Dropbox Protect FAQs

Admins Updated May 13, 2026

Overview and basics

Who can access Dropbox Protect?

Dropbox Protect is available only to Dropbox Protect admins. Users without a Protect license can’t view or manage Protect settings.

When should admins use Protect?

You should use Protect any time you want to review or manage access to company documents as part of ongoing access oversight and data governance efforts.

Company links and document access

What are company links?

Company links make it easy to share documents broadly inside an organization, but they can also increase exposure if they’re shared more widely than intended. Protect helps admins find and manage documents that use company links so they can review or limit access when needed.

When a document has a company link:

The link works only for people signed in with your company account
Anyone in the organization who has the link can access the document, even if they aren’t a named collaborator
Access level depends on the link’s access level setting, such as view or edit

Learn how to manage shared links in the Dropbox Protect dashboard.

How to use Protect to manage shared company links?

Protect helps admins identify documents that have company or public links and remove or limit those links to reduce risk.

If I remove an account or link, does it affect a user’s ability to access Dash?

No. Dash access is limited to users with assigned licenses. Removing personal accounts, external vendors, or public links only changes access to specific documents. It doesn’t affect their ability to use Dash.

Do company links automatically grant access to documents?

No. Users can only see documents they already have access to as collaborators or through previously accessed links. Cleaning up company links does not expand document access.

Admin access

Can admins view document contents?

No. Protect admins are not automatically granted access to document contents. They can view access levels and metadata, such as collaborators and sharing links, but they can’t view document contents unless they already have access.

Note: Admins aren’t added as collaborators by default, but they can add themselves if needed. If a document has a company or public link, admins can also use that link to access the document.

Learn how to add collaborators.

Can admins remove an owner from an item?

No. The Remove collaborator action only removes collaborators, not owners. This prevents documents, folders, or drives from being left without an owner.

Connected apps and data sources

What apps are supported?

Protect supports the following apps:

Google Drive
Dropbox
Microsoft OneDrive, SharePoint, and Teams documents

Learn how to connect apps to Dropbox Protect.

Can you monitor files outside of supported connected apps?

No. Protect only lets you monitor files connected to Google Drive, Dropbox, Microsoft OneDrive, SharePoint, and Teams.

Content from apps that aren’t connected won’t appear in Protect.

Accounts and identities

Which user accounts appear in Protect?

Protect shows user accounts that have access to documents in the apps connected to Protect.

This includes:

Active accounts
Suspended or archived accounts
Accounts that are owners or collaborators
Accounts with access through company or public links

Notes:

Deleted accounts may appear briefly until the connected app finishes synchronizing.
For Dropbox, invited team members are also shown.
Only accounts with document level access in the connected app appear in Protect.

Which Microsoft user accounts appear in Protect?

For Microsoft 365, Protect shows user accounts that have access to at least one document, drive, or SharePoint or Teams item.

This includes owners and collaborators.

Note: User accounts that exist in Azure but don’t have access to any content won’t appear because Protect displays accounts based on document access levels.

Which Google user accounts appear in Protect?

For Google Drive, account information is collected from the Google Workspace Directory.

Protect shows user accounts that have access to documents in My Drive or shared drives, based on directory and access level data.

Admins can limit which users are included using directory controls. Only accounts that have access to content will appear.

Which Dropbox user accounts appear in Protect?

For Dropbox, Protect shows all Dropbox team member accounts returned by the Dropbox API.

These accounts appear if they have access to content or are part of the connected Dropbox team.

Why don’t some groups or service accounts appear as expected?

Some groups and service accounts don’t have associated email addresses, including Dropbox groups and certain Microsoft service accounts.

Because Protect relies on email domains to classify accounts as internal, outside, or personal, these accounts:

May not appear in the Shared with column on the Protect dashboard
Can’t be filtered using owner or collaborator filters
Can’t be targeted by actions that rely on email addresses

These limitations only apply to accounts with document access in the connected app.

How quickly does a new account appear in Protect?

A new user account will appear in Protect after the user creates a document or is granted access to a document in a connected app.

It can take up to about one hour for the account and its access levels to appear, depending on synchronization timing.

File visibility and synchronization

What types of files appear in Protect?

Protect displays files, folders, shared drives, and other shared containers across connected apps.

Items that don’t have an owner, collaborators, or sharing links are hidden from the interface.

App-specific exceptions include:

Dropbox: Archived team folders and folders where all internal access has been removed
Google: Shared drives with no owner and no internal access

Why isn’t a file appearing in Protect?

A file may not appear for several reasons:

The file is in an app that isn’t connected to Protect
The file has no owner, collaborators, or sharing links
The file was recently created, deleted, or had its access levels changed and hasn’t finished synchronizing
The file is excluded due to app-specific limitations

Most updates appear within about one hour. If the file still doesn’t appear after that time, check that the app is connected and that the file has active access levels.

