Google Workspace: Complete Visual Guide

Every product, admin concept, and security feature made easy to learn

10 Core Apps

11 Admin & Security

100% Visual

1. Google Workspace Overview

🏢 Plans Comparison

Plan	Storage	Meet Participants	Vault	Price (user/mo)
Business Starter	30 GB / user	100	,	$7
Business Standard	2 TB / user	150	,	$14
Business Plus	5 TB / user	500	✓	$22
Enterprise	As needed	1 000	✓	Contact Sales

All plans include custom domain email, Google Docs editors, and Admin Console. Enterprise adds advanced security controls, DLP, and S/MIME.

⭐ Key Features

EmailCustom domain ([email protected]) StorageGoogle Drive, cloud file storage CollaborationDocs, Sheets, Slides, real-time editing VideoGoogle Meet, HD video conferencing ChatSpaces, team messaging & threads AdminCentralized Admin Console, users, devices, security

🔀 Architecture

User

↓

Google Workspace

↓

Gmail

Drive

Meet

Calendar

Docs

Admin Console

2. Gmail

📧 Gmail Features

Custom DomainSend/receive as [email protected] Uptime SLA99.9% guaranteed availability Spam FilterML-powered, blocks 99.9% of spam/phishing Confidential ModeExpiring emails, revoke access, passcode-protected Smart ComposeAI-powered autocomplete & smart reply Mail DelegationGrant read/send access to assistants Send-As AliasSend from alternate addresses under one inbox

📬 Email Routing

Inbound Email

→

MX Records

→

Google Servers

→

Spam / Phishing Filter

→

Compliance Rules

→

Inbox

Admins can configure split delivery, dual delivery, and catch-all routing for migration scenarios.

🔒 Email Security

Control	Purpose
SPF	Authorizes which servers can send on behalf of your domain
DKIM	Cryptographic signature proves message wasn't altered in transit
DMARC	Policy telling receivers what to do when SPF/DKIM fail (reject, quarantine, none)
S/MIME	End-to-end email encryption with certificates (Enterprise)
TLS Enforcement	Require TLS for specific domains, reject plaintext delivery
Content Compliance	Scan messages for keywords, PII, attachments, block or quarantine

⚙️ Admin Mail Settings

Setting	Description
Default Routing	Route all inbound/outbound through a gateway or secondary MX
Content Compliance	Match patterns (regex/word lists) and quarantine or reject
Attachment Compliance	Block file types (.exe, .zip), size limits, DLP scan
Email Allowlist	Bypass spam filters for trusted senders / IPs
Objectionable Content	Block based on custom word lists
Append Footer	Add legal disclaimer to outbound messages

3. Google Calendar

📅 Calendar Features

SchedulingFind free/busy across org, suggest times Resource BookingReserve rooms, equipment, cars via calendar Working HoursSet hours & location (home / office) Out of OfficeAuto-decline new invites, show status Appointment SlotsBookable time blocks for external scheduling Calendar InteropFree/busy lookup with Exchange/O365

🔗 Sharing Levels

Level	What They See
Free/Busy	Only whether you're available or busy, no details
All Event Details	Event title, time, location, attendees
Make Changes	Edit events, RSVP on your behalf
Changes & Manage	Full control including sharing settings

🛡️ Admin Controls

External SharingControl whether users share calendars outside the org Video ConferencingAuto-add Google Meet to new events (default on/off) Resource ManagementBuildings, floors, rooms, features (video, whiteboard) Calendar InteropConfigure Exchange interop for hybrid environments

4. Google Drive

💾 Storage Architecture

My Drive (Personal)

Owned by individual user
Deleted when user is removed
User controls sharing
Counts against user's quota
Admin can transfer ownership

Shared Drives (Team)

Owned by the organization
Persists when members leave
Membership-based access
Counts against org pool
Manager role controls settings

👥 Sharing Permissions

Role	View	Comment	Edit	Move / Delete	Share
Viewer	✓	,	,	,	,
Commenter	✓	✓	,	,	,
Editor	✓	✓	✓	,	Optional
Owner	✓	✓	✓	✓	✓

