Google Associate Google Workspace Administrator Exam Practice Test

Page: 1 / 14
Total 101 questions

Want more questions? Get Premium Access.
()

Question 1

Your organization has detected a significant rise in unauthorized access to applications from personal devices. This poses a critical security risk and could lead to data loss. To mitigate this risk, you must immediately restrict user access to these applications. What should you do?

ALimit apps access to company-issued devices by using context-aware access.

BEnable multi-factor authentication for application access.

CEnable data loss prevention rules.

DConfigure apps data access to Limited to only allow access to unrestricted services.

Answer : A

The problem states a 'significant rise in unauthorized access to applications from personal devices,' posing a 'critical security risk' and potential 'data loss.' The immediate goal is to 'immediately restrict user access to these applications' from personal devices.

Context-Aware Access (CAA) is specifically designed to control access to Google Workspace applications based on the 'context' of the user and their device. This includes whether the device is managed (company-issued) or unmanaged (personal), its security posture, IP address, and location. By configuring CAA policies, you can enforce that users can only access specific applications if they are using a company-issued device.

Here's why the other options are less effective or not the primary solution for this immediate restriction:

B . Enable multi-factor authentication for application access. MFA is a crucial security layer, but it authenticates the user, not the device. A disgruntled employee could still use their personal device with MFA enabled to download data if no device-based restriction is in place. It prevents unauthorized users but not authorized users on unauthorized devices.

C . Enable data loss prevention rules. DLP rules are excellent for preventing sensitive data from leaving the organization (e.g., by blocking sharing of files containing credit card numbers). However, they don't restrict access to applications based on the device type. An employee could still access and potentially download non-DLP-sensitive data from a personal device if only DLP is enabled. The immediate risk is access from personal devices, not just content-based data loss.

D . Configure apps data access to Limited to only allow access to unrestricted services. This option typically refers to allowing specific APIs or services to be accessed by third-party apps, or perhaps limiting access within a highly restricted environment. It's not a direct control mechanism for user access from personal vs. company-issued devices to core Google Workspace applications.

Reference from Google Workspace Administrator:

Protect your business with Context-Aware Access: This is the primary documentation for Context-Aware Access, explicitly mentioning its use case for 'Allow access to apps only from company-issued devices.'

About Context-Aware Access: Provides an overview of how CAA works and its capabilities, including controlling access based on device security status (e.g., managed vs. unmanaged).

Question 2

Your company is transitioning to Google Workspace from legacy communication and collaboration applications. User accounts are managed in Active Directory and synced to Google Workspace by using Google Cloud Directory Sync (GCDS). Your company is implementing a new security policy for all accounts that requires complex passwords. Passwords must be at least 20 characters long, contain 3 symbols, 4 numbers, and 2 capital letters.

You need to enforce the new password policy in Google Workspace. What should you do?

AShare the instructions for changing a Google account password with your users. Monitor password strength in the Google Admin console as users change their passwords.

BEnable strong password enforcement and require a minimum length of 20 characters at the top-level organizational unit.

CCreate a password policy in Active Directory. Install Password Sync on the global catalog servers for Active Directory and require a password change for your users.

DCreate a password policy in Active Directory. Enable password synchronization in GCDS.

Answer : D

Since user accounts are managed in Active Directory (AD) and synced to Google Workspace via Google Cloud Directory Sync (GCDS), the best approach to enforce the new password policy is to create the password policy within Active Directory and then enable password synchronization in GCDS. This ensures that the complex password requirements are enforced within AD, and when passwords are updated, they will be synchronized with Google Workspace, maintaining consistency across both systems.

Question 3

Your company recently installed a free email marketing platform from the Google Workspace Marketplace. The marketing team is unable to access customer contact information or send emails through the platform. You need to identify the cause of the problem. What should you do first?

AVerify that the email marketing platform's subscription is active and up-to-date.

BCheck the OAuth scopes that are granted to the email marketing platform and ensure the platform has access to Contacts and Gmail.

CConfirm that the 'Manage Third-Party App Access' setting in the Admin console is enabled.

DUse the security investigation tool to review Gmail logs.

Answer : B

When a third-party application from the Google Workspace Marketplace is installed, it requests specific permissions (OAuth scopes) to access Google Workspace data and services. If the marketing team is unable to access customer contact information or send emails, the most likely cause is that the installed email marketing platform was not granted the necessary OAuth scopes for Contacts and Gmail during the installation or approval process.

