
Answer-first summary for fast verification
Answer: Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
The correct answer is D because it aligns with Google's documentation and best practices for domain restriction exceptions. The domain restricted sharing organization policy requires adding external partner domains by their Cloud Identity or Google Workspace customer IDs as exceptions when set to "Custom" mode. This approach maintains the security posture by keeping the policy enabled while allowing specific external domains.
Option C is incorrect because Google groups cannot contain customer IDs; groups contain users or service accounts, not entire domains. Option A completely disables the security control, violating best practices. Option B suggests using IAM alone, which won't work because the organization policy overrides IAM permissions for domain restrictions. The community discussion shows strong consensus for D (83% of answers), with detailed explanations referencing Google documentation that specifies customer IDs must be added directly as exceptions, not via groups.
Author: LeetQuiz Editorial Team
You have implemented a domain-restricted sharing organization policy to comply with Google's best practices. An engineering team now needs to grant access to users from an external partner's domain. What is the recommended method to create an exception for this partner domain while still adhering to the best practice of using the organization policy?
A. Turn off the domain restricted sharing organization policy. Set the policy value to "Allow All."
B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.