Assess existing user accounts
Google supports two types of user accounts, managed user accounts and consumer user accounts. Managed user accounts are under the full control of a Cloud Identity or Google Workspace administrator. In contrast, consumer accounts are fully owned and managed by the people who created them.
A core tenet of identity management is to have a single place to manage identities across your organization:
- If you use Google as your identity provider (IdP), then Cloud Identity or Google Workspace should be the single place to manage identities. Employees should rely exclusively on user accounts that you manage in Cloud Identity or Google Workspace.
- If you use an external IdP, then that provider should be the single place to manage identities. The external IdP needs to provision and manage user accounts in Cloud Identity or Google Workspace, and employees should rely exclusively on these managed user accounts when they use Google services.
If employees use consumer user accounts, then the premise of having a single place to manage identities is compromised: consumer accounts aren't managed by Cloud Identity, Google Workspace, or your external IdP. Therefore, you must identify the consumer user accounts that you want to convert to managed accounts, as explained in the authentication overview.
To convert consumer accounts to managed accounts using the transfer tool, described later in this document, you must have a Cloud Identity or Google Workspace identity with a Super Admin role.
This document helps you to understand and assess the following:
- Which existing user accounts your organization's employees might be using, and how to identify those accounts.
- Which risks might be associated with these existing user accounts.
Example scenario
To illustrate the different sets of user accounts that employees might be using, this document uses an example scenario for a company named Example Organization. Example Organization has six employees and former employees who have all been using Google services such as Google Docs and Google Ads. Example Organization now intends to consolidate their identity management and establish their external IdP as the single place to manage identities. Each employee has an identity in the external IdP, and that identity matches the employee's email address.
There are two consumer user accounts, Carol and Chuck, that use an example.com email address:
- Carol created a consumer account using her corporate email address (carol@example.com).
- Chuck, a former employee, created a consumer account using his corporate email address (chuck@example.com).
Two employees, Glen and Grace, decided to use Gmail accounts:
- Glen signed up for a Gmail account (glen@gmail.com), which he uses to access private and corporate documents and other Google services.
- Grace also uses a Gmail account (grace@gmail.com), but she added her corporate email address, grace@example.com, as an alternate email address.
Finally, two employees, Mary and Mike, are already using Cloud Identity:
- Mary has a Cloud Identity user account (mary@example.com).
- Mike is the administrator of the Cloud Identity account and created a user (admin@example.com) for himself.
The following diagram illustrates the different sets of user accounts:
To establish the external IdP as the single place to manage identities, you must link the identities of the existing Google user accounts to the identities in the external IdP. The following diagram therefore adds an account set that depicts the identities in the external IdP.
Recall that if employees want to establish an external IdP as the single place to manage identities, they must rely exclusively on managed user accounts, and that the external IdP must control those user accounts.
In this scenario, only Mary meets these requirements. She uses a Cloud Identity user, which is a managed user account, and her user account's identity matches her identity in the external IdP. All other employees either use consumer accounts, or the identity of their accounts doesn't match their identity in the external IdP. The risks and implications of not meeting the requirements are different for each of these users. Each user represents a different set of user accounts that might require further investigation.
User account sets to investigate
The following sections examine potentially problematic sets of user accounts.
Consumer accounts
This set of user accounts consists of accounts for which either of the following is true:
- They were created by employees using the Sign up feature offered by many Google services.
- They use a corporate email address as their identity.
In the example scenario, this description fits Carol and Chuck.
A consumer account that's used for business purposes and that uses a corporate email address can pose risks to your business, such as the following:
- You cannot control the lifecycle of the consumer account. An employee who leaves the company might continue to use the user account to access corporate resources or to generate corporate expenses.
- Even if you revoke access to all resources, the account might still pose a social engineering risk. Because the user account uses a seemingly trustworthy identity like chuck@example.com, the former employee might be able to convince current employees or business partners to grant access to resources again. Similarly, a former employee might use the user account to perform activities that aren't in line with your organization's policies, which could put your company's reputation at risk.
- You cannot enforce security policies like MFA verification or password complexity rules on the account.
- You cannot restrict which geographic location Google Docs and Google Drive data is stored in, which might be a compliance risk.
- You cannot restrict which Google services can be accessed by using this user account.
If Example Organization decides to use Google as their IdP, then the best way for them to deal with consumer accounts is to either migrate them to Cloud Identity or Google Workspace or to evict them by forcing the owners to rename the user account.
If Example Organization decides to use an external IdP, they need to further distinguish between the following:
- Consumer accounts that have a matching identity in the external IdP.
- Consumer accounts that don't have a matching identity in the external IdP.
The following two sections look at these two subclasses in detail.
Consumer accounts with a matching identity in the external IdP
This set of user accounts consists of accounts that match all of the following:
- They were created by employees.
- They use a corporate email address as the primary email address.
- Their identity matches an identity in the external IdP.
In the example scenario, this description fits Carol.
The fact that these consumer accounts have a matching identity in your external IdP suggests that these user accounts belong to current employees and should be retained. You should therefore consider migrating these accounts to Cloud Identity or Google Workspace.
You can identify consumer accounts that have a matching identity in the external IdP as follows:
- Add all domains to Cloud Identity or Google Workspace that you suspect might have been used for consumer account signups. In particular, the list of domains in Cloud Identity or Google Workspace should include all domains that your email system supports.
- Use the transfer tool for unmanaged users to identify consumer accounts that use an email address that matches one of the domains you've added to Cloud Identity or Google Workspace. The tool also lets you export the list of affected users as a CSV file.
- Compare the list of consumer accounts with the identities in your external IdP, and find consumer accounts that have a counterpart.
Consumer accounts without a matching identity in the external IdP
This set of user accounts consists of accounts that match all of the following:
- They were created by employees.
- They use a corporate email address as their identity.
- Their identity does not match any identity in the external IdP.
In the example scenario, this description fits Chuck.
There can be several causes for consumer accounts without a matching identity in the external IdP, including the following:
- The employee who created the account might have left the company, so the corresponding identity no longer exists in the external IdP.
- There might be a mismatch between the email address used for the consumer account sign-up and the identity known in the external IdP. Mismatches like these can occur if your email system allows variations in email addresses such as the following:
  - Using alternate domains. For example, johndoe@example.org and johndoe@example.com might be aliases for the same mailbox, but the user might only be known as johndoe@example.com in your IdP.
  - Using alternate handles. For example, johndoe@example.com and john.doe@example.com might also refer to the same mailbox, but your IdP might recognize only one spelling.
  - Using different casing. For example, the variants johndoe@example.com and JohnDoe@example.com might not be recognized as the same user.
You can handle consumer accounts that don't have a matching identity in the external IdP in the following ways:
- You can migrate the consumer account to Cloud Identity or Google Workspace and then reconcile any mismatches caused by alternate domains, handles, or casing.
- If you think the user account is illegitimate or shouldn't be used anymore, you can evict the consumer account by forcing the owner to rename it.
You can identify consumer accounts without a matching identity in the external IdP as follows:
- Add all domains to Cloud Identity or Google Workspace that you suspect might have been used for consumer account signups. In particular, the list of domains in Cloud Identity or Google Workspace should include all domains that your email system supports as aliases.
- Use the transfer tool for unmanaged users to identify consumer accounts that use an email address that matches one of the domains you've added to Cloud Identity or Google Workspace. The tool also lets you export the list of affected users as a CSV file.
- Compare the list of consumer accounts with the identities in your external IdP and find consumer accounts that lack a counterpart.
Managed accounts without a matching identity in the external IdP
This set of user accounts consists of accounts that match all of the following:
- They were manually created by a Cloud Identity or Google Workspace administrator.
- Their identity doesn't match any identity in the external IdP.
In the example scenario, this description fits Mike, who used the identity admin@example.com for his managed account.
The potential causes for managed accounts without a matching identity in the external IdP are similar to those for consumer accounts without a matching identity in the external IdP:
- The employee for whom the account was created might have left the company, so the corresponding identity no longer exists in the external IdP.
- The corporate email address that matches the identity in the external IdP might have been set as an alternate email address or alias rather than as the primary email address.
- The email address that's used for the user account in Cloud Identity or Google Workspace might not match the identity known in the external IdP. Neither Cloud Identity nor Google Workspace verifies that the email address used as the identity exists. A mismatch can therefore not only occur because of alternate domains, alternate handles, or different casing, but also because of a typo or other human error.
Regardless of their cause, managed accounts without a matching identity in the external IdP are a risk because they can become subject to inadvertent reuse and name squatting. We recommend that you reconcile these accounts.
You can identify managed accounts without a matching identity in the external IdP as follows:
- Using the Admin Console or the Directory API, export the list of user accounts in Cloud Identity or Google Workspace.
- Compare the list of accounts with the identities in your external IdP and find accounts that lack a counterpart.
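The comparison step in this section, and the same step in the two consumer account sections above, can be scripted once you have the exported account list and the list of identities in your external IdP: normalize both sides, fold the alternate-domain, alternate-handle, and casing variations described above, and partition the accounts into those with a counterpart and those without. The following Python example is added here and is not Google's code or part of the transfer tool. The CSV columns, the IdP identity list, and the alias-domain map are constructed assumptions; treating dots in the local part as insignificant is a property of the assumed email system, not a general rule.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample export. The transfer tool for unmanaged users exports the
# consumer accounts it finds as a CSV file, and the Admin Console or Directory API
# can export managed accounts; the column names here are assumptions for this
# example, not the real export formats.
EXPORTED_ACCOUNTS_CSV = """email,source
carol@example.com,consumer
chuck@example.com,consumer
JohnDoe@example.com,consumer
john.doe@example.org,consumer
mary@example.com,managed
admin@example.com,managed
"""

# Constructed list of identities known in the external IdP.
IDP_IDENTITIES = [
    "carol@example.com",
    "johndoe@example.com",
    "mary@example.com",
    "mike@example.com",
]

# Alias domains that the assumed email system treats as the same mailbox,
# mapped to the canonical domain the IdP uses.
ALIAS_DOMAINS = {"example.org": "example.com"}


def normalize(email: str, alias_domains: dict[str, str]) -> tuple[str, list[str]]:
    """Canonicalize an address and report which variations were folded away.

    Folds the three variations the document lists: casing, alternate domains
    and alternate handles. Dots in the local part are treated as insignificant,
    which is an assumption about the email system, not a general rule.
    """
    reasons: list[str] = []
    email = email.strip()
    local, _, domain = email.partition("@")
    if email != email.lower():
        reasons.append("casing")
    local, domain = local.lower(), domain.lower()
    if domain in alias_domains:
        domain = alias_domains[domain]
        reasons.append("alternate domain")
    if "." in local:
        local = local.replace(".", "")
        reasons.append("alternate handle")
    return f"{local}@{domain}", reasons


@dataclass
class Reconciliation:
    # Exact matches: account email -> IdP identity (identical strings).
    matched: dict[str, str] = field(default_factory=dict)
    # Matched only after folding variations: account email -> (IdP identity, reasons).
    matched_after_normalization: dict[str, tuple[str, list[str]]] = field(default_factory=dict)
    # No counterpart even after normalization: candidates for eviction (consumer
    # accounts) or reconciliation (managed accounts).
    unmatched: list[str] = field(default_factory=list)


def reconcile(exported_csv: str, idp_identities: list[str],
              alias_domains: dict[str, str]) -> Reconciliation:
    """Partition an exported account list by whether the IdP knows the identity."""
    result = Reconciliation()
    exact = set(idp_identities)
    # Normalize the IdP side too, so a dotted or mixed-case IdP identity still matches.
    canonical: dict[str, str] = {}
    for identity in idp_identities:
        key, _ = normalize(identity, alias_domains)
        canonical.setdefault(key, identity)
    for row in csv.DictReader(io.StringIO(exported_csv)):
        email = row["email"].strip()
        if email in exact:
            result.matched[email] = email
            continue
        key, reasons = normalize(email, alias_domains)
        if key in canonical:
            result.matched_after_normalization[email] = (canonical[key], reasons)
        else:
            result.unmatched.append(email)
    return result


if __name__ == "__main__":
    r = reconcile(EXPORTED_ACCOUNTS_CSV, IDP_IDENTITIES, ALIAS_DOMAINS)
    for email in r.matched:
        print(f"match          {email}")
    for email, (identity, reasons) in r.matched_after_normalization.items():
        print(f"match (folded) {email} -> {identity} [{', '.join(reasons)}]")
    for email in r.unmatched:
        print(f"NO MATCH       {email}")
```

Accounts that land in `matched_after_normalization` are the ones the document says to migrate and then reconcile; the recorded reasons tell you which variation caused the mismatch. Accounts in `unmatched` need a human decision (the owner left, or the address is wrong) before you evict or reconcile them.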
Gmail accounts used for corporate purposes
This set of user accounts consists of accounts that match the following:
- They were created by employees.
- They use a gmail.com email address as their identity.
- Their identities don't match any identity in the external IdP.
In the example scenario, this description fits Grace and Glen.
Gmail accounts that are used for corporate purposes are subject to similar risks as consumer accounts without a matching identity in the external IdP:
- You cannot control the lifecycle of the consumer account. An employee who leaves the company might continue to use the user account to access corporate resources or to generate corporate expenses.
- You cannot enforce security policies like MFA verification or password complexity rules on the account.
The best way to deal with Gmail accounts is therefore to revoke access for those user accounts to all corporate resources and provide affected employees with new managed user accounts as replacements.
Because Gmail accounts use gmail.com as their domain, there is no clear affiliation with your organization. The lack of a clear affiliation implies that there is no systematic way, other than scrubbing existing access control policies, to identify Gmail accounts that have been used for corporate purposes.
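Scrubbing access control policies for Gmail principals can be scripted against an exported IAM policy. The following Python example is added here and is not Google's code; it assumes a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, and both the sample policy and the list of corporate domains are constructed for the example. It flags every `user:` principal whose domain you do not manage, so it also surfaces other external personal accounts, not only gmail.com ones.

```python
from __future__ import annotations

import json

# Constructed IAM policy in the JSON shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` prints.
# Member names and the etag are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwConstructedEtag=",
  "bindings": [
    {
      "role": "roles/editor",
      "members": [
        "user:glen@gmail.com",
        "user:mary@example.com",
        "serviceAccount:build@example-project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/viewer",
      "members": [
        "user:grace@gmail.com",
        "group:finance@example.com",
        "user:partner@partner.example.net"
      ]
    }
  ]
}
"""

# Domains you manage in Cloud Identity or Google Workspace (assumption for the example).
CORPORATE_DOMAINS = {"example.com", "example.org"}
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def load_policy(policy_json: str) -> dict:
    """Parse an exported IAM policy document."""
    return json.loads(policy_json)


def find_unaffiliated_users(policy: dict, corporate_domains: set[str]) -> list[dict]:
    """List `user:` principals whose domain is not one you manage.

    Each finding records the member, the role it holds and whether the domain
    is Gmail (the case the document describes) or some other external domain.
    Groups and service accounts are skipped because they are managed elsewhere.
    """
    findings: list[dict] = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, principal = member.partition(":")
            if kind != "user" or "@" not in principal:
                continue
            domain = principal.rsplit("@", 1)[1].lower()
            if domain in corporate_domains:
                continue
            findings.append({
                "member": member,
                "role": binding.get("role", ""),
                "domain": domain,
                "category": "gmail" if domain in GMAIL_DOMAINS else "external",
            })
    return findings


def roles_by_member(findings: list[dict]) -> dict[str, list[str]]:
    """Group findings so each flagged principal is listed once with all its roles."""
    grouped: dict[str, list[str]] = {}
    for finding in findings:
        grouped.setdefault(finding["member"], []).append(finding["role"])
    return grouped


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for member, roles in roles_by_member(find_unaffiliated_users(policy, CORPORATE_DOMAINS)).items():
        print(f"{member}: {', '.join(roles)}")
```

Run the same function over the policy of every project, folder, and the organization node to build the inventory of Gmail accounts that hold corporate access; the grouped output is the list of accounts to revoke and replace with managed user accounts, as the section recommends.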
Gmail accounts with a corporate email address as alternate email
This set of user accounts consists of accounts that match all of the following:
- They were created by employees.
- They use a gmail.com email address as their identity.
- They use a corporate email address as an alternate email address.
- Their identities don't match any identity in the external IdP.
In the example scenario, this description fits Grace.
From a risk perspective, Gmail accounts that use a corporate email address as an alternate email address are equivalent to consumer accounts without a matching identity in the external IdP. Because these accounts use a seemingly trustworthy corporate email address as their second identity, they are subject to the risk of social engineering.
If you want to maintain the access rights and some of the data associated with the Gmail account, you can ask the owner to remove Gmail from the user account so that you can then migrate them to Cloud Identity or Google Workspace.
The best way to handle Gmail accounts that use a corporate email address as an alternate email address is to sanitize them. When you sanitize an account, you force the owner to give up the corporate email address by creating a managed user account with that same corporate email address. Additionally, we recommend that you revoke access to all corporate resources and provide the affected employees with the new managed user accounts as replacements.
What's next
- Learn more about the different types of user accounts on Google Cloud.
- Find out how the migration process for consumer accounts works.
- Review best practices for federating Google Cloud with an external identity provider.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-11 UTC.