Security best practices for administrator accounts

Follow these best practices to improve the security of your administrator accounts and by extension, of your business as a whole.

For more security best practices, see Security checklists.

Protect administrator accounts

Require 2-Step Verification for admin accounts

If someone manages to get the admin password, 2-Step Verification (2SV) helps protect the account from unauthorized access. It’s especially important for super admins to use 2SV because their accounts control access to all business and employee data in the organization.

Protect your business with 2-Step Verification

Use security keys for 2-Step Verification

There are several 2SV methods, including security keys, Google prompt, Google Authenticator, and backup codes. Security keys are small hardware devices that are used for second factor authentication. They help to resist phishing threats and are the most secure form of 2SV.

Protect your business with 2-Step Verification–Security keys

Don't share administrator accounts among users

Give each administrator their own identifiable admin account. Otherwise, if multiple people use the same administrator account to sign in to the Admin console, such as admin@example.com, you can’t tell which administrator is responsible for specific activities in the audit log.

Guard against targeted attacks

You can apply many of the recommendations in this article at once by enrolling super admin accounts and other sensitive accounts in the Advanced Protection Program.

Protect users with the Advanced Protection Program

Manage super administrator accounts

Set up multiple super admin accounts

Your organization should have more than one super administrator account, each managed by a separate individual (avoid sharing an admin account). If one account is lost or compromised, another super admin can perform critical tasks while the other account is recovered.

Don’t use a super admin account for daily activities

Give each super administrator 2 accounts: Their own super admin account and a separate account for daily activities. Users should only sign in to a super admin account to perform super admin tasks, such as setting up 2-Step Verification (2SV), managing billing and user licenses, or helping another admin recover their account.

Super administrators should use a separate, non-admin account for day-to-day activities.

For example, if Maria and James are super admins, they should each have one identifiable admin account and one user account, as follows:

  • admin-maria@example.com, maria@example.com
  • admin-james@example.com, james@example.com

Make sure you get important admin announcements

If you don't often sign in with your primary admin account, you might miss important mandatory service announcements from Google. To make sure you receive these announcements, set up a secondary email contact to send these announcements to an account that you use regularly.

Send billing and account notifications to another admin

Don’t stay signed in to a super admin account

Staying signed in to a super admin account when you aren’t doing specific administrative tasks can increase exposure to phishing attacks. Super admins should sign in as needed to do specific tasks and then sign out.

Use non-super admin accounts for daily admin tasks

Use the super admin account only when needed. Delegate administrator tasks to user accounts with limited admin roles. Use the least privilege approach, where each user has access to the resources and tools needed for their typical tasks. For example, you could grant an admin permissions to create user accounts and reset passwords, but not let them delete user accounts.

About administrator roles

Monitor activity on admin accounts

Set up admin email alerts

Monitor admin activity and track potential security risks by setting up admin email alerts for certain events, such as suspicious sign-in attempts, compromised mobile devices, or changes by another admin.

When you turn on an alert for an activity, you receive an email each time that activity happens.

Admin email alerts & system-defined rules

Review the Admin audit log

Use the Admin audit log to see a history of every task performed in the Google Admin console, which admin performed the task, the date, and the IP address where the admin signed in.

Activity from the super admin appears in the Event Description column as _SEED_ADMIN_ROLE, followed by the username.

Admin audit log

Prepare for admin account recovery

Add recovery options to admin accounts

Admins should add recovery options to their admin account.

If an admin forgets their password, they can click the Need help? link on the sign-in page and Google will send a new password via phone, text, or email. To do that, Google needs a recovery phone number and email address for the account.

Add account recovery information to your administrator account

Keep information on hand for password reset

If a super admin can’t reset their password using email or phone recovery options, and another super admin isn’t available to reset the password, they can use the recovery wizard.

To verify identity, Google asks questions about the organization’s account:

  • The date the account was created.
  • Original secondary email address associated with the account (email used to sign up).
  • Google order number associated with the account (if applicable).
  • Number of user accounts created.
  • Billing address linked to the account.
  • Type of credit card used and its last 4 digits.

Google also asks the admin to verify the DNS ownership of the domain, so the admin needs to have the credentials to edit the domain DNS settings with their registrar.

Reset your administrator password–If email and phone options aren't available

Enroll a spare security key

Admins should enroll more than one security key for their admin account and store it in a safe place. If their primary security key is lost or stolen, they can still sign in to their account.

Add a security key to your account

Save backup codes ahead of time

If an admin loses their security key or phone (where they receive a 2SV verification code or Google prompt), they can use a backup code to sign in.

Admins should generate and print backup codes in case they’re needed. Keep backup codes in a secure location.

Generate and print backup codes

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false