Do deleted items appear in Protect?

No. Deleted items aren’t displayed in Protect.

If an item was previously visible and then deleted, it can take up to about one hour for that change to appear due to synchronization timing.

How long does it take for updates to appear?

Protect doesn’t update in real time. Data from connected apps is synchronized on a regular schedule.

Updates typically appear within about one hour after a change occurs in a connected app or after an action is run.

If you don’t see updates after more than one hour, refresh the page or check the status of the connected app.

Managing links, collaborators, and document access

What actions can admins take on documents?

Protect allows admins to manage document access across connected apps by taking the following actions:

Add a link. Create a company or public link to an item
Remove a link. Remove a company or public link from an item
Add a collaborator. Grant a user access to an item
Remove a collaborator. Remove a user’s access to an item
Stop sharing. Remove all links and collaborators from an item
Delete. Move an item to trash in the connected app

Notes:

Dropbox team documents don’t have owners. If you use Stop sharing, all access is removed and the item will no longer appear in Protect.
Deleted items are moved to trash based on the connected app’s retention behavior. Shared drives, user drives, and SharePoint sites can’t be deleted.

Learn how to manage shared links in the Dropbox Protect dashboard.

How long do access changes take to complete?

Small actions may complete in seconds. Large bulk actions can take 30 minutes or longer, depending on how many items are affected.

What are access levels and why can’t I modify them?

Access levels are settings that come from a top-level folder, shared drive, site, or library in a connected app. When access levels are applied at a higher level, they automatically apply to all nested files and subfolders.

Dropbox Protect follows the access level model of each connected app, such as Google Drive, Dropbox, and Microsoft 365. Because the access levels are controlled by the source app, they can’t be changed on individual files or subfolders. If you try, you’ll see an error indicating that the access level is inherited and can’t be modified at that level.

Learn how to manage and fix errors with top-level access in Protect.

When do changes appear on the Dropbpx Protect dashboard?

After an action runs, it can take up to about one hour for updates to appear while connected services confirm access level changes.

How can I confirm that an action succeeded?

You can review results in Action history.

Learn how to use the Action history page in Dropbox Protect.

I tried removing a public link, but Action history shows no results. Why?

This usually means the filtered items didn’t include any public links, so no changes were made.

However, if the change was made recently, wait about an hour and try again.

Managing and automating document access

How can I automate document access control in Dropbox Protect?

You can automate document access management by using Policies. Policies allow admins to define rules based on access conditions, such as:

Documents with open company or public links
Documents shared with external collaborators
Other access-related criteria

When a policy condition is met, Protect can send notifications to admins, automatically take actions such as removing links or access, or both.

How the policy responds depends on how it’s configured.

To learn more, see:

How do policy notifications work?

If a policy has alerting enabled, selected admins receive an email every 24 hours.

The email includes:

The policy name
The number of matching items
A link to view those items in Protect

Can alerts be sent through Slack?

No. Slack notifications aren’t supported.

Columns, filters, and dashboard data

What does “Shared with: Private” mean?

Shared with: Private means only the owner has access to the item.

However, Dropbox groups aren’t included in the Shared with count. Because of this, an item may appear as Private even if a Dropbox group has access.

What do the Last modified and Age columns mean?

Last modified shows the most recent time the item was edited or its access levels were changed.
Age shows when the item was created or uploaded.

For Dropbox, the Age column may be blank because creation date information isn’t always available through the API.

How do filters work in Protect?

Filters let you narrow results based on document access and activity criteria.

Last modified and Age filters use predefined time ranges and follow the PST and PDT time zones.
Keyword filters search item titles and support OR logic when multiple keywords are used.
Other filters, such as Shared with, Link type, and App, help you focus on specific types of access or connected apps.

Learn how to use filters on the Dropbox Protect dashboard.

Why does the modified date look older than the age date?

In rare cases, connected app APIs may return inconsistent timestamps, especially after items are moved or ownership changes occur.

This can result in the Last modified date appearing older than the Age date.

File ownership in connected apps

What does the Owner field represent?

The Owner field shows the account that owns the file in the connected app, such as Google Drive, Microsoft 365, or Dropbox.

This refers to file-level ownership in the source system, not Protect ownership or admin roles.

What does “Unknown” file owner mean?

An item may display Unknown as the file owner when Dropbpx Protect can’t retrieve ownership details from the connected app.

This can occur in cases such as:

A shared drive that doesn’t have an assigned manager
An item owned by an external account where ownership details aren’t visible to your organization

What does “Team” file owner mean in Dropbox?

In Dropbox, Team ownership means the file belongs to a Team folder rather than an individual user.

Team folders and their contents don’t have individual file owners. Instead, ownership is managed at the team level within Dropbox.

Product functionality and limits

Are there file size limits in Protect?

No. There are no file size limits in Protect. File size limits are determined by the connected app.

Learn how to connect apps to Dropbox Protect.

