## Environment-level domain restrictions

To enhance control over user activity in your app, Frontegg offers account domain restriction within your environment settings, allowing you to either allow or block user sign-ups when users belonging to specific domains try to access your app. This option becomes especially useful if you want to fine-tune user traffic by allowing or restricting users from accessing it.

#### Use cases

Suppose you aim to enhance user control in your application by implementing Frontegg's domain restriction feature. By enabling this functionality, you can regulate user sign-ups based on specific domain criteria.

As an administrator, you can input the domains from which users can sign up. For example, `@xyzcorporation.com` and `@partnercompany.com`. With domain restrictions enabled, users attempting to sign up with email addresses outside the specified domains are notified that their sign-up is restricted.

### Feature highlights

Domain restriction offers the following finely-grained options:

- **Deny only** - Users belonging to domains in this list are blocked from signing up.
- **Allow only** - Users belonging to domains in this list are the only ones allowed to sign up for an account in this environment (see note).
- **Deny public domain** - Users with emails from public domains (e.g., Gmail, Yahoo) are restricted from signing up to this environment.


Environment-specific settings
Note that account sign-up settings are not applied across all of your environments when enabled in one of them. You need to apply these settings separately to initiate them in specific environments.

### Environment sign-up restrictions setup

To set environment restrictions by domain, go to [ENVIRONMENT] → Configurations → Keys & domains → Domains → Account sign-up restrictions. Here, you can either **Deny domains**, **Allow domains**, or **Deny all public domain emails**.

![domain-restriction-2](/assets/domain-restriction-1.e928d71fdb78416084a26cd5203b1e2fd77ce8fe1d03a8877418e96dbef9ec8d.415a2cb4.png)

### Domain restriction via API

Check out our [API Reference](/ciam/api/identity/domain-restrictions/domainrestrictionscontroller_createdomainrestriction) to perform domain restriction via API.

## Account-level IP and domain restrictions

The Frontegg portal gives you a centralized interface to manage domain and IP restrictions for the accounts within your environment.

IP vs. domain restrictions
IP restrictions apply to sign-up and logging in, meaning users accessing from a blocked IP will be denied access. Domain restrictions apply to sign-up and invitation, meaning users with a blocked domain cannot register or be invited, but already activated users remain unaffected.

### Restricting an IP

To restrict access for a specific IP address, follow these steps:

1. Open the **Frontegg portal**.
2. Navigate to a specific account → click the Security tab → choose **"Restrictions"**.
3. Enable **IP address restriction** by toggling the switch.
4. Confirm by clicking **Enable**.
5. Select the restriction type from the dropdown menu: **Allow only** or **Deny only**.
6. Click **Add IP**.
7. Enter the IP address in the **IP** field. Supported formats: IPv4, IPv6, masks, and CIDR notation.
8. (Optional) Add a description for the IP address.
9. Click **Add**.
10. To disable an IP restriction without removing the IP from the list, deactivate the toggle in the row of the IP you want to disable.
11. To permanently remove an IP restriction, click the **bin icon** in the row of the IP you want to remove and click **Delete IP**.
12. To switch the restriction type for all IP addresses between **Deny only** and **Allow only**, select the required restriction list type from the dropdown menu and click **Change**.


![permissions](/assets/account-security.c25871a3114fb111c0b29069ba89817968d3bbbe43e7889e745d03d554a02d2d.8d25b62c.png)

![permissions](/assets/account-security-ip.24ae207a651dd4ff5ab4216d976d96249736bc069bb0d315c0651fc1ecc7187f.8d25b62c.png)

### Restricting a domain

To restrict access for specific domains, follow these steps:

1. Open the **Frontegg portal**.
2. Navigate to a specific account → click the Security tab → choose **"Restrictions"**.
3. Select the **Domain** tab.
4. Enable **Domain restriction** by toggling the switch.
5. Confirm by clicking **Turn on**.
6. Select the restriction type from the dropdown menu: **Allow only** or **Deny only**.
7. Click **Add domain**.
8. Enter the domain in the **Domain** field. The syntax is auto-validated.
9. Click **Add**.
10. To permanently remove a domain restriction, click the **bin icon** in the row of the domain you want to remove and click **Delete domain**.
11. To switch the restriction type for all domains between **Deny only** and **Allow only**, select the required restriction list type from the dropdown menu and click **Change**.
12. To block all public domain email addresses, toggle the **Block all public domain emails** switch on.