🚀 Early Adopter Price: $39/mo for lifeClaim Your Price →
Professional Google Workspace Administrator
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

Notify me
PGWAGoogle CloudProfessionalComing Soon

Professional Google Workspace Administrator

The Professional Google Workspace Administrator (PGWA) certification validates expertise in deploying, configuring, securing, and operating Google Workspace at enterprise scale. The exam covers the full administrative lifecycle: tenant and domain management, organizational unit design, user and group provisioning with GCDS synchronization, Gmail routing and mail compliance rules including DLP and email authentication, Google Vault eDiscovery and retention, endpoint device management, SAML SSO federation, 2-Step Verification enforcement, Context-Aware Access policies, and operational monitoring with audit logs and the Alert Center. PGWA is the professional credential for IT administrators responsible for Google Workspace as the organization's primary collaboration and productivity platform.

120
Minutes
50
Questions
70/100
Passing Score
$200
Exam Cost
5
Languages

Who Should Take This

PGWA is designed for IT administrators and collaboration engineers who manage Google Workspace for medium-to-large organizations. Candidates typically handle day-to-day Workspace administration, design security and compliance policies, troubleshoot delivery and authentication issues, and integrate Workspace with identity providers and third-party systems. Substantial hands-on experience in the Google Admin console is assumed.

What's Covered

1Configuring Google Workspace domain and tenant settings, organizational unit hierarchy, service enablement, Marketplace app controls, data regions, and migration from other email platforms including Exchange coexistence.
2Provisioning and deprovisioning users, GCDS synchronization from LDAP directories, license management, Google Groups configuration, Calendar resources, Shared Drive administration, and delegated administrator role management.
3Google Drive sharing policies, Drive DLP rules, Google Vault retention and eDiscovery, and endpoint management for Android, iOS, Windows, and Chrome OS devices.
4Gmail routing including inbound gateways, outbound gateways, SMTP relay, split delivery, and dual delivery; Gmail compliance rules and DLP; spam and phishing configuration; SPF, DKIM, and DMARC authentication.
5Google Workspace Admin reports, audit logs, Alert Center, Reports API, and troubleshooting Gmail delivery failures, SSO errors, and GCDS synchronization issues.
6SAML SSO configuration as IdP and SP, 2-Step Verification enforcement, Context-Aware Access policies, OAuth application access controls, and API access management.

Exam Structure

Question Types

  • Multiple Choice
  • Multiple Select

Scoring Method

Pass/fail. Google does not publish a scaled score; an approximate passing threshold of 70% is widely reported.

Delivery Method

Kryterion testing center or online proctored

Prerequisites

None required. Hands-on Google Workspace administration experience recommended.

Recertification

3 years

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
13 Activity Formats

Course Outline

1Domain 1: Managing Google Workspace
3 topics

Manage Google Workspace account settings and domain configuration

  • Identify Google Workspace organizational structure including primary and secondary domains, domain aliases, and the relationship between domains, organizational units, and user accounts in enterprise tenant management.
  • Configure Google Workspace domain settings including adding secondary domains, configuring domain aliases, verifying domain ownership via TXT or CNAME records, and managing MX record updates for mail routing.
  • Configure Google Workspace organizational unit hierarchy by creating, renaming, and nesting organizational units to reflect company structure and apply differentiated service policies to specific employee populations.
  • Analyze organizational unit design requirements and evaluate OU depth, inheritance behavior, and policy override tradeoffs to recommend a Workspace tenant structure that supports differential security policies and service availability.

Manage Google Workspace services and application settings

  • Configure Google Workspace core service enablement and access controls at the organizational unit level for Gmail, Drive, Calendar, Meet, Chat, Sites, and Vault to enforce service availability policies.
  • Configure Google Workspace Marketplace app access including allowing, blocking, and requiring specific third-party apps and managing OAuth app whitelisting to control which applications can access Workspace data.
  • Implement Google Workspace data regions settings to designate where covered data at rest is stored for primary storage in the United States, European Union, or no preference for compliance and data sovereignty requirements.
  • Evaluate Google Workspace service configuration policies by analyzing OU-level service settings, Marketplace app permissions, and data region settings to determine compliance posture and recommend configuration improvements.

