[PCE] Google Cloud Certified Professional Collaboration Engineer Certification Exam Preparation
**Question 1. Which Google Workspace setting controls the minimum required password
length for all users in an organization?**
A) Password strength policy
B) Password length requirement
C) Two‑step verification enforcement
D) Account recovery options
Answer: B
Explanation: The Password length requirement defines the minimum number of characters a
password must contain and applies organization‑wide.
**Question 2. When configuring SSO with a third‑party IdP using SAML, which attribute must be
mapped to identify the user’s primary email address in Google Workspace?**
A) NameID
B) AssertionConsumerServiceURL
C) AudienceRestriction
D) RelayState
Answer: A
Explanation: The NameID attribute in the SAML assertion typically carries the user's primary
email, allowing Google Workspace to locate the correct account.
**Question 3. In Google Cloud Directory Sync (GCDS), which option determines whether newly
created LDAP groups are imported as Google Groups?**
A) Sync users only
B) Sync groups only
C) Sync users and groups
D) Sync organizational units only
Answer: C
Explanation: Selecting “Sync users and groups” enables GCDS to import both user accounts and
group objects from LDAP into Google Workspace.
**Question 4. What is the primary purpose of an organizational unit (OU) in Google
Workspace?**
A) To create shared drives automatically
B) To apply policies and settings to a subset of users
C) To enable multi‑factor authentication for all users
D) To synchronize external directories
Answer: B
Explanation: OUs segment users so administrators can assign different security, service, and
device policies to each group.
**Question 5. Which of the following is NOT a supported identity provider protocol for Google
Workspace as a service provider?**
A) SAML 2.0
B) OpenID Connect
C) OAuth 2.0
D) LDAP
Answer: D
Explanation: Google Workspace supports SAML, OpenID Connect, and OAuth for federated
authentication, but LDAP is used for directory sync, not as an IdP protocol.
**Question 6. When granting third‑party applications access via OAuth, which scope should be
used to allow read‑only access to a user’s Google Drive files?**
A) https://www.googleapis.com/auth/drive.file
B) https://www.googleapis.com/auth/drive.readonly
C) https://www.googleapis.com/auth/drive.appdata
D) https://www.googleapis.com/auth/drive.metadata.readonly
Answer: B
Explanation: The drive.readonly scope provides read‑only permissions to all files in the user’s
Drive.
**Question 7. Which Google Workspace Admin console feature lets you automate the
provisioning of new users from an HR system?**
A) Bulk user upload CSV
B) Cloud Identity Groups API
C) User provisioning via SCIM
D) Directory API batch requests
Answer: C
Explanation: SCIM (System for Cross‑Domain Identity Management) enables automated
provisioning and de‑provisioning of users from external HR systems.
**Question 8. A user is removed from the organization but still appears in the Global Address
List. Which step resolves this issue?**
A) Delete the user’s Google account manually
B) Wait for the 24‑hour sync window to expire
C) Re‑suspend the user and then delete the account
D) Remove the user from all groups first
Answer: C
Explanation: Suspending before deletion ensures the account is fully removed from the
directory and the GAL.
**Question 9. How can an administrator enforce that all new Google Groups must require
manager approval before members can join?**
A) Set “Group join mode” to “Ask to join” in the group’s settings
B) Enable “External members must be approved” at the domain level
C) Configure “Group membership moderation” in the Admin console
D) Use a Google Apps Script to reject join requests automatically
Answer: C
Explanation: Group membership moderation allows managers to approve or deny membership
requests for new groups.
**Question 10. Which Google Workspace setting determines whether a user can create a new
Shared Drive?**
A) Access to Drive and Docs > Sharing settings > Create shared drives
B) Organizational unit > Services > Drive > Allow creation of shared drives
C) Admin roles > Drive admin > Create shared drives permission
D) User’s personal Drive settings > Enable shared drive creation
Answer: B
Explanation: The OU‑level service setting controls the ability to create Shared Drives for all users
within that OU.