Configure security settings

Default administrators and those with the appropriate privileges can configure security settings for policies, sharing and searching, password policies, sign in options, multifactor authentication, access notices, trusted servers, portal access, and more.

Tip:

Visit ArcGIS Trust Center for more in-depth security, privacy, and compliance information.

  1. Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure enabled.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Click Security on the side of the page.
  4. Configure any of the following security settings:

Policies

Change any of the policy settings related to access and permissions and sharing and searching as required for your organization.

Access and permissions

Change any of the following access and permissions settings as needed:

  • Allow anonymous access to your organization—Enable this option to allow anonymous users access to your organization's website. If this option is not enabled, anonymous users cannot access the website. They also cannot view your maps with Bing Maps (if your organization is configured for Bing Maps).

    Tip:

    If you disable anonymous access, organization members can still share public items using the public URL.

    If you enable anonymous access, ensure that the groups selected for the site configuration groups are shared with the public; otherwise, anonymous users may not be able to properly view or access the public content of those groups.

    Note:

    Verified organizations must allow anonymous access to the organization to ensure that all users can learn about the organization providing the authoritative data when they click the item owner link on the item page. Verified organizations that want to disable anonymous access must first have their verified status removed.

  • Display an option in your Sign In panel to allow members of other organizations to sign in using their ArcGIS Online credentials solely to access the organization content your members have shared with them—Enable this option to allow members of other ArcGIS Online organizations to access items shared with them by members of your organization. When this option is enabled, a separate sign in link is displayed at the bottom of the sign in window, which allows users to sign in through www.arcgis.com and access the items shared with them.
  • Allow members to edit biographical information and who can see their profile—Enable this option to allow members to modify the biographical information in their profile and specify who can see their profile.
  • Allow members to download licensed Esri applications, such as ArcGIS Pro, from their settings page—Enable this option to allow organization members who have the necessary license to download the app using a link on their settings page. Disabling this option hides the download link for members.

Sharing and searching

Change any of the following sharing and search settings as needed:

  • Members who are not administrators can make their content, groups, and profile public—Enable this option to allow members to make their profile or groups visible to everyone (public), share their web apps and other items with the public, and embed their content or groups in websites. If you disable this option, default administrators and members assigned the administrative privilege to share member content with the public can still make other members' content, groups, and profiles public.

    If you disable anonymous access to your organization, you can share maps, apps, and groups by sharing the item with everyone (public) and changing the URL of the item from your organization's private URL to the public ArcGIS Online URL (www.arcgis.com). For example, you can share one of your organization's maps with anonymous users by changing the URL from https://samplegis.maps.arcgis.com/home/webmap/viewer.html?webmap=fb39737f95a74b009e94d2274d44fd55 to https://www.arcgis.com/home/webmap/viewer.html?webmap=fb39737f95a74b009e94d2274d44fd55.

  • Members can search for content outside the organization—Enable this option to allow members to see maps, layers, apps, and files owned by users outside the organization.

    If you disable this setting, members cannot access content outside the organization. As an administrator, you can search for items outside the organization.

  • Show social media links on item and group pages—Enable this option to include links to Facebook and X on item and group pages.

Sign-in policy

Configure a password policy and lockout settings as required for your organization.

Password policy

When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details. The password policy of the organization does not apply to organization-specific logins, such as SAML logins, or app credentials that use app IDs and app secrets.

The ArcGIS default password policy requires that passwords be at least eight characters and contain at least one letter and one number. If you want to update the password policy for your organization, click Manage password policy to configure the password length, complexity, and history requirements for members with ArcGIS accounts. You can specify the character length and whether the password must contain at least one of any of the following: uppercase letter, lowercase letter, number, or special character. You can also configure the number of days before the password expires and the number of past passwords that the member cannot reuse. To revert to the ArcGIS default policy at any time, click Use default ArcGIS policy.

Note:

Weak passwords won't be accepted. A password is considered weak if it's a commonly used password such as password1 or includes repetitive or sequential characters—for example, aaaabbbb or 1234abcd.

Lockout settings

By default, when a member attempts to sign in to their ArcGIS Online organization using an ArcGIS login, they are locked out of the website for 15 minutes after five failed attempts in a 15-minute period. Click Manage lockout settings to change the number of failed sign-in attempts permitted, or the lockout duration if that number is exceeded, or both. Click Restore defaults to return to the default lockout settings.

Logins

You can customize the organization's sign-in page to allow members to sign in using any of the following methods: ArcGIS logins, Security Assertion Markup Language (SAML) logins (previously known as enterprise logins), OpenID Connect logins, and social logins.

You can also customize the order in which the login methods appear on the organization's sign-in page. To reorder a login method, click its handle Reorder and drag it to a new position. Click Preview to see what the sign-in page will look like.

