Manage Workspace guests (beta)
Supported editions for this feature: Enterprise Plus SKUs with the Assured Controls add-on. Compare your edition
What are guests?
Workspace guest accounts let your users securely collaborate with people who don't have accounts within your organization. Imagine you need to work with a contractor who uses a different email system. With a Workspace guest account, they can view and respond to encrypted emails as a guest in your organization.
How guest accounts work
When someone in your organization sends an encrypted email Google Workspace creates a guest account for them automatically. The guest receives an email invitation to enable their account. After they follow a few set up steps, they can work with members of your organization.
Guest accounts are managed by your organization, using the Guests organizational unit in the organizational unit tree of your admin console. You can control which services guests have access to, set password requirements, and use other security features.
Enable guest accounts
You must be signed in as a super administrator for this task.
Follow the steps below to enable the Guests organizational unit in your admin console.
Before you begin
To use guest accounts, you need to set up client-side encryption for your organization. Follow the steps in the Client-side encryption setup overview for using an external encryption key service, including any special instructions for the Encryption with guest accounts option.
You’ll also need to follow the steps to provide external access to client-side encrypted content.
Turn on Gmail Client-side Encryption
Gmail Client-side Encryption allows users in your organization to send encrypted messages to anyone so that they can securely collaborate externally without S/MIME.
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to MenuDataand thenComplianceand thenClient-side encryptionand thenGmail
- Set Client-side encryption status to ON.
- Under Encryption with guest accounts, check the box for Allow users to send client-side encrypted messages to recipients who aren’t using S/MIME.
- At the bottom right, click Save.
Guest organizational unit settings
Most Guests organizational unit settings are inherited from your top-level organizational unit. The table below lists default overrides for guests that you can customize in your admin console.
|
Setting |
Default configuration |
Result |
|---|---|---|
|
Workspace resource type visibility MenuDirectory settingsand thenWorkspace resource type visibility |
No visibility |
Guests cannot see your organization’s Google Groups or domain shared contacts |
|
Visibility settings MenuDirectoryand then Directory settingsand thenVisibility settings |
No users |
Guests cannot see other users in your organization’s directory |
|
Profile editing MenuDirectoryand then Directory settingsand thenProfile editing |
Name |
Guests can only update their name |
|
SSO with third-party IDPs MenuSecurityand thenSSO with third-party IDPs |
OFF |
Guests always sign in with Google and cannot use 3P IDPs |
|
Account Recovery MenuSecurityand thenAccount Recovery |
ON |
Guests can recover their accounts using their primary email |
|
Passwordless MenuSecurityand then Passwordless |
OFF |
Guests must always sign in with their password |
|
API Controls Unconfigured third-party apps MenuAccess and Data control > API Controlsand then Settingsand thenUnconfigured third-party apps |
OFF |
Guests cannot access unconfigured third-party apps |
|
Gmail automatic forwarding MenuAppsand thenGoogle Workspaceand thenSettings for Gmailand thenEnd User Accessand thenAutomatic forwarding |
OFF |
Guests cannot automatically forward incoming emails from their guest account |