Set up 2-Step Verification

Avoid account lockouts when 2-Step Verification is enforced by your admin

The steps in this article do not apply if Google has enforced 2-Step Verification on the admin account in your organization. To check the enforcement status on your account, go to Track users’ enrollment and add the 2-Step verification enforcement column. For more details, go to Important: 2SV soon required for admin accounts.

When you enforce 2-Step Verification, you can specify an enrollment period during which new users can sign in with just their passwords. It gives new employees time to enroll before enforcement is applied to their accounts.

If you change your organizational structure, you might move users from an organizational unit without enforcement to an organizational unit that enforces 2-Step Verification. Users who aren’t enrolled in 2-Step Verification won’t be able to sign in to their accounts.

You might also decide to enforce a different 2-Step Verification policy. Instead of allowing any 2-Step Verification method, you might disable the option for users to get 2-Step Verification verification codes via text message or voice call, or require they use a security key. Users who don’t comply with the new policy will be locked out of their accounts.

To avoid account lockouts, put users in a configuration group where 2-Step Verification isn’t enforced until they can enroll.

Step 1: Create an exempt from 2-Step Verification group

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Create the group in the Admin console or Google Cloud Directory Sync and add the users who aren’t required to use 2-Step Verification to the group. For the steps, go to Create a group in your organization.

Step 2: Turn off enforcement for the group

  1. In the Admin console, go to Menu and then Securityand thenAuthenticationand then2-step verification.

  2. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
  3. In the Groups section, enter the name of the configuration group that you created.
    If you don’t find your group, it might have been created in Google Groups. Configuration groups must be created in the Admin console, Directory API, or Google Cloud Directory Sync.
  4. Let users turn on 2-Step Verification and use any verification method, but don't require 2-Step Verification yet. Check the Allow users to turn on 2-Step Verification box and select Enforcementand thenOff.
  5. Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.

Step 3: Move enrolled users out of the group

  1. In the Admin console, go to Menu and then Reportingand thenUser Reportsand thenSecurity.

    You see which users are enrolled in 2-Step Verification. This data could be delayed up to 48 hours. To view real-time 2-Step Verification status for each user, go to Manage a user’s security settings

  2. When a member of the Exempt from 2-Step Verification group enrolls in 2-Step Verification, remove them from the group and move them into the appropriate organizational unit.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
4595248554657981708
true
Search Help Center
true
true
true
false
false