Free Sample — 15 Practice Questions
Preview 15 of 54 questions from the Associate Google Workspace Administrator exam.
Question 23
Your company wants to start using Google Workspace for email. Your domain is verified through a third-party provider. You need to route the email to Google Workspace. What should you do?
A. Change your domain’s A record to point to Google’s mail servers.
B. Configure a forwarding rule in your current email system to redirect all messages to Gmail.
C. Update your domain’s MX records to the Google Workspace MX records provided in the setup instructions.
D. Create a CNAME record that maps your domain to “gmail.com.”
Correct Answer: C
Explanation:
To route email to Google Workspace, you must tell the internet’s mail routing system where to deliver messages for your domain. This is done by updating the domain’s MX (Mail Exchanger) records to the Google Workspace MX records provided during setup. A records and CNAMEs are not used for mail routing, and forwarding from an existing system is unnecessary once Google Workspace is the primary mail service.
Question 21
Your organization has experienced a recent increase in unauthorized access attempts to your company’s Google Workspace instance. You need to enhance the security of user accounts while following Google-recommended practices. What should you do?
A. Disable password recovery options to prevent unauthorized individuals from accessing user accounts.
B. Implement a strong password policy and enable text messages as the 2-Step Verification (2SV) method.
C. Enforce the use of physical security keys as the 2-Step Verification (2SV) method for all users.
D. Enforce a strong password policy that requires users to include special characters, numbers, and uppercase letters.
Correct Answer: C
Explanation:
Google-recommended best practices for securing Google Workspace accounts emphasize phishing-resistant multi-factor authentication. Physical security keys provide the strongest protection against unauthorized access and phishing, far exceeding SMS-based 2SV or password-only controls. Options that rely only on stronger passwords or SMS 2SV do not adequately address modern attack methods, and disabling recovery options can create account lockout risks without materially improving security.
Question 12
You work for a global organization that has offices in the United States and the European Union (EU). There is an organizational unit (OU) for employees in the United States and a separate OU for employees in the EU. Your company's regulations require you to ensure that your users' data is located in the same region as their physical office. What should you do?
A. Set the OU data location to No preference.
B. Turn on advanced settings and select Enable features that may process data across multiple regions.
C. Turn on advanced settings and select Disable features that may process data across multiple regions.
D. Set a data region policy for each region’s OU.
Correct Answer: D
Explanation:
The requirement is to ensure data residency based on users’ physical location. Applying a data region policy to each OU enforces where user data is stored (EU data in EU regions, U.S. data in U.S. regions). The other options either allow flexible storage or only limit processing features without guaranteeing region-specific data storage.
Question 29
Your company handles sensitive client data and needs to maintain a high level of security to comply with strict industry regulations. You need to allow your company’s security team to investigate potential security breaches by using the security investigation tool in the Google Admin console. What should you do?
A. Create an activity rule that triggers email notifications to the security team whenever a high-risk security event occurs.
B. Assign the User Management Admin role to the security team.
C. Assign the super admin role to the security team.
D. Create an administrator role with Security Center access. Assign the role to the security team.
Correct Answer: D
Explanation:
To let the security team investigate incidents using the Security Investigation tool in the Google Admin console, they need access to the Security Center. Creating a custom administrator role with Security Center access and assigning it to the team provides the required capabilities while following the principle of least privilege. Other options either grant insufficient permissions or overly broad access.
Question 52
Your organization has hired temporary employees to work on a sensitive internal project. You need to ensure that the sensitive project data in Google Drive is limited to only internal domain sharing. You do not want to be overly restrictive. What should you do?
A. Configure the Drive sharing options for the domain to internal only.
B. Restrict the Drive sharing options for the domain to allowlisted domains.
C. Create a Drive DLP rule, and use the sensitive internal Project name as the detector.
D. Turn off the Drive sharing setting from the Team dashboard.
Correct Answer: C
Explanation:
The requirement is to limit only the sensitive project data to internal-domain sharing while avoiding broad restrictions. Domain-wide sharing controls (A) would affect all Drive content and are overly restrictive. A DLP rule targeting the specific sensitive project data allows you to block external sharing only for that content, preserving normal sharing behavior for other files.
Question 35
You are managing the buildings and resources for your organization. You need to create several conference rooms with a capacity of 10 people each, equipped with a whiteboard and projector, and wheelchair accessible. You want to ensure the process is efficient. What should you do?
A. Automate room creation by using a third-party app from the Google Workspace Marketplace.
B. Create a CSV file and add all resources. Write a script using the Workspace API to reference the CSV file and create all the resources.