Can admins view the contents of files?

No. Protect doesn’t support file previews.

To protect sensitive information, admins can view access levels and metadata but can’t open or view file contents unless they already have access in the connected app.

What reporting and export features are available in Dropbox Protect?

Protect includes built-in reporting and export capabilities to help admins review document ownership and sharing across connected apps.

Overview report. Provides a high-level summary of items, ownership, and sharing activity, including open links and external access.
Stale access report. Highlights items that haven’t been modified for a specified period of time, helping identify potentially outdated or high-risk content.
Action history. Shows the results of actions run in Protect, including successful updates, skipped actions, and errors.

Admins can also export filtered results and report data to CSV.

Learn more:

Action history and error handling

What is Action history?

The Action history page shows the results of actions run in Protect.

Each item included in an action may return a different result. Some items may be skipped update successfully, while others may return errors.

What information appears in the Action history details pane?

Each Action history entry includes a details pane that provides additional context about the action.

The details pane shows:

The actor (the admin who ran the action)
The action performed
The timestamp
The total number of items selected
The number of successful updates
The number of skipped updates
The number of errors

Error message and handling

The table below explains common errors by action type and connected app.

Status	Description	Message	Troubleshooting
Error	Item limit has been reached. Some apps limit how many items can be updated at once. Select fewer items and try again.	There are too many items selected to apply fixes.	Select fewer items and retry the action again. For Google, select less than 500,000 total items. For Dropbox, select less than 10,000 total items.
Error	The app connection is limited. The app has temporarily limited some actions. Try again later.	There is an issue with the app connection, but the reason is unknown.	Try again at a later time.
Error	The app connection is not active. Reconnect the app and try again. If the problem continues, check the app and its settings.	This happens with the app is disconnected. The integration required to perform this action is disconnected or not configured correctly.	Try reconnecting the integration and try again.
Error	Some access could not be removed. Some sharing access was removed, but some may still be active. This can happen if the app blocked the change or if syncing is still in progress. Try again later.	This occurs when some links or collaborators were removed, but not all.	Try again at a later time.
Error	Item not found.	This occurs if an item was moved, deleted, or is not yet available.	Try again at a later time.
Error	Something went wrong. There was a problem.	This happens when an unspecified error occurs.	Try again at a later time.
Skipped	No permission to make this change. Permission to make this change may be controlled externally. If possible, contact the item owner or an app admin for help.	This occurs when a user with sufficient permissions was not found or when you try to perform an action on a user that's not part of the organization.	Update access in the source app.
Skipped	Cannot add collaborator. The collaborator doesn't yet have access to the selected app. Confirm they have access and try again later.	This occurs when an admin tries to add a collaborator that does not have access to selected connector. Sometimes ingestion lag can cause delays with trying to add a collaborator to an item.	Check the collaborators’ access to the source app and try again later.
Skipped	Not allowed by app settings. The settings for this action are turned off in the app. To make this change, update the settings in the app and try again.	This specific error message occurs because the the source app is not configured to allow for this change.	Check the source app settings and try again.
Skipped	Access update not required. Access was previously updated. No further action is required.	This occurs when an account being removed was previously already removed.	Check the access in the source app and try again.
Skipped	Access update not required. The account already has access through a group. The requested action is completed.	The account already has access.	No action is needed.
Skipped	Access permission managed by top-level source. Access is managed by a folder, drive, or app that includes this item. Update access at the top-level source. If the top-level source was selected, no further action is required.	This error occurs when access is managed at the top level source (folder or drive).	Check the top level item. If it was updated, no action is needed. If it wasn’t updated, remove access at the top level.
Skipped	Cannot update owner access. Access for item owners and admins can't be changed until ownership is transferred to someone else.	This occurs because the system prevents owners being removed from items.	Change the owner of the item and try again.
Skipped	Action is not allowed for this top-level source. This action is not allowed for top-level source folders, sites or shared drives.	This occurs if you are trying to delete a shared drive. This action is not allowed.	Nothing further can be done in Protect, but you can try this action in the source app.
Skipped	Action is not supported for this item. Can't update because the app doesn't support this action for this item.	This occurs when a connector doesn't support a certain action.	Nothing further that can be done in Protect, but you can try this action in the source app.
Skipped	Action is not allowed for Microsoft 365. Microsoft 365 groups can’t be removed.	This error occurs if you try removing Microsoft 365 groups from Team sites that they were created on.	Nothing further that can be done in Protect, but you can try this action in the source app.
Skipped	Guest access update required. Can't complete this action while a guest link is still active. Remove guest access, then try again.	This error occurs when attempting to remove a company link when a guest link is present in Microsoft 365. Guest access in Microsoft cannot exist without the Company (Everyone group) permission.	Remove the guest link and try again.

Was this article helpful?

Yes, thanks!

Not really

Thanks for your feedback!

Other ways to get help

Community

Contact support

Social media support