Allow external sharing with only trusted domains

Help and tips for Classroom teachers:

For IT administrators of Google Workspace and Google for Education

Supported editions for this feature: Business Standard and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus; Nonprofits; G Suite Business. Compare your edition

Let your users share only with certain organizations outside of your business or school. Add the organization's domain to your allowlist of trusted domains, and then choose sharing settings for your users.

Google services that work with trusted domains

Drive (includes Docs, Sheets, Slides) and Sites: Users can share files only with the domains on the allowlist. Learn more about sharing settings for Drive and Sites, and how to share with non-Google Accounts.
Classroom: When you put a domain on the allowlist, your users can join classes in that domain and their users can join your classes. Learn more.
Chat: Users in a trusted domain can chat with your organization. Depending on your Google Workspace edition, your users can create or join 1:1 messages or rooms that include users in a trusted domain. Learn about external Chat options.
Looker Studio: Learn about Looker Studio sharing permissions.

How the allowlist works

You have one allowlist that includes all your trusted domains. Drive, Sites, Classroom, Chat, and Looker Studio use the same allowlist.
Allowlist domain policies aren’t checked when a document is shared to a Google group. Users in a group can span different domains and have different sharing policies. This makes it difficult to determine which users would be able to access a particular document.
For example, a user can share a document with a group that is not in their allowlist domain, and they won’t receive a warning. However, if a user from that group has non-sharing permission in their particular domain, they still won’t be able to view the document that was shared with their group.

Set up a trusted domain

Expand all | Collapse all

Add a trusted domain to your allowlist

Domains you can add to the allowlist

You can add a primary or secondary domain, domain alias, or subdomain. For example, if you want to share with users at sales.solarmora.com, add this subdomain to the allowlist.
You can add up to 5000 domains (includes domains, domain aliases, and subdomains) to the allowlist.
Google Workspace Essentials accounts must be domain-verified (not email-verified) to access Drive files shared with their users.
Google service accounts (domain name ends with "gserviceaccount.com") can't be used as trusted domains. Learn more
Your domain cannot have non-English characters, such as á, ñ, ü, and ø, or any character from a non-English alphabet.

Step 1: Add a trusted domain

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu AccountDomains.
Click Allowlisted domains.
Click Add domain.
Enter the domain, subdomain, or multiple domains separated by commas. You can add up to 200 domains at time, and your account can have total of 5000 trusted domains.
Click Add. Repeat to add more domains.
Click Save.

Step 2: Review trusted domains in the allowlist

In Google Drive and Docs, you can check for that the allowlisted domain is set up correctly and uses Google Workspace.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
Click Sharing settingsSharing options.
Below the Allowlisted Domains setting, click View configured allowlisted domains.
Check for the alert, "Incompatible with allowlisted domains." The domain may not be using Google Workspace, or the domain name is incorrect.

For sharing in Drive, Docs, Sheets, Slides, and Sites, set Drive sharing permissions.
For Classroom, go to Configure class settings.
For Chat, set external Chat options
For Looker Studio, set sharing permissions.

Remove a domain from your allowlist

To stop sharing between the domain and your organization, remove the domain from your allowlist. Users do not receive a notification about the change.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu AccountDomains.
Click Allowlisted domains.
Point to the domain name and click Remove.
Click Remove domain.

Note: Once a domain is removed from the allowlist, users in that domain lose access to any shared files, and shared files are removed from their Shared with me folder in Drive.

Changes can take up to 24 hours but typically happen more quickly. Learn more

To confirm the changes, check your Drive sharing permissions or Configure class settings.

Troubleshooting

If you can't share with a domain on the allowlist:

Go to the Sharing settings for the service, such as Drive or Classroom.
Below Allowlisted domains, click View configure allowlisted domains.
Check for domains with the alert, "Incompatible with allowlisted domains":

Check the reasons that the domain isn't on the allowlist:

The domain name might be misspelled.

The domain is a Google Service account (name ends in "gserviceaccount.com"), which isn't supported as a trusted domain. Learn more

For Drive: The domain isn't using Google Workspace. Follow steps to allow sharing with non-Google accounts. Or the domain is using an email-verified Google Workspace Essentials edition. Only domain-verified editions can be used in the allowlist.

For Classroom: Sharing isn't available because the domain isn't using Google Workspace Education Fundamentals or Google Workspace Education Plus.

For Chat: The domain is on the allowlist, but users can't create external spaces. If you've checked the allowlisted domains box for Chat externally, also check this box for spaces.

For Looker Studio: Check the sharing settings for Looker Studio.

Was this helpful?

How can we improve it?