Manage Google Workspace migration and interoperability

  • Describe Google Workspace Migrate architecture and explain how it facilitates bulk migration of email, calendar, contacts, and files from on-premises Exchange, Lotus Notes, and other Google Workspace tenants.
  • Configure Google Workspace coexistence settings including calendar interoperability with Microsoft Exchange and free/busy sharing to support phased migrations where users operate across both platforms simultaneously.
  • Analyze migration scenarios and evaluate Workspace Migrate versus data import tools versus third-party migration services to recommend an appropriate migration approach based on data volume, mailbox count, and cutover timing requirements.
2Domain 2: Managing Users and Groups
3 topics

Manage user accounts and licenses

  • Identify Google Workspace user provisioning methods including manual creation, bulk CSV upload, Admin SDK Directory API automation, and Google Cloud Directory Sync from LDAP for different scale and automation requirements.
  • Provision and deprovision Google Workspace user accounts at scale using bulk CSV upload and Admin SDK automation including setting required profile attributes, OU assignment, and license assignment.
  • Configure Google Cloud Directory Sync to synchronize users and groups from on-premises LDAP directories or Active Directory to Google Workspace including sync rules, attribute mapping, and deletion policy configuration.
  • Manage Google Workspace license assignments by configuring license auto-assignment rules and manually assigning or revoking specific Workspace product and add-on licenses for users and organizational units.
  • Analyze user provisioning requirements and evaluate manual versus bulk versus GCDS versus API-based provisioning to recommend a lifecycle management strategy that scales with organizational growth and meets HR system integration needs.

Manage Google Groups and shared resources

  • Identify Google Groups types including email list groups, security groups, and dynamic groups and describe how group settings for membership, posting permissions, and access policies differ across group types.
  • Create and configure Google Groups with appropriate member types, posting restrictions, message moderation, external access settings, and group-level service configurations for email distribution and security access control.
  • Configure Calendar resources including meeting rooms, shared equipment, and building resources with feature availability settings, booking controls, and auto-acceptance policies for organizational facility management.
  • Configure Shared Drive settings including membership permissions, sharing outside organization, content manager controls, and migration settings to manage team-owned collaborative storage at organizational scale.
  • Analyze group and shared resource design requirements and evaluate group type selection, permission inheritance, and external access settings to recommend a collaboration structure that balances productivity and data protection.

Manage delegated administrator roles

  • Identify Google Workspace built-in administrator roles including Super Admin, Group Administrator, User Management Administrator, and Helpdesk Administrator and describe their permission scopes and appropriate use cases.
  • Create custom administrator roles with specific privilege combinations and assign them to users or groups with scoped access limited to specific organizational units to implement least-privilege admin delegation.
  • Evaluate administrator delegation requirements and determine appropriate custom role privilege combinations and OU scoping to implement a delegated administration model that satisfies regional IT team access requirements without over-provisioning.
3Domain 3: Configuring and Controlling Applications
3 topics

Configure Google Drive and sharing settings

  • Identify Google Drive sharing scope options including sharing within the organization, sharing to specific domains, sharing to anyone with the link, and sharing to external users and describe the data exposure implications of each.
  • Configure Google Drive sharing policies at the organizational unit level including external sharing restrictions, link sharing defaults, Drive SDK access controls, and add-on installation permissions.
  • Implement Google Workspace Drive DLP rules to detect and restrict sharing of sensitive content categories including credit card numbers, social security numbers, and custom pattern-matched data in Drive files and Shared Drives.
  • Evaluate Drive sharing policy configurations by analyzing sharing audit reports, DLP rule trigger frequency, and user sharing behavior patterns to identify data exfiltration risks and recommend policy tightening.

Configure Google Vault for eDiscovery and retention

  • Identify Google Vault capabilities including matters, holds, searches, exports, and retention rules and describe how each component supports legal hold, eDiscovery, and compliance data retention workflows.
  • Create Google Vault retention rules for Gmail, Drive, Groups, Chat, and Meet recordings to enforce minimum retention periods and automatic deletion schedules for compliance with regulatory data retention requirements.
  • Create Vault matters and litigation holds for specific users and organizational units, conduct targeted searches across email and Drive content, and export results in standard formats for legal review and regulatory production.
  • Evaluate Vault retention rule design for a given regulatory scenario and determine the appropriate retention policy structure including default versus custom rules, service scope, and interaction with litigation holds to satisfy compliance requirements.

Configure Google Workspace endpoint management

  • Identify Google Workspace endpoint management tiers including basic mobile management, advanced mobile management, and company-owned device management and describe their enrollment methods, capabilities, and policy enforcement differences.
  • Configure Google Workspace mobile device management policies including screen lock enforcement, encryption requirements, application management, remote wipe capabilities, and device approval settings for Android and iOS devices.
  • Configure Windows and Chrome OS device settings via Google Workspace endpoint management including Chrome browser policies, extension management, and Windows device configuration through Google Workspace MDM.
  • Evaluate endpoint management policy effectiveness by analyzing device compliance reports, unapproved device activity, and policy enforcement gaps to recommend changes that reduce endpoint-based data access risks.
4Domain 4: Configuring Mail Routing and Delivery
3 topics

