Set up 2-Step Verification

Avoid account lockouts when 2-Step Verification is enforced

When you enforce 2-Step Verification (2SV), you can specify an enrollment period during which new users can sign in with just their passwords. It gives new employees time to enroll before enforcement is applied to their accounts.

If you’re changing your organizational structure, you might be moving users from an organizational unit without enforcement to an organizational unit that enforces 2SV. Users who aren’t enrolled in 2SV won’t be able to sign in to their accounts.

You might also decide to enforce a different 2SV policy. Instead of allowing any 2SV method, you might disable the option for users to get 2SV verification codes via text message or voice call, or require they use a security key. Users who don’t comply with the new policy will be locked out of their accounts.

You’ll need to put these users into an exception group where 2SV isn’t enforced until they can enroll.

Step 1: Create an exempt from 2SV exception group

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. Follow the instructions in Create a group in the admin console to create a group in your top-level organization called (for example) “Exempt from 2SV enforcement.”

    Note: If you use Google Cloud Directory Sync (GCDS) to synchronize your Microsoft® Active Directory® groups, create the group in Active Directory, add your users to this group, run GCDS to sync the group, and skip the next step.
  3. Add the users who aren’t required to use 2SV to the group. See Edit a group.

Step 2: Turn off enforcement for the exception group

  1. From the Admin console Home page, go to Securityand then2-Step Verification.

  2. Under 2-step verification, click Go to advanced settings to enforce 2-step verification.
  3. On the left, select your top-level organization.
  4. In the Group Filters section, click Select and find the group you created (Exempt from 2SV).
  5. Click Done.
  6. Select Turn off enforcement and click Save.

Step 3: Make sure enforcement is on for administrator groups

  1. In the Group Filters section, click No admin groups selected.

  2. Select Turn on enforcement now and click Save.

Step 4: Move enrolled users out of the exception group

  1. From the Admin console Home page, go to Reports.
  2. On the left, click Users > Security to see which users are enrolled in 2SV.
    This data could be delayed up to 48 hours. To view real-time 2SV status for each user, see Manage a user’s security settings.
  3. When a member of the Exempt from 2SV exception group enrolls in 2SV, remove them from the exception group and move them into the appropriate organization.


Was this helpful?
How can we improve it?