Here's why other options are less likely to be the first step:

A . Verify that the email marketing platform's subscription is active and up-to-date. While important for continued use, a 'free' platform from the Marketplace generally doesn't have a subscription that would prevent initial access to basic functions like contacts and sending emails unless it's a trial that expired, which isn't indicated as the primary problem. This would be a later troubleshooting step if scope issues are ruled out.

C . Confirm that the 'Manage Third-Party App Access' setting in the Admin console is enabled. This setting controls whether users can install any third-party apps from the Marketplace. If it were disabled, the app likely wouldn't have been installed in the first place. If it was enabled and then disabled, the app would stop working, but the specific problem points to data access, not app disablement.

D . Use the security investigation tool to review Gmail logs. The security investigation tool is excellent for reviewing security events, but it's more for post-incident analysis or suspicious activity. In this scenario, the problem is a lack of functionality for a newly installed app, not a security breach or misconfiguration that would necessarily show up in Gmail logs immediately as an access issue for the app itself. The OAuth scopes are the more direct and initial point of failure.

Reference from Google Workspace Administrator:

Manage third-party app access to data: Google Workspace administrators can control which third-party apps can access their organization's data. This includes reviewing and managing OAuth API access for configured apps.

Understanding OAuth scopes: When an application requests access to Google data, it does so by requesting specific 'scopes.' These scopes define the particular resources and operations that the application is allowed to perform. For an email marketing platform, scopes for https://www.googleapis.com/auth/contacts (or a more specific contact scope) and https://www.googleapis.com/auth/gmail.send (or a broader Gmail scope) would be crucial.

Controlling which third-party & internal apps can access Google Workspace data: This section in the Admin console specifically allows administrators to review 'Configured apps' and check their 'OAuth API access.' This is where you would see the scopes granted to the email marketing platform.

Question 4

An employee at your organization may be sharing confidential documents with unauthorized external parties. You must quickly determine if any sensitive information has been leaked. What should you do?

AReview the employee's Drive log events in the security investigation tool.

BAudit Drive access by using the Admin SDK Reports API.

CReview the employee's user log events within the security investigation tool.

DCreate a custom report of the user's external sharing by using the security dashboard.

Answer : A

To quickly determine if an employee has shared confidential documents externally, you should utilize the security investigation tool in the Google Admin console and specifically review the Drive log events associated with that employee's account. This tool provides a centralized place to audit user activity related to Google Drive, including sharing actions.

Here's why option A is the most direct and efficient first step:

A . Review the employee's Drive log events in the security investigation tool.

The security investigation tool allows administrators to examine various logs related to user activity and potential security incidents. By focusing on the Drive log events for the specific employee in question, you can quickly filter and review actions such as file sharing, permission changes, and external access. This will provide a direct view of whether the employee has indeed shared documents externally and to whom.

Associate Google Workspace Administrator topics guides or documents reference: The official Google Workspace Admin Help documentation on the 'Security investigation tool' (or similar titles) explains its capabilities. Specifically, the section on 'Investigating Drive log events' details how administrators can use filters to view file sharing activities, including external sharing, by specific users and timeframes. This tool is designed for precisely such scenarios where you need to quickly audit user actions related to data access and sharing.

B . Audit Drive access by using the Admin SDK Reports API.

While the Admin SDK Reports API can provide detailed information about Drive activity, using it requires programming skills and setting up custom scripts or applications. This is not the quickest way to investigate a potential immediate security concern. The security investigation tool offers a user-friendly interface for administrators to perform such investigations without needing to code.

Associate Google Workspace Administrator topics guides or documents reference: The Google Workspace Admin SDK documentation describes the Reports API and its capabilities. While powerful for custom reporting and automation, it's not the fastest method for a quick, ad-hoc security investigation compared to the built-in security investigation tool.

C . Review the employee's user log events within the security investigation tool.

The user log events in the security investigation tool cover a broader range of activities beyond just Google Drive, such as login attempts, password changes, and device management actions. While this might provide some context, it is less focused on file sharing activities compared to the Drive log events. To quickly determine if confidential documents were shared, filtering directly for Drive-related actions is more efficient.

Associate Google Workspace Administrator topics guides or documents reference: The documentation on the security investigation tool outlines the different log sources available, including user logs and Drive logs. For investigating file sharing, the Drive logs provide more specific and relevant information.