Note:

Login reordering is not yet available in organizations using ArcGIS Hub Premium.

Turn on the ArcGIS login toggle button to allow users to sign in to ArcGIS using their ArcGIS logins. When either SAML or OpenID Connect login is configured, you can turn off the ArcGIS login toggle button to direct users to the external identity provider's sign-in page instead of the organization's sign-in page.

Note:

Turning off the ArcGIS login toggle button only hides the ArcGIS sign-in options on the organization's sign-in page. You can still sign in to your organization by using the URL www.arcgis.com.

Use the New SAML login button to configure SAML logins if you want members to sign in to ArcGIS using your organization's existing SAML identity provider.

Use the New OpenID Connect login button to configure OpenID Connect logins if you want members to sign in using your organization's existing OpenID Connect identity provider.

See the Readiness in 5 or Less: Organization Specific Logins video for the advantages of using organization-specific logins such as SAML and OpenID Connect logins.

You can also allow organization members to sign up for and sign in to ArcGIS using the logins they use with social networks such as Facebook, Google, GitHub, and Apple. To enable social logins, turn on the Social logins toggle button, and turn on the toggle buttons for the social networks you want to enable.

Multifactor authentication

Note:

This option controls multifactor authentication for ArcGIS organizational accounts with ArcGIS logins. To configure multifactor authentication for organization-specific (SAML or OpenID Connect) logins, contact your identity provider to configure the corresponding options.

Multifactor authentication is not supported for ArcGIS organizational accounts created with social logins or ArcGIS public accounts.

Organizations that want to allow members to set up multifactor authentication for signing in to ArcGIS can turn on the Enable multifactor authentication for organization toggle button. Organizations can also enforce multifactor authentication by clicking the Enforce MFA button. Multifactor authentication provides an extra level of security by requesting additional information when members sign in.

If you enable one of these settings, organization members can set up multifactor authentication through their settings page and receive verification codes on their mobile phones or tablets from a supported authenticator app. ArcGIS Online supports authenticator apps that are based on a Time-based One-Time Password (TOTP) algorithm, such as Google Authenticator for Android and iOS. Members can search for TOTP authenticator apps in the app store of their choice.

Tip:

Members who enable multifactor authentication have a check mark in the Multifactor Authentication column Multifactor authentication of the member table on the Members tab on the Organization page.

Members who set up multifactor authentication can also register security keys through their settings page. Security keys allow members to complete second-step verification more securely and conveniently when signing in to their ArcGIS account. Supported security key options include USB security keys, Face ID, fingerprint readers, and phones.

If you enable multifactor authentication for your organization, you can also turn on the Allow use of recovery codes. Members will be responsible for storing recovery codes in a secure location. toggle button. This allows members who have set up multifactor authentication through their settings page to print or download recovery codes. Recovery codes are one-time use codes that provide second-step verification when members sign in to their ArcGIS account. Recovery codes are useful when members lose physical access to their authenticator app—such as losing access to their phone while traveling or if their phone or security keys are stolen.

If you enable multifactor authentication for your organization, you must designate at least two administrators who will receive email requests to disable multifactor authentication as needed on member accounts. ArcGIS Online sends emails on behalf of members who request help with multifactor authentication through the Having trouble signing in with your code? link (on the page where the member is asked to provide the authentication code). At least two administrators are required to ensure that at least one will be available to help members with any multifactor authentication issues.

Multifactor authentication works with ArcGIS accounts in Esri apps that support OAuth 2.0. This includes the ArcGIS Online website, ArcGIS Desktop 10.2.1 and later, ArcGIS apps, My Esri, and apps in ArcGIS Marketplace. In ArcGIS Desktop 10.2.1 and later, multifactor authentication can be used to connect to ArcGIS Online services from the ready-to-use services node in the catalog window.

Multifactor authentication must be disabled to access apps without OAuth 2.0 support. For some apps—such as ArcGIS Desktop 10.2.1 and later—that support OAuth 2.0, multifactor authentication must still be disabled before making a connection from ArcGIS Desktop to ArcGIS Server services available as part of ArcGIS Online. This includes geocoding and geoprocessing services that perform routing and elevation analysis. Multifactor authentication must also be disabled when storing credentials with Esri premium content.

Enforce multifactor authentication

Administrators can enforce multifactor authentication across their organization to ensure that members with ArcGIS logins are in compliance with security policies when signing in to ArcGIS Online, improving the security of their organization. When multifactor authentication is enforced, members with ArcGIS logins will be required to set up multifactor authentication for their accounts in order to sign in. Members will no longer be able to disable multifactor authentication for their own account, and they must contact their administrator to reset their multifactor authentication settings.

