diff --git a/README.md b/README.md
index 16be9db0..0097f91a 100644
--- a/README.md
+++ b/README.md
@@ -661,7 +661,7 @@ Once you have the client ID and secret keys generated, configure them using the
 For example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth.
-You can also restrict logins to a single domain by adding `--env 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`.
+You can also restrict logins to a single domain by adding `--env "OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'"`.
 #### Facebook
@@ -916,7 +916,7 @@ Below is the complete list of available options that can be used to customize yo
 | `OAUTH_CAS3_LOGOUT_URL` | CAS3 logout URL. Defaults to `/cas/logout` |
 | `OAUTH_GOOGLE_API_KEY` | Google App Client ID. No defaults. |
 | `OAUTH_GOOGLE_APP_SECRET` | Google App Client Secret. No defaults. |
-| `OAUTH_GOOGLE_RESTRICT_DOMAIN` | Google App restricted domain. No defaults. |
+| `OAUTH_GOOGLE_RESTRICT_DOMAIN` | List of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults. |
 | `OAUTH_FACEBOOK_API_KEY` | Facebook App API key. No defaults. |
 | `OAUTH_FACEBOOK_APP_SECRET` | Facebook App API secret. No defaults. |
 | `OAUTH_TWITTER_API_KEY` | Twitter App API key. No defaults. |
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 1583e28a..8f92efa1 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -380,7 +380,7 @@ production: &base
 label: 'Google',
 app_id: '{{OAUTH_GOOGLE_API_KEY}}',
 app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}',
- args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: '{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}' } }
+ args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: [{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}] } }
 - { name: 'facebook',
 app_id: '{{OAUTH_FACEBOOK_API_KEY}}',
 app_secret: '{{OAUTH_FACEBOOK_APP_SECRET}}' }
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 48ec5259..6b6385e4 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -242,6 +242,12 @@ OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
 OAUTH_GOOGLE_APP_SECRET=${OAUTH_GOOGLE_APP_SECRET:-}
 OAUTH_GOOGLE_APPROVAL_PROMPT=${OAUTH_GOOGLE_APPROVAL_PROMPT:-}
+OAUTH_GOOGLE_RESTRICT_DOMAIN=${OAUTH_GOOGLE_RESTRICT_DOMAIN:-}
+if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then # backward compatibility
+ if [[ ${OAUTH_GOOGLE_RESTRICT_DOMAIN} != "'"* ]]; then
+ OAUTH_GOOGLE_RESTRICT_DOMAIN="'${OAUTH_GOOGLE_RESTRICT_DOMAIN}'"
+ fi
+fi
 ### FACEBOOK
 OAUTH_FACEBOOK_API_KEY=${OAUTH_FACEBOOK_API_KEY:-}
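Review bot: With the surrounding quotes gone, `hd: [{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}]` takes the variable's text as raw YAML, so whatever the operator supplies becomes config structure rather than a string value. An unset variable now renders `hd: []` where it used to render `hd: ''`; how the Google strategy treats an empty list is not visible here, so it is worth confirming that "no restriction configured" still behaves as before and neither rejects every login nor skips the domain check. A stray `]`, `}` or unbalanced quote in the value would break or reshape this provider entry, and since the setting is an access restriction the value should be validated before substitution; the env-defaults hunk is the natural place for that. The provider entry opens before the start of this hunk.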
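Review bot: The backward-compatibility check looks only at the first character, so several plausible values end up as something other than a list of domains: `example.com,example2.com` becomes the single string `'example.com,example2.com'`, and `"example.com"` becomes `'"example.com"'`. Because the result is substituted unquoted into `hd: [...]` in gitlab.yml, the quoting done here is the only thing between the operator's input and the YAML structure of the login restriction. I would split on commas, strip any quotes, check each entry against a hostname pattern and rebuild the quoted list, failing startup on anything else, as sketched below. The sketch uses `exit 1`, which assumes this file is sourced by the entrypoint (not visible here), and it rejects `*`; allow that explicitly if a wildcard value is meant to be supported.

```shell
OAUTH_GOOGLE_RESTRICT_DOMAIN=${OAUTH_GOOGLE_RESTRICT_DOMAIN:-}
if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then
  # Rebuild the list from validated names instead of trusting the caller's quoting.
  IFS=',' read -ra google_domains <<< "${OAUTH_GOOGLE_RESTRICT_DOMAIN}"
  google_domains_quoted=()
  for domain in "${google_domains[@]}"; do
    domain=${domain//\'/}
    domain=${domain//\"/}
    domain=${domain//[[:space:]]/}
    if [[ ! ${domain} =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
      echo "ERROR: OAUTH_GOOGLE_RESTRICT_DOMAIN contains an invalid domain: ${domain}" >&2
      exit 1
    fi
    google_domains_quoted+=("'${domain}'")
  done
  OAUTH_GOOGLE_RESTRICT_DOMAIN=$(IFS=','; echo "${google_domains_quoted[*]}")
fi
# … unchanged: FACEBOOK defaults …
```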