diff --git a/references/workspace/sso-providers.mdx b/references/workspace/sso-providers.mdx
index 3876f358..43493a7a 100644
--- a/references/workspace/sso-providers.mdx
+++ b/references/workspace/sso-providers.mdx
@@ -47,6 +47,38 @@ OAuth 2.0-based authentication using Google accounts. Ideal for organizations us
- **Included in**: Cloud Pro, Enterprise, Self-hosted
- **Setup guide**: [Google SSO configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash#google)
+#### Disable Google sign-in for your organization
+
+When Google SSO is enabled at the instance level, organization admins can opt out of Google sign-in for their domains — for example, to enforce sign-in through a dedicated identity provider (Okta, Azure AD, etc.) instead.
+
+To manage your organization's Google SSO policy:
+
+1. Go to **Settings** → **Organization** → **Authentication**.
+2. In the **Google** panel, toggle **Enable Google sign-in for this organization** off to hide the Google login button for users in your domains. Toggle it back on (or select **Reset to default**) to follow the instance default.
+3. Optional: expand **Advanced** to override the org's allowed email domains for this method, or to control whether email/password sign-in is shown alongside Google.
+
+
+ The opt-out applies only to users who belong to your organization. Users from other organizations on the same Lightdash instance are unaffected.
+
+
+You can also manage the policy through the API:
+
+```bash
+# Disable Google sign-in for your organization
+curl -X PUT https://{{ lightdash_domain }}/api/v1/org/sso/google \
+ -H "Authorization: Bearer " \
+ -H "Content-Type: application/json" \
+ -d '{ "enabled": false }'
+
+# Read the current policy (returns null when no explicit policy is set)
+curl https://{{ lightdash_domain }}/api/v1/org/sso/google \
+ -H "Authorization: Bearer "
+
+# Reset to the instance default
+curl -X DELETE https://{{ lightdash_domain }}/api/v1/org/sso/google \
+ -H "Authorization: Bearer "
+```
+
### Okta
OpenID Connect (OIDC) integration with Okta. Supports group synchronization and SCIM provisioning.