Define domains allowed to access Google Workspace

Setting the policy turns on Chrome's restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains.

Leaving this setting empty or unset means users can access Google Workspace with any account.

Users cannot change or override this setting.

Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all domains, as described in

Example value:,

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Define domains allowed to access Google Workspace

Registry PathSoftware\Policies\Google\Chrome
Value NameAllowedDomainsForApps
Value TypeREG_SZ
Default Value


Administrative Templates (Computers)

Administrative Templates (Users)