{ "id": "32008fc4-667c-4f41-b509-061a97ec1f30", "created_at": "2026-04-06T01:29:31.469814Z", "updated_at": "2026-04-10T03:37:26.41061Z", "deleted_at": null, "sha1_hash": "25434b6694e4bb3764c48faaa2cb3a854bc1fd70", "title": "Manage external sharing for your organization", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 114936, "plain_text": "Manage external sharing for your organization\r\nArchived: 2026-04-06 00:47:41 UTC\r\nThis article is for administrators. To learn how to share or set permissions for your own files, go to Share files\r\nfrom Google Drive.\r\nSupported for all Google Workspace, Cloud Identity, and G Suite editions\r\nAs an administrator, you can control if users can share files and folders from Google Docs, Sheets, Slides, Sites,\r\nMy Maps, and shared drives with people outside of your organization. You can also turn on an indicator to show\r\nthat a shared drive or Drive file is owned by or shared with someone outside of your organization.\r\nNote: Gems are stored and shared in Google Drive, so the sharing settings for Drive also apply to Gems. Any\r\nGoogle files included in a Gem are shared with anyone who has access to the Gem. For details, see Turn Gem\r\nsharing on or off.\r\nNote: The sharing settings for Drive also apply to sharing in Gemini Business. For details, see Control Gemini\r\nBusiness and Enterprise access to Workspace data.\r\nOn this page\r\nExample sharing setting scenarios\r\nTurn on or off external sharing of files and folders in Drive\r\nAllow external sharing with only certain domains\r\nTurn the indicator on or off for externally shared files\r\nControl who can move content to a shared drive owned by another organization\r\nTry managing Drive sharing with trust rules\r\nWhat about user accounts that no longer have Drive?\r\nNote: To control sharing with external non-Google users, turn visitor sharing on or off.\r\nExample sharing setting scenarios\r\nSet up custom sharing for a group or organizational unit\r\nYou might want to allow users only in certain groups or organizational units to share content externally, and block\r\nexternal sharing for everyone else. You can do this with Drive sharing settings or with trust rules.\r\nWith Drive sharing settings:\r\n1. If you haven't already, put the users in organizational units or configuration groups.\r\n2. Turn off external sharing for the top organizational unit, as described in the next section.\r\n3. At the left, click the group or organizational unit you want to allow to share externally.\r\nhttps://support.google.com/a/answer/60781\r\nPage 1 of 7\n\nImportant: Group settings override organizational unit settings. If a user belongs to multiple groups, the\r\nsetting for the group with the highest priority is applied to the user.\r\n4. Turn on external sharing.\r\nWith trust rules: Learn how in Create and manage trust rules for Drive sharing.\r\nYou can let users share files and folders with external users who don't have Google Accounts by turning on visitor\r\nsharing. You can choose to allow visitor sharing with anyone or only trusted domains. For instructions, see Allow\r\nsharing to non-Google users with visitor sharing.\r\nAllow only content in specific folders to be shared externally\r\nSupported editions for this feature: Business Starter, Business Standard, and Business Plus; Enterprise Standard\r\nand Enterprise Plus; Education Fundamentals, Education Standard, and Education Plus; Essentials, Enterprise\r\nEssentials, and Enterprise Essentials Plus; Nonprofits; G Suite Business. Compare your edition\r\nThe sharing settings available in your Admin console apply to users by organizational unit or groups. You don't\r\nhave control over individual folders in users My Drives.\r\nTo allow only certain files to be shared externally, you can use shared drives instead. With this approach, the\r\nshared drive acts as the folder.\r\n1. Create an organizational unit with no members.\r\n2. Turn off external sharing for the top organizational unit, as described in the next section.\r\n3. Turn on external sharing for the new organizational unit, overriding the setting for the top organizational\r\nunit.\r\n4. (Optional) To allow sharing with people outside your organization without Google Accounts, turn on\r\nvisitor sharing for the new organizational unit.\r\n5. Create a shared drive to contain files and folders for external sharing.\r\n6. Identify the people allowed to share the files externally and add those people as members of the shared\r\ndrive with the Contributor, Content manager, or Manager access level. If you have many users, add\r\nthem as a group.\r\nNote:\r\nYou can add people outside of your organization as members of a shared drive if they have Google\r\nAccounts. If they don't have Google Accounts, you can turn on visitor sharing so your users can\r\nshare content with them.\r\nReview and understand the permissions granted by each access level. Determine the right access\r\nlevel for the shared drive members based on your organization's specific needs.\r\n7. Assign the shared drive to the new organizational unit.