> ## Documentation Index
> Fetch the complete documentation index at: https://docs.box.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Migrating Legacy Governance Policies
**Important:**
Content Security Policies and Shared Link Policies were sunset on February 6, 2026. From that date until May 2026, the feature remains available only to GxP controlled-release customers. In May 2026, the feature will be turned off for all customers.
Because Box Shield functionality now exceeds that of legacy Governance policy functionality, Box recommends migrating any existing legacy Governance policies to Box Shield.
[Box Shield](/en/box-shield/using-box-shield/introducing-box-shield) is Box’s advanced security offering that helps organizations reduce risk and protect the flow of information. Shield’s [Access Policies](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings), when used in combination with [Automated Classification](/en/box-shield/shield-classification-labels-and-policies/classification-policies-automated-classification) and [Threat Detection](/en/box-shield/shield-threat-detection-rules/using-threat-detection), offer a more robust way of securing content in Box and make [Governance Security Policies](/en/box-governance/legacy-governance) obsolete.
This topic explains how to migrate those policies.
## Legacy Governance Policy Migration Overview
You may have the following types of legacy Governance policies that you would need to migrate:
* [Download](#migrate-download-policy)
* [Upload](#migrate-upload-policy)
* [Sharing](#migrate-sharing-policy)
* [Shared Link](#migrate-shared-link-policy)
For any of these that exist on your Governance page, you will enable or create one or more equivalent Box Shield policies.
An easy way to do this is to have two browser windows open side-by-side. In one, view the legacy Governance policy so you can view the details of the policy. In the other, create the equivalent Shield policy.
Migrate Download Policy
Migrating a legacy Governance download policy involves creating a Shield Detection Rules policy.
**Notes**
* There is not a direct analogue to the low/medium/high download activity setting. Instead, the Shield Anomalous Download rule identifies account holders who download potentially sensitive content for unusual work purposes, as explained in [Using Threat Detection](/en/box-shield/shield-threat-detection-rules/using-threat-detection).
* You can enable and configure only one Shield Anomalous Download policy. If you have multiple legacy policies, contact Box Support to assist you with migration.
### Legacy Download Policy Information
To migrate a legacy Download policy, first view and note the necessary information from that policy:
1. Go to **Admin Console > Governance**.
2. Select the **Content Security** tab.
3. Select the Download policy to migrate.
4. Select **Action > Edit**.
5. Make note of the following information:
* Policy Name
* Email address(es) of people who receive notifications
### Create the Comparable Shield Detection Rule
1. Go to **Admin Console > Shield**.
2. Select the **Detection Rules** tab.
3. In the Anomalous Download section, select **Enable**.
4. Copy the policy name from the legacy Download policy and paste it into the **Rule Name** field.
5. Optionally enter a **Description**. You may want to note that this policy replaces your legacy Governance Download policy.
6. Select a **Default Alert Priority**. The default value is *Medium*. See [Create, Edit, and Delete a Threat Detection Rule](/en/box-shield/shield-threat-detection-rules/create-edit-and-delete-a-threat-detection-rule#create-a-threat-detection-rule) for details.
7. Select whether you want policy alerts published to the **Box Event Stream**. See [Create, Edit, and Delete a Threat Detection Rule](/en/box-shield/shield-threat-detection-rules/create-edit-and-delete-a-threat-detection-rule#create-a-threat-detection-rule) for details on **Publish alerts to Box Event Stream**.
8. Copy the email address(es) from the legacy Download policy and paste them into the **Notify Users** field.
**Note**
The only email addresses or managed user names you can enter in this field are Co-Admins who have at least one Shield permission enabled in their user account settings.
9. Select **Next**.
10. Review the rule settings.
11. Select **Start Rule**.
See [Create, Edit, and Delete a Threat Detection Rule](/en/box-shield/shield-threat-detection-rules/create-edit-and-delete-a-threat-detection-rule) for more information.
### Delete Legacy Download Policies
Once you have migrated all of your legacy Governance Download policies, you can safely delete them. For each legacy Download policy:
1. Select the policy.
2. Select **Action > Delete**.
3. Select **Okay**.
Migrate Upload Policy
Migrating a legacy Governance upload policy involves three actions: verifying or creating classifications, creating a classification policy, and creating an access policy.