📊 Storage & Sync

Starter30 GB pooled per user Standard2 TB pooled per user Plus5 TB pooled per user EnterpriseAs much as needed (with reasonable use)

Sync Option	How It Works
Drive for Desktop	Stream files on demand, appears as a local drive letter
Mirror Mode	Full offline copy of selected folders, syncs both ways
Web / Mobile	Browser & app access, mark files as offline for mobile

🛡️ Drive Security

DLP on DriveScan files for PII/sensitive data, block external sharing Classification LabelsPublic, Internal, Confidential, Restricted, drive labels Link SharingOff, Org-only, Anyone with link, admin sets default External SharingAllowlist specific domains or block all external sharing IRMDisable download, print, copy for viewers Target AudiencesPre-defined groups for safe link sharing

5. Docs, Sheets & Slides

✏️ Real-Time Collaboration

Simultaneous EditingMultiple users edit at the same time, cursors visible Suggesting ModeTrack-changes style, author accepts or rejects Version HistoryFull revision timeline, restore any version Comments & RepliesThreaded discussions on any selection @MentionsTag people, files, or calendar events inline Action ItemsAssign tasks from comments, tracked in checklist

📄 Docs vs Sheets vs Slides

Product	Use Case	Replaces
Docs	Documents, proposals, meeting notes	Word
Sheets	Spreadsheets, budgets, data analysis	Excel
Slides	Presentations, pitch decks, training	PowerPoint
Forms	Surveys, quizzes, data collection	,
Drawings	Simple diagrams, flowcharts	Visio (basic)

🔌 Extensibility

Connected SheetsQuery BigQuery datasets directly in Sheets, billions of rows Apps ScriptServer-side JavaScript, automate, extend, integrate Add-onsMarketplace extensions, mail merge, diagrams, signatures TemplatesOrg-wide branded templates for docs, sheets, slides Offline ModeEdit without internet, syncs when reconnected

🏗️ Enterprise Features

Comparison ModeCompare two documents side-by-side, highlights diffs Linked ObjectsEmbed live Sheets charts in Docs/Slides, auto-update Building BlocksVoting chips, trackers, dropdown chips in Docs Document ApprovalsRequest approval workflow, approve/reject directly in Docs eSignatureNative electronic signature requests in Docs

6. Google Meet

🎥 Features by Plan

Feature	Starter	Standard	Plus	Enterprise
Max Participants	100	150	500	1 000
Meeting Length	24 hrs	24 hrs	24 hrs	24 hrs
Recording	,	✓	✓	✓
Breakout Rooms	,	✓	✓	✓
Q&A & Polls	,	✓	✓	✓
Attendance Tracking	,	,	✓	✓
Noise Cancellation	✓	✓	✓	✓
Live Streaming	,	,	,	✓ (100K viewers)
Translated Captions	,	,	✓	✓

🌐 Meet Architecture

User (Browser / App)

→

Meet Client

→

Google Edge Network

→

Media Server

→

Other Participants

Companion ModeJoin from a second device for in-room + remote hybrid Live StreamingBroadcast to up to 100K viewers in domain (Enterprise) Translated CaptionsReal-time caption translation across languages

🔐 Meet Security

Control	Description
Encryption	All media encrypted in transit (DTLS-SRTP) between client and Google
Meeting Codes	10-character codes + phone PINs, expire after event ends
Host Controls	Mute all, remove participants, lock meeting, disable chat
Lobby / Knocking	External participants must request entry, host approves
Abuse Reporting	Report abusive users, triggers admin review
Admin Controls	Disable recording, restrict who can create meetings, auto-admit policy

7. Google Chat & Spaces

💬 Chat Features

1:1 ChatDirect messages between two people Group ChatUnthreaded group conversation, quick discussions Spaces (Threaded)Persistent rooms with topics and threads File SharingShare Drive files inline, preview without leaving Chat Task IntegrationCreate tasks from messages, tracked in Google Tasks Bots / WebhooksAutomated messages, slash commands, interactive cards

