Configure security and authentication

2-step verification

Enforcement

Before enforcing the setting, have all users and administrators enroll in 2-step verification, or place them in an exception group (see Use exception groups). This should be done for new users during account creation. Otherwise, they will be locked out of Google Apps.

Follow the instructions here to make 2-step verification mandatory:

  1. If you will require 2-step verification of all users in the domain or within an existing organizational unit (OU), you may skip this step. If you need to have a different 2-step verification setting for a select group of users within an organization, create an admin-managed group containing all such users.

    See Use exception groups for detailed instructions on creating custom groups.
     
  2. Do one of the following:
    Classic Admin console: On the Reports tab, select Additional reports.
    New Admin console: On the Dashboard, click Reports, then select Additional Reports.

  3. Click Download under 2-Step Verification Enrollment Report. Please note this report is available only if you allowed users to turn on 2-factor authentication as described in Setup.

  4. Examine the CSV file and ensure all users to be forced into 2-step verification are already enrolled in it, indicated by "true" in the enrolled_2-step_verification column, like so:

    account_name, enrolled_2-step_verification, enforced_2-step_verification
    "bart@example.com", true, false

  5. Do one of the following:
    Classic Admin console: On the Settings tab, select Security.
    New Admin console: On the dashboard, click Security > Basic settings > Enforce 2-step verification on users.

  6. Select the organization where you wish to make 2-step verification mandatory. Then select Turn on enforcement.
     
  7. To have a suborganization inherit the 2-step verification setting from its parent organization, click the Use inherited button that appears near the right margin when you hover over the Authentication pane.
     
  8. If you would like to exempt a group of users, keep the organization selected on the left-hand side of the page, select the group name (created in step 1) on the right-hand side, and select Turn off enforcement. This will apply 2-step verification to all users in the selected organization except the users in the exception group.
     
  9. Save your changes.

    All users of the selected organization are now required to enter a secondary code from their mobile device.
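
The check in step 4 can be scripted. The following is an added example, not part of Google's documentation or tooling: it reads the downloaded report and lists the accounts that are neither enrolled nor in the exception group, which are the ones enforcement would lock out. The column names come from the sample in step 4; the sample rows and the exception group membership are constructed.

```python
import csv
import io

# Column names as shown in the report sample in step 4.
ACCOUNT = "account_name"
ENROLLED = "enrolled_2-step_verification"

# Constructed sample report (not real data), same layout as the sample in step 4.
SAMPLE_REPORT = '''account_name, enrolled_2-step_verification, enforced_2-step_verification
"bart@example.com", true, false
"lisa@example.com", false, false
"svc-backup@example.com", false, false
"Homer@example.com", TRUE, false
"marge@example.com", , false
'''

def parse_report(text):
    """Return {account: enrolled_bool} from the enrollment report CSV text."""
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(rows, [])]
    if ACCOUNT not in header or ENROLLED not in header:
        raise ValueError("unexpected report layout: %r" % header)
    acct_i, enr_i = header.index(ACCOUNT), header.index(ENROLLED)
    status = {}
    for row in rows:
        row = row + [""] * (len(header) - len(row))  # pad short rows
        account = row[acct_i].strip().lower()
        if not account:
            continue  # blank line
        # Anything other than an explicit "true" counts as not enrolled,
        # so an empty or malformed cell is flagged rather than passed.
        status[account] = row[enr_i].strip().lower() == "true"
    return status

def lockout_risk(report_text, exception_group=()):
    """Accounts enforcement would lock out: not enrolled and not exempt."""
    exempt = {a.strip().lower() for a in exception_group}
    status = parse_report(report_text)
    return sorted(account for account, enrolled in status.items()
                  if not enrolled and account not in exempt)

if __name__ == "__main__":
    # Hypothetical exception group membership (the group created in step 1).
    at_risk = lockout_risk(SAMPLE_REPORT, ["svc-backup@example.com"])
    for account in at_risk:
        print("NOT ENROLLED, would be locked out:", account)
    raise SystemExit(1 if at_risk else 0)
```

Run it against the downloaded CSV before step 6; a non-empty result means those users still need to enroll or be added to the exception group.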