D . Create a custom report of the user's external sharing by using the security dashboard.

The security dashboard provides an overview of your organization's security posture and includes pre-built reports and insights. While you can create custom reports, this process might take longer than directly investigating the Drive log events for the specific employee in the security investigation tool. The investigation tool is designed for targeted and immediate analysis of potential security incidents related to user actions.

Associate Google Workspace Administrator topics guides or documents reference: The Google Workspace Admin Help documentation on the 'Security dashboard' explains its features, which focus on overall security trends and insights. While it can be useful for identifying patterns, the security investigation tool is more suited for investigating specific user actions and potential data leaks on demand.

Therefore, the most efficient and direct way to quickly determine if the employee has shared confidential documents externally is to review the employee's Drive log events in the security investigation tool.

Question 5

Your company has just started using Search Ads 360. You need to limit access to Additional Google services for your entire organization by using the Admin console. Only the marketing team and a specific group of users from the web design team should have access. What should you do?

AEnable Search Ads 360 for both the marketing and web design team organizational units (OUs). Create a group to explicitly deny access to Search Ads 360. Assign the group to the web design users who should not have access.

BEnable Search Ads 360 at the top level of your organizational structure.

CEnable Search Ads 360 for the marketing organizational unit (OU). Create a sub-OU under the marketing OU. and move the web design team users who need access into this sub-OU.

DEnable Search Ads 360 for the marketing organizational unit (OU). Create a new group in the Admin console that includes the web design team users who need access. Enable Search Ads 360 for that group.
This approach leverages both organizational units and groups for access control. By enabling Search Ads 360 for the marketing OU, you grant access to all users within that department. Then, by creating a separate group containing the specific web design users who require access and enabling Search Ads 360 for that group, you provide them with the necessary permissions without granting access to the entire web design OU. This method allows for targeted access based on both departmental affiliation and specific user needs, aligning with the principle of least privilege.
Associate Google Workspace Administrator topics guides or documents reference: The Google Workspace Admin Help documentation on 'Turn services on or off for users' explains how to control access to Google services at both the organizational unit and group levels. It highlights the flexibility of using a combination of OUs and groups to achieve granular access control. Enabling a service for an OU applies it to all members of that OU, while enabling it for a group applies it only to the members of that specific group, regardless of their OU.
A . Enable Search Ads 360 for both the marketing and web design team organizational units (OUs). Create a group to explicitly deny access to Search Ads 360. Assign the group to the web design users who should not have access.
While you can deny service access using groups, it's generally more straightforward and less prone to errors to explicitly grant access only to those who need it. Enabling the service for the entire web design OU and then trying to revoke access for some users within it adds unnecessary complexity and potential for misconfiguration. Deny rules can also sometimes interact in unexpected ways with allow rules.
Associate Google Workspace Administrator topics guides or documents reference: While the Admin console allows for denying service access through groups, the documentation often emphasizes granting access to specific OUs or groups that require it as a more manageable and transparent approach.
B . Enable Search Ads 360 at the top level of your organizational structure.
Enabling Search Ads 360 at the top level would grant access to the service to every user in your organization. This directly contradicts the requirement to limit access to only the marketing team and a specific group within the web design team. This option provides the least control and violates the principle of least privilege.
Associate Google Workspace Administrator topics guides or documents reference: Google's best practices for service control emphasize granting access only to those who need it, typically by applying settings at the OU or group level, not organization-wide unless the service is intended for everyone.
C . Enable Search Ads 360 for the marketing organizational unit (OU). Create a sub-OU under the marketing OU. and move the web design team users who need access into this sub-OU.
Creating a sub-OU under the marketing OU for users from the web design team who need access is a less logical organizational structure. It mixes users from different departments within the same branch of the OU hierarchy, which can complicate future policy management and reporting. It's generally better to keep users within their respective departmental OUs and use groups for cross-departmental service access.
Associate Google Workspace Administrator topics guides or documents reference: Google's guidance on OU structure recommends organizing users based on their functional role or department within the organization for logical policy management and reporting. Creating sub-OUs based on service access needs rather than organizational structure is not a typical recommendation.
Therefore, the most appropriate and manageable solution is to enable Search Ads 360 for the marketing OU and create a separate group containing the specific web design users who need access, then enable the service for that group as well.

