Manage Workspace guests

Supported editions for this feature: Workspace guests in Google Chat are supported in all Business and Enterprise SKUs. Workspace guests in Gmail Client-side encryption are supported in Enterprise Plus SKUs with the Assured Controls add-on. Compare your edition

If your users will be collaborating only with external users that use Client-side Encryption (CSE), see Provide external access to client-side encrypted content.

What are guests?

Workspace guest accounts let people who don't have accounts within your organization—such as a contractor who uses a different email system—securely collaborate with your users in Google Workspace apps.

How guest accounts work

When someone in your organization sends an encrypted email or invites an external user to a chat, Google Workspace creates a guest account for them. The guest receives an invitation to set up their account. After the guest acknowledges the Google Workspace Terms of Service and that any data they access belongs to your organization, they can start working with your users.

Guests are automatically added to the Workspace Guests organizational unit of your Admin console, where you can manage their accounts. You can update their information, control which services they have access to, set password requirements, and use other security features. For added security, guest accounts cannot be moved into other organizational units.

What can guests do?

Workspace guests can view and respond to encrypted emails, join chats, access shared documents and drives, and participate in meetings as a guest in your organization.

Email capabilities for guests

Workspace user ability

Supported for guests?

Receive and reply to encrypted emails on external accounts

Only with the Assured Controls Add-on

Chat capabilities for guests

Workspace user ability

Supported for guests?

Create Space

Browse Spaces

Guests can only browse spaces they're added to by members of your organization

Message Search

Guests can search chats and Spaces they are in

Request to Join Spaces

Chat with external users in a DM

Chat with internal users in a DM

When sent a message request

Chat with other guests in a DM

Only with guests created by the same host domain

Join a space marked as external created by an external organization

Join a space marked as external created by an external organization

When added by a user from your organization

Join internal spaces

Add others to a space

Modify space details

Use people suggestions

Suggestions only include users who have messaged the guest

Use @mention people suggestions in a Space

Suggestions only include users who have messaged the guest

Upload files to a space marked as external

With administrator permission

Upload files to a DM

With administrator permission

Access files uploaded to space marked as external

Access files uploaded to DM

View public spaces using a URL

Be invited to multiple spaces

Find, install, and run Chat apps

Add Webhooks to spaces

Initiate Meet requests

Block users

Report users

Report messages in spaces

React with emoji in spaces

React with emoji in DMs with organization users

React with custom emoji

Create, assign, or mark a space task as completed

Use @All in a space

With Space Manager permission

Pin a message, Google Docs file, or link to Chat Board

Drive capabilities for guests

Workspace user ability

Supported for guests?

Read the name and description of a file or folder

Read the content of a file

Read the list of items in a folder

Download a file

Copy a file

Add comments to a file

Modify the name and description of a file or folder

Modify the content of the file

Access historical revisions

Remove items from the My Drive folder

Share items from the My Drive folder

Share a shared drive item

Share a Shared Drive folder

Add files to shared drives

Modify the name or description of a shared drive

Add shared drive members

Access detailed file permissions

Reorganize items within a shared drive

Move items outside of a shared drive

Move items into the trash

Recover items from the trash

Empty the trash

Delete a file or folder

Delete items in shared drives

Delete an empty shared drive

Meet capabilities for guests

Workspace user ability

Supported for guests?

Join a Meet call from a Chat invite sent by an internal user

Note: Guests don't have access to Gmail, Google Calendar or Gemini in Workspace. They can't be included in Dynamic Groups.

Guest account limits

You get 5 free guest accounts for every paid Business and Enterprise license in your organization. For example, if your organization has 10 paid user licenses, you can have 50 guest accounts.

Managing guests

To complete these steps, you need the appropriate User management privilege. Without the correct privilege, you won't see all the controls needed to complete these steps.

The Guests directory lists all guest accounts created under your organization's domain, along with their email addresses, last access date, and status. You can filter guests by status, search for specific users, and manage them in many of the same ways you can manage your organization's users.

To open the Guests directory:

  1. Sign in with an administrator account to the Google Admin console.
  2. Go to Menu Directory and then Guests
  3. To filter the list, click User status, select the filter you want, then click Apply.
  4. To download a list of guests that are interacting with users in your organization, click the Download guests button at the top of the page.
    • Choose Currently applied filters or No filters.
    • Choose your download format: Google Sheets, Comma-separated values (CSV), or JSON
    • Click Download.
  5. To take actions on guest accounts, check a box next to one or more guests' names and click Actions to open a drop-down of options:
    • Email user: Send an email to one or more guests.
    • Suspend user: Temporarily suspend a guest from accessing their account but retain their associated data. Note that guests cannot be suspended in bulk. Learn more about suspending guests or restoring suspended guests.
    • Delete user: Delete one or more guests and all their associated data. Note that your users can still invite guests back again after deletion. Learn more about deleting guests or restoring recently deleted guests.
    • Add to groups: Add one or more guests to email groups within your organization. Learn more
  6. To open a guest's details page, click their Name.

