The 97-Point Google Workspace Security Benchmark

Adelia Risk built this Google Workspace security benchmark because we kept finding the same problems during audits. Companies paying for Business Plus or Enterprise licenses were running on default settings that left them exposed. Not because anyone made a bad decision, but because Google ships Workspace configured for convenience, not security.

This benchmark covers 97 Google Workspace security settings across 8 areas, organized by Admin Console section. Every setting maps to a specific policy ID, a recommended configuration, and the risk level if you leave it unchanged. We wrote it for IT admins, managed service providers, and security teams who need a clear answer to a direct question: Is this tenant configured correctly?

The FBI’s Internet Crime Complaint Center reported $12.5 billion in losses from cybercrime in 2023. A misconfigured Google Workspace tenant is exactly the kind of gap attackers look for. SPF records are missing, external sharing is wide open, and there is no two-step verification enforcement. These aren’t exotic attack vectors. They’re the basics that lead to data breaches, and most organizations get at least a few of them wrong.

If you’d rather have us run a Google Workspace security audit for you, we do that too. But this guide gives you everything you need to do it yourself.

How to Use This Guide

We split the benchmark into 8 area pages, one for each major section of Google Workspace security best practices. Each page walks you through how to secure Google Workspace in that area, with the recommended settings, risk level, and Admin Console path for every policy. You can work through them in order or jump straight to the area that concerns you most.

If you want the short version, download the Google Workspace security checklist to track your progress across all 97 settings.

The 8 Google Workspace Security Areas

Area | Policies | What It Covers | Guide
--- | --- | --- | ---
Authentication | 6 | MFA, password rules, login challenges, session controls | Authentication guide
Gmail & Calendar | 24 | SPF, DKIM, DMARC, spam filters, attachment scanning, DLP, calendar sharing | Gmail & Calendar guide
Drive & Docs | 9 | External sharing, link defaults, publishing, shared drives, DLP | Drive guide
Chat & Meet | 9 | Chat history, external chat controls, Meet safety, DLP for messaging | Chat & Meet guide
Admin Controls | 17 | Admin roles, super admin hygiene, account recovery, context-aware access, data export controls | Admin guide
Apps, Services & API | 9 | OAuth scopes, API access, third-party app control, Gemini AI controls, Marketplace | Apps guide
Devices & Mobile | 10 | MDM enrollment, device policies, endpoint verification, Chrome policies | Devices guide
Monitoring & Compliance | 13 | Alert center, audit logs, SIEM integration, retention policies | Monitoring guide

Authentication

Authentication is the front door to your Google Workspace security. If attackers get past it, every other setting in this guide becomes irrelevant. The authentication section covers 6 policies focused on two-step verification, phishing-resistant authentication methods, and password management.

The single most impactful setting here is AUTH-005, two-step verification enforcement. We still find organizations that have MFA “available” but not required. That’s not the same thing. Pair it with AUTH-010 (phishing-resistant authentication like hardware security keys) and you’ve closed off the most common account takeover methods.

Read the full authentication guide –>

Gmail & Calendar

Business email compromise accounted for $2.77 billion in reported losses in 2024, and a misconfigured Gmail setup is one of the easiest doors to leave open. With 24 policies and 9 rated critical, this is the largest and highest-stakes section of the benchmark. It covers email authentication (SPF, DKIM, DMARC), pre-delivery message scanning, attachment safety, spam filtering, content compliance, data loss prevention, and calendar sharing.

We moved calendar sharing into this section after Check Point researchers found a phishing campaign in late 2024 that used fake Google Calendar invites to bypass email security filters, hitting over 300 organizations.

The email authentication trio (GMAIL-005 SPF, GMAIL-010 DKIM, GMAIL-015 DMARC) should be non-negotiable at this point, but we regularly audit tenants where DMARC is either missing or set to “none” instead of “quarantine” or “reject.” GMAIL-075 (disabling automatic forwarding) is another one we flag constantly. One compromised account with auto-forwarding enabled can silently exfiltrate mail for weeks before anyone notices.
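The three record checks described above (SPF, DKIM, DMARC) can be scripted so an audit asks the DNS the same question every time. The following is an added example, not code from Adelia Risk or the benchmark: the TXT records are constructed for fictitious `.test` domains, the `lookup_txt` stub stands in for a live DNS query (swap in a resolver library for real tenants), and the DKIM selector defaults to `google`, which is the selector Workspace uses unless you chose another one.

```python
"""Evaluate a domain's SPF, DKIM and DMARC TXT records for the gaps the
benchmark flags under GMAIL-005/010/015: missing records, permissive SPF,
DMARC p=none.  Added example: the records below are constructed and the
lookup is an in-memory stub standing in for a real DNS query."""

# Constructed TXT records keyed by DNS name (not real domains).
SAMPLE_TXT = {
    "example-good.test": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example-good.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA_PLACEHOLDER_KEY"],
    "_dmarc.example-good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test"],
    "example-weak.test": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
    "example-missing.test": ["google-site-verification=constructed-token"],
}

def lookup_txt(name, txt=SAMPLE_TXT):
    """Stub for a DNS TXT query; replace with a resolver for live checks."""
    return txt.get(name, [])

def parse_spf(records):
    """Return the mechanisms of the single v=spf1 record, or None."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:          # none, or more than one: both are a permerror
        return None
    return spf[0].split()[1:]

def parse_tags(record):
    """Split 'k=v; k=v' tag lists (DKIM and DMARC share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_domain(domain, selector="google", txt=SAMPLE_TXT):
    """Return (policy_id, severity, message) findings; empty means clean."""
    findings = []

    # GMAIL-005: SPF must exist, be unique, and end in a non-permissive 'all'.
    spf = parse_spf(lookup_txt(domain, txt))
    if spf is None:
        findings.append(("GMAIL-005", "critical", "no single valid SPF record"))
    else:
        alls = [m for m in spf if m.lower().lstrip("+-~?") == "all"]
        # RFC 7208: a mechanism without a qualifier defaults to "+".
        qualifier = alls[-1][0] if alls and alls[-1][0] in "+-~?" else ("+" if alls else None)
        if qualifier is None:
            findings.append(("GMAIL-005", "high", "SPF has no 'all' mechanism"))
        elif qualifier == "+":
            findings.append(("GMAIL-005", "critical", "SPF ends in +all: any sender passes"))
        elif qualifier == "?":
            findings.append(("GMAIL-005", "high", "SPF ends in ?all (neutral)"))
        lookups = sum(1 for m in spf
                      if m.lower().lstrip("+-~?").split(":")[0].split("=")[0]
                      in ("include", "a", "mx", "exists", "redirect"))
        if lookups > 10:
            findings.append(("GMAIL-005", "high", f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10"))

    # GMAIL-010: a DKIM public key must be published at <selector>._domainkey.
    dkim = [r for r in lookup_txt(f"{selector}._domainkey.{domain}", txt) if "v=dkim1" in r.lower()]
    if not dkim or not parse_tags(dkim[0]).get("p"):
        findings.append(("GMAIL-010", "critical", f"no DKIM key at selector '{selector}'"))

    # GMAIL-015: DMARC must exist with p=quarantine or p=reject.
    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}", txt) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(("GMAIL-015", "critical", "no DMARC record"))
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(("GMAIL-015", "critical", f"DMARC policy is '{policy or 'missing'}', not quarantine/reject"))
        elif tags.get("pct", "100") != "100":
            findings.append(("GMAIL-015", "medium", f"pct={tags['pct']} applies the policy to only part of mail"))
        if "rua" not in tags:
            findings.append(("GMAIL-015", "low", "no rua= address, so aggregate reports never arrive"))
    return findings

if __name__ == "__main__":
    for d in ("example-good.test", "example-weak.test", "example-missing.test"):
        print(d, evaluate_domain(d) or "clean")
```

The checks are deliberately conservative: two SPF records, or a record that never reaches an `all` mechanism, is reported rather than silently accepted, because either state makes receivers treat SPF as broken and DMARC then falls back on DKIM alone.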

Read the full Gmail & Calendar guide –>

Drive & Docs

Google Drive sharing defaults are generous. Too generous for most business environments. The 9 policies in this section control who can share files externally, how link sharing works, whether users can publish documents to the web, and how shared drives and DLP are configured.

DRIVE-005 (external sharing restrictions) and DRIVE-025 (publishing to web) are both critical. We’ve seen cases where a single user publishing an internal spreadsheet to the web exposed client data that sat indexed in Google Search for months. The fix takes about two minutes in the Admin Console.

Read the full Drive guide –>

Chat & Meet

Google Chat and Google Meet don’t get the same security attention as email or Drive, but the risks are real. An open chat platform lets third-party apps read your messages. A meeting without access controls can let anyone with a link walk in. This section covers 9 policies across Google Chat and Google Meet.

CHAT-050 (DLP for Chat) is the only high-risk policy here, catching sensitive data shared in messages that people treat as casual. The rest are medium and low risk, but they add up fast when your team is using Chat as a second inbox and Meet for every client call. Chat history settings, external chat restrictions, and Meet recording controls all deserve a look.

Read the full Chat & Meet guide –>

Admin Controls

Admin account security is where we see some of the scariest gaps. This section has 17 policies covering how many global admins you have, whether super admin accounts are used for daily work, account recovery settings, context-aware access, and data export controls.

Four policies in this section are critical. ADMIN-005 says you should have between 2 and 4 super admin accounts (not 1, not 12). ADMIN-010 says none of those super admin accounts should be anyone’s daily-driver email.

ADMIN-022 covers context-aware access, which restricts who can reach your data based on device state, location, and other signals. ADMIN-025 covers super admin account recovery, which, if misconfigured, can let an attacker take over your entire tenant. We see these wrong more often than we see them right.
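The super admin count from ADMIN-005 and the two-step verification enforcement from AUTH-005 in the Authentication section are both visible in the Directory API's user records, so one pass over a `users.list()` export answers both. This is an added example, not Adelia Risk's tooling: the user records are constructed, while the field names (`isAdmin`, `isDelegatedAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `suspended`) are those of the Admin SDK Directory API users resource, so a real export drops in unchanged. The 2-to-4 range is the benchmark's; the severities are this example's own.

```python
"""Check super admin count (ADMIN-005) and 2-step verification enrollment
and enforcement (AUTH-005) over Directory API user objects.  Added example
with constructed records; field names follow the Admin SDK users resource."""

# Constructed sample users (not a real tenant).
SAMPLE_USERS = [
    {"primaryEmail": "breakglass@example.test", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "it-admin@example.test", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "dana@example.test", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "old-contractor@example.test", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": True},
    {"primaryEmail": "sam@example.test", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "lee@example.test", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
]

def active_super_admins(users):
    """Super admins that can actually sign in (suspended ones are excluded)."""
    return [u["primaryEmail"] for u in users if u.get("isAdmin") and not u.get("suspended")]

def audit_accounts(users, min_admins=2, max_admins=4):
    """Return (policy_id, severity, subject, message) findings."""
    findings = []
    admins = active_super_admins(users)
    if len(admins) < min_admins:
        findings.append(("ADMIN-005", "critical", "tenant",
                         f"{len(admins)} active super admin(s); below {min_admins} there is no fallback "
                         "if the one account is locked out or compromised"))
    elif len(admins) > max_admins:
        findings.append(("ADMIN-005", "critical", "tenant",
                         f"{len(admins)} active super admins exceeds {max_admins}"))
    for u in users:
        email = u["primaryEmail"]
        if u.get("isAdmin") and u.get("suspended"):
            # Suspension blocks sign-in but leaves the role in place; strip it.
            findings.append(("ADMIN-005", "medium", email,
                             "suspended account still holds super admin; remove the role"))
        if u.get("suspended"):
            continue
        is_admin = bool(u.get("isAdmin") or u.get("isDelegatedAdmin"))
        if is_admin and not u.get("isEnrolledIn2Sv"):
            findings.append(("AUTH-005", "critical", email,
                             "admin account has no 2-step verification enrolled"))
        if not u.get("isEnforcedIn2Sv"):
            # Enrolled but not enforced means the user can turn it off again.
            findings.append(("AUTH-005", "high" if is_admin else "medium", email,
                             "2-step verification not enforced"))
    return findings

if __name__ == "__main__":
    print("active super admins:", active_super_admins(SAMPLE_USERS))
    for finding in audit_accounts(SAMPLE_USERS):
        print(*finding)
```

The enrolled-versus-enforced distinction is the one the Authentication section warns about: `isEnrolledIn2Sv` tells you the user set it up, while only `isEnforcedIn2Sv` tells you the policy stops them removing it.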

Read the full Admin Controls guide –>

Apps, Services & API

Adelia Risk has audited tenants with over 200 OAuth grants active, and nobody could explain what most of them were for. That’s the core problem with third-party app access in Google Workspace: it grows silently. This section has 9 policies covering which apps can connect to your tenant through OAuth, what data scopes they can request, how the Google Workspace Marketplace is configured, and how Gemini AI features interact with your data.

APPS-005 (API access control) and APPS-010 (OAuth scope restrictions) are both critical. Without these in place, any user can grant a third-party app full access to their email, calendar, and files with a single “Allow” click. Consent phishing is one of the fastest-growing attack methods we see. Attackers trick users into granting OAuth permissions to malicious apps, and one click is all it takes. Most of these grants happen when someone installs a Chrome extension or signs into a SaaS tool with their Google account.
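Two hundred unexplained grants only become manageable once they are grouped by app and ranked by what the scopes actually allow. The script below is an added example, not Adelia Risk's audit tooling: the token records are constructed but follow the shape of the Admin SDK Directory API `tokens.list()` response (`clientId`, `displayText`, `scopes`, `userKey`), and the risk tier assigned to each scope is this example's own judgement rather than a Google rating. Unknown scopes are deliberately tiered as medium so they surface for a human look instead of disappearing.

```python
"""Inventory third-party OAuth grants and rank them by the scopes they hold
(APPS-005 / APPS-010).  Added example: constructed token records shaped like
the Directory API tokens.list() response; scope tiers are assumed."""
from collections import defaultdict

# Assumed risk tiers: broader data access ranks higher.
SCOPE_RISK = {
    "https://mail.google.com/": 4,                               # full Gmail read/write/delete
    "https://www.googleapis.com/auth/admin.directory.user": 4,   # manage every user account
    "https://www.googleapis.com/auth/drive": 3,                  # all of the user's Drive
    "https://www.googleapis.com/auth/gmail.readonly": 3,
    "https://www.googleapis.com/auth/contacts": 2,
    "https://www.googleapis.com/auth/calendar": 2,
    "https://www.googleapis.com/auth/drive.file": 1,             # only files the app created or opened
    "openid": 0, "email": 0, "profile": 0,                       # sign-in only
}
RISK_LABEL = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "info"}

# Constructed grants (client IDs and app names are fictitious).
SAMPLE_TOKENS = [
    {"userKey": "dana@example.test", "clientId": "111-signin.apps.googleusercontent.com",
     "displayText": "Sales Notes SaaS", "scopes": ["openid", "email", "profile"]},
    {"userKey": "lee@example.test", "clientId": "111-signin.apps.googleusercontent.com",
     "displayText": "Sales Notes SaaS", "scopes": ["openid", "email", "profile"]},
    {"userKey": "dana@example.test", "clientId": "222-ext.apps.googleusercontent.com",
     "displayText": "Inbox Booster extension",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "sam@example.test", "clientId": "333-sync.apps.googleusercontent.com",
     "displayText": "Drive Sync Tool", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "lee@example.test", "clientId": "444-cal.apps.googleusercontent.com",
     "displayText": "Scheduler",
     "scopes": ["https://www.googleapis.com/auth/calendar", "https://www.googleapis.com/auth/drive.file"]},
    {"userKey": "sam@example.test", "clientId": "555-unknown.apps.googleusercontent.com",
     "displayText": "", "scopes": ["https://www.googleapis.com/auth/unknown.thing"]},
]

def scope_risk(scope):
    """Tier for one scope; unlisted scopes default to medium for manual review."""
    return SCOPE_RISK.get(scope, 2)

def summarize_grants(tokens):
    """Group tokens by app; return rows sorted by risk, then by user reach."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for t in tokens:
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText") or "(unnamed app)"
        app["users"].add(t["userKey"])
        app["scopes"].update(t.get("scopes", []))
    rows = []
    for client_id, app in apps.items():
        top = max((scope_risk(s) for s in app["scopes"]), default=0)
        rows.append({"clientId": client_id, "app": app["name"], "risk": RISK_LABEL[top],
                     "users": len(app["users"]), "scopes": sorted(app["scopes"]), "_score": top})
    rows.sort(key=lambda r: (-r["_score"], -r["users"], r["app"]))
    return rows

def apps_to_review(tokens, min_level=3):
    """Client IDs holding high or critical scopes: confirm an owner or revoke."""
    return [r["clientId"] for r in summarize_grants(tokens) if r["_score"] >= min_level]

if __name__ == "__main__":
    for row in summarize_grants(SAMPLE_TOKENS):
        print(f"{row['risk']:8} users={row['users']:<3} {row['app']:25} {', '.join(row['scopes'])}")
    print("review first:", apps_to_review(SAMPLE_TOKENS))
```

Ranking by the single broadest scope rather than by scope count matches how the grant is abused: an app with one `https://mail.google.com/` scope can read and forward every message, whatever else it asked for.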

Read the full Apps, Services & API guide –>

Devices & Mobile

An employee leaves the company on Friday and still has full email access on their personal phone on Monday. That’s the default behavior if you haven’t configured MDM. This section has 10 policies covering MDM enrollment, device compliance, endpoint verification, and Chrome browser management.

DEVICE-005 (MDM enabled) is the only critical policy here and the starting point. You can’t enforce any device policy if devices aren’t enrolled. From there, the guide covers encryption requirements, compromised device blocking, endpoint verification for desktops and laptops, and basic Chrome browser policies. Context-aware access, which builds on device signals to control who can reach your data, is covered in the Admin Controls guide.

Read the full Devices & Mobile guide –>

Monitoring & Compliance

The monitoring section has 13 Google Workspace security policies covering the Alert Center, audit log configuration, SIEM integration, data retention, and investigation tools. None of these policies will prevent an attack on their own. They’re what let you detect one in progress and investigate after the fact.

All 7 high-risk policies in this section matter, but MON-005 (audit log review) and MON-010 (email notification rules for audit and login events) are where to start. If nobody is reviewing the logs and no notifications are set up for suspicious activity, you’re flying blind. We’ve worked incidents where the breach happened weeks before detection because nobody was watching the logs.
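"Someone reviewing the logs" can be partly automated: a few rules over the Reports API activity feed catch the events this benchmark cares about most, including the outbound auto-forwarding that GMAIL-075 in the Gmail section warns about. The following is an added example, not Adelia Risk's detection content: the activity records are constructed, and the event names (`email_forwarding_out_of_domain`, `2sv_disable`, `GRANT_ADMIN_PRIVILEGE`, `login_failure`, `suspicious_login`) and parameter names follow the Reports API user_accounts, admin and login activity feeds as documented, but confirm them against your own tenant's export before building alerting on them.

```python
"""Simple detections over Google Workspace Reports API activity records:
outbound auto-forwarding (GMAIL-075), 2-step verification disabled
(AUTH-005), admin privilege grants (ADMIN-005) and login-failure bursts
(MON-010).  Added example with constructed records; event and parameter
names follow the Reports API feeds and should be verified against a real export."""
from collections import defaultdict
from datetime import datetime, timedelta

def rec(time, app, actor, name, params=None):
    """Build one activity record in the Reports API shape (constructed data)."""
    return {"id": {"time": time, "applicationName": app},
            "actor": {"email": actor},
            "events": [{"name": name,
                        "parameters": [{"name": k, "value": v} for k, v in (params or {}).items()]}]}

SAMPLE_ACTIVITIES = [
    rec("2026-02-28T08:00:05.000Z", "login", "dana@example.test", "login_failure"),
    rec("2026-02-28T08:00:20.000Z", "login", "dana@example.test", "login_failure"),
    rec("2026-02-28T08:00:41.000Z", "login", "dana@example.test", "login_failure"),
    rec("2026-02-28T08:01:02.000Z", "login", "dana@example.test", "login_failure"),
    rec("2026-02-28T08:01:30.000Z", "login", "dana@example.test", "login_failure"),
    rec("2026-02-28T08:02:10.000Z", "login", "dana@example.test", "login_success"),
    rec("2026-02-28T08:05:00.000Z", "user_accounts", "dana@example.test", "email_forwarding_out_of_domain",
        {"email_forwarding_destination_address": "dana.backup@mailbox.example"}),
    rec("2026-02-28T08:06:00.000Z", "user_accounts", "dana@example.test", "2sv_disable"),
    rec("2026-02-28T09:15:00.000Z", "admin", "it-admin@example.test", "GRANT_ADMIN_PRIVILEGE",
        {"USER_EMAIL": "sam@example.test"}),
    rec("2026-02-28T10:00:00.000Z", "login", "lee@example.test", "login_failure"),
    rec("2026-02-28T14:00:00.000Z", "login", "lee@example.test", "login_failure"),
]

def parse_time(s):
    """RFC 3339 timestamps as the API emits them (fractional seconds, 'Z')."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def params(event):
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}

def detect(activities, failure_threshold=5, failure_window=timedelta(minutes=10)):
    """Return (policy_id, severity, actor, time, message) alerts in time order."""
    alerts = []
    failures = defaultdict(list)          # actor -> recent login_failure times
    minutes = int(failure_window.total_seconds() // 60)
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        t = parse_time(act["id"]["time"])
        actor = act["actor"].get("email", "?")
        app = act["id"]["applicationName"]
        for ev in act["events"]:
            name, p = ev["name"], params(ev)
            if app == "user_accounts" and name == "email_forwarding_out_of_domain":
                alerts.append(("GMAIL-075", "critical", actor, t,
                               f"mail auto-forwarded outside the domain to {p.get('email_forwarding_destination_address')}"))
            elif app == "user_accounts" and name == "2sv_disable":
                alerts.append(("AUTH-005", "high", actor, t, "2-step verification disabled"))
            elif app == "admin" and name == "GRANT_ADMIN_PRIVILEGE":
                alerts.append(("ADMIN-005", "high", actor, t,
                               f"admin privilege granted to {p.get('USER_EMAIL')}"))
            elif app == "login" and name == "suspicious_login":
                alerts.append(("MON-010", "high", actor, t, "Google flagged a suspicious login"))
            elif app == "login" and name == "login_failure":
                # Sliding window: keep only failures within the window, alert once on crossing.
                failures[actor] = [x for x in failures[actor] if t - x <= failure_window] + [t]
                if len(failures[actor]) == failure_threshold:
                    alerts.append(("MON-010", "medium", actor, t,
                                   f"{failure_threshold} login failures within {minutes} minutes"))
    return alerts

if __name__ == "__main__":
    for policy, sev, actor, when, msg in detect(SAMPLE_ACTIVITIES):
        print(f"{when:%H:%M:%S} {sev:8} {policy:9} {actor:22} {msg}")
```

In the constructed sample the failure burst, the forwarding rule and the 2SV change all belong to one account within a few minutes; that sequence is what a log reviewer should be reading as a single incident rather than four unrelated notifications.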

Read the full Monitoring & Compliance guide –>

Download the Google Workspace Security Checklist

We turned the full 97-point benchmark into a self-assessment checklist you can print or share with your team. It covers every policy from every section in a checkbox format so you can track what’s done and what still needs attention. Use it alongside the detailed guides, or hand it to a new team member as a starting point.

Need Help With Your Google Workspace Security Audit?

Adelia Risk runs Google Workspace security audits for organizations that want a second set of eyes or don’t have the bandwidth to work through all 97 settings on their own. We review your Admin Console configuration, flag what’s misconfigured, and give you a prioritized remediation plan. Learn more about our audit services.


Last verified: March 2026

The Adelia Risk Google Workspace Security Benchmark covers 97 settings across 8 security areas. Start with Authentication or download the checklist.


Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
