Block access to consumer accounts

As an administrator, you might want to prevent users from signing in to Google services using any accounts other than those you provided them with. For example, you might not want them to use their personal Gmail accounts or a managed Google Account from another domain.

Note: When you block access to consumer accounts, users might see the following error message: "This account is not allowed to sign in within this network"

Use Chrome policies to block accounts

To only allow users from specific domains to access Google services:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. Click User & browser settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Go to User experience and then Sign-in to secondary accounts.
  6. Select Allow users to sign-in only to the G Suite domains set below.
  7. (Optional) To see a list of your domains, click organization’s domains under the domain list box.
  8. Enter the list of all of your organization’s domains.
    (If you don’t, your users might not have access to Google services.)
  9. (Optional) To include other types of accounts, enter the following text in the list:
    • For consumer Google Accounts, such as and, add consumer_accounts.
    • For authenticated service accounts, add
  10. Click Save.
  11. (Optional) To prevent users from browsing in Incognito mode:
    1. From the Admin console Home page, go to Devicesand thenChrome.
    2. Click User & browser settings.
    3. Go to Incognito Mode and then Disallow incognito mode.
      For details, see Incognito Mode.
    4. Click Save.
  12. (Optional) Consider setting additional device policies:
    • Set a sign-in restriction so that only users in your organization can sign in to devices running Chrome OS. For details, see Sign-in Restriction.
    • Turn off guest browsing on devices. For details, see Guest mode.

Settings typically take effect in minutes. But they might take up to an hour to apply for everyone.

Use a web proxy server to block accounts

Step 1: Choose a web proxy server

To only allow users on your network to access Google services using specific Google Accounts from your domain, you need a web proxy server that can:
  • Add a header to all traffic directed to—The header identifies the domains from which users can access Google services.
  • Support SSL interception—Since most traffic through your Google service is encrypted, your proxy server also needs to support SSL interception.

Read specific instructions on how to block Google services from the following proxy service providers, selecting a server that meets your needs.

Step 2: Configure the network to block certain accounts

To prevent users from signing in to Google services using Google Accounts other than those you explicitly specify:
  1. Route all traffic outbound to through your web proxy servers.
  2. Enable SSL interception on the proxy server.
  3. Configure every client device to trust your SSL proxy:
    1. Deploy the Internal Root Certificate Authority used by the proxy.
    2. Mark it as trusted.
  4. For each request:
    1. Intercept the request.
    2. Add the HTTP header X-GoogApps-Allowed-Domains: followed by a comma-separated list with allowed domain names.
      Make sure that the list includes the domain you registered with G Suite and any secondary domains you added.
      Example: X-GoogApps-Allowed-Domains:,
  5. To allow users to sign in to specific accounts, add the following values to the header:
    • domain_name for accounts on specific domains, such as and for accounts ending in and
    • consumer_accounts for consumer Google Accounts, such as and
    • for authenticated service accounts
  6. (Optional) Create a proxy policy to prevent users from inserting their own headers.

Note: This approach blocks sign-in access to Google consumer services other than Google Search, but doesn’t necessarily prohibit anonymous access.

Common Questions

What happens if unauthorized accounts try to access services?

If a user tries to access Google services from an unauthorized account, they see a web page that:
  • Describes the unavailable service
  • Shows the unauthorized account they're using
  • Lists the domains where the service is available
  • Suggests that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account

What happens with services that don’t need authentication?

Google doesn’t maintain a list of blocked services. If a particular service requires sign-in, access gets blocked. Services that don’t require authentication, such as Google Search and YouTube, won’t be blocked.

Why can’t I just filter the traffic instead?

A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case because legitimate traffic from a user’s managed Google Account goes to the same URL as the traffic you want to block.

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue