Supported editions for this feature: Enterprise Plus SKUs with the Assured Controls add-on. Compare your edition
What are guests?
Workspace guest accounts let your users securely collaborate with people who don't have accounts within your organization. Imagine you need to work with a contractor who uses a different email system. With a Workspace guest account, they can view and respond to encrypted emails as a guest in your organization.
How guest accounts work
When someone in your organization sends an encrypted email Google Workspace creates a guest account for them automatically. The guest receives an email invitation to enable their account. After they follow a few set up steps, they can work with members of your organization.
Guest accounts are managed by your organization, using the Guests organizational unit in the organizational unit tree of your admin console. You can control which services guests have access to, set password requirements, and use other security features.
Enable guest accounts
You must be signed in as a super administrator for this task.Follow the steps below to enable the Guests organizational unit in your admin console.
Before you begin
To use guest accounts, you need to set up client-side encryption for your organization. Follow the steps in the Client-side encryption setup overview for using an external encryption key service, including any special instructions for the Encryption with guest accounts option.
You'll also need to follow the steps to provide external access to client-side encrypted content.
Turn on Gmail Client-side Encryption
Gmail Client-side Encryption allows users in your organization to send encrypted messages to anyone so that they can securely collaborate externally without S/MIME.
-
Sign in with an administrator account to the Google Admin console.
If you aren't using an administrator account, you can't access the Admin console.
- Go to Menu
Data
Compliance
Client-side encryption
Gmail - Set Client-side encryption status to ON.
- Under Encryption with guest accounts, check the box for Allow users to send client-side encrypted messages to recipients who aren't using S/MIME.
- At the bottom right, click Save.
Guest organizational unit settings
Most Guests organizational unit settings are inherited from your top-level organizational unit. The table below lists default overrides for guests that you can customize in your admin console.
| Setting | Default configuration | Result |
|---|---|---|
| Workspace resource type visibility Menu Directory settings
Workspace resource type visibility |
No visibility | Guests cannot see your organization's Google Groups or domain shared contacts |
| Visibility settings Menu Directory
Directory settings
Visibility settings |
No users | Guests cannot see other users in your organization's directory |
| Profile editing Menu Directory
Directory settings
Profile editing |
Name | Guests can only update their name |
| SSO with third-party IDPs Menu Security
SSO with third-party IDPs |
OFF | Guests always sign in with Google and cannot use 3P IDPs |
| Account Recovery Menu Security
Account Recovery |
ON | Guests can recover their accounts using their primary email |
| Passwordless Menu Security
Passwordless |
OFF |
Guests must always sign in with their password |
| API Controls Unconfigured third-party apps Menu Access and Data control > API Controls
Settings
Unconfigured third-party apps |
OFF | Guests cannot access unconfigured third-party apps |
| Gmail automatic forwarding Menu Apps
Google Workspace
Settings for Gmail
End User Access
Automatic forwarding |
OFF | Guests cannot automatically forward incoming emails from their guest account |