Make changes in a guest's details page

To complete these steps, you need the appropriate User management privilege. Without the correct privilege, you won't see all the controls needed to complete these steps.

Clicking on a guest's name takes you to their details page. A blue External badge beneath their name indicates that they're a guest. The email address created for their account—formatted like user_company.com@hostorg.com.guest.google—is also listed. Actions you can take are listed below the email address:

  • Reset password: Automatically generate or manually create a new password for the guest.
  • Update user: Update the guest's first or last name. A guest's primary email address can't be updated.
  • Add alternate emails: Alternate email addresses aren't available for guests.
  • Add to groups: Search for a group and add the guest.
  • Email: Send an email to the guest.
  • Suspend user: Suspend the guest account. See Security for details.
  • Restore data: Restore app data deleted by the guest during a specific timeframe.
  • Delete user: Delete the guest's account.
    • Your users can still invite guests back again after deletion. Learn more about deleting guests.
  • Change organizational unit: Guests can only be in the Guests organizational unit.

User details

You can update a guest's User information or Apps. Learn more about changing a user's name, photo, or email address.

Security

You can update security settings for a guest in the Security tab. Learn more about resetting a guest's password, setting up password recovery, and allowing guests to add password recovery details.

Groups

You can manage a guest's groups in the Groups tab.

Investigate

You can check log events for issues related to a guest in the Investigate tab. Click View logs to open the security investigation tool.

View guest domains

You can view the domains of your organization's guests in your Admin console.

  1. Go to Menu Account and then Domains and then Manage domains.
  2. Guest domains are listed as the Visitors Domain type.

Directory listing and access for guests

You can choose whether you want guests to appear in or be able to see your organization's directory. Learn more about how to manage your user Directory or control Directory access and listings.

Update your Guests organizational unit settings

You must be signed in as a super administrator for this task.

Guest account invitations are turned on by default for your organization. Most Guests organizational unit settings are inherited from your top-level organizational unit. The table lists the default settings for guests in the Admin console.

You may be able to manage additional guest account features depending on your Google Workspace edition. Check Additional guest settings for more information.

Setting

Default configuration

Result

Workspace resource type visibility

Menu Directory settings and then Workspace resource type visibility

No visibility

Guests cannot see your organization's Google Groups or domain shared contacts

Visibility settings

Menu Directory and then Directory settings and then Visibility settings

No users

Guests cannot see other users in your organization's directory

Profile editing

Menu Directory and then Directory settings and then Profile editing

Name

Guests can only update their name

SSO with third-party IDPs

Menu Security and then SSO with third-party IDPs

OFF

Guests always sign in with Google and cannot use 3P IDPs

Account Recovery

Menu Security and then Account Recovery

ON

Guests can recover their accounts using their primary email

Passwordless

Menu Security and then Passwordless

OFF

Guests must always sign in with their password

API Controls

Unconfigured third-party apps

Menu Access and Data control > API Controls and then Settings and then Unconfigured third-party apps

OFF

Guests cannot access unconfigured third-party apps

Gmail automatic forwarding

Menu Apps and then Google Workspace and then Settings for Gmail and then End User Access and then Automatic forwarding

OFF

 Guests cannot automatically forward incoming emails from their guest account

Additional guest settings

The table lists additional controls that admins can apply to the Workspace Guests organizational unit depending on their Google Workspace edition. Compare your edition

Business Starter

Business Standard

Business Plus

Enterprise Starter

Enterprise Standard

Enterprise Plus

DLP

Context-Aware Access policies

Trust Rules

Vault

Turn off guest account invitations

By default, your users can invite guests to your organization using Google Chat or Gmail Client-side Encryption (CSE). If you don't want your users to be able to invite guests, you can turn off guest account invitations in either Google Chat, Gmail CSE, or both.

Turn off guest account invitations in Chat

  1. Sign in with an administrator account to the Google Admin console.
  2. Go to Menu Security and then Access and data control and then External sharing and then Guest invitations.
  3. Clear Allow users to send guest invitations to people outside your organization.
  4. Click Save.

Turn off guest account invitations in Gmail

  1. Sign in with an administrator account to the Google Admin console.
  2. Go to Menu Data and then Compliance and then Client-side encryption and then Gmail and then Encryption with guest accounts.
  3. Clear Allow users to send client-side encrypted messages to recipients who aren't using S/MIME.
  4. Click Save.