\r\n8. Move content into the shared drive.\r\n9. (Optional) If you want to be notified when content is added to the shared drive and shared externally, you\r\ncan set up a reporting rule based on Drive log events.\r\nhttps://support.google.com/a/answer/60781\r\nPage 2 of 7\n\nTurn on or off external sharing of files and folders in Drive\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nSharing content in Drive with people outside your organization can be an important collaboration process, but it\r\nalso carries risk of data leaks. If you turn on external sharing, you have options to limit sharing, such as warning\r\nusers before they share or blocking link sharing.\r\nIf you turn off external sharing, users can't share the following items with external users:\r\nInvitations to items created in Docs, Sheets, and Slides\r\nLinks to files stored in Drive\r\nItems attached to emails, either uploaded directly from devices or stored in Drive\r\nExternal users also lose access to any items previously shared with them.\r\nYou can also block these same items coming from external users to users in your organization. These restrictions\r\napply to external group members. When files are shared with a group that has external users, those external users\r\ncan't access the file.\r\nNote: Restrictions apply at the user level, not at the group level. So while files can be shared with an external\r\ngroup, external users in that group who are blocked by your sharing settings can't access the files.\r\nTo turn external sharing on or off:\r\n1. In the Google Admin console, go to Menu and then Apps and then Google Workspace\r\nand then Drive and Docs.\r\nRequires having the Service Settings administrator privilege.\r\n2. Click Sharing settings and then Sharing options.\r\nhttps://support.google.com/a/answer/60781\r\nPage 3 of 7\n\n3. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for\r\ndepartments) or configuration group (advanced).\r\nGroup settings override organizational units. Learn more\r\n4. To turn on external sharing, click On and choose sharing options.\r\n5. To turn off external sharing, click Off. You can also block external content from being shared with your\r\nusers, including content in third-party storage systems.\r\n6. Click Save. Or, you might click Override for an organizational unit.\r\nTo later restore the inherited value, click Inherit (or Unset for a group).\r\nIt can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.\r\nAllow external sharing with only certain domains\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nYou can allow file sharing with only trusted (allowed) domains. When you use an allowlist to restrict sharing:\r\nThe domain must be a Google Workspace domain unless you're using visitor sharing.\r\nYou can't select only certain domains in the allowlist for file sharing. All trusted domains are included.\r\nUsers can't share files with personal accounts.\r\nIf your organization has a mix of Cloud Identity and Google Workspace licenses, the allowlist applies to\r\nCloud Identity users, too.\r\nBefore you begin: If needed, learn how to apply the setting to a department or group.\r\nIf you haven't already, add trusted domains to your allowlist.\r\nhttps://support.google.com/a/answer/60781\r\nPage 4 of 7\n\n1. In the Google Admin console, go to Menu and then Apps and then Google Workspace\r\nand then Drive and Docs.\r\nRequires having the Service Settings administrator privilege.\r\n2. Click Sharing settings and then Sharing options.\r\n3. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for\r\ndepartments) or configuration group (advanced).\r\nGroup settings override organizational units. Learn more\r\n4. Click Allowlisted Domains and choose sharing options.\r\n5. Click Save. Or, you might click Override for an organizational unit.\r\nTo later restore the inherited value, click Inherit (or Unset for a group).\r\n6. (Forms only) Under Sharing settings, click Form responses. Choose whether users in your domain can\r\nrespond to forms that are created externally or share forms externally for responses.\r\nNote: If you turn these options off, Google Drive sharing settings are applied to form responders.\r\n7. Click Save. Or, you might click Override for an organizational unit.\r\nTo later restore the inherited value, click Inherit (or Unset for a group).\r\nIt can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.\r\nTurn the indicator on or off for externally shared files\r\nBy default, when a shared drive or Drive file is owned by or shared with someone outside of your organization, an\r\nExternal warning indicator is shown. However, you can turn the setting on or off for some or all of your users. If\r\nyou turn the setting off, you can still review the files that are externally shared in the Drive log events.\r\nTo turn the indicator on or off:\r\nBefore you begin: If needed, learn how to apply the setting to a department or group.\r\n1. In the Google Admin console, go to Menu and then Apps and then Google Workspace\r\nand then Drive and Docs.