C. Create each conference room individually in the Google Admin console. Add the features for each room.
D. Use the Google Admin console to bulk upload the rooms. Create a resource with the specified features and apply the features to that resource.
Correct Answer: D
Explanation:
The most efficient approach is to use the Google Admin console’s bulk upload capability to create multiple rooms at once and apply the same features (capacity, whiteboard, projector, wheelchair accessibility). This avoids manual, repetitive work, does not require custom scripting or third‑party tools, and is designed specifically for managing resources at scale.
Question 45
Your organization allows employees to use their personal mobile devices to check their work emails. You need to remove the employee’s work email data from their phone when they leave the organization. What should you do?
A. Set up basic mobile management on the devices.
B. Set up advanced mobile management on the devices.
C. Set up data protection rules to prevent data sharing externally.
D. Set up 2SV authentication on the devices.
Correct Answer: A
Explanation:
Basic mobile management (BYOD/account-level management) allows the organization to remotely wipe only the work account data, such as work email, from an employee’s personal device when they leave. This meets the requirement without affecting personal data. Advanced management is unnecessary, while data protection rules and 2SV do not enable removal of existing data.
Question 37
Your company distributes an internal newsletter that contains sensitive information to all employees by email. You’ve noticed unauthorized forwarding of this newsletter to external addresses, potentially leading to data leaks. To prevent this, you need to implement a solution that automatically detects and blocks such forwarding while allowing legitimate internal sharing. What should you do?
A. Add a banner to the newsletter that warns users that external sharing is prohibited.
B. Create a Gmail content compliance rule that targets the internal newsletter, identifying instances of external forwarding. Configure the rule to reject the message when such forwarding is detected.
C. Develop an Apps Script project by using the Gmail API to scan sent emails for the newsletter content and external recipients. Automatically revoke access for violating users.
D. Create a content compliance rule to modify the newsletter subject line, adding a warning against external forwarding.
Correct Answer: B
Explanation:
A Gmail content compliance rule can inspect message content and recipients in real time. By targeting the newsletter and detecting external recipients, the rule can automatically reject or block externally forwarded messages while allowing internal sharing. The other options are either advisory only (A, D) or overly complex and inappropriate for enforcement (C).
Question 30
Your organization’s security team has published a list of vetted third-party apps and extensions that can be used by employees. All other apps are prohibited unless a business case is presented and approved. The Chrome Web Store policy applied at the top-level organization allows all apps and extensions with an admin blocklist. You need to disable any unapproved apps that have already been installed and prevent employees from installing unapproved apps. What should you do?
A. Change the Chrome Web Store allow/block mode setting to allow all apps, admin manages blocklist. In the App access control card, block any existing web app that is not on the security team’s vetted list.
B. Change the Chrome Web Store allow/block mode setting to block all apps, admin manages allowlist. Add the apps on the security team’s vetted list to the allowlist.
C. Disable Extensions and Chrome packaged apps as Allowed types of apps and extensions for the top-level organizational unit. Selectively enable the appropriate extension types for each suborganization.
D. Disable the Chrome Web Store service for the top-level organizational unit. Enable the Chrome Web Store service for organizations that require Chrome apps and extensions.
Correct Answer: B
Explanation:
The requirement is to immediately disable any unapproved apps already installed and prevent future installation of unapproved apps. The most effective and policy-aligned approach is to switch to a block-all, admin-managed allowlist model and explicitly allow only the vetted apps. This automatically removes or disables non-approved apps and prevents new ones unless added to the allowlist. Other options either rely on reactive blocking, are overly broad, or disrupt Chrome Web Store access unnecessarily.
Question 11
Your organization has acquired another company that used another email provider. Employees from the newly acquired company need to be able to send and receive emails from two domain names: your organization’s domain name and their former company’s domain name. You need to identify the best approach. What should you do?
A. Add the acquired company’s domain name as a Secondary Domain, and create user accounts with the new domain name.
B. Add the acquired company's domain name as an alias domain.
C. Change the MX records of the old domain to point to the new domain.
D. Create a mail routing rule in the new domain to route messages addressed to the old domain.
Correct Answer: B
Explanation:
Adding the acquired company’s domain as an alias domain allows existing users to send and receive email using both domain names from a single mailbox and account. This provides seamless dual-domain email identity without creating separate users or relying on forwarding-only solutions, and is the recommended approach for unified email management after an acquisition.
Question 33
Your company operates several primary care clinics where employees routinely work with protected health information (PHI). You are in the process of transitioning the organization to Google Workspace from a legacy communication and collaboration system. After you sign the Business Associate Agreement (BAA), you need to ensure that data is handled in compliance with regulations when using Google Workspace. What should you do?
