It's possible that some of your employees are using unmanaged accounts that access Google services. An unmanaged account is a Google account that a user created independently using one of your organization's domains. It's common for this to happen, but not ideal for managing your users and keeping their work data secure. Additionally, some unmanaged accounts result in conflicting account names. Attempting to create a managed account with the same name as an unmanaged account triggers such a conflict.
As a Google Workspace super administrator, you can specify how to handle conflicting accounts during user provisioning. You can invite unmanaged users to convert their accounts to managed accounts within your domain, unilaterally replace conflicting accounts with managed ones, or manually manage conflicting accounts. You choose a default option for handling unmanaged accounts using the Conflicting accounts management setting. The selected option applies when user accounts are created using the Admin SDK Directory API.
The Transfer tool for unmanaged users enables you to see what unmanaged user accounts exist, and then invite those unmanaged users to convert their accounts to managed accounts within your domain. Once the user accepts this request, their account and data can be managed within the Admin console. You can use the transfer tool to resolve the conflict by migrating the unmanaged account.
Set the option for handling unmanaged user accounts
Note: The selected option applies to user accounts created using the Admin SDK Directory API that specify the resolveConflictAccount=true parameter.
- Sign in to your Google Admin console.
  Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Account > Account settings > Conflicting accounts management.
- In the conflicting accounts management section, choose an option:
  - Automatically invite users to transfer conflicting unmanaged accounts to managed ones (default setting)
    Set a daily follow-up email duration. If users decline or don’t accept invitations within the follow-up period, choose an option:
    - Replace their conflicting accounts with managed ones
    - Don’t replace their conflicting account
  - Replace conflicting unmanaged accounts with managed ones
  - Don’t replace conflicting unmanaged accounts with managed ones
- Click Save.
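The note above ties this setting to Directory API calls that specify resolveConflictAccount=true. As an added example (not part of the original article), the following Python code builds a users.insert request with that parameter in the query string, without sending it. The helper name build_insert_user_request, the example.com domain, and the token placeholder are assumptions for illustration.

```python
import json
import secrets
import urllib.parse
import urllib.request

# Directory API users.insert endpoint.
USERS_ENDPOINT = "https://admin.googleapis.com/admin/directory/v1/users"


def build_insert_user_request(access_token, primary_email, given_name,
                              family_name, managed_domains,
                              resolve_conflict=True):
    """Build, but do not send, a users.insert request for a managed account."""
    local, _, domain = primary_email.rpartition("@")
    if not local or domain.lower() not in managed_domains:
        raise ValueError(f"{primary_email!r} is not in a managed domain")

    # resolveConflictAccount is a query parameter, not a field of the user
    # body. The Conflicting accounts management option applies to requests
    # that specify resolveConflictAccount=true.
    query = urllib.parse.urlencode(
        {"resolveConflictAccount": "true" if resolve_conflict else "false"})

    body = {
        "primaryEmail": primary_email,
        "name": {"givenName": given_name, "familyName": family_name},
        # Random throwaway password; the user sets their own at first sign-in.
        "password": secrets.token_urlsafe(24),
        "changePasswordAtNextLogin": True,
    }
    return urllib.request.Request(
        f"{USERS_ENDPOINT}?{query}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a credential.
    req = build_insert_user_request(
        "ACCESS_TOKEN_PLACEHOLDER", "alex@example.com", "Alex", "Example",
        managed_domains={"example.com"})
    print(req.get_method(), req.full_url)
    print(json.dumps({**json.loads(req.data), "password": "<redacted>"}, indent=2))
```

Sending the request requires an OAuth 2.0 access token authorized for the https://www.googleapis.com/auth/admin.directory.user scope.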
Migrate unmanaged user accounts
For instructions about how to check the status of unmanaged users or manually migrate them, see the following articles:
- Before using the transfer tool
- Use the transfer tool to migrate unmanaged users
- Use CSV to migrate unmanaged users
Note: You can't transfer consumer (unmanaged) users to a managed Google Workspace account if those users are members of a family group.
Managed & unmanaged accounts & conflicting account names
Managed user account
A managed user account is an account belonging to a domain-verified customer. A managed user account is under the full control of a Google Workspace or Cloud Identity administrator, and it can be managed in the Google Admin console.
Unmanaged user account
An unmanaged user account is fully owned and managed by the individual who created it. Unmanaged user accounts don’t belong to domain-verified customers, and they’re not controlled by Google Workspace or Cloud Identity administrators. Your organization has no control over the configuration, security, and life cycle of these accounts.
Unmanaged accounts are sometimes referred to as personal accounts, or consumer accounts, because the individual signed up for Google consumer services using their company domain in their email address.
Conflicting account
If an admin creates a managed Google Account using the same account name as an existing unmanaged user account, this results in a conflicting account. Super administrators can resolve such a conflict by using the Transfer tool for unmanaged users.
Why you need to transfer unmanaged accounts
If your employees use unmanaged accounts, then the premise of having a single place to manage user identities is compromised. Unmanaged accounts aren't managed by Google Workspace or Cloud Identity. Therefore, you can use the transfer tool to identify unmanaged user accounts that you want to convert to managed accounts, and migrate the unmanaged user accounts to managed accounts.
An unmanaged account that’s used for business and that uses a corporate email address can pose multiple risks to your business, including the following:
- You can’t control the life cycle of an unmanaged user account. An employee who leaves the company might continue to use the unmanaged account to access corporate resources or to generate corporate expenses.
- Even if you revoke access to all resources, the unmanaged account might still pose a social engineering risk. Because the user account uses a seemingly trustworthy identity with your company’s domain name, the former employee might be able to convince current employees or business partners to grant access to resources again—for example, a sensitive Drive file.
- A former employee with an unmanaged account might use the user account to perform activities that aren't in line with your organization's policies, which could put your company's reputation at risk.
- You can’t enforce security policies like 2-step verification or password complexity rules.
- You can’t restrict which geographic location Docs and Drive data is stored in, which might be a compliance risk.
- You can’t restrict which Google services can be accessed by an unmanaged user account.