Evict consumer accounts
If you haven't been usingCloud Identity orGoogle Workspace,it's possible that your organization's employees have been using consumeraccounts to access Google services. Some of these consumer accounts might use acorporate email address such asalice@example.com as a primary or alternateemail address.
This document describes how you canevict, or get rid of, these types ofconsumer accounts by removing the corporate email address from them. Althoughthe consumer accounts will still exist, removing the corporate email addresshelps you mitigate a social engineering risk—as long as a consumer account has aseemingly trustworthy email address likealice@example.com, the owner of theaccount might be able to convince current employees or business partners togrant them access to resources they shouldn't be allowed to access.
Alternatively, bymigrating consumer accounts,you can keep these accounts and turn them intomanaged accounts.But there might be some accounts that you don't want to migrate, such as thefollowing:
- Consumer accounts that are used by former employees.
- Consumer accounts that are used by employees that are not supposed toaccess Google services.
- Consumer accounts for which you cannot recognize the owner.
Before you begin
To evict offending consumer accounts, you must satisfy the followingprerequisites:
- You haveidentified a suitable onboarding plan and have completed all prerequisites for consolidating your existing useraccounts.
- You have created aCloud Identity or Google Workspace account.
The primary or alternate email address of the consumer account must correspondto one of the domains that you have added to your Cloud Identity orGoogle Workspace account. Both primary and secondary domains qualify, butalias domains are not supported.
Process
Evicting unwanted consumer accounts works similarly tomigrating consumer accounts,but it is based on deliberately creating a conflicting account. The followingdiagram illustrates the process. Boxes on theAdministrator side denoteactions a Cloud Identity or Google Workspace administrator takes;rectangular boxes on theUser account owner side denote actions only theowner of a consumer account can perform.
Find unmanaged user accounts
You can use thetransfer tool for unmanaged users to find consumer accounts that use a primary email address that matches one ofthe verified domains of your Cloud Identity or Google Workspaceaccount.
Create a conflicting account
When you have identified a consumer account that you want to evict, do thefollowing:
Create a user account in Cloud Identity orGoogle Workspace that has the same corporate email address as theaccount you want to evict.
If the consumer account uses the corporate email address as the primaryemail address, the Admin Console warns you about an impending conflict.Because you are intentionally creating the conflicting account, selectCreate new user.
Because you don't want the managed user account to ever be used, assign arandom password.
Delete the user account that you just created.
By creating a conflicting account and immediately deleting it, you force theowner to rename that user account. But you avoid that owner being shown a ballotscreen that prompts them to choose between the managed and consumer account.
Rename the user account
For the owner of the evicted user account, the next time they sign in, they seethe following message:
As the screenshot suggests, they have three options for proceeding:
- Convert the user account into a Gmail account.
- Associate a different email address with the account.
- Postpone the rename. This causes the user account to use a temporary
gtempaccount.comemail address in the meantime.
All configuration and data that was created by using this consumer account isunaffected by the rename.
Best practices
We recommend the following best practices when you evict unwanted consumeraccounts:
- Ensure that affected users can no longer receive email on their(former) corporate email address. Otherwise, a user might be able to undothe rename and switch the primary email address back to the corporate emailaddress.
- Prevent other users from signing up for new consumer accounts byproactively provisioning user accounts to Cloud Identity or Google Workspace.
What's next
- Review how you canassess existing user accounts.
- Learn how toremove a corporate email address from a Gmail account.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-06-26 UTC.