A. Implement a third-party backup service that is also compliant with Google Workspace core services.
B. Create a label for Google Drive content to help employees identify sensitive data.
C. Instruct the staff to not store any PHI in Google Workspace core services, including Google Drive, Docs, Sheets, and Keep.
D. Disable integrations with third-party apps and turn off non-core Google services.
Correct Answer: D
Explanation:
After signing a Business Associate Agreement (BAA), only Google Workspace core services are covered for HIPAA compliance. To ensure PHI is handled in compliance, you must restrict its use to those covered services. Disabling non-core Google services and blocking or disabling third-party app integrations ensures PHI is not stored or processed by services that are not governed by the BAA.
Question 25
You’ve noticed an increase in phishing emails that contain links to malicious files hosted on external Google Drives. These files often mimic legitimate documents and trick users into granting access to their accounts. You need to prevent users from accessing these malicious external Drive files, but allow them to access legitimate external files. What should you do? (Choose two.)
A. Enforce stricter password policies.
B. Conduct regular security awareness training to educate users.
C. Create a Drive trust rule that blocks all external domains except for a pre-approved list of trusted partners.
D. Deploy advanced malware detection software on all user devices to scan and block malicious files.
E. Implement two-factor authentication for all users.
Correct Answer: B, C
Explanation:
Blocking malicious external Drive files while still allowing legitimate ones is best achieved by combining user education and technical controls. Security awareness training helps users recognize phishing attempts and avoid granting access to fake documents. Creating a Drive trust rule that blocks all external domains except a pre-approved list directly prevents access to untrusted external Drive content while preserving access to known, legitimate partners. Other options do not specifically address external Drive file access.
Question 48
You work at a large organization that prohibits employees from using Google Sites. However, a task force composed of three people from each of five different departments has recently been formed to work on a project assigned by the Office of the CIO. You need to allow the users in this task force to temporarily use Google Sites. You want to use the least disruptive and most efficient approach. What should you do?
A. Turn Google Sites access on for each of the 15 users in the task force.
B. Create a configuration group for the task force’s 15 users. Grant Google Sites access to the group.
C. Place the 15 task force users into a new organizational unit (OU). Turn on Google Sites access for the OU.
D. Create an access group for the task force’s 15 users. Grant Google Sites access to the group.
Correct Answer: D
Explanation:
To temporarily allow a small, cross‑department group to use a restricted service with minimal disruption, you should use an access group. Access groups are specifically designed to grant or restrict access to Google Workspace services (such as Google Sites) without changing organizational units or managing users individually. Configuration groups are used to customize service settings after access is already granted, not to enable the service itself. Therefore, creating an access group and granting Google Sites access is the most efficient and appropriate solution.
Question 41
Your company is undergoing a regulatory compliance audit. As part of the audit, you are required to demonstrate that you can preserve all electronic communications related to a specific project for a potential legal discovery process. You need to configure Google Vault to accomplish this goal. What should you do?
A. Use the security investigation report to show Vault log events.
B. Use the search and export functionality to identify all relevant communications within the project timeframe.
C. Create a matter and a hold on all project-related data sources such as Email, Chat, and Drive within Google Workspace.
D. Create a custom retention policy for the project data. Ensure that the policy covers the required retention period.
Correct Answer: C
Explanation:
For legal discovery and regulatory audits, the primary requirement is to preserve all relevant electronic communications so they cannot be deleted or altered. In Google Vault, this is achieved by creating a matter (which acts as a container for the case or audit) and applying holds to the relevant data sources such as Gmail, Chat, and Drive. Holds override retention rules and ensure data is preserved for discovery. Other options focus on reporting, searching, or retention policies, which do not by themselves guarantee preservation against deletion.
Question 15
Your company provides shared Chromebook workstations for employees to access sensitive company data. You must configure the devices to ensure no sensitive data is stored locally and that browsing data is cleared after each use. What should you do?
A. Force ephemeral mode in Chrome. Disable offline access for sensitive Workspace apps like Docs, Sheets, and Drive.
B. Enable the Manage Guest Session functionality, and set the maximum user session length.
C. Force ephemeral mode in Chrome. Allow offline access for all Workspace apps with strict expiration times.
D. Disable offline access for all Workspace apps. Enable incognito mode for Chrome browsing sessions.
Correct Answer: A
Explanation:
Ephemeral mode on ChromeOS ensures that all user data (including downloads, cache, and browsing data) is wiped when the user signs out, which is ideal for shared workstations. Disabling offline access for sensitive Workspace apps prevents local storage of company data. Together, these settings ensure no sensitive data persists on the device after each use.