🆚 Spaces vs Group Chat

Spaces

Threaded conversations
Named, discoverable in org
Persistent, long-lived topics
Shared files & tasks tabs
Can add/remove members
Supports bots & apps

Group Chat

Flat / unthreaded messages
No name, based on members
Quick ad-hoc discussions
No shared files tab
Fixed member list
Simpler, lightweight

🤖 Chat Bots & Webhooks

Integration	Description
Incoming Webhooks	Push notifications from external services into a Space
Chat API	REST API, create messages, manage spaces, read conversations
Apps Script Bots	Server-side JS, respond to commands, interactive cards
Dialogflow	NLU-powered conversational bots with intent matching

⚙️ Admin Settings

Chat HistoryOn (always save), Off (24h expiry), or User's Choice External ChatAllow/block chat with users outside the organization Space ManagementAdmins can view, manage, and export Space content App AllowlistControl which Chat bots/apps users can install

8. Google Forms

📝 Google Forms

Form BuilderDrag-and-drop, multiple choice, dropdown, grid, short/long answer QuizzesAuto-grading with point values, answer keys, feedback per question Branching LogicGo to section based on answer, conditional flows File UploadsRespondents can upload files (stored in Drive) Response ValidationRegex, number ranges, required fields, custom error messages Sheets IntegrationResponses auto-populate a linked Google Sheet in real-time NotificationsEmail alerts on each response or summary digests Add-onsTimer, advanced branching, conditional email, form limiter

Create Form

→

Share Link / Embed

→

Collect Responses

→

Analyze in Sheets

9. Google Sites

🌐 Google Sites

BuilderDrag-and-drop WYSIWYG editor, no code required Custom DomainsPublish to your own domain via DNS CNAME EmbedsGoogle Maps, Sheets, Docs, Slides, YouTube, Calendar, Forms Published / DraftPreview changes before publishing, version history included Access ControlPublic, org-only, or specific people / groups can view Intranet UsePerfect for team portals, project hubs, knowledge bases ResponsiveMobile-friendly layouts auto-generated

Create Site

→

Add Pages & Content

→

Embed Workspace Content

→

Publish & Share

10. AppSheet

📱 AppSheet, No-Code App Builder

No-Code PlatformBuild apps without writing code, visual editor Data SourcesGoogle Sheets, SQL databases, REST APIs, Excel, Salesforce Mobile AppsNative mobile experience, iOS & Android AutomationBots, triggered workflows (email, update data, call API) Offline SupportWorks offline, syncs when connectivity returns Enterprise DeployAdmin-managed deployment, SSO, data governance policies

Data Source (Sheets / SQL / REST)

→

AppSheet Engine

→

Mobile / Web App

→

End Users

11. Admin Console

🖥️ Admin Console Architecture

Super Admin

↓

Users

Groups

Devices

Apps

Security

Billing

Reports

👤 Admin Roles

Role	Scope
Super Admin	Full access to all settings, users, billing, security
Groups Admin	Create/manage groups, add/remove members
User Mgmt Admin	Add/suspend/delete users, reset passwords
Help Desk Admin	Reset passwords, view user profiles (no delete)
Services Admin	Configure service settings (Gmail, Drive, Meet, etc.)
Custom Roles	Fine-grained privileges, pick specific permissions

🏗️ Key Admin Settings

Organizational UnitsHierarchical OUs, apply policies per department/team Manual ProvisioningAdd users one by one in Admin Console CSV UploadBulk-add users via spreadsheet Admin SDK APIProgrammatic user CRUD, automate onboarding GCDSGoogle Cloud Directory Sync, sync from LDAP/AD Password PoliciesMin length, strength, expiration, disallow reuse 2-Step EnforcementRequire 2FA for all users or specific OUs

🔄 Directory Sync (GCDS)

LDAP / Active Directory

→

GCDS Agent

→

Google Cloud Directory

→

Admin Console (Users, Groups, OUs)

GCDS runs on-prem, reads LDAP, and pushes changes to Google. One-way sync (LDAP → Google). Does not sync passwords, use GSPS or SSO for that.

