External user added to Google Workspace group
Description
AlphaSOC detected a group membership change via ADD_GROUP_MEMBER where the
user and group email domains differ. This flags external users being added to
internal groups. Adding external members can be a legitimate collaboration
action but may also grant external accounts access to internal resources if not
properly scoped.
Impact
External group members can access group resources, internal emails, and shared drives depending on group permissions. Unreviewed external membership increases risk of data exposure, accidental sharing, and unauthorized access to internal resources.
Severity
| Severity | Condition |
|---|---|
| Low | External user added to Google Workspace group |
Investigation and Remediation
Inspect the audit event to identify the external member, the target group, and the actor who added the member. Confirm the business justification and whether the group’s permissions are appropriate for external collaborators. If the addition is unauthorized, remove the external member, review recent group activity and shared resources, and tighten group membership policies. Consider using separate external collaboration groups and approval workflows for external access.
Known False Positives
- Approved external contractors, partners, or federated accounts intentionally added for collaboration.
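
The domain comparison from the Description, applied to audit events and returning the member, group, and actor that the investigation step asks for. This is an added example, not AlphaSOC's detection rule. It assumes events in the Admin SDK Reports API activity layout with `USER_EMAIL` and `GROUP_EMAIL` parameters; `approved_domains` is a hypothetical allowlist of partner domains and the sample events are constructed.

```python
# Added example (not AlphaSOC's rule). Events use the Admin SDK Reports API
# activity layout; all sample data below is constructed.

def domain(email):
    """Lowercased domain of an email address, or '' when there is no '@'."""
    _, sep, dom = email.strip().rpartition("@")
    return dom.lower() if sep else ""

def external_additions(activities, approved_domains=frozenset()):
    """Return one finding per ADD_GROUP_MEMBER event with differing domains."""
    findings = []
    for activity in activities:
        actor = activity.get("actor", {}).get("email", "")
        when = activity.get("id", {}).get("time", "")
        for event in activity.get("events", []):
            if event.get("name") != "ADD_GROUP_MEMBER":
                continue
            params = {p.get("name"): p.get("value", "")
                      for p in event.get("parameters", [])}
            member, group = params.get("USER_EMAIL", ""), params.get("GROUP_EMAIL", "")
            m_dom, g_dom = domain(member), domain(group)
            if not m_dom or not g_dom or m_dom == g_dom:
                continue  # same domain, or fields missing: nothing to compare
            findings.append({
                "time": when, "actor": actor, "member": member, "group": group,
                # approved_domains is a hypothetical allowlist of partner domains
                "approved_partner": m_dom in approved_domains,
            })
    return findings

def _activity(time, actor, member, group, name="ADD_GROUP_MEMBER"):
    """Build a constructed audit activity for the sample below."""
    return {"id": {"time": time, "applicationName": "admin"},
            "actor": {"email": actor},
            "events": [{"type": "GROUP_SETTINGS", "name": name, "parameters": [
                {"name": "USER_EMAIL", "value": member},
                {"name": "GROUP_EMAIL", "value": group}]}]}

SAMPLE = [  # constructed events
    _activity("2024-05-01T09:00:00Z", "admin@example.com", "Alice@Example.com", "eng@example.com"),
    _activity("2024-05-01T09:05:00Z", "admin@example.com", "bob@example.org", "eng@example.com"),
    _activity("2024-05-01T09:10:00Z", "lead@example.com", "eve@example.net", "finance@example.com"),
    _activity("2024-05-01T09:15:00Z", "lead@example.com", "eve@example.net", "finance@example.com",
              name="REMOVE_GROUP_MEMBER"),
]

if __name__ == "__main__":
    for f in external_additions(SAMPLE, approved_domains={"example.org"}):
        print(f)
```

Findings with `approved_partner` set to false are the ones to check first for a business justification. An organization with several domains of its own would list them in the allowlist as well, since a plain domain comparison treats them as external.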