### Legacy Upload Policy Information
To migrate a legacy Upload policy, first view and note the necessary information from that policy:
1. Go to **Admin Console > Governance**.
2. Select the **Content Security** tab.
3. Select the Upload policy to migrate.
4. Select **Action > Edit**.
5. Make note of the following information:
* Policy Name
* The type(s) of information (Social Security number, credit card number, file type, or custom) that triggers the policy, and if file type, what files types, and if custom, what term(s)
* Email address(es) of people who receive notifications
### Verifying and Creating Classification Labels
To make content classification identifiable, you should have semantically useful names for classification labels.
1. Go to **Admin Console > Classification**.
2. Select the **Classification Labels** tab.
3. Review any existing classification labels to see if any fit the configuration of the upload policy. If not, or if you have no classification labels, [create a classification label](/en/box-shield/shield-classification-labels-and-policies/classification-labels) that fits the definition of the upload policy. See also [Creating and Using Classification Labels Based On Industry Best Practices](/en/box-shield/getting-started-with-box-shield/creating-and-using-classification-labels-based-on-industry-best-practices).
### Create the Comparable Classification Policy
1. Go to **Admin Console > Classification**.
2. Select the **Classification Policies** tab.
3. Select **Create Policy**.
4. Copy the policy name from the legacy Upload policy and paste it into the **Classification Policy Name** field.
5. Optionally enter a **Description**. You may want to note that this policy replaces your legacy Governance Upload policy.
6. In the File Criteria section, select the option(s) that match those in the upload policy:
* If the upload policy has just *File Type* selected, select **Specify file types**, and then enter one or more file extensions.
* If the upload policy has just *Social Security Number*, *Credit Card Number*, or *Custom words or numbers* selected, select **Specify data types**, and then select the matching Data Type(s). Select **Add Condition** to add more Data Types. In the drop-down list, select **Create Custom Terms** for the *Custom words or numbers* option in the upload policy. In the header, select **Any 1** for *When a file contains the following conditions*.
* If the upload policy has *File Type **and*** one or more of *Social Security Number*, *Credit Card Number*, or *Custom words or numbers* selected, you will have to create two Classification policies, one for *File Type* and one for the other options.
See [Classification Settings](/en/box-shield/shield-classification-labels-and-policies/classification-settings) for more details.
7. Select the **Classification Label** you want applied to content that matches the file criteria.
8. Select **Overwrite any existing classification label**. (This is the default choice.)
9. Select **Next**.
10. Review the policy, and then select **Enable**.
### Create the Comparable Shield Access Policy
1. Go to **Admin Console > Shield**.
2. Select the **Access Policies** tab.
3. Select **Create Policy**.
4. Enter a **Policy Name** similar to your Governance Upload policy.
5. Optionally enter a **Description**. You may want to note that this policy replaces your legacy Governance Upload policy.
6. In the Content Type section, select **Apply only to the content with the following classification label**, and then select the classification label that you selected for the Classification policy above.
7. Select and configure one or more security controls. See [Shield Access Policy Settings](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings) for details of each.
8. For the security controls that have an Enforcement Action, optionally select **Monitor restriction violations only**. (This is the action most similar to Governance Upload policies.)
9. Select **Next**.
10. Review the policy, and then select **Start Policy**.
### Delete Legacy Upload Policies
Once you have migrated all of your legacy Governance Upload policies, you can safely delete them. For each legacy Upload policy:
1. Select the policy.
2. Select **Action > Delete**.
3. Select **Okay**.
Migrate Sharing Policy
Migrating a legacy Sharing policy involves two actions: creating a Shield list and creating one or more Shield access policies.
### Legacy Sharing Policy Information
To migrate a legacy Sharing policy, first view and note the necessary information from that policy:
1. Go to **Admin Console > Governance**.
2. Select the **Content Security** tab.
3. Select the Sharing policy to migrate.
4. Select **Action > Edit**.
5. Make note of the following information:
* Policy Name
* The domain(s) defined in the policy
* Email address(es) of people who receive notifications
### Create the Shield List
1. Go to **Admin Console > Shield**.
2. Select the **Lists** tab.
3. Select **Create Shield List**, and then select **Domains**.
4. Enter a descriptive **Shield List Name**.
5. Optionally enter a **Description**. You may want to include that this list is intended to match the legacy Governance sharing policy.
6. Copy the domain(s) from the legacy Governance Sharing policy and paste them into the **Enter Domains** field.
7. Select **Next**.
8. Select **Create List**.
### Create the Comparable Shield Access Policy
1. Go to **Admin Console > Shield**.
2. Select the **Access Policies** tab.
3. Select **Create Policy**.
4. Enter a Policy **Name** similar to your legacy Governance Sharing policy.
5. Optionally enter a **Description**. You may want to include that this policy is intended to match the legacy Governance sharing policy.
