Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
Multi-party approval protects against malicious actions in the Admin console by requiring that any sensitive settings changes—such as turning 2-Step Verification enforcement on or off—must be approved by another super admin. Once a super admin receives and approves the settings change request, the change is carried out automatically, without any further action needed from the requesting admin.
Multi-party approval is turned on by default for domains with 2 or more super admins. See instructions below on how to turn it on or off.
Once on, Multi-party approval applies to the following settings:
- 2-Step Verification
- Account recovery
- Advanced Protection
- Google session control
- Login challenges
- Passwordless (beta)
How Multi-party approval works
In this example, Multi-party approval protects the sensitive action of changing 2-Step verification settings.
- A Workspace admin navigates to Security
Authentication
- A pop-up dialog notifies the admin that this action requires review from a Super admin. The requesting admin can optionally enter an explanatory message before sending the request for review.
Note: If there's already a pending request to change a setting that's waiting for approval, any new request is temporarily blocked until the pending request is resolved. The admin whose request is blocked can view the conflicting request.
- The requesting admin gets an email confirmation message that their request has for approval has been submitted.
- The approver Super admin receives the email request for approval. and opens a link to the Multi-party approval details page in the Admin console. The details page shows:
- Who's requesting the change
- The current setting (before change) and the proposed setting (after change)
- Options to approve or decline the request
- The approver reviews the request details, then either approves or rejects the request.
- If the request is approved, the change in 2-Step verification settings is carried out automatically, without further action needed from the requesting admin.
- If the approver takes no action, the request expires in 3 days.
- Requester gets an email when the request is approved or rejected, or if the request has expired with no action.
AuthenticationView request details, approve a request, cancel a request
Either the requester or the approver can view pending or past requests on the Multi-party approval list page. Clicking a request in the list displays a details page for that request. On the request details page, requesters can cancel a request, and approvers can approve or reject the request.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Go to Security
You can view all requests, or only your own requests. Request details include the request status, requester’s name, when the request was created, and the setting change being requested.
- To view details on a specific request, click in the Action column at left.
- The requester details page includes an option to cancel the request.
- The approver details page includes the options to approve or reject the request.
- Click Multi-party approval at left to return to the approval list page.
Turn Multi-party approval on or off
Use the multi-party approval setting in Admin console to turn the feature on or off for your domain.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Go to Security
- To turn multi-party approval on, check the Require multi-party approval for sensitive admin actions box. To turn off, uncheck the box.
- Click Save.
Note: If multi-party approval is turned off from an on state:
- Pending requests are active for the normal period of time, until they are approved, requested, or expire.
- New settings changes that involve sensitive actions will not create multi-party approval requests.
