Manage Workspace guests (beta)

Supported editions for this feature: Enterprise Plus SKUs with the Assured Controls add-on. Compare your edition

If your users will be collaborating only with external users that use Client-side Encryption (CSE), see Provide external access to client-side encrypted content.

What are guests?

Workspace guest accounts let your users securely collaborate with people who don't have accounts within your organization. Imagine you need to work with a contractor who uses a different email system. With a Workspace guest account, they can view and respond to encrypted emails as a guest in your organization.

How guest accounts work

When someone in your organization sends an encrypted email Google Workspace creates a guest account for them automatically. The guest receives an email invitation to enable their account. After they follow a few set up steps, they can work with members of your organization.

Guest accounts are managed by your organization, using the Guests organizational unit in the organizational unit tree of your admin console. You can control which services guests have access to, set password requirements, and use other security features.

Enable guest accounts

You must be signed in as a super administrator for this task.

Follow the steps below to enable the Guests organizational unit in your admin console.

Before you begin

To use guest accounts, you need to set up client-side encryption for your organization. Follow the steps in the Client-side encryption setup overview for using an external encryption key service, including any special instructions for the Encryption with guest accounts option.

You’ll also need to follow the steps to provide external access to client-side encrypted content.

Turn on Gmail Client-side Encryption

Gmail Client-side Encryption allows users in your organization to send encrypted messages to anyone so that they can securely collaborate externally without S/MIME.

Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
Go to MenuDataComplianceClient-side encryptionGmail
Set Client-side encryption status to ON.
Under Encryption with guest accounts, check the box for Allow users to send client-side encrypted messages to recipients who aren’t using S/MIME.
At the bottom right, click Save.

Guest organizational unit settings

Most Guests organizational unit settings are inherited from your top-level organizational unit. The table below lists default overrides for guests that you can customize in your admin console.

Setting	Default configuration	Result
Workspace resource type visibility MenuDirectory settings Workspace resource type visibility	No visibility	Guests cannot see your organization’s Google Groups or domain shared contacts
Visibility settings Menu Directory Directory settings Visibility settings	No users	Guests cannot see other users in your organization’s directory
Profile editing Menu Directory Directory settings Profile editing	Name	Guests can only update their name
SSO with third-party IDPs Menu Security SSO with third-party IDPs	OFF	Guests always sign in with Google and cannot use 3P IDPs
Account Recovery Menu Security Account Recovery	ON	Guests can recover their accounts using their primary email
Passwordless Menu Security Passwordless	OFF	Guests must always sign in with their password
API Controls Unconfigured third-party apps Menu Access and Data control > API Controls Settings Unconfigured third-party apps	OFF	Guests cannot access unconfigured third-party apps
Gmail automatic forwarding Menu Apps Google Workspace Settings for Gmail End User Access Automatic forwarding	OFF	Guests cannot automatically forward incoming emails from their guest account

Was this helpful?

How can we improve it?