Disabling multifactor authentication enforcement allows members to disable multifactor authentication for their own account and does not disable multifactor authentication for members that have it set up. They will continue to be prompted to sign in using multifactor authentication.

Administrators can also exempt members using ArcGIS logins from being required to set up multifactor authentication in order to sign in. Members on the exemption list can enable and disable multifactor authentication for their own account through their settings page.

Note:

Enforcing multifactor authentication signs out any members with ArcGIS logins who have not yet enabled multifactor authentication, interrupting all ongoing work and processes. Reach out to your members in advance to give them enough time to set up multifactor authentication before enabling multifactor authentication enforcement. To avoid unwanted disruptions, you can temporarily add members to the multifactor authentication exemption list.

Follow these steps to enforce multifactor authentication:

  1. Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Under Security, click Enforce MFA.
    Tip:
    Optionally, you can click Manage exemption list to add any users that will retain the ability to enable or disable multifactor authentication. If multifactor authentication is not enforced, the exemption list will have no effect. Click Save when finished.
  4. A window appears. Click Enforce.

    An MFA enforcement is currently in effect label appears in the security settings under MFA Enforcement.

  5. To disable multifactor authentication, click Disable MFA enforcement. To manage the exemption list, click Manage exemption list.

Email verification

Verifying the validity of organization members' email addresses helps ArcGIS Online users and administrators receive critical information from ArcGIS Online, such as password resets and account changes. Optionally, turn on the toggle button to prompt members with unverified email addresses to verify their addresses when signing in to the organization.

Default administrators and members with administrative privileges to manage security and infrastructure settings, manage members, and view all members can click View unverified members to see a list of members with unverified email addresses. Default administrators can also confirm and edit email addresses for any unverified members by clicking Edit email address beside the member's name.

Access notice

You can configure and display a notice of terms for users who access your site.

You can configure an access notice for organization members or all users who access your organization, or both. If you set an access notice for organization members, the notice is displayed after members sign in. If you set an access notice for all users, the notice is displayed when any user accesses your site. If you set both access notices, organization members see both notices.

To configure an access notice for organization members or all users, click Set access notice in the appropriate section, turn on the toggle button to display the access notice, and provide a notice title and text. Choose the Accept and Decline option if you want users to accept the access notice before proceeding to the site, or select OK only if you want users to only click OK to proceed. Click Save when finished.

Note:

HTML tags are not permitted in the access notice.

To edit the access notice for organization members or all users, click Edit access notice in the appropriate section and make changes to the title, text, or action button options. If you no longer want the access notice displayed, use the toggle button to disable the access notice. After disabling the access notice, the previously typed text and configuration will be retained if the access notice is re-enabled in the future. Click Save when finished.

Information banner

You can use information banners to alert all users who access your organization about your site's status and content. For example, inform users about maintenance schedules or classified information alerts by creating custom messages to appear at the top and bottom of your site. The banner appears on the Home, Gallery, Map Viewer, Map Viewer Classic, Scene Viewer, Notebook, Groups, Content, and Organization pages.

To enable the information banner for your organization, click Set information banner and turn on Display information banner. Add text in the Banner text field and choose a background color and font color. A contrast ratio appears for your selected text and background color. Contrast ratio is a measure of legibility based on WCAG 2.1 accessibility standards; a contrast ratio of 4.5 is recommended to adhere to these standards.

Note:

HTML tags are not permitted in the information banner.

You can preview the information banner in the Preview pane. Click Save to add the banner to your organization.

To edit the information banner, click Edit information banner and make changes to the banner text or styling. If you no longer want the information banner displayed, use the toggle button to disable the information banner. After disabling the information banner, the previously typed text and configuration will be retained if the information banner is re-enabled in future. Click Save when finished.

Trusted servers

For Trusted servers, configure the list of trusted servers you want your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) server running ArcGIS Server or viewing secure Open Geospatial Consortium (OGC) services. ArcGIS Server hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Additionally, CORS must be configured to allow the specific domains that will be used to communicate with the server, such as your ArcGIS Online organization domain. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, refer to the vendor documentation for the web server.

The host names must be provided individually. Wildcards cannot be used and are not accepted. The host name can be provided with or without the protocol in front of it. For example, the host name secure.esri.com can be provided as secure.esri.com or https://secure.esri.com.

Note:

Editing feature services secured with web-tier authentication requires a web browser enabled with CORS. CORS is enabled on all supported browsers.

Allow origins

By default, ArcGIS REST API is open to CORS requests from web applications on any domain. If your organization wants to limit the web application domains that are allowed to access ArcGIS REST API through CORS, you must specify these domains explicitly. For example, to restrict CORS access to web applications on acme.com only, click Add and type https://acme.com in the text box and click Add domain. You can specify up to 100 trusted domains for your organization. It's not necessary to specify arcgis.com as a trusted domain, as applications running on the arcgis.com domain are always allowed to connect to ArcGIS REST API.