12. Identity & Access

🔑 SSO Flow

User

→

Service Provider

→

Redirect to Google IdP

→

SAML / OIDC Auth

→

Token Issued

→

Access Granted

Google can act as both Identity Provider (IdP) for third-party apps, or Service Provider (SP) when using an external IdP (Okta, Azure AD).

🛂 Authentication Methods

Method	Description
Password	Standard username + password
2-Step: SMS	Verification code sent via text message
2-Step: TOTP	Time-based code from Google Authenticator / similar
2-Step: Security Key	FIDO2 hardware key, phishing resistant
2-Step: Phone Prompt	Tap "Yes" on trusted mobile device
SSO (SAML 2.0)	Federated login via external IdP
SSO (OIDC)	OpenID Connect token-based auth
Secure LDAP	LDAP apps authenticate against Google directory
Context-Aware	Conditional access based on signal (IP, device, geo)

🔐 Advanced Authentication

FIDO2 / WebAuthnPhishing-proof, cryptographic challenge/response Titan Security KeyGoogle's hardware security key, USB-A, USB-C, NFC PasskeysPasswordless auth, biometric or device PIN

Context-Aware Access Signals

Signal	Example
IP Address	Allow only from corporate IP ranges
Device State	Require encrypted, managed, up-to-date OS
Geolocation	Block logins from countries you don't operate in
Device OS	Require ChromeOS or managed Windows

🆔 Cloud Identity

Cloud Identity Free

Identity & device management
No Workspace apps
SSO & directory sync
Basic endpoint management
Free, unlimited users

Cloud Identity Premium

Everything in Free +
Advanced endpoint (MDM)
Context-Aware Access
Security Center (BeyondCorp)
$7.20 / user / month

13. Security Center

🛡️ Security Dashboard

Phishing Attempts

Malware Detections

Suspicious Logins

↓

Recommendations

Investigation Tool

Audit Logs

Security Center is available on Enterprise plans. Provides unified view of threats, actionable recommendations, and a powerful investigation tool to query events across all Workspace services.

💚 Security Health

2-Step Adoption% of users with 2FA enabled, target: 100% External SharingFiles shared outside org, monitor exposure Mobile SecurityUnmanaged devices accessing data, enforce MDM OAuth AppsThird-party apps with access to user data, review & restrict Email AuthSPF, DKIM, DMARC adoption across domains

🚨 Alert Center

Alert Type	Trigger
Phishing	User-reported phishing or Google-detected phishing spike
Suspicious Login	Login from new device, unusual location, or leaked password
DLP Violation	Sensitive data shared or downloaded outside policy
Government Attack	State-sponsored attack warning from Google Threat Analysis
Admin Action	Critical admin changes (delete user, change Super Admin, etc.)

14. Google Vault

🏛️ eDiscovery Flow

1. Define Scope (users, dates, terms)

→

2. Search

→

3. Preview Results

→

4. Export (mbox, PST, etc.)

→

5. Legal Hold

Legal holds preserve data indefinitely, even if the user deletes it or retention rules would have purged it.

📦 Vault Features

Retention RulesDefault (org-wide) + custom rules per OU, group, or date Legal HoldsPreserve specific users' data for litigation, override retention Search ScopeGmail, Drive, Chat, Meet recordings, Groups, Voice Export Formatsmbox (email), PST, PDF, native format (Drive files) Audit LogsTrack who searched, previewed, or exported what

⏱️ Retention Policies

Default Retention

Applies to entire org
One rule per service
e.g. Keep Gmail 7 years
Purge after expiry

Custom Retention

Per OU, group, or date range
Overrides default if longer
e.g. Legal dept: keep 10 yrs
Multiple rules can coexist

15. Data Loss Prevention (DLP)

🚫 DLP Flow

Content Created / Shared

→

DLP Rules Engine

→

Detectors (PII, CC#, SSN, Regex)

→

Action: Block / Warn / Audit

DLP rules run on Gmail (outbound), Drive (sharing), and Chat messages. Powered by the same Cloud DLP detectors used in GCP.

