Unmanaged Google accounts created within a company domain
As an organization that uses Google Workspace or is considering moving to Google Workspace you might come across a scenario where users had created consumer Google accounts using their organization’s email address [email protected] to access Google Services such as Google Drive to collaborate on files and folders shared with them or use other services such as YouTube or Google Photos.
These accounts identify as consumer accounts and are managed by the users that created them. These accounts may contain confidential data that the organization may want to maintain access and have control over these unmanaged accounts currently outside their control. We will walk you through:
What is the difference between Managed and Unmanaged Google Accounts
Managed user account: A managed user account is an account belonging to a domain-verified customer. A managed user account is under the full control of a Google Workspace or Cloud Identity administrator, and it can be managed in the Google Admin console.
Unmanaged accounts: Unmanaged accounts are sometimes referred to as personal accounts, or consumer accounts, because the individual signed up for Google consumer services using their company domain in their email address. This happens when a user creates a custom Google Account/Identity, to use some Google Consumer side applications but using the company’s domain, say example.com over gmail.com. For Example, a user may create a Google Account [email protected] to use the Google account to access/use Google Drive, Google Ads, Youtube etc instead of using a Gmail account say [email protected].These accounts may have been created long before your organization started moving to Google Workspace.
The existence of unmanaged accounts is rated as a conflict with your actual managed Google Workspace users and Cloud Identity; both when signing in and also sharing access to vast resources within Google Solutions. If an admin creates a managed Google Account using the same account name as existing unmanaged user account, this results in a conflicting account. If there’s a conflict like this, the super administrators can resolve such conflicting accounts by using the Transfer tool for unmanaged users within the Google Workspace admin console.
Why you need to transfer unmanaged accounts
If your employees use unmanaged accounts for business purposes and use a corporate email address,this can pose multiple risks to your business, including the following:
- You can’t control the lifecycle of an unmanaged user account. An employee who leaves the company might continue to use the unmanaged account to access corporate resources or to generate corporate expenses.
- Even if you revoke access to all resources, the unmanaged account might still pose a social engineering risk. Because the user account uses a seemingly trustworthy identity with your company’s domain name, the former employee might be able to convince current employees or business partners to grant access to resources again—for example, a sensitive Drive file.
- A former employee with an unmanaged account might use the user account to perform activities that aren’t in line with your organization’s policies, which could put your company’s reputation at risk.
- You can’t enforce security policies like 2-step verification or password complexity rules.
- You can’t restrict which geographic location Docs and Drive data is stored in, which might be a compliance risk.
- You can’t restrict which Google services can be accessed by an unmanaged user account.
What will happen if a user accepts the transfer?
If a user accepts the transfer, the account is surfaced in Cloud Identity or Google Workspace. The account is now considered a managed account, and all data associated with the original consumer account is transferred to the managed account. The Personal (unmanaged) Google accounts that are transferred to Google Workspace managed user accounts:
- Can’t be changed back to a personal account.
- Are added to the root organizational unit. After the account is transferred, you can move the user to another organizational unit.
- Are assigned a Cloud Identity Free license.
- The data within the account is transferred with the account and as a Google Workspace administrator you can access and delete the data
- As an administrator you can restrict access to different Google Services.
What happens if a users does not transfer the account?
Two accounts can’t have the same email address, so if a user with a conflicting account doesn’t transfer their unmanaged account, they’ll need to rename it next time they sign in. To require users to rename their account, you first need to add users to your managed Google Workspace account using the email address that they used for their personal account. Then, the next time the user signs in to their personal account, they’re asked to change the email address associated with that account. They have the following options:
- Rename their unmanaged account with a new Gmail address.
- Rename their unmanaged account with a non-Gmail address that the user already owns. They can use this option only when the non-Gmail address isn’t already used as a Google account email address.
- Sign in with a temporary username that Google provides (for example, jane%[email protected]). With this option, users are prompted to rename the account every time they sign in. The prompts stop after the user selects a permanent solution (new Gmail or non-Gmail address).
- Users have full control over renaming their personal accounts—administrators don’t participate in this process.
How To Find and Transfer Unmanaged accounts
When you add and verify a domain in Cloud Identity or Google Workspace, any consumer account that uses an email address within this domain becomes an unmanaged account. For the user, this has no impact; they can sign in and access their data as normal. For example, if you add example.com, the account [email protected] is identified as an unmanaged account while [email protected] is not unless you also add corp.example.com to the Cloud Identity or Google Workspace account.
The existence of unmanaged accounts is surfaced to you as the Cloud Identity or Google Workspace administrator. To view the list of user accounts that are unmanaged0:
- Login as an admin to your Google Workspace admin console and navigate to your home page.
- On the far right under Tools click on Transfer tool for unmanaged users. Note: It can take up to 24 hours for a new account name to take effect.
- All unmanaged user accounts are displayed within the list of users, with the Request Status listed as Not yet invited, indicating that no transfer request has been sent to the user.
- To initiate a transfer of the unmanaged user accounts, select a user account from the list and click on Email transfer request.
- The user receives an email similar to the below email. Meanwhile, the account request status switches to Invited under your Google Admin console.
- The affected user will need to click on the Transfer account link within the email and follow the steps to sign in and complete the transfer of the account.
- By clicking Next the user accepts the terms of service and completes the transfer of the account to be a managed account within your Google Workspace tenancy.
- Once the user has accepted the transfer request you should be able to see the user account within your Google Workspace list of users.
- Alternatively, the user might follow up on the email, but decline the transfer. This causes the user request status to be listed as Declined in the transfer tool. If you suspect that declining was unintentional, you can repeat the above steps by sending another request.
- If a user declines a transfer request, as an admin you may choose to create a conflicting account, this way you begin the eviction process of the unmanaged account. To initiate the eviction, creating a new user account with the same email address as the unmanaged account, Google automatically indicates to you that there already exists a user account with the same email address.
Click on the radio button next to create a new user and then click continue.
For the owner of the evicted account, the next time they sign in, they will be asked to choose which account they want to sign in as per the screenshot below:
Since their account was a personal account the user will enter their current password and before accessing their preferred Google services, they will get the following notification/prompt to rename their account:
The user will have three options for proceeding:
- Convert the user account into a Gmail account with a new Gmail address. This will allow the user to get Gmail but with a different email address of their choice as long as its available and retains the data within the account .i.e. [email protected]
- Associate a different email address with a non-Google email address. This allows the user to use a non-Gmail account with another domain they own while retaining access to the data.
- Postpone the rename. This causes the user account to use a temporary gtempaccount.com email address in the meantime i.e. Jean%[email protected]