Block access to consumer accounts

As an administrator, you might want to prevent users from signing in to Google services using any accounts other than those you provided them with. For example, you might not want users within your corporate network to use their personal Gmail accounts or a managed Google Account from another domain.

Note: When you block access to consumer accounts, users might see the following error message: "This account is not allowed to sign in within this network".

Allow access only from specific domains

To allow users to access Google services using an account only from a list of specified Google Workspace domains:

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Browser Cloud Management, go to Menu Chrome browserSettings.
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Go to User experienceSign-in to secondary accounts.
Select Allow users to only sign in to the domains below.
Enter your organization’s domains.
(If you don’t, your users might not have access to Google services.)
Note: gserviceaccounts.com is included and critical for authenticated service accounts.
(Optional) To include consumer Google Accounts, such as those ending in @gmail.com and @googlemail.com, enter consumer_accounts in the list.
Click Save.

Settings typically take effect in minutes. But they might take up to an hour to apply for everyone.

Next steps

From Users & browsers settings, you can also prevent users from browsing in Incognito mode. Go to Incognito ModeDisallow incognito mode and click Save. For details, see Incognito Mode.
Set a sign-in restriction so that only users in your organization can sign in to devices running Chrome OS. For details, see Sign-in Restriction.
Turn off guest browsing on devices. For details, see Guest mode.

Use a web proxy server to block accounts

Step 1: Choose a web proxy server

To only allow users on your network to access Google services using specific Google Accounts from your domain, you need a web proxy server that can:

Add a header to all traffic directed to google.com—The header identifies the domains from which users can access Google services.
Support SSL interception—Since most traffic through your Google service is encrypted, your proxy server also needs to support SSL interception.

Read specific instructions on how to block Google services from the following proxy service providers, selecting a server that meets your needs.

Step 2: Configure the network to block certain accounts

To prevent users from signing in to Google services using Google Accounts other than those you explicitly specify:

Route all traffic outbound to google.com through your web proxy servers.
Enable SSL interception on the proxy server.
Configure every client device to trust your SSL proxy:
1. Deploy the Internal Root Certificate Authority used by the proxy.
2. Mark it as trusted.
For each google.com request:
1. Intercept the request.
2. Add the HTTP header X-GoogApps-Allowed-Domains: followed by a comma-separated list with allowed domain names.
  Make sure that the list includes the domain you registered with Google Workspace and any secondary domains you added.
  Example: X-GoogApps-Allowed-Domains: mydomain1.com, mydomain2.com
To allow users to sign in to specific accounts, add the following values to the header:
- domain_name for accounts on specific domains, such as altostrat.com and tenorstrat.com for accounts ending in @altostrat.com and tenorstrat.com
- consumer_accounts for consumer Google Accounts, such as @gmail.com and @googlemail.com
- gserviceaccounts.com for authenticated service accounts
(Optional) Create a proxy policy to prevent users from inserting their own headers.

Note:

This approach blocks sign-in access to Google consumer services other than Google Search, but doesn’t necessarily prohibit anonymous access.
When you add the X-GoogApps-Allowed-Domains HTTP header, users will see errors accessing delegated mailboxes from a domain that's not in the header.

Common questions

What happens if unauthorized accounts try to access services?

If a user tries to access Google services from an unauthorized account, they see a web page that:

Describes the unavailable service
Shows the unauthorized account they're using
Lists the domains where the service is available
Suggests that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account

What happens with services that don’t need authentication?

Google doesn’t maintain a list of blocked services. If a particular service requires sign-in, access gets blocked. Services that don’t require authentication, such as Google Search and YouTube, won’t be blocked.

Why can’t I just filter the traffic instead?

A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case because legitimate traffic from a user’s managed Google Account goes to the same URL as the traffic you want to block.

_{Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.}

Was this helpful?

How can we improve it?