\r\nRequires having the Service Settings administrator privilege.\r\n2. Click Sharing settings and then Sharing options.\r\n3. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for\r\ndepartments) or configuration group (advanced).\r\nGroup settings override organizational units. Learn more\r\nhttps://support.google.com/a/answer/60781\r\nPage 5 of 7\n\n4. Click Highlight external files and then check or uncheck the Highlight external files box to turn on or\r\noff the indicator.\r\n5. Click Save. Or, you might click Override for an organizational unit.\r\nTo later restore the inherited value, click Inherit (or Unset for a group).\r\nIt can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.\r\nUnderstand indicator display behavior\r\nWhen the warning indicator is turned on, it's shown for Drive files that are owned by or shared with someone\r\noutside of your organization, with the following exceptions:\r\nThe indicator isn't shown if a group in Google Groups owned by your organization can access the file, even\r\nif the group includes members outside of your organization.\r\nThe indicator is always shown if any service accounts can access the file, regardless of whether the service\r\naccount is owned by someone inside or outside of your organization.\r\nThe indicator is always shown if any automatically generated Google Classroom groups can access the file.\r\nControl who can move content to a shared drive owned by another organization\r\nYou can allow or block moving content from shared drives that involve an external source or target. For example:\r\nYou can block moving content from a shared drive in your organization to an external shared drive or\r\nexternal user's My Drive.\r\nYou can block moving content from a user's My Drive in your organization to an external shared drive.\r\nFor details, go to Restrict who can move content to external shared drives.\r\nTry managing Drive sharing with trust rules\r\nSupported editions for this feature: Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard\r\nand Education Plus; Enterprise Essentials Plus. Compare your edition\r\nInstead of using Drive settings for sharing outside your organization, you can use trust rules to manage sharing\r\nboth outside and inside your organization. Trust rules give you more control over who your users can share with.\r\nFor details, see Create and manage trust rules for Drive sharing.\r\nWhat about user accounts that no longer have Drive?\r\nIf a user in your organization no longer has the Drive and Docs service for their account—for example, the Google\r\nWorkspace license was removed from their account—files they own can be shared only within your organization,\r\neven if the sharing settings applied to their files allow external sharing.\r\nTo remove the external-sharing restriction from the user's files, you can add an Archived User (AU) license to\r\ntheir account. For details, go to Add Archived User licenses.\r\nhttps://support.google.com/a/answer/60781\r\nPage 6 of 7\n\nSet general access sharing options for your organization\r\nRestrict the access users can give to files\r\nStop, limit, or change sharing\r\nSource: https://support.google.com/a/answer/60781\r\nhttps://support.google.com/a/answer/60781\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://support.google.com/a/answer/60781" ], "report_names": [ "60781" ], "threat_actors": [ { "id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4", "created_at": "2023-01-06T13:46:38.269054Z", "updated_at": "2026-04-10T02:00:02.90356Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "GOTHIC PANDA", "TG-0110", "Buckeye", "Group 6", "Boyusec", "BORON", "BRONZE MAYFAIR", "Red Sylvan", "Brocade Typhoon" ], "source_name": "MISPGALAXY:APT3", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "06f622cb-3a78-49cf-9a4c-a6007a69325f", "created_at": "2022-10-25T16:07:23.315239Z", "updated_at": "2026-04-10T02:00:04.537826Z", "deleted_at": null, "main_name": "APT 3", "aliases": [ "APT 3", "Boron", "Brocade Typhoon", "Bronze Mayfair", "Buckeye", "G0022", "Gothic Panda", "Group 6", "Operation Clandestine Fox", "Operation Clandestine Fox, Part Deux", "Operation Clandestine Wolf", "Operation Double Tap", "Red Sylvan", "TG-0110", "UPS Team" ], "source_name": "ETDA:APT 3", "tools": [ "APT3 Keylogger", "Agent.dhwf", "BKDR_HUPIGON", "Backdoor.APT.CookieCutter", "Badey", "Bemstour", "CookieCutter", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EXL", "EternalBlue", "HTran", "HUC Packet Transmit Tool", "Hupigon", "Hupigon RAT", "Kaba", "Korplug", "LaZagne", "MFC Huner", "OSInfo", "Pirpi", "PlugX", "RedDelta", "RemoteCMD", "SHOTPUT", "Sogu", "TIGERPLUG", "TTCalc", "TVT", "Thoper", "Xamtrav", "remotecmd", "shareip", "w32times" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775438971, "ts_updated_at": 1775792246, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/25434b6694e4bb3764c48faaa2cb3a854bc1fd70.pdf", "text": "https://archive.orkl.eu/25434b6694e4bb3764c48faaa2cb3a854bc1fd70.txt", "img": "https://archive.orkl.eu/25434b6694e4bb3764c48faaa2cb3a854bc1fd70.jpg" } }