🔍 Built-in Detectors

Detector	What It Finds
Credit Card	Visa, MC, Amex, Discover patterns + Luhn check
SSN	US Social Security Numbers (XXX-XX-XXXX)
Passport	Passport numbers for 40+ countries
Tax ID	Employer Identification Numbers, VAT IDs
Custom Regex	Your own patterns, employee IDs, project codes
Word Lists	Match specific terms, "confidential", "internal only"

⚡ DLP Actions & Scope

Action	Behavior
Block	Prevent sharing / sending, user cannot override
Warn	User sees warning, can acknowledge and proceed
Audit Only	Log the event, no user-visible action (shadow mode)
Quarantine	Hold message/file for admin review before delivery

GmailScan outbound messages and attachments DriveScan on upload, share, or download ChatScan messages in real-time

16. Mobile Device Management

📱 Endpoint Management

Basic Management

Require screen lock
Remote account wipe
Device inventory
No agent required
All plans

Advanced Management

Managed app deployment
Work profiles (Android)
Full device wipe
Compliance policies
Plus / Enterprise plans

🔄 MDM Enrollment Flow

Device

→

Enroll (MDM profile)

→

Policies Applied

→

Compliant ✓ → Access

Device

→

Enroll

→

Policies Applied

→

Non-compliant ✗ → Block

💻 Supported Platforms

Platform	Management Model
Android	Work profile (BYOD) or fully managed (company-owned)
iOS / iPadOS	Managed device via MDM profile, supervised optional
Windows	Endpoint verification, device trust signals
macOS	Endpoint verification, certificate-based trust
ChromeOS	Fully managed via Chrome Enterprise, most integrated

🏢 BYOD vs Company-Owned

BYODWork profile separates personal & work data, user keeps device Company-OwnedFull device management, wipe on departure, kiosk mode App ManagementPush managed apps, block unmanaged, auto-update policies Remote WipeAccount wipe (remove work data) or full device wipe

17. Google Groups

👥 Google Groups

Group Types

Type	Use Case
Email List	Distribution list, send to one address, reach many
Collaborative Inbox	Shared inbox, assign, track, resolve conversations
Web Forum	Discussion board, threaded topics
Q&A	Questions with "best answer" marking

Roles & Access

OwnerFull control, settings, members, delete group ManagerManage members, approve messages MemberSend/receive messages, participate

Access Settings

PublicAnyone on the internet can find & join Org-onlyVisible to organization members only RestrictedInvite-only, hidden from directory

Groups Are Used For

Email Distribution

→

Drive / Calendar Permissions

→

Google Cloud IAM

→

Shared Drive Access

18. Shared Drives

📁 My Drive vs Shared Drives

Attribute	My Drive	Shared Drive
Ownership	Individual user	Organization
On User Deletion	Data deleted (unless transferred)	Data persists, org retains
Membership	N/A, personal	Explicit members with roles
Sharing	Owner controls per file/folder	Inherited from Shared Drive settings
Storage Quota	Counts against user	Counts against org pool
Nested Folders	Unlimited depth	Supported (improved in recent updates)

🔑 Shared Drive Access Levels

Role	View	Comment	Edit	Move/Delete	Manage Members
Viewer	✓	,	,	,	,
Commenter	✓	✓	,	,	,
Contributor	✓	✓	✓	,	,
Content Manager	✓	✓	✓	✓	,
Manager	✓	✓	✓	✓	✓

✅ Best Practices

Team ContentUse Shared Drives for team-owned docs, not My Drive OffboardingData stays when employees leave, no transfer needed Admin TransferSuper Admins can migrate My Drive files → Shared Drive External MembersOptional, allow external collaborators per Shared Drive Folder StructurePlan structure early, consistent naming, clear hierarchy