Configure Gmail routing and delivery settings

  • Identify Gmail routing configuration types including inbound and outbound gateway routing, split delivery, dual delivery, and SMTP relay and describe their use cases for hybrid mail deployments and third-party gateway integration.
  • Configure Gmail inbound and outbound mail routing including default routing, non-Gmail mailbox routing, and recipient address maps to direct mail flow based on sender domain, recipient OU, or message attributes.
  • Configure Gmail SMTP relay service to allow authorized on-premises mail servers and printers to send email through Google infrastructure and configure allowed senders and TLS enforcement for outbound relay.
  • Configure Gmail split delivery to route mail for a domain to both Google Workspace users and non-Google mailboxes simultaneously, supporting phased migration scenarios where only a subset of users has been migrated.
  • Analyze Gmail routing configuration scenarios and evaluate the appropriate combination of inbound gateway, outbound gateway, SMTP relay, and split delivery settings for complex hybrid and multi-gateway mail architectures.

Configure Gmail compliance and DLP rules

  • Identify Gmail compliance rule types including content compliance, objectionable content, attachment compliance, secure transport, and email routing and describe how each rule type filters, modifies, or reroutes messages.
  • Create Gmail content compliance rules to scan message headers, body, and attachments for sensitive content patterns and trigger actions including quarantine, prepend subject, add BCC, and block delivery based on match conditions.
  • Implement Gmail DLP rules to detect and prevent sharing of sensitive information categories through email including financial data, personally identifiable information, and custom regex-matched content for regulatory compliance.
  • Configure Gmail secure transport compliance rules to enforce TLS encryption for inbound and outbound mail to and from specific partner domains and require certificate validation for sensitive communication channels.
  • Evaluate Gmail compliance rule effectiveness by analyzing quarantine queue volumes, DLP rule trigger reports, and false positive rates to recommend rule tuning that reduces data leakage risk without blocking legitimate mail flow.

Configure Gmail spam and phishing settings

  • Configure Gmail spam policy settings including allowed senders, blocked senders, approved senders for spam bypass, and enhanced pre-delivery message scanning settings to tune spam and phishing filtering behavior.
  • Implement Gmail email authentication validation settings including SPF, DKIM, and DMARC enforcement and configure DKIM signing key generation and DNS publication for outbound mail authentication.
  • Analyze email authentication configuration by reviewing DMARC aggregate reports and DKIM/SPF alignment results to troubleshoot delivery failures and recommend authentication record improvements that reduce spoofing exposure.
5Domain 5: Monitoring and Troubleshooting
2 topics

Monitor Google Workspace activity and usage

  • Identify Google Workspace reporting capabilities including Admin reports, Audit logs, Reports API, and Alert Center and describe which report type captures specific categories of administrator, user, login, and application activity.
  • Investigate user and administrator activity using Google Workspace audit logs including Login, Admin, Drive, Gmail, and Groups audit reports to identify security-relevant events and policy violations.
  • Configure Google Workspace Alert Center notification rules and email alerts for high-priority security events including suspicious login attempts, account compromises, phishing campaign detections, and external sharing policy violations.
  • Export Google Workspace audit log data to BigQuery using the Reports API for long-term retention and analysis of user activity trends, compliance reporting, and security investigation correlation queries.
  • Analyze Google Workspace security reporting data to identify anomalous login patterns, unusual Drive sharing activity, and admin privilege changes and recommend alerting and policy changes that reduce mean time to detect security incidents.

Troubleshoot Google Workspace issues

  • Troubleshoot Gmail delivery failures by analyzing message headers, Admin mail logs, postmaster tools data, and non-delivery report codes to diagnose routing misconfigurations, authentication failures, and reputation issues.
  • Troubleshoot Google Workspace SSO failures by analyzing SAML assertion attributes, certificate validity, entity IDs, and ACS URL configuration errors in the Admin console and identity provider logs.
  • Troubleshoot Google Cloud Directory Sync failures by analyzing GCDS sync reports, configuration manager logs, and attribute mapping errors to resolve user creation, update, and deletion synchronization issues.
  • Evaluate troubleshooting findings from Gmail delivery failures, SSO errors, and GCDS synchronization issues and recommend root cause remediation including configuration corrections, DNS record updates, and certificate renewals.
6Domain 6: Access and Authentication Security
3 topics

Implement Google Workspace SSO and identity federation

  • Identify Google Workspace SSO configuration options including third-party SAML-based SSO, Google as an identity provider for third-party apps, and OIDC integration and describe when each approach is appropriate.
  • Configure SAML-based SSO for Google Workspace using a third-party identity provider including IdP metadata upload, entity ID and ACS URL configuration, attribute mapping, and certificate-based signature verification.
  • Configure Google Workspace as a SAML identity provider for third-party service provider applications by creating SAML app definitions with correct entity IDs, ACS URLs, attribute statements, and group membership claims.
  • Evaluate SSO architecture decisions by comparing SAML versus OIDC federation, Google-managed versus customer-managed password policies, and the security tradeoffs of delegating authentication to external identity providers.

