As an administrator, you might want to prevent users from signing in to Google services using any accounts other than those you provided them with. For example, you might not want users within your corporate network to use their personal Gmail accounts or a managed Google Account from another domain.
Note: When you block access to consumer accounts, users might see the following error message: "This account is not allowed to sign in within this network".
Allow access only from specific domains
Available for ChromeOS devices.
To allow users to access Google services using an account only from a list of specified Google Workspace domains:
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Go to User experience > Sign-in to secondary accounts.
- Select Allow users to only sign in to the domains below.
- Enter your organization’s domains.
  (If you don’t, your users might not have access to Google services.)
  Note: gserviceaccounts.com is included and critical for authenticated service accounts.
- (Optional) To include consumer Google Accounts, such as those ending in @gmail.com and @googlemail.com, enter consumer_accounts in the list.
- Click Save.
Settings typically take effect in minutes. But they might take up to an hour to apply for everyone.
Next steps
- From Users & browsers settings, you can also prevent users from browsing in Incognito mode. Go to Incognito Mode > Disallow incognito mode and click Save. For details, see Incognito Mode.
- Set a sign-in restriction so that only users in your organization can sign in to devices running Chrome OS. For details, see Sign-in Restriction.
- Turn off guest browsing on devices. For details, see Guest mode.
Use a web proxy server to block accounts
Step 1: Choose a web proxy server
- Add a header to all traffic directed to google.com—The header identifies the domains from which users can access Google services.
- Support SSL interception—Since most traffic through your Google service is encrypted, your proxy server also needs to support SSL interception.
Read specific instructions on how to block Google services from the following proxy service providers, selecting a server that meets your needs.
- Route all traffic outbound to google.com through your web proxy servers.
- Enable SSL interception on the proxy server.
- Configure every client device to trust your SSL proxy:
  - Deploy the Internal Root Certificate Authority used by the proxy.
  - Mark it as trusted.
- For each google.com request:
  - Intercept the request.
  - Add the HTTP header X-GoogApps-Allowed-Domains: followed by a comma-separated list with allowed domain names.
    Make sure that the list includes the domain you registered with Google Workspace and any secondary domains you added.
    Example: X-GoogApps-Allowed-Domains: mydomain1.com, mydomain2.com
- To allow users to sign in to specific accounts, add the following values to the header:
  - domain_name for accounts on specific domains, such as altostrat.com and tenorstrat.com for accounts ending in @altostrat.com and @tenorstrat.com
  - consumer_accounts for consumer Google Accounts, such as @gmail.com and @googlemail.com
  - gserviceaccounts.com for authenticated service accounts
- (Optional) Create a proxy policy to prevent users from inserting their own headers.
Note:
- This approach blocks sign-in access to Google consumer services other than Google Search, but doesn’t necessarily prohibit anonymous access.
- When you add the X-GoogApps-Allowed-Domains HTTP header, users will see errors accessing delegated mailboxes from a domain that's not in the header.
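The header handling from the proxy steps above, as an added example (not Google's code or any proxy vendor's configuration): it adds the header on google.com requests and drops any copy the client sent, so users cannot insert their own. Matching subdomains of google.com and all function names are assumptions; the domain values are the page's own examples.

```python
# Added example: header-rewrite logic for an SSL-intercepting proxy.
HEADER = "X-GoogApps-Allowed-Domains"
ALLOWED = ["mydomain1.com", "mydomain2.com", "gserviceaccounts.com"]  # values from the page


def is_google_host(host):
    """True for google.com and its subdomains (subdomain scope is an assumption)."""
    h = host.strip().lower()
    if h.startswith("["):  # bracketed IPv6 literal, never google.com
        return False
    h = h.split(":", 1)[0].rstrip(".")  # drop :port and a trailing root dot
    # Exact or dot-anchored suffix match, so notgoogle.com and
    # google.com.evil.example are not treated as Google.
    return h == "google.com" or h.endswith(".google.com")


def header_value(allowed):
    """Build the comma-separated value, rejecting entries that could break the header."""
    cleaned = []
    for entry in allowed:
        e = entry.strip().lower()
        # Empty entries, embedded separators, whitespace or CR/LF are refused.
        if not e or any(c in e for c in ", \t\r\n"):
            raise ValueError(f"invalid allowed-domain entry: {entry!r}")
        if e not in cleaned:
            cleaned.append(e)
    if not cleaned:
        raise ValueError("allowed-domain list is empty")
    return ", ".join(cleaned)


def rewrite_headers(host, headers, allowed=ALLOWED):
    """Return the (name, value) header list the proxy should forward."""
    # Drop client-supplied copies in any letter case before adding the enforced one.
    kept = [(n, v) for n, v in headers if n.strip().lower() != HEADER.lower()]
    if is_google_host(host):
        kept.append((HEADER, header_value(allowed)))
    return kept
```

Call rewrite_headers from the request hook of whatever intercepting proxy you run; the hook itself is proxy-specific and not shown.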
Common questions
What happens if unauthorized accounts try to access services?
- Describes the unavailable service
- Shows the unauthorized account they're using
- Lists the domains where the service is available
- Suggests that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account
What happens with services that don’t need authentication?
Why can’t I just filter the traffic instead?