen.

If you enable multifactor authentication for your organization, you must designate at least two administrators who will receive email requests to disable multifactor authentication as needed on member accounts. ArcGIS Online sends emails on behalf of members who request help with multifactor authentication through the Having trouble signing in with your code? link (on the page where the member is asked to provide the authentication code). At least two administrators are required to ensure that at least one will be available to help members with any multifactor authentication issues.

Members with ArcGIS logins can now personally reset their multifactor authentication if they are in an organization that has enforced multifactor authentication. To reset multifactor authentication, members must sign in using their current credentials and second-step verification.

Multifactor authentication works with ArcGIS accounts in Esri apps that support OAuth 2.0. This includes the ArcGIS Online website, ArcGIS Pro, ArcGIS apps, and My Esri.

Multifactor authentication must be disabled to access apps without OAuth 2.0 support. For some apps that support OAuth 2.0, multifactor authentication must still be disabled before making a connection to ArcGIS Server services available as part of ArcGIS Online. This includes geocoding and geoprocessing services that perform routing and elevation analysis. Multifactor authentication must also be disabled when storing credentials with Esri premium content.

See manage multifactor authentication for more details.

Email verification

Verifying the validity of organization members' email addresses helps ArcGIS Online users and administrators receive critical information from ArcGIS Online, such as password resets and account changes.

Members of the default administrator role or a custom role with the set of privileges to manage the organization's security settings can click View unverified members to see a list of members with unverified email addresses. Default administrators can also confirm and edit email addresses for any unverified members by clicking Edit email address next to the member's name. Optionally, turn on the Always prompt email verification for members with unverified email addresses toggle button to verify their addresses when they sign in to the organization.

Access notice

You can configure and display a notice of terms for users who access your site.

You can configure an access notice for organization members or all users who access your organization, or both. If you set an access notice for organization members, the notice is displayed after members sign in. If you set an access notice for all users, the notice is displayed when any user accesses your site. If you set both access notices, organization members see both notices.

To configure an access notice for organization members or all users, click Set access notice for organization members or Set access notice for all users, turn on the toggle button to display the access notice, and provide a notice title and text. Choose the Accept and Decline option if you want users to accept the access notice before proceeding to the site, or select OK only if you want users to only click OK to proceed. Click Save when finished.

Note:

HTML tags are not permitted in the access notice.

To edit the access notice for organization members or all users, click Edit access notice in the appropriate section, and make changes to the title, text, or action button options. If you no longer want the access notice displayed, use the toggle button to disable the access notice. After disabling the access notice, the previously typed text and configuration will be retained if the access notice is re-enabled in the future. Click Save when finished.

Information banner

You can use information banners to alert all users who access your organization about your site's status and content. For example, inform users about maintenance schedules or classified information alerts by creating custom messages to appear at the top and bottom of your site. The banner appears on the Home, Gallery, Map Viewer, Scene Viewer, Notebook, Groups, Content, and Organization pages.

To enable the information banner for your organization, click Set information banner, and turn on Display information banner. Add text in the Banner text text box, and choose a background color and font color. A contrast ratio appears for the selected text and background color. Contrast ratio is a measure of legibility based on WCAG accessibility standards; a contrast ratio of 4.5 is recommended to adhere to these standards.

Learn more about accessibility in ArcGIS Online

Note:

HTML tags are not permitted in the information banner.

You can preview the information banner in the Preview pane. Click Save to add the banner to your organization.

To edit the information banner, click Edit information banner, and make changes to the banner text or styling. If you no longer want the information banner displayed, use the toggle button to disable the information banner. After disabling the information banner, the previously typed text and configuration will be retained if the information banner is re-enabled in the future. Click Save when finished.

Trusted servers

For Trusted servers, configure the list of trusted servers you want your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) ArcGIS Server site or viewing secure Open Geospatial Consortium (OGC) services. Hosted web layers secured with token-based security do not need to be added to this list.

Servers added to the trusted servers list must support CORS. Additionally, CORS must be configured to allow the specific domains that will be used to communicate with the server, such as your ArcGIS Online organization domain. Layers hosted on servers without CORS support may not function as expected. All currently supported versions of ArcGIS Server support CORS by default. To configure CORS on non-ArcGIS servers, refer to the vendor documentation for the web server.

The host names must be provided individually. Wildcards cannot be used and are not accepted. The host name can be provided with or without the protocol in front of it. For example, the host name secure.esri.com can be provided as secure.esri.com or https://secure.esri.com.

Allow origins

By default, ArcGIS REST API is open to CORS requests from web applications on any domain. If your organization wants to limit the web application domains that are allowed to access ArcGIS REST API through CORS, you must specify these domains explicitly. For example, to restrict CORS access to web applications on acme.com only, click Add, type https://acme.com in the text box, and click Add domain. You can specify up to 100 trusted domains for your organization. It's not necessary to specify arcgis.com as a trusted domain, as applications running on the arcgis.com domain are always allowed to connect to ArcGIS REST API.

