How to Restrict Teammate Invites by Email Domain in Ninety
Ninety lets Owners and Admins restrict teammate invitations to a list of approved email domains. Once the restriction is on, anyone inviting teammates can only invite email addresses ending in one of your approved domains, which keeps personal email addresses (like Gmail or Outlook.com) and other outside accounts out of your workspace.
The setting lives in Company Settings, in the same Security section as Require MFA (you'll need to scroll down beyond the individual tool configurations), and is available on all Ninety plans.
How the email domain allow-list works
When the restriction is active, Ninety checks the domain of each invited email address (the part after the "@") against your approved list before allowing the invite.
For example, if your only approved domain is abcdemo.co, then jordan@abcdemo.co can be invited, but jordan@gmail.com is rejected. A few details to know:
Matching is exact and case-insensitive on text after the "@" character. Wildcards (such as *.abcdemo.co) are not supported.
Existing teammates are grandfathered in. Enabling the restriction never removes or affects people already in your account, even if their email addresses are on a different domain.
Turning the toggle on without entering any domains does not change anything. Enforcement begins only once at least one valid domain is on the list.
You can approve multiple domains (useful for multi-brand companies or after an acquisition).
How to set up the allow-list
Owners and Admins can configure the restriction from Company Settings.
Click your name at the bottom of the left navigation.
Click Company Settings.
Click Configuration and scroll to the Security section.
Turn on the Restrict teammate invites by email domain toggle.
In the Approved email domains (comma-separated) field, enter your approved domains separated by commas (for example, abcdemo.co, abcdemo.com).
Your changes save automatically. The field's helper text confirms the matching rules: Exact match on the domain after @. Case-insensitive. No wildcards. From this point on, new invites are limited to the domains you entered.
Inviting teammates under the restriction
When the restriction is active, anyone who can invite teammates (Owners, Admins, and Managers) sees the following on the Add Teammate screen, whether they open it from Add Teammates in the left navigation or from the Directory:
A hint listing your approved domains: "Only emails ending in abcdemo.co can be invited. Existing teammates are not affected."
An inline error if an address is outside the approved domains: "This email is outside your company's allowed domain list abcdemo.co."
A disabled Add teammates button until every address entered matches an approved domain.
For the standard invite process, see Adding and Inviting Users to Your Account.
User permissions for email domain gating
Only Owners and Admins can configure the allow-list. Managers can see the toggle but can't edit it, and they're still gated by the allow-list when they invite teammates.
The table below summarizes who can do what.
Role | Configure the allow-list | Invite teammates under the restriction |
Owner / Admin | Yes | Yes (gated by the allow-list at invite time) |
Manager | No (can see the toggle but not edit it) | Yes (sees the hint; gated by the allow-list) |
Team Member and Observer | No | No (cannot invite teammates) |
For a full breakdown of what each role can do, see User Roles and Permissions. This setting sits in the same Security section as multi-factor authentication; see Company Settings for an overview of all company configuration options.
If your organization enforces this setting
If your company belongs to a larger organization, that organization may enforce the email domain restriction across all its companies. When this is the case, the Restrict teammate invites by email domain toggle and the approved-domains field appear disabled, with a note identifying your organization and directing you to contact your organization admin to request changes. The domains set at the organization level apply to invites in your company.
What this setting does not do
It does not affect or remove existing teammates, even those on non-approved domains. To remove someone, use the Directory.
It does not support wildcard domains.
It does not block a teammate from changing their email after they've accepted an invite.
It does not retroactively cancel pending invites if you later change the domain list; pending invites resolve normally.
Frequently asked questions
Can I approve more than one domain?
Yes. Enter each approved domain in the field, separated by commas. This is useful for companies with multiple brands or those that have gone through an acquisition.
Do email aliases or plus-addressing still work?
Yes. Ninety checks only the domain (the text after the "@"), so addresses with aliases or plus-addressing are allowed as long as the domain is on your approved list.
What happens to existing teammates whose email is on a different domain?
Nothing. Existing teammates are grandfathered in and are never affected by the restriction. If you want to remove someone, do it through the Directory.
I entered a domain with a typo. How do I fix it?
Return to Company Settings > Configuration > Security, update the domain in the field, and the change is saved automatically. Invalid entries show an inline error and won't save until corrected.
I turned the toggle on, but nothing is restricted. Why?
Enforcement starts only once at least one valid domain is on the list. Turning the toggle on with an empty domain field doesn't restrict anything until you add a domain.