Allow external sharing with only trusted domains

Supported for all Google Workspace, Cloud Identity, and G Suite editions except as noted

Let your users share only with certain organizations outside of your business or school. Add the organization's domain to your allowlist of trusted domains, and then choose sharing settings for your users.

Services that work with trusted domains

  • Google Drive—Users can share files with domains on the allowlist.
  • Classroom—When you put a domain on the allowlist, your users can join classes in that domain and users in the allowlisted domain can join your classes.
  • Google Chat—Users in a trusted domain can chat with users in your organization. Depending on your Google Workspace edition, your users can create and join one-to-one messages or spaces that include users in a trusted domain. Not supported for Enterprise Starter.
  • Looker Studio—Users in your organization can access assets from domains on the allowlist.

How the allowlist works

Expand section  |  Collapse all

Use one allowlist for all trusted domains
  • You have one allowlist that includes all your trusted domains. Drive, Sites, Classroom, Chat, and Looker Studio use the same allowlist.
  • Allowlist domain policies aren’t checked when a document is shared to a group in Google Groups. Users in a group can span different domains and have different sharing policies. This span makes it difficult to determine who can access a particular document.

    For example, if a user shares a document with a group that’s not in their allowlisted domain, they won’t receive a warning if a member of that group can’t view or share the document due to their limited group permissions.

Domain guidelines
  • You can add a primary or secondary domain, domain alias, or subdomain. 
  • You can add up to 5,000 domains, including domain aliases and subdomains, to the allowlist.
  • Google Workspace Essentials accounts must be domain-verified, not email-verified, to access Drive files shared with their users. 
  • Google service accounts (domain name ends in gserviceaccount.com) can't be used as trusted domains.
  • Your domain cannot have non-English characters, such as á, ñ, ü, and ø, or any character from a non-English alphabet.

Step 1: Add a trusted domain to your allowlist

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Accountand thenDomainsand thenAllowlisted domains.
  3. Click Add domain.
  4. Enter the domain, subdomain, or multiple domains separated by commas. You can add up to 200 domains at time.
  5. Click Add. Repeat to add more domains.
  6. Click Save.

Step 2: Review & troubleshoot trusted domain setup

You can check that the allowlisted domain is set up correctly and uses Google Workspace.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settingsand thenSharing options.
  4. For Allowlisted Domains, click View configured allowlisted domains.
  5. If you get an Incompatible with allowlisted domains error, review Troubleshoot setup errors on this page.
  6. If needed, remove any incompatible domains from your allowlist and add them again following the guidelines.

Troubleshoot setup errors

  • The domain name is misspelled.
  • The domain is a Google service account (domain name ends in gserviceaccount.com). Learn more
  • For Drive files, the domain isn't using Google Workspace. To troubleshoot, follow the steps in Allow sharing to non-Google users with visitor sharing.
  • The domain is using an email-verified Google Workspace Essentials edition. You can only use domain-verified editions in the allowlist.

Step 3: Set up sharing access for users

Troubleshoot sharing errors

  • Classroom—Sharing isn't available because the allowlisted domain isn't using Google Workspace Education Fundamentals or Google Workspace Education Plus.
  • Chat—The domain is on the allowlist, but users can't create external spaces. If you checked the allowlisted domains box for Chat externally, you need to also check this box for spaces. ​Or the domain is using an email-verified Google Workspace Essentials edition. You can only use domain-verified editions in the allowlist.

Remove a domain from your allowlist

Remove the domain from your allowlist to stop sharing between your organization and the domain. Users don't get a notification about the change. When a domain is removed, users in that domain lose access to any shared files. The files are also removed from their Shared with me folder in Drive.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Accountand thenDomainsand thenAllowlisted domains.
  3. Point to the domain name and click Remove.
  4. Click Remove domain.
Changes can take up to 24 hours but typically happen more quickly. Learn more
 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu