PCG logo

Managing Permissions for External Users in Google Workspace

Within the scope of Identity & Access Management (IAMExternal Link), it is essential for Google Workspace admins not only to define access permissions for individuals within the organisation but also for external ones. Often, it is necessary for a smooth collaboration to provide external individuals such as freelancers, consultants, or partners with their own accounts within the organisation.

However, in most cases, they should not have full access to internal information. In this blog post, we will introduce you to ways in which you can grant or restrict access for external individuals in the Google Workspace Admin Console. Additionally, we will share best practices for implementation.

Generally, there are 2 ways you can go about this:

  1. Add external users to your own domain.
  2. Create a separate domain for external users.

Both ways offer both advantages and disadvantages.

#1. Adding external people to your own domain


  • Reduced administrative effort as you can manage all settings through a single admin console.
  • Simpler resource booking.


  • There is no clear separation between internal and external users.
  • Initial sharing changes may be required if files have been shared organisation-wide but should not be shared with external users.
  • Calendar information can only be hidden from external users through a workaround (see point 4 in Best Practices below).

Best Practices:

  1. Assign an email suffix like klaus.mustermann.external@domain.com or klaus.mustermann@ext.domain.com.
  2. Create a separate organisational unit specifically for external users and move the relevant users there.
  3. Shared Drive:
    1. Create target audiences (e.g., Internal and External).
    2. Enable access checks for target audiences to avoid overly generous sharing (under Apps > Google Workspace > Drive and Docs > Sharing settings)
  4. Customise calendar shares to prevent external users from accessing internal employees' calendars. To do this:
    1. Users must restrict their own calendars (no longer share with the entire organisation).
    2. Calendar should be shared to a group where internal users are in. (a and b can be found in Calendar Settings > Access Permissions).

#2. Adding external users to a separate domain


  • There is a completely visible separation of the organisation.
  • You don't need to change sharing policies for organisation-wide data.
  • Calendars of internal staff are not visible to external users by default.


  • It increases administrative overhead because there are two different admin consoles.
  • Shared resource booking is more complex.

Best Practices:

  1. If you want to share calendars, you have to do it manually via the share menu
  2. Assign an email suffix to external users, such as klaus.mustermann@ext.domain.com.
  3. If you do not want to completely share documents externally, it is best to create the primary domain as an Allowlist.


Ultimately, every organisation must determine its preferred sharing settings. While including external individuals in your own organisation might reduce administrative tasks, opting for a separate domain can offer advantages, especially if you have stringent security requirements.

Do you have questions or concerns about Permissions?

As an experienced Google Cloud Premier Partner and MSP, we're here to answer all your queries with expert advice, and support you in implementing and optimising Google Workspace efficiently. Our customers also enjoy complimentary admin support. Feel free to contact us!

Learn more

Services Used

Continue Reading

The most important announcements at Google Cloud Next '24

Google Cloud Next, Google's most important cloud conference, took place in Las Vegas from April 9 to 11. You can find the most significant information in our blog article!

Learn more
PCG renews Google Cloud "Infrastructure" specialization

The Public Cloud Group has held the Google Cloud Partner Specialization in Infrastructure since 2018. We are pleased to announce that we have now successfully renewed it.

Learn more
Ippen Digital Chooses Google Workspace

Ippen Digital, Europe's largest regional news network, embraced Google Workspace for seamless collaboration and enhanced productivity.

Learn more
Cloud Native Rockstar Award 2022

Benny Woletz earns recognition for excellence in the 'New Work & Collaboration' category for our solution for air conditioning specialist Viessmann.

Learn more
See all

Let's work together

United Kingdom
Arrow Down