Google supports two types of user accounts: managed user accounts and consumer user accounts. Managed user accounts are under the full control of a Cloud Identity or Google Workspace administrator. In contrast, consumer accounts are fully owned and managed by the people who created them.
A core tenet of identity management is to have a single place to manage identities across your organization:
If employees use consumer user accounts, then the premise of having a single place to manage identities is compromised: consumer accounts aren't managed by Cloud Identity, Google Workspace, or your external IdP. Therefore, you must identify the consumer user accounts that you want to convert to managed accounts, as explained in the authentication overview. This document helps you to understand and assess the following:
Example scenario

To illustrate the different sets of user accounts that employees might be using, this document uses an example scenario for a company named Example Organization. Example Organization has six employees and former employees who have all been using Google services such as Google Docs and Google Ads. Example Organization now intends to consolidate their identity management and establish their external IdP as the single place to manage identities. Each employee has an identity in the external IdP, and that identity matches the employee's email address. There are two consumer user accounts, Carol and Chuck, that use an
Two employees, Glen and Grace, decided to use Gmail accounts:
Finally, two employees, Mary and Mike, are already using Cloud Identity:
The following diagram illustrates the different sets of user accounts:

To establish the external IdP as the single place to manage identities, you must link the identities of the existing Google user accounts to the identities in the external IdP. The following diagram therefore adds an account set that depicts the identities in the external IdP.

Recall that if employees want to establish an external IdP as the single place to manage identities, they must rely exclusively on managed user accounts, and that the external IdP must control those user accounts. Currently, only Mary meets these requirements. She uses a Cloud Identity user, which is a managed user account, and her user account's identity matches her identity in the external IdP. All other employees either use consumer accounts, or the identity of their accounts doesn't match their identity in the external IdP. The risks and implications of not meeting the requirements are different for each of these users. Each user represents a different set of user accounts that might require further investigation.

User account sets to investigate

The following sections examine potentially problematic sets of user accounts.

Consumer accounts

This set of user accounts consists of accounts for which either of the following is true:
In the example scenario, this description fits Carol and Chuck. A consumer account that's used for business purposes and that uses a corporate email address can pose a risk to your business, such as the following:
If Example Organization decides to use Google as their IdP, then the best way for them to deal with consumer accounts is to either migrate them to Cloud Identity or Google Workspace or to evict them by forcing the owners to rename the user account. If Example Organization decides to use an external IdP, they need to further distinguish between the following:
The following two sections look at these two subclasses in detail.

Consumer accounts with a matching identity in the external IdP

This set of user accounts consists of accounts that match all of the following:
In the example scenario, this description fits Carol. The fact that these consumer accounts have a matching identity in your external IdP suggests that these user accounts belong to current employees and should be retained. You should therefore consider migrating these accounts to Cloud Identity or Google Workspace. You can identify consumer accounts that have a matching identity in the external IdP as follows:

Consumer accounts without a matching identity in the external IdP

This set of user accounts consists of accounts that match all of the following:
In the example scenario, this description fits Chuck. There can be several causes for consumer accounts without a matching identity in the external IdP, including the following:
You can handle consumer accounts that don't have a matching identity in the external IdP in the following ways:
You can identify consumer accounts without a matching identity in the external IdP as follows:
Managed accounts without a matching identity in the external IdP

This set of user accounts consists of accounts that match all of the following:
In the example scenario, this description fits Mike, who used the identity
The potential causes for managed accounts without a matching identity in the external IdP are similar to those for consumer accounts without a matching identity in the external IdP:
Regardless of their cause, managed accounts without a matching identity in the external IdP are a risk because they can become subject to inadvertent reuse and name squatting. We recommend that you reconcile these accounts. You can identify managed accounts without a matching identity in the external IdP as follows:

Gmail accounts used for corporate purposes

This set of user accounts consists of accounts that match the following:
In the example scenario, this description fits Grace and Glen. Gmail accounts that are used for corporate purposes are subject to similar risks as consumer accounts without a matching identity in the external IdP:
The best way to deal with Gmail accounts is therefore to revoke access for those user accounts to all corporate resources and provide affected employees with new managed user accounts as replacements. Because Gmail accounts use

Gmail accounts with a corporate email address as alternate email

This set of user accounts consists of accounts that match all of the following:
In the example scenario, this description fits Grace. From a risk perspective, Gmail accounts that use a corporate email address as an alternate email address are equivalent to consumer accounts without a matching identity in the external IdP. Because these accounts use a seemingly trustworthy corporate email address as their second identity, they are subject to the risk of social engineering. If you want to maintain the access rights and some of the data associated with the Gmail account, you can ask the owner to remove Gmail from the user account so that you can then migrate them to Cloud Identity or Google Workspace. The best way to handle Gmail accounts that use a corporate email address as an alternate email address is to sanitize them. When you sanitize an account, you force the owner to give up the corporate email address by creating a managed user account with that same corporate email address. Additionally, we recommend that you revoke access to all corporate resources and provide the affected employees with the new managed user accounts as replacements.
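
The account sets described above can be derived mechanically once you have an export of IdP identities and a list of Google user accounts. The following is an added example, not part of the original document or any Google tooling: the `Account` fields, the `example.com` domain, and all email addresses are constructed assumptions modelled on the Example Organization scenario.

```python
from dataclasses import dataclass

CORP_DOMAIN = "example.com"  # constructed corporate domain (assumption)

@dataclass(frozen=True)
class Account:
    owner: str
    primary: str         # primary email address of the Google user account
    managed: bool        # True for a Cloud Identity or Google Workspace user
    alternate: str = ""  # alternate email address, if one is set

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def classify(acct: Account, idp_identities: set) -> str:
    """Name the account set described in this document that acct falls into."""
    matches = acct.primary.lower() in {i.lower() for i in idp_identities}
    if acct.managed:
        return "managed, matching identity" if matches else "managed, no matching identity"
    if domain(acct.primary) == "gmail.com":
        if domain(acct.alternate) == CORP_DOMAIN:
            return "gmail, corporate alternate email"
        return "gmail, corporate use"
    return "consumer, matching identity" if matches else "consumer, no matching identity"

def assess(accounts, idp_identities) -> dict:
    """Group account owners by account set so each set can be handled separately."""
    report = {}
    for acct in accounts:
        report.setdefault(classify(acct, idp_identities), []).append(acct.owner)
    return report

# Constructed sample data modelled on the Example Organization scenario.
IDP = {"carol@example.com", "glen@example.com", "grace@example.com",
       "mary@example.com", "mike@example.com"}
ACCOUNTS = [
    Account("Carol", "carol@example.com", managed=False),
    Account("Chuck", "chuck@example.com", managed=False),
    Account("Glen", "glen@gmail.com", managed=False),
    Account("Grace", "grace@gmail.com", managed=False, alternate="grace@example.com"),
    Account("Mary", "mary@example.com", managed=True),
    Account("Mike", "mike.legacy@example.com", managed=True),
]

if __name__ == "__main__":
    for account_set, owners in assess(ACCOUNTS, IDP).items():
        print(f"{account_set}: {', '.join(owners)}")
```

Only the "managed, matching identity" set already meets the requirements for an external IdP; every other set in the report needs one of the treatments described in the sections above.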

Can you verify a Google Account without a phone number?

It is no longer possible to create a new Gmail account without verifying a mobile phone number. If you don't have access to a phone number that can receive either text messages or phone calls, you can either gain access to a temporary phone number, or use a friend or family member's phone for the verification process.

How can I recover my Google Account without phone number?

How to Recover Gmail Password without Phone Number and Recovery Email:
1. Go to Google Recovery Account.
2. Enter Your Email.
3. Select 'Try another way to sign in'.
4. Click on 'Try another way'.
5. Click on 'Try another way' Again.
6. Wait for Next 48 Hours.
7. Check Your Email for the Recovery Link.

How can I get my verification code for Gmail without phone?

If you've lost access to your primary phone, you can verify it's you with:
- Another phone signed in to your Google Account.
- Another phone number you've added in the 2-Step Verification section of your Google Account.
- A backup code you previously saved.

How can I recover my old Gmail account without verification code?

Follow the steps to recover your Google Account or Gmail. You'll be asked some questions to confirm it's your account. Answer the questions as best as you can. ... Reset your password when prompted. Choose a strong password that you haven't already used with this account. Learn how to create a strong password.