Set up 2-Step Verification

Avoid account lockouts when 2-Step Verification is enforced

When you enforce 2-Step Verification, you can specify an enrollment period during which new users can sign in with just their passwords. It gives new employees time to enroll before enforcement is applied to their accounts.

If you change your organizational structure, you might move users from an organizational unit without enforcement to an organizational unit that enforces 2-Step Verification. Users who aren’t enrolled in 2-Step Verification won’t be able to sign in to their accounts.

You might also decide to enforce a different 2-Step Verification policy. Instead of allowing any 2-Step Verification method, you might disable the option for users to get 2-Step Verification verification codes via text message or voice call, or require they use a security key. Users who don’t comply with the new policy will be locked out of their accounts.

You’ll need to put these users into an exception group where 2-Step Verification isn’t enforced until they can enroll.

Step 1: Create an exempt from 2-Step Verification exception group

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Create the group in the Admin console or Google Cloud Directory Sync. 
  3. Add the users who aren’t required to use 2-Step Verification to the group.  

Step 2: Turn off enforcement for the exception group

  1. From the Admin console Home page, go to Securityand then2-Step Verification.

  2. On the left, select your top-level organization.
  3. In the Groups section, enter the name of exception group you created.
  4. Let users turn on 2-Step Verification and use any verification method, but don't require 2-Step Verification yet. Check Allow users to turn on 2-Step Verification and select Enforcement > Off.

Step 3: Move enrolled users out of the exception group

  1. From the Admin console Home page, go to Reports.
  2. On the left, click Users > Security to see which users are enrolled in 2-Step Verification.
    This data could be delayed up to 48 hours. To view real-time 2-Step Verification status for each user, see Manage a user’s security settings.
  3. When a member of the Exempt from 2-Step Verification exception group enrolls in 2-Step Verification, remove them from the exception group and move them into the appropriate organization.
Was this helpful?
How can we improve it?