6. In the Content Type section, for each classification label that you have defined, select **Apply only to the content with the following classification label**, and then select a classification label.
Once you have done this for all of the policies you create for all of your classification labels, select **Apply to all content without a classification label**.
7. Select **Add Security Control**, and then select **External Collaboration Restriction**.
8. Select **Block specified domains**.
9. Select **Select**.
10. Enter the Shield list you created above.
11. Decide how you want to configure the other policy settings. See [Shield Access Policy Settings](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings) for details.
12. Optionally select **Monitor restriction violations only**. (This is the action most similar to Governance Upload policies.)
13. Select **Next**.
14. Review the policy, and then select **Start Policy**.
15. Repeats this procedure for each classification policy you have defined, and then once more for content with no classification policy applied.
### Delete Legacy Sharing Policies
Once you have migrated all of your legacy Governance Sharing policies, you can safely delete them. For each legacy Sharing policy:
1. Select the policy.
2. Select **Action > Delete**.
3. Select **Okay**.
Migrate Shared Link Policy
Migrating a legacy Shared Link policy involves creating an access policy. Because legacy Shared Link policies require existing classification labels, you do not need to create any to migrate.
### Legacy Shared Link Information
To migrate a legacy Shared Link policy, first view and note the necessary information from that policy:
1. Go to **Admin Console > Governance**.
2. Select the **Shared Link Policies** tab.
3. Make note of the following information:
* Policy Name
* Classification
* Shared link restriction
### Create the Comparable Shield Access Policy
1. Go to **Admin Console > Shield**.
2. Select the **Access Policies** tab.
3. Enter a **Policy Name** similar to a Shared Link policy.
4. Optionally enter a **Description**. You may want to include that this policy is intended to match a legacy Shared Link sharing policy.
5. In the Content Type section, select **Apply only to the content with the following classification label**, and then select the classification label of the Shared Link policy.
6. Select Add Security Control, and then select Shared Link Restriction. Select the restriction:
* If the legacy Shared Link policy restriction was *Company and Collaborators only*, select **People in your company and invited people**.
* If the legacy Shared Link policy restriction was *Collaborators only*, select **Invited people only**.
See [Shield Access Policy Settings](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings) for details.
7. For the security controls that have an Enforcement Action, optionally select **Monitor restrictions only**. (This is the action most similar to Governance Upload policies.)
8. Select **Next**.
9. Review the policy, and then select **Start Policy**.
10. Repeat steps 6 through 13 for each legacy Shared Link policy.
### Delete Legacy Shared Link Policies
Once you have migrated all of your legacy Governance Shared Link policies, you can safely delete them. For each legacy Shared Link policy, hover over the row and select **Edit**, then **Delete**, and then **Delete**.
### Removing Shield Access Policy restrictions on content
Admins/Co-admins can remove applied restrictions to autoclassified content and replicate the behavior of “Restore” action from legacy upload policy (quarantine) by leveraging Classification Management functionality in Content Manager:
1. Go to **Content -> Content Manager**
2. From the advanced filters, select the **Classification** filter
1. Select the previously defined label related to legacy upload policies
3. Search for content
1. Review content classified by the classification policy
4. Select desired files
5. Click the ellipsis “...” and select **Classify**
6. From the labels, choose only one action:
1. Select another label from the dropdown to update content classification and associated access policies
2. Or remove the automatically applied label and associated access policies completely
### Apply Classification Labels and Access Policies to Legacy Quarantine Content
Admin/Co-admins can find content flagged by legacy upload policies and classify it manually in Content Manager to maintain legacy restrictions.
1. Run UAR ([User Activity Report](/en/box-admin-tools/reporting-and-insights/running-reports)) and look for the “Violated Upload Policy” event to identify files flagged by legacy upload policies (last 7 years)
2. Copy and paste affected ID(s) into the Content Manager search input and trigger search
3. Select the desired files from search results
4. Click the ellipsis “...” and select **Classify**
5. Select a label defined as replacement for legacy upload policies
6. Apply classification label to selected content
After applying the classification, content will automatically fall under Access Policy defined for the assigned label.
**Note:**
Admins can search for multiple IDs simultaneously, with queries supporting approximately 40 space-separated IDs. Queries exceeding this limit will generate an error message indicating excessive length.