When you enforce 2-Step Verification, you can specify an enrollment period during which new users can sign in with just their passwords. It gives new employees time to enroll before enforcement is applied to their accounts.
If you change your organizational structure, you might move users from an organizational unit without enforcement to an organizational unit that enforces 2-Step Verification. Users who aren’t enrolled in 2-Step Verification won’t be able to sign in to their accounts.
You might also decide to enforce a different 2-Step Verification policy. Instead of allowing any 2-Step Verification method, you might disable the option for users to get 2-Step Verification codes via text message or voice call, or require that they use a security key. Users who don’t comply with the new policy will be locked out of their accounts.
To avoid account lockouts, put users in a configuration group where 2-Step Verification isn’t enforced until they can enroll.
Step 1: Create an exempt from 2-Step Verification group
- Create the group in the Admin console or Google Cloud Directory Sync and add the users who aren’t required to use 2-Step Verification to the group. For the steps, go to Create a group in your organization.
Step 2: Turn off enforcement for the group
In the Admin console, go to Menu > Security > Authentication > 2-step verification.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
- In the Groups section, enter the name of the configuration group that you created.
If you don’t find your group, it might have been created in Google Groups. Configuration groups must be created in the Admin console, Directory API, or Google Cloud Directory Sync.
- Let users turn on 2-Step Verification and use any verification method, but don't require 2-Step Verification yet. Check the Allow users to turn on 2-Step Verification box and select Enforcement > Off.
- Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.
Step 3: Move enrolled users out of the group
In the Admin console, go to Menu > Reporting > User Reports > Security.
You see which users are enrolled in 2-Step Verification. This data could be delayed up to 48 hours. To view real-time 2-Step Verification status for each user, go to Manage a user’s security settings.
- When a member of the Exempt from 2-Step Verification group enrolls in 2-Step Verification, remove them from the group and move them into the appropriate organizational unit.
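The review in Step 3 can be scripted. The following is an added example, not part of the original article or Google's tooling: it takes user records shaped like Directory API user resources (`primaryEmail`, `orgUnitPath`, `isEnrolledIn2Sv`) plus the exempt group's member list, and reports who can leave the group and who is unenrolled in an enforced organizational unit without an exemption. The sample data, the function names, and the rule that child organizational units inherit enforcement with no override are assumptions.

```python
# Constructed sample data shaped like Directory API user resources.
# These are not real accounts.
SAMPLE_USERS = [
    {"primaryEmail": "ana@example.com", "orgUnitPath": "/Staging", "isEnrolledIn2Sv": True},
    {"primaryEmail": "bo@example.com", "orgUnitPath": "/Staging", "isEnrolledIn2Sv": False},
    {"primaryEmail": "cy@example.com", "orgUnitPath": "/Engineering", "isEnrolledIn2Sv": False},
    {"primaryEmail": "di@example.com", "orgUnitPath": "/Engineering/SRE", "isEnrolledIn2Sv": True},
    {"primaryEmail": "ed@example.com", "orgUnitPath": "/Engineering/SRE", "isEnrolledIn2Sv": False},
]
# Constructed membership of the exempt configuration group.
EXEMPT_GROUP_MEMBERS = {"ana@example.com", "bo@example.com", "cy@example.com"}
# Assumption: organizational units where 2-Step Verification is enforced.
ENFORCED_OUS = ["/Engineering"]


def in_enforced_ou(org_unit_path, enforced_ous):
    """True if the path is an enforced OU or a descendant of one.

    Assumes child OUs inherit enforcement and none override it.
    """
    return any(
        org_unit_path == ou or org_unit_path.startswith(ou.rstrip("/") + "/")
        for ou in enforced_ous
    )


def plan_exempt_group_cleanup(users, exempt_members, enforced_ous):
    """Sort users into the actions Step 3 calls for.

    remove_from_group: exempt members who have enrolled and can be moved out.
    keep_exempt:       exempt members who still need time to enroll.
    lockout_risk:      unenrolled users in an enforced OU with no exemption.
    """
    exempt = {member.lower() for member in exempt_members}
    plan = {"remove_from_group": [], "keep_exempt": [], "lockout_risk": []}
    for user in users:
        email = user["primaryEmail"].lower()
        enrolled = bool(user.get("isEnrolledIn2Sv", False))
        if email in exempt:
            plan["remove_from_group" if enrolled else "keep_exempt"].append(email)
        elif not enrolled and in_enforced_ou(user["orgUnitPath"], enforced_ous):
            plan["lockout_risk"].append(email)
    return {action: sorted(emails) for action, emails in plan.items()}


if __name__ == "__main__":
    for action, emails in plan_exempt_group_cleanup(
            SAMPLE_USERS, EXEMPT_GROUP_MEMBERS, ENFORCED_OUS).items():
        print(f"{action}: {', '.join(emails) or '-'}")
```

Run the same check before moving users into an enforced organizational unit: anyone who would land in `lockout_risk` should be added to the exempt group first.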