Implement 2-Step Verification and advanced authentication policies

  • Identify Google Workspace 2-Step Verification enforcement options including allowing all methods, requiring hardware security keys, and configuring grace periods and describe how enforcement policies are applied to organizational units.
  • Configure Google Workspace 2-Step Verification enforcement policies to require 2SV for all users or specific OUs, set enrollment grace periods, and allow or restrict specific second factor types including security keys and authenticator apps.
  • Implement Google Workspace Context-Aware Access policies to restrict Workspace app access based on user identity, device security posture, location, and IP address using access levels and access bindings.
  • Evaluate authentication policy configurations by analyzing 2SV enrollment rates, Context-Aware Access denials, and login audit data to identify gaps in authentication enforcement and recommend policy improvements.

Manage OAuth and third-party application access

  • Configure Google Workspace less secure app access and API controls to block or allow basic authentication methods and restrict which connected applications can access Workspace data through OAuth consent.
  • Audit and manage third-party OAuth application access by reviewing connected apps, revoking access tokens for suspicious or unauthorized applications, and implementing domain-wide delegation controls.
  • Evaluate OAuth application access risk by analyzing scope permissions, access patterns, and token usage in connected apps reports to identify overly permissive applications and recommend access policy restrictions.

Hands-On Labs

18 labs ~272 min total Console Simulator

Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.

Certification Benefits

Salary Impact

$118,000
Average Salary

Related Job Roles

Google Workspace AdministratorCollaboration Platform EngineerEnterprise IT AdministratorCloud Messaging Engineer

Industry Recognition

The Professional Google Workspace Administrator certification validates deep operational expertise in managing Google Workspace at enterprise scale and is recognized as the credential of record for organizations standardizing on Google Workspace for collaboration, productivity, and compliance.

Scope

Included Topics

  • All domains and task statements in the Google Workspace Administrator professional certification exam guide: Domain 1 Managing Google Workspace (~20%), Domain 2 Managing Users and Groups (~20%), Domain 3 Configuring and Controlling Applications (~16%), Domain 4 Configuring Mail Routing and Delivery (~16%), Domain 5 Monitoring and Troubleshooting (~16%), and Domain 6 Access and Authentication (~12%).
  • Professional-level Google Workspace administration including domain management, tenant configuration, organizational unit hierarchies, user and group lifecycle management, SSO and SAML configuration, 2-Step Verification enforcement, context-aware access, device management with endpoint management, MDM policies, Gmail routing and delivery rules, mail filtering, Google Vault for eDiscovery and legal hold, DLP policies for Drive and Gmail, data regions, Reports and Alert Center monitoring, Admin SDK, Google Apps Script automation, and Workspace Migrate.
  • Key Google Workspace services and admin capabilities: Google Admin console, Admin SDK, Directory API, Google Workspace Migrate, Gmail, Google Drive, Google Meet, Google Chat, Google Vault, Google Endpoint Management (MDM), Context-Aware Access, Google Groups, Organizational Units, SAML SSO, OAuth app management, Marketplace apps, third-party app access controls, Calendar resources, Shared Drives, Data Loss Prevention, Google Workspace Alerts Center, Google Workspace Reports, Activity Dashboard, and Audit logs.

Not Covered

  • Google Cloud Platform (GCP) infrastructure administration including Compute Engine, GKE, VPC networking, Cloud Storage IAM, and other GCP compute and networking services that are outside Google Workspace scope.
  • Deep Google Cloud Identity Platform and Firebase Authentication configuration beyond Workspace SSO and admin-managed identity settings.
  • Advanced Workspace developer API programming and client library code that exceeds administrator-level automation and configuration tasks.
  • Current Google Workspace subscription pricing details and promotional bundles that change over time.
  • Third-party email security platform configurations for non-Google MTA appliances, anti-spam gateways not integrated through Workspace routing, and standalone MDM solutions not connected through Google endpoint management.

Official Exam Page

Learn more at Google Cloud

Visit

PGWA is coming soon

Adaptive learning that maps your knowledge and closes your gaps.

Create Free Account to Be Notified

Trademark Notice

Google, Google Cloud, Google Workspace, and Google Cloud Platform are trademarks of Google LLC. Google does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.