Sanitize Gmail accounts
This document describes how to sanitize existing Gmail accounts by deliberately removing any corporate email addresses from them. If your company hasn't been using Cloud Identity or Google Workspace, it's possible that some of your employees have been using Gmail accounts to access Google services. Some of these Gmail accounts might use a corporate email address such as alice@example.com as an alternate email address.
Consider sanitizing a Gmail account if either of the following conditions is true:
- You want the owner of the Gmail account to switch to a managed user account.
- You want the Gmail account to stop using a corporate email address as an alternate address. This might be because the account belongs to a former employee or because you don't recognize the owner of the account.
Removing the corporate email address from a Gmail account can mitigate a social engineering risk: if a Gmail account uses a seemingly trustworthy email address like alice@example.com as an alternate address, then the owner of the account might be able to convince employees or business partners to grant them access to resources they shouldn't be allowed to access.
Before you begin
To sanitize a Gmail account, you must meet all of the following prerequisites:
- You have identified a suitable onboarding plan and have completed all activities that your plan defines as prerequisites for consolidating your existing user accounts.
- You have created a Cloud Identity or Google Workspace account.
Each Gmail account that you plan to sanitize must meet the following criteria:
- One of the alternate email addresses of the Gmail account corresponds to one of the domains that you've added to your Cloud Identity or Google Workspace account. Both primary and secondary domains qualify, but alias domains are not supported.
Process
Sanitizing Gmail accounts works like migrating consumer accounts, but it is based on the idea that you deliberately create a conflicting account.
The following diagram illustrates the process. Rectangular boxes on the Administrator side denote actions that a Cloud Identity or Google Workspace administrator takes; rectangular boxes on the User account owner side denote actions that only the owner of a consumer account can perform.
The sequence of steps differs slightly depending on whether you want the owner of the Gmail account to switch to a managed user account or whether you simply want the account to give up its corporate email address.
Encourage a switch to a managed account
If you want a user to switch to a managed account, create a user account for that user in Cloud Identity or Google Workspace. For the primary email address, use the email address that's used as an alternate email address by the Gmail account. For example, if the Gmail user bob@gmail.com has specified bob@example.com as an alternate email address, use bob@example.com as the primary email address for the Cloud Identity or Google Workspace user.
The owner of the affected account has two ways to sign in—by using the Gmail address or by using the corporate email address. If the owner signs in by using the Gmail address, they see the following message, indicating that the corporate email address has been disassociated from the user account:

The account owner sees this message only once. If the owner instead signs in by using the corporate email address, they see a ballot screen:

If they select Organizational Google Workspace account, they must authenticate using the credentials of the newly created user account in Cloud Identity or Google Workspace. If they use an external IdP, this process involves single sign-on. Because the user account in Cloud Identity or Google Workspace is new, none of the Gmail account's data is transferred.
If they select Individual Google account, they continue with their Gmail account, but they see the following message indicating that the corporate email address is being disassociated from the user account:

After confirming, they are shown another message:

Force an account to give up its corporate email address
You can force an account to give up its corporate email address as follows:
- Create a user account in Cloud Identity or Google Workspace that has the corresponding corporate email address. Because you don't want the managed user account to ever be used, assign a random password.
- Delete the user account that you just created.
By creating a conflicting account and immediately deleting the managed account, you leave the consumer account in a state where the owner has to rename the account.
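The two procedures above, expressed against the Admin SDK Directory API as an added example that is not part of the original page: the default creates the conflicting account and deletes it immediately, and `keep_managed_account=True` corresponds to encouraging a switch to a managed account. `MANAGED_DOMAINS`, the function names and `DryRunDirectory` (a constructed stand-in that records calls) are assumptions; a real `directory` client would come from `googleapiclient.discovery.build("admin", "directory_v1", ...)`.

```python
import secrets

# Assumption: your account's primary and secondary domains (alias domains don't qualify).
MANAGED_DOMAINS = {"example.com"}


def conflicting_user_body(corporate_email, given_name, family_name):
    """Build the Directory API users.insert body for the conflicting account."""
    local, _, domain = corporate_email.rpartition("@")
    if not local or domain.lower() not in MANAGED_DOMAINS:
        raise ValueError(f"{corporate_email} is not in a managed domain")
    return {
        # Same address the Gmail account lists as its alternate email address.
        "primaryEmail": corporate_email,
        "name": {"givenName": given_name, "familyName": family_name},
        # Random and never stored, so nobody can sign in with this password.
        "password": secrets.token_urlsafe(32),
    }


def sanitize_gmail_account(directory, corporate_email, given_name,
                           family_name, keep_managed_account=False):
    """Create the conflicting managed user and delete it again unless it is kept."""
    body = conflicting_user_body(corporate_email, given_name, family_name)
    directory.users().insert(body=body).execute()
    if not keep_managed_account:
        directory.users().delete(userKey=corporate_email).execute()
    return {"email": corporate_email, "managed_account_kept": keep_managed_account}


class DryRunDirectory:
    """Constructed stand-in that records calls instead of contacting Google."""
    def __init__(self):
        self.calls = []

    def users(self):
        return self

    def insert(self, body):
        self.calls.append(("insert", body["primaryEmail"]))
        return self

    def delete(self, userKey):
        self.calls.append(("delete", userKey))
        return self

    def execute(self):
        return {}
```

Running `sanitize_gmail_account(DryRunDirectory(), "bob@example.com", "Bob", "Example")` records an insert followed by a delete for the same address, which is the call sequence to review before pointing the function at a real client.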
The owner of the affected account has two ways to sign in—by using the Gmail address or by using the corporate email address:
If the owner signs in by using the Gmail address, they see the following message, indicating that the corporate email address has been disassociated from the user account:

If they instead sign in by using the corporate email address, they see the following message:

After confirming, they are shown another message:

All configuration and data that was created by using this consumer account is unaffected by the renaming process. But for subsequent attempts to sign in, the user must use the Gmail address because the corporate address is no longer associated with the user account.
Best practices
We recommend the following best practices when you are sanitizing Gmail accounts:
- Prevent other users from assigning a corporate email address to their Gmail accounts by proactively provisioning user accounts to Cloud Identity or Google Workspace.
- Prevent new Gmail accounts from being granted access to Google Cloud resources by using an organizational policy to restrict identities by domain.
- Prevent Gmail accounts from being given access to Google Marketing Platform by using a policy that restricts sharing by domain.
What's next
- Review how you can assess existing user accounts.
- Learn how to evict unwanted consumer accounts.
Last updated 2024-07-11 UTC.