Blocking Access to Consumer Accounts on Google Chrome

Brian Kim
Oct 25, 2020

When deploying Google Workspace in a traditional large enterprise setting where access to Google services would typically be blocked, one of the challenges is selectively allowing access to the core Google Workspace applications (Gmail, Drive, Docs, etc.). This traditionally required network infrastructure changes: a proxy server would inspect the traffic and inject a header.

Google Chrome has made this easier with Chrome Browser Cloud Management, where you can apply device-level policies directly from the Google Workspace Admin Console.

The first step is to enroll Chrome browsers. Depending on how you are managing your devices today, the steps may vary. Once enrolled, it is highly recommended that you set up a separate organizational unit for devices, so you can keep your user-level and device-level policies separate.

The menu item that allows you to block access to consumer accounts is "Sign-in to secondary accounts". The name is misleading, because when you select "Allow users to only sign into the G Suite domains set below", the policy that gets pushed is AllowedDomainsForApps.

You can then choose to include any of your Google Workspace domains to allow sign-in, but block sign-ins to any other accounts. When users try to access accounts that do not belong to the domains explicitly listed, they will be presented with this error message. I have included two other links below for reference.
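To confirm that the value pushed for AllowedDomainsForApps really limits sign-in to your own domains, the check below audits it. This is an added example, not code from the original post. It assumes the browser's policies have been collected into a flat JSON document of policy name to value (the shape of a Chrome managed policy file on Linux); the function name, the approved domains and the sample documents are constructed for illustration.

```python
import json

# Assumption: Google documents this list entry as re-allowing consumer accounts.
CONSUMER_TOKEN = "consumer_accounts"

def audit_allowed_domains(policy_json, approved):
    """Return findings for the AllowedDomainsForApps value (hypothetical helper).

    policy_json: text of a flat {"PolicyName": value} JSON document.
    approved: set of Google Workspace domains the organisation owns.
    An empty list means sign-in is restricted to approved domains only.
    """
    policies = json.loads(policy_json)
    value = policies.get("AllowedDomainsForApps")
    if not isinstance(value, str) or not value.strip():
        return ["AllowedDomainsForApps is not set: sign-in is unrestricted"]
    approved = {d.lower() for d in approved}
    findings, seen = [], set()
    # The policy value is a single comma-separated string of domains.
    for raw in value.split(","):
        entry = raw.strip().lower()
        if not entry:
            findings.append("empty entry (stray comma) in value")
        elif entry == CONSUMER_TOKEN:
            findings.append("consumer_accounts present: consumer sign-in allowed")
        elif entry not in approved:
            findings.append(f"unapproved domain: {entry}")
        elif entry in seen:
            findings.append(f"duplicate entry: {entry}")
        seen.add(entry)
    return findings

# Constructed sample inputs; example.com / example.org stand in for real domains.
APPROVED = {"example.com", "example.org"}
GOOD = '{"AllowedDomainsForApps": "example.com,example.org"}'
WEAK = '{"AllowedDomainsForApps": "example.com, consumer_accounts,partner.test"}'
UNSET = '{"HomepageLocation": "https://example.com"}'

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("weak", WEAK), ("unset", UNSET)):
        print(name, audit_allowed_domains(doc, APPROVED))
```
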


Brian is a Google-certified Collaboration and Security Engineer. You can find him hanging out in the SaaSOps or MacAdmins Slack.