Answer : D, D

To limit access to Search Ads 360 to only the marketing team and a specific group of users from the web design team, the most effective and Google-recommended approach is to enable the service for the marketing organizational unit (OU) and then create a separate group containing the specific web design users who need access, enabling the service for that group as well. This allows for granular control and avoids granting access to the entire web design OU.

Here's why option D is the correct solution and why the others are less ideal:

Question 6

Your company is streamlining workflows by creating custom applications for tasks like filing expense reports or requesting time off. You need to identify a Google Workspace solution to develop these applications. Your development team has only basic coding knowledge. What should you do?

AEnable Gemini for Workspace. Direct users to use generative Al across Gmail and Drive to simplify the submission of expense reports.

BDirect employees to use Google Forms to collect data and create basic workflows.

CEnable AppSheet for your organization.

DEnable AppScript for your organization and allow employees to build add-ons to existing Workspace solutions.

Answer : C

The core requirement is to create custom applications for workflows like expense reports and time off, with a development team that has 'only basic coding knowledge.' This strongly points to a 'no-code' or 'low-code' platform.

AppSheet is Google's no-code development platform, designed specifically for users (often referred to as 'citizen developers') with basic or no coding knowledge to build custom mobile and web applications directly from data sources like Google Sheets, Forms, or other databases. It's ideal for automating business processes and creating custom workflows without traditional programming.

Here's why the other options are less suitable:

A . Enable Gemini for Workspace. Direct users to use generative AI across Gmail and Drive to simplify the submission of expense reports. Gemini for Workspace (Google's AI assistant) can help with tasks like drafting emails, summarizing documents, and generating content within existing Workspace apps. While it can 'simplify' aspects, it is not a platform for developing custom applications with structured workflows and data capture for tasks like full expense report submission or time-off requests. It enhances existing tools, it doesn't build new ones.

B . Direct employees to use Google Forms to collect data and create basic workflows. Google Forms is excellent for data collection and can be used for very simple workflows (e.g., collecting time-off requests). However, it lacks the robust functionality needed for complex custom applications, such as managing approvals, displaying data in different views, offline access, or integrating with other systems, without significant manual effort or custom scripting. The term 'custom applications' suggests something more sophisticated than just a form.

D . Enable AppScript for your organization and allow employees to build add-ons to existing Workspace solutions. Google Apps Script allows for powerful automation and the creation of custom add-ons for Google Workspace applications (Gmail, Sheets, Docs). However, Apps Script requires knowledge of JavaScript. While it's relatively 'basic coding' compared to full-stack development, it's still coding. The question emphasizes 'only basic coding knowledge' and the need for a solution to develop applications, implying a more visual or declarative approach than coding from scratch. AppSheet is generally considered easier for those with 'basic coding knowledge' or even no coding knowledge, making it a better fit for rapid application development by non-developers.

Reference from Google Workspace Administrator:

AppSheet: No-code App Development | Google Cloud: This is the primary resource for AppSheet, explicitly stating its purpose for 'no-code app development' and enabling 'everyone in your organization to build and extend applications without coding.' It highlights use cases for automating business processes like order approvals (similar to expense reports/time off).

Google AppSheet | Build apps with no code: Further reiterates that AppSheet helps 'build powerful applications and automations that boost productivity. No coding required.' It also mentions integration with Google Workspace, including Google Sheets and Forms as data sources.

Quick start: Build your first app and automation using Google Forms - AppSheet Help: This resource demonstrates how AppSheet can take data from Google Forms and build an app with automation (e.g., email notifications for approvals), showcasing its capability for workflows like expense reports.

Question 7

Your company wants to enable single sign-on (SSO) for its employees to access a newly acquired cloud-based marketing platform. The marketing platform vendor has confirmed SAML 2.0 compatibility and provided the necessary metadat

a. You need to streamline user access and centralize authentication through Google Workspace. What should you do?

ARequest an API key from the marketing platform vendor for SAML integration.

BEnable two-factor authentication for all users to enhance security before implementing SSO.

CInstruct employees to log in to the marketing platform using the Sign In with Google functionality.

DCreate a new SAML application in the Google Admin console.

Answer : D

To enable single sign-on (SSO) through Google Workspace, you need to create a new SAML application in the Google Admin console. This allows users to authenticate centrally through Google Workspace when accessing the marketing platform, leveraging SAML 2.0 compatibility. You can then upload the metadata provided by the marketing platform vendor to complete the integration. This approach ensures streamlined access and centralized authentication for your employees.