19. APIs & Automation

⚡ Google Workspace APIs

API	What It Does	Use Case
Gmail API	Read, send, label, search email programmatically	Email automation, CRM sync
Drive API	CRUD files/folders, manage permissions, upload/download	Document management, backups
Calendar API	Create/update events, check availability, manage resources	Scheduling bots, room booking
Admin SDK	User/group/device management, reporting, audit logs	Automated onboarding/offboarding
Sheets API	Read/write cells, format, create sheets programmatically	Dashboards, data pipelines
Chat API	Send messages, manage spaces, interactive bot cards	Alert bots, workflow notifications

Apps Script & Marketplace

Apps ScriptServer-side JavaScript, triggers, custom menus, web apps, add-ons TriggersTime-driven (cron), on form submit, on edit, on open Add-onsExtend Docs/Sheets/Slides/Gmail/Calendar with custom UI panels MarketplaceThird-party apps, admin approves → domain-wide install OAuth ConsentAdmin can restrict OAuth scopes, block risky app access

20. Workspace + GCP Integration

🔗 Integration Architecture

Google Workspace
Gmail, Drive, Meet, Docs

↔

Cloud Identity
Unified Directory

↔

Google Cloud (GCP)
IAM, Projects, Billing

🤝 Shared Features

Cloud IdentityUnified user directory, same account for Workspace & GCP SSOSingle sign-on between Workspace apps and GCP Console Groups for IAMGoogle Groups grant GCP IAM roles, manage access at scale Audit → Cloud LoggingExport Workspace audit logs to Cloud Logging & BigQuery DLPWorkspace DLP powered by Cloud DLP API, shared detectors Connected SheetsQuery BigQuery from Google Sheets, billions of rows, no SQL needed

🔒 Enterprise Data Controls

Data ResidencyChoose where primary data is stored (US, Europe, global) Assured WorkloadsCompliance framework, FedRAMP, ITAR, CJIS, IL4 CMEKCustomer-Managed Encryption Keys, you control the key in Cloud KMS CSEClient-Side Encryption, encrypt before Google sees it (Drive, Docs, Meet, Calendar) Access TransparencyLogs when Google staff access your data (and why) Access ApprovalRequire your explicit approval before Google support accesses data

21. Quick Reference

📋 Google Workspace, Full Reference

Product	Category	Key Feature	Admin Setting
Gmail	Communication	Custom domain email, 99.9% SLA	Routing, compliance, SPF/DKIM/DMARC
Calendar	Scheduling	Resource booking, appointment slots	External sharing, video defaults
Drive	Storage	My Drive + Shared Drives, real-time sync	Sharing policies, DLP, storage quotas
Docs / Sheets / Slides	Collaboration	Real-time co-editing, version history	Offline access, external sharing
Meet	Video	HD video, recording, breakout rooms	Recording policy, auto-admit, streaming
Chat & Spaces	Messaging	Threaded Spaces, bots, webhooks	History, external chat, app allowlist
Forms	Data Collection	Quizzes, branching, Sheets integration	External response settings
Sites	Web Publishing	Drag-and-drop intranet builder	Sharing & publishing permissions
AppSheet	No-Code Apps	Build mobile apps from Sheets / SQL	Enterprise deployment, data governance
Admin Console	Admin	Centralized user, device, app management	OUs, roles, provisioning, password policy
Cloud Identity	Identity	SSO, directory, device management	SAML/OIDC, 2FA enforcement, LDAP
Security Center	Security	Threat dashboard, investigation tool	Recommendations, alert center
Vault	Compliance	eDiscovery, legal holds, retention	Retention rules, export policies
DLP	Security	PII detection, block/warn/audit actions	Rules, detectors, scope (Gmail/Drive/Chat)
Endpoint Mgmt	Devices	MDM, work profiles, remote wipe	Basic vs advanced, BYOD vs company-owned
Groups	Collaboration	Email lists, collaborative inbox, IAM	Access settings, external membership
Shared Drives	Storage	Org-owned team storage, persistent	Sharing, external members, migration
APIs & Apps Script	Automation	REST APIs, triggers, add-ons, bots	OAuth scopes, marketplace allowlist