Register external links sent in emails

ArcGIS Online organizations with a basic or premium license for ArcGIS Hub or an ArcGIS Workflow Manager organization extension can send an email to members that only contains links from allowed domains. For example, to allow links from acme.com, click Add link and type https://acme.com in the text box and click Add link. You can specify up to 100 domains for your organization. You do not need to specify arcgis.com or esri.com, as these domains are always allowed. To learn how to configure this list for your ArcGIS Hub organization or community organization, see Advanced settings in ArcGIS Hub.

Allow portal access

Configure a list of portals (for example https://otherportal.domain.com/arcgis) with which you want to share secure content. This allows members of your organization to use their organization-specific logins (including SAML logins) to access the secure content when viewing it from these portals. This is only applicable for portals at ArcGIS Enterprise version 10.5 and later. This setting is not needed for sharing secured content between ArcGIS Online organizations. To share content privately between organizations, see Share items with another organization.

The portal URLs must be provided individually and must include the protocol. Wildcards cannot be used and are not accepted. If the portal being added allows both HTTP and HTTPS access, two URLs must be added for that portal (for example http://otherportal.domain.com/arcgis and https://otherportal.domain.com/arcgis). Any portal added to the list is validated first and, therefore, must be accessible from the browser.

Apps

You can specify which external apps can be accessed by organization members and, optionally, make approved web apps available to organization members in the app launcher. You can also specify a list of Esri apps that should be blocked from members to comply with regulations, standards, and best practices.

Approve apps

All Esri apps, licensed apps, and apps purchased from ArcGIS Marketplace are automatically approved for member access. To give organization members access to other types of apps without a Request for Permissions prompt, you must specify a list of approved apps for the organization. Approved apps can include web, mobile, or native apps hosted in your organization or outside your organization. For access to external apps, you can also restrict member sign-in to only those apps added to the approved apps list.

Note:

Publicly shared approved web apps can also be made available to organization members in the app launcher. Licensed apps automatically appear in the app launcher for members with appropriate licenses. For more information, see Manage apps in the app launcher.

Do the following to approve apps for access by organization members:

  1. Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Click Security on the side of the page and click Apps to move to the Apps section of the page.
  4. Optionally, turn on the Members can only sign in to external apps that are approved toggle button.

    If you turn on this setting, organization members can only sign in to external apps that you add to the approved apps list. This applies to external apps that are not currently registered with your organization. Esri apps and apps purchased from ArcGIS Marketplace are always approved, and access is not blocked with this setting.

  5. Under Approved apps, click Add approved app.
  6. Search for an app using one of the following methods:
    • Browse to the app in the list.
    • Search by name—When searching by app name, you can only find apps that are hosted in your organization.
    • Search by item URL—When searching by item URL, you can only find apps shared with the public. The item URL is found on the Overview tab (URL section) of the app's item page.
    • Search by App ID—If you own or have access to the app item, you can find the App ID on the Settings tab (Application Settings > Registered Info) of the app's item page. Another way to find the App ID is by opening the app in a private browser window, clicking the sign-in link for the app, and looking for the client_id value in the URL displayed in the browser's address bar.
      Tip:

      The client_ids of apps that members have already signed in to are also displayed in organization reports.

  7. Select an app to approve.
  8. If you selected a web app, you can optionally turn off the Show in app launcher toggle button to hide the web app in the app launcher.

    To show the web app in the app launcher, leave this toggle button turned on and follow the steps in Manage apps in the app launcher.

  9. Click Save to add the app to the approved apps list.

Blocked Esri apps

If your organization wants to restrict access to apps that are included with user types and cannot be controlled through licensing, you can configure a list of blocked apps and capabilities. You can also block access to apps and capabilities that are currently in beta.

Blocked apps and capabilities are removed from the app launcher and their items cannot be created from the content page or from a web map. Administrators can still see blocked apps and capabilities when managing licenses and adding new members but cannot select them. App items that are created before an app is blocked remain visible in the organization, but members cannot sign in to them. If a blocked app is shared with your organization, members cannot sign in and use the app.

Turn on the Block Esri apps and capabilities while they are in beta toggle button to prevent members from accessing beta apps. You can click See list of apps and capabilities to see which apps and capabilities are currently in beta.

To block apps that are not in beta, click Manage blocked Esri apps and capabilities, select the apps and capabilities you want to block, and click Save. The list includes apps and capabilities that are currently in beta, and selecting them in this list blocks access to them even when they are out of beta.

Administrators can remove apps from their organization's blocked apps list by deselecting them in the Manage blocked Esri apps and capabilities window or by clicking the Remove button Remove next to the app in the list.