Supported editions for this feature: Enterprise Plus SKUs with the Assured Controls add-on. Compare your edition
What are guests?
Workspace guest accounts let your users securely collaborate with people who don't have accounts within your organization. Imagine you need to work with a contractor who uses a different email system. With a Workspace guest account, they can view and respond to encrypted emails as a guest in your organization.
How guest accounts work
When someone in your organization sends an encrypted email Google Workspace creates a guest account for them automatically. The guest receives an email invitation to enable their account. After they follow a few set up steps, they can work with members of your organization.
Guest accounts are managed by your organization, using the Guestsorganizational unit in the organizational unit tree of your admin console. You can control which services guests have access to, set password requirements, and use other security features.
Enable guest accounts
You must be signed in as a super administrator for this task.
Follow the steps below to enable the Guestsorganizational unit in your admin console.
Before you begin
To use guest accounts, you need to set up client-side encryption for your organization. Follow the steps in the Client-side encryption setup overview for using an external encryption key service, including any special instructions for the Encryption with guest accountsoption.
You’ll also need to follow the steps to provide external access to client-side encrypted content .
Turn on Gmail Client-side Encryption
Gmail Client-side Encryption allows users in your organization to send encrypted messages to anyone so that they can securely collaborate externally without S/MIME.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to MenuDataComplianceClient-side encryptionGmail
- Set Client-side encryption statusto ON.
- Under Encryption with guest accounts, check the box for Allow users to send client-side encrypted messages to recipients who aren’t using S/MIME.
- At the bottom right, click Save.
Guest organizational unit settings
Most Guestsorganizational unit settings are inherited from your top-level organizational unit. The table below lists default overrides for guests that you can customize in your admin console.
| Setting |
Default configuration |
Result |
|---|---|---|
| Workspace resource type visibility MenuDirectory settingsWorkspace resource type visibility |
No visibility |
Guests cannot see your organization’s Google Groups or domain shared contacts |
| Visibility settings MenuDirectoryDirectory settingsVisibility settings |
No users |
Guests cannot see other users in your organization’s directory |
| Profile editing MenuDirectoryDirectory settingsProfile editing |
Name |
Guests can only update their name |
| SSO with third-party IDPs MenuSecuritySSO with third-party IDPs |
OFF |
Guests always sign in with Google and cannot use 3P IDPs |
| Account Recovery MenuSecurityAccount Recovery |
ON |
Guests can recover their accounts using their primary email |
| Passwordless MenuSecurityPasswordless |
OFF |
Guests must always sign in with their password |
| API Controls Unconfigured third-party apps MenuAccess and Data control > API ControlsSettingsUnconfigured third-party apps |
OFF |
Guests cannot access unconfigured third-party apps |
| Gmail automatic forwarding MenuAppsGoogle WorkspaceSettings for GmailEnd User AccessAutomatic forwarding |
OFF |
Guests cannot automatically forward incoming emails from their guest account |