Allowed email links

ArcGIS Online organizations with a basic or premium license for ArcGIS Hub or an ArcGIS Workflow Manager organization extension can send an email to members that only contains links from allowed domains. For example, to allow links from acme.com, click Add link, type https://acme.com in the text box, and click Add link. You can specify up to 100 domains for your organization. You do not need to specify arcgis.com or esri.com, as these domains are always allowed. To learn how to configure this list for your ArcGIS Hub organization or community organization, see Advanced settings in ArcGIS Hub.

Allow portal access

Configure a list of portals (for example https://otherportal.domain.com/arcgis) with which you want to share secure content. This allows members of your ArcGIS Online organization to use their organization-specific logins (including SAML logins) to access the secure content when viewing it from these portals. This setting is not needed for sharing secured content between ArcGIS Online organizations. To share content privately between organizations, see Share items with another organization.

The portal URLs must be provided individually and include the protocol. Wildcards cannot be used and are not accepted. The portal being added must allow HTTPS access (for example https://otherportal.domain.com/arcgis). Any portal added to the list is validated first and, therefore, must be accessible from the browser.

Apps

You can specify which external apps can be accessed by organization members and, optionally, make approved web apps available to organization members in the app launcher. You can also specify a list of Esri apps that should be blocked from members to comply with regulations, standards, and best practices.

Approve apps

All Esri apps, licensed apps, and apps purchased from ArcGIS Marketplace are automatically approved for member access.

Note:

ArcGIS Marketplace will be retired in the first quarter of 2027. The ArcGIS Marketplace website was shut down in March 2026. See the ArcGIS Marketplace Retirement Esri Technical Support article for details.

To give organization members access to other types of apps without a Request for Permissions prompt, you must specify a list of approved apps for the organization. Approved apps can include web, mobile, or native apps hosted in your organization or outside your organization. For access to external apps, you can also restrict member sign-in to only those apps added to the approved apps list.

Note:

Publicly shared approved web apps can also be made available to organization members in the app launcher. Licensed apps automatically appear in the app launcher for members with appropriate licenses. For more information, see Manage apps in the app launcher.

To approve apps for access by organization members, complete the following steps:

  1. Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure.
  2. At the top of the site, click Organization, and click the Settings tab.
  3. Click Security on the side of the page, and click Apps to move to the Apps section of the page.
  4. Optionally, turn on the Members can only sign in to external apps that are approved toggle button.

    If you turn on this setting, organization members can only sign in to external apps that you add to the approved apps list. This applies to external apps that are not currently registered with your organization. Esri apps and apps purchased from ArcGIS Marketplace are always approved, and access is not blocked with this setting.

  5. Under Approved apps, click Add approved app.
  6. Search for an app by doing one of the following:
    • Browse to the app in the list.
    • Search by name—When searching by app name, you can only find apps that are hosted in your organization.
    • Search by item URL—When searching by item URL, you can only find apps shared with the public. The item URL is found on the Overview tab (URL section) of the app's item page.
    • Search by App ID—If you own or have access to the app item, you can find the App ID on the Settings tab (click Application Settings > Registered Info) of the app's item page. Another way to find the App ID is by opening the app in a private browser window, clicking the sign-in link for the app, and looking for the client_id value in the URL displayed in the browser's address bar.
      Tip:

      The client_ids of apps that members have already signed in to are also displayed in organization reports.

  7. Select an app to approve.
  8. Optionally, if you selected a web app, turn off the Show in app launcher toggle button to hide the web app in the app launcher.

    To show the web app in the app launcher, leave this toggle button turned on and follow the steps in Manage apps in the app launcher.

  9. Click Save to add the app to the approved apps list.

Blocked Esri apps

To restrict access to apps that are included with user types and cannot be controlled through licensing, you can configure a list of blocked apps and capabilities. You can also block access to apps and capabilities that are currently in beta.

Blocked apps and capabilities are removed from the app launcher and their items cannot be created from the content page or from a web map. Organization administrators can still see blocked apps and capabilities when managing licenses and adding new members but cannot select them. App items that are created before an app is blocked remain visible in the organization, but members cannot sign in to them. If a blocked app is shared with your organization, members cannot sign in and use the app.

Turn on the Block Esri apps and capabilities while they are in beta toggle button to prevent members from accessing beta apps. You can click See list of apps and capabilities to see which apps and capabilities are currently in beta.

To block apps that are not in beta, click Manage blocked Esri apps and capabilities, select the apps and capabilities you want to block, and click Save. The list includes apps and capabilities that are currently in beta, and selecting them in this list blocks access to them even when they are out of beta.

Organization administrators can remove apps from their organization's blocked apps list by deselecting them in the Manage blocked Esri apps and capabilities window or by clicking the Remove button Remove next to the app in the list.

Developer credentials

As a developer with an organizational account, you can create developer credentials.

You can find a developer credential item by clicking Find API key, token, or client ID and entering a value. You can also click View API keys by expiration date to sort by a specific time period, such as a week or month.

Regional data hosting

Regional data hosting specifies the location where types of items are stored. All other content and user information remains hosted in the U.S.

To enable Raster analysis with Living Atlas data, turn on the Allows raster analysis to be performed in the same region co-located with Living Atlas data for better performance. The analysis input could temporarily leave your region, and the output will be temporarily stored outside of your region before being transferred back to your organization toggle button.