Previously, I’ve shown how to use Google Cloud Identity to create a Super Admin account for free and reroute all the emails going to it to another account. Today I will share two more tips for improving account management in Google Workspace.
Contractor and temporary Google accounts
Imagine you bring someone in to help you with hiring. Someone as awesome as Nate. Nate needed a Google account on your domain to act on behalf of YeshID and log into the tools we use, like gem.com, “The modern recruiting CRM.” So I set up a Google Workspace account for Nate. It’s easy and not too expensive.
When Nate was done with his gig, we wanted (and needed, for compliance reasons) to close his account. As we said in this post, we wanted to move fast and save money. But then I realized we could not access some of the things Nate had set up. Not because he didn’t do a great job of transferring–Nate is great–but because some tools, like Gem–which is also great(!)–don’t support handing over access (yet).
Now I faced a dilemma: keep Nate’s account after ensuring he no longer has access (compliance) and pay for it monthly, or delete it and maybe lose some of the work?
I found another option: convert it into a free Cloud Identity account, route all of its email to one of the employees–me in this case–and use it to sign into Gem just like a regular Google account!
For a step-by-step explanation of how to do that, see the “More secure and free” section in my previous blog post.
You now have a free account, sans Gmail but with email routing, that you can use to “Sign in with Google” to all the services until you no longer need it.
Note: this will not work on services that require explicit access to the account’s Gmail.
Account locked by enforced 2-Step Verification (2SV)
So, here’s a common scenario: you have enforced 2SV–sometimes called multi-factor authentication–company-wide. People have to use 2SV, but not right away. There’s a grace period so people can sign up without having their second means of authentication in the way. You create a new account and email a temporary password to an existing email account. The user registers. Most people, I found, skip setting up the second factor because it’s annoying friction. They promise themselves they’ll do it later, and they get annoyed when you remind them, much like I do when reminded to fix the squeaky door every six months…! Erm. I mean, to set up 2SV.
But, unlike others who wait patiently for six months, the policy here is strict. If you don’t set up your 2SV in time, you’ll be locked out. Now the admin has to waste time re-enabling the account. Resetting the password won’t help – the password isn’t the problem. Generating backup codes doesn’t help either. Same deal: the account never enabled 2SV, so Google will not ask for the backup codes during the user’s login. Luckily, there’s a hidden solution that I really think shouldn’t be so hard to find.
- Go to admin.google.com
- Open Directory
- Open Users
- Click on the name of the locked account
- Click on the Security section on the right
- Click “ADD SECURITY KEY”
- Attach your physical security key (e.g. YubiKey) to the account
- Generate backup codes for the account
- Send them to the user
OK, I know this is annoying, but I think it’s better than many of the alternatives, which might temporarily move you out of compliance.
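A cheaper fix is to catch these accounts before the grace period runs out. As an added example (not code from the original post), the Python below runs the check over a constructed sample shaped like the Admin SDK Directory API users.list response, using its isEnrolledIn2Sv and isEnforcedIn2Sv fields; the grace window counted from creationTime and the sample values are assumptions, so set grace_days to match your policy.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Directory API users.list output
# (fields: primaryEmail, creationTime, isEnrolledIn2Sv, isEnforcedIn2Sv).
# Real data would come from an authenticated users.list call; these are made up.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "creationTime": "2024-01-05T10:00:00.000Z",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},   # enrolled: fine
    {"primaryEmail": "bob@example.com", "creationTime": "2024-02-20T09:30:00.000Z",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},  # enforced, never enrolled
    {"primaryEmail": "carol@example.com", "creationTime": "2024-03-02T12:00:00.000Z",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},  # still inside the window
    {"primaryEmail": "nate@example.com", "creationTime": "2024-03-01T08:00:00.000Z",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False}, # not in an enforced OU
]


def parse_rfc3339(ts):
    """Directory API timestamps look like 2024-02-20T09:30:00.000Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def twosv_lockout_report(users, grace_days, now_iso):
    """List users subject to 2SV enforcement who have not enrolled.

    Assumption: the enrollment window is grace_days counted from creationTime.
    days_left is negative once that window has passed (PAST_GRACE); otherwise
    the account is AT_RISK and the user should be chased before lockout.
    """
    now = parse_rfc3339(now_iso)
    report = []
    for u in users:
        if u.get("isEnforcedIn2Sv") and not u.get("isEnrolledIn2Sv"):
            deadline = parse_rfc3339(u["creationTime"]) + timedelta(days=grace_days)
            days_left = (deadline - now).days
            report.append({
                "email": u["primaryEmail"],
                "days_left": days_left,
                "status": "PAST_GRACE" if days_left < 0 else "AT_RISK",
            })
    # Most urgent first.
    return sorted(report, key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in twosv_lockout_report(SAMPLE_USERS, 14, "2024-03-10T00:00:00.000Z"):
        print(f'{row["status"]:10} {row["days_left"]:4d} days  {row["email"]}')
```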