Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus.
Multi-party approval protects against malicious actions in the Google Admin console by requiring any sensitive settings changes to be approved by either a super administrator or an admin with privileges to both perform the protected action and delegate privileges for reviewing Multi-party approval for that action.
Before you begin
Multi-party approval settings
You can turn Multi-party approval on or off for these Admin console settings:
- 2-Step Verification
- Account recovery
- Advanced Protection
- Google session control
- Login challenges
- Passwordless (beta)
- SSO with third-party IdP
- Domain-wide delegation
- Context-Aware Access
- Calendar third party archiving
- Calendar sharing
- Calendar general settings
For instructions about turning Multi-party approval on or off, go to Turn Multi-party approval on or off on this page.
Note: Apps and services can also access certain Admin console settings through APIs. Separate Multi-party approvals protect sensitive actions performed through public API calls.
Multi-party approval in reseller domains
If Multi-party approval is turned on in a resold customer’s domain, and a reseller admin tries to update a sensitive setting, the request for approval is sent to the resold admins only, and only the resold admins can approve, deny, or view the request.
Step 1: Assign admin privileges to review Multi-party approval requests
Super administrators can grant other admins the privileges that are necessary to review and approve Multi-party approval requests.
- Create a custom admin role that includes the Multi-party approval privileges you want admins to have.
Tip: Some Admin console actions require being a super administrator (for example, turning 2SV on or off). If Multi-party approval is turned on for one of these actions, you will need a second super admin to review associated Multi-party approval requests. For details about creating a new super admin, go to Make a user a super admin.
- Assign the custom administrator role that you created in step 1 to one or more admins.
For details about how to assign an admin to a specific role, go to Assign specific admin roles.
- Save the role configuration you assigned in step 2.
Step 2: Turn Multi-party approval on or off
You must be signed in as a super administrator for this task.
Use Multi-party approval settings in the Admin console to turn the feature on or off for your organization, for individual Admin console security settings, and for public APIs that can access security settings.
- Sign in with a super administrator account to the Google Admin console.
If you aren’t using a super administrator account, you can’t complete these steps.
- In the Admin console, go to Menu > Security > Authentication > Multi-party approval settings.
- To turn Multi-party approval on or off for your organization, click Multi-party approval settings, check or uncheck the Require multi party approval for sensitive actions box, and then click Save.
Note: If you turn Multi-party approval for your organization off from an on state:
- Pending requests remain active for the normal period of time until they are approved, denied, canceled, or expire.
- New settings changes that involve sensitive admin actions do not create Multi-party approval requests, even if Multi-party approval is turned on for that individual setting.
- To turn Multi-party approval on or off for one or more individual settings, click Multi-party approval for security settings, check or uncheck the box associated with each setting that you want to turn Multi-party approval on or off for, and then click Save.
Note: If Multi-party approval is turned on for an individual setting, changes made to the setting in the Admin console only create a Multi-party approval request when Multi-party approval is also turned on for the organization.
- To turn Multi-party approval on or off for public APIs that can access security settings, click Multi-party approval for API access to security settings, check or uncheck the SSO with third-party IDPs box, and then click Save.
Step 3: View, approve, or cancel a request
Either the requester or the approver can view pending or past requests on the Multi-party approval page. Clicking a request in the Requests submitted tab displays a details page for that request. On the request details page, requesters can cancel their request, and approvers can approve or deny the request.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- In the Admin console, go to Menu > Security > Authentication > Multi-party approval.
You can view requests that you created, as well as requests from others that you became authorized to review by having privileges both to perform the same Admin console action and to review Multi-party approval requests. Request details include the request status, the requester’s name, the date the request was created, the setting change being requested, and the request’s expiration date.
- To view details on a specific request, click its link in the Action column at the left.
- The requester details page includes an option to cancel the request.
- The approver details page includes options to approve or deny the request.
- Click Multi-party approval at the left to return to the approval list page.
Privileges for sensitive Admin console actions and change request reviews
To view requests for Multi-party approval of sensitive Admin console actions, you must have either the action-level privilege listed in the table below or the Can review Multi-Party Approvals for all sensitive actions privilege.
Admin console action | Role or privilege needed to perform the action | Role or privilege needed to review a Multi-party approval request for the action |
---|---|---|
2-Step Verification | Super admin role | Super admin role |
Account Recovery Settings | Super admin role | Super admin role |
Google session control | Security > Control security settings read and write | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review Security actions |
Advanced Protection Program | Security > Control security settings read and write | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review Security actions |
Login Challenges | Security > Control security settings read and write | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review Security actions |
Passwordless | Security > Control security settings read and write | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review Security actions |
Domain-wide delegation | Super admin role | Super admin role |
SSO with third-party IDPs | Security > Control security settings read and write or Security > Control inbound sso settings read and write | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review Security actions |
Context-Aware Access | Services > Data Security > Access Level Management | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review Security actions |
Calendar Third Party Archiving | Third Party Archiving > Manage Third Party Archiving Settings | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review calendar actions |
Calendar Sharing | Calendar > All Settings > Manage settings | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review calendar actions |
Calendar General Settings | Calendar > All Settings > Manage settings | Multi Party Approval > Can review Multi-party Approvals for all sensitive actions or Multi Party Approval > Review calendar actions |
More about Multi-party approval roles & privileges
- Only super admins can give other admins Multi-party approval privileges and update Multi-party approval settings in the Admin console.
- Admins who have submitted one or more requests for approval can view their requests in the Admin console.
- Super admins can view the privileges associated with the Multi-party approval Admin role.
- Admins can review requests submitted by other admins if they have privileges to review Multi-party approval requests and to change the settings that are under review. The review privilege alone is not enough.
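The rule that a reviewer needs both the perform privilege and a review privilege, and the Step 1 tip about needing a second super admin, can be checked against an admin inventory before turning the feature on. The following is an added example, not Google's code or an Admin SDK call: it models four rows of the table above, and the admin names and their privilege sets are constructed sample data.

```python
# Added example. Privilege names are copied from the table above; the admin
# inventory at the bottom is constructed sample data, not Google API output.
SUPER = "Super admin role"
SEC_RW = "Security > Control security settings read and write"
CAL_MANAGE = "Calendar > All Settings > Manage settings"
REVIEW_ALL = ("Multi Party Approval > Can review Multi-party Approvals "
              "for all sensitive actions")
REVIEW_SEC = "Multi Party Approval > Review Security actions"
REVIEW_CAL = "Multi Party Approval > Review calendar actions"

# action -> (privileges that allow performing it, privileges that allow reviewing it)
RULES = {
    "2-Step Verification": ({SUPER}, {SUPER}),
    "Domain-wide delegation": ({SUPER}, {SUPER}),
    "Login Challenges": ({SEC_RW}, {REVIEW_ALL, REVIEW_SEC}),
    "Calendar Sharing": ({CAL_MANAGE}, {REVIEW_ALL, REVIEW_CAL}),
}

def can_perform(privs, action):
    return SUPER in privs or bool(privs & RULES[action][0])

def can_review(privs, action):
    """A reviewer needs a perform privilege AND a review privilege for the action."""
    perform, review = RULES[action]
    return SUPER in privs or (bool(privs & perform) and bool(privs & review))

def coverage_gaps(admins):
    """Map each action to the requesters who have no *other* eligible reviewer."""
    gaps = {}
    for action in RULES:
        for name, privs in admins.items():
            if not can_perform(privs, action):
                continue
            if not any(can_review(p, action) for n, p in admins.items() if n != name):
                gaps.setdefault(action, []).append(name)
    return gaps

ADMINS = {  # constructed sample inventory
    "alice": {SUPER},
    "bob": {SEC_RW, REVIEW_SEC},
    "carol": {REVIEW_ALL},   # review privilege alone is not enough
    "dave": {CAL_MANAGE},    # can change Calendar settings, cannot review them
}

if __name__ == "__main__":
    for action, names in coverage_gaps(ADMINS).items():
        print(f"{action}: no second reviewer for {', '.join(names)}")
```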
How Multi-party approval works
In this example, Multi-party approval protects the sensitive action of changing 2SV settings.
- A Workspace super admin navigates to Security > Authentication > 2-Step verification settings and attempts to turn enforcement from On to Off.
- A pop-up box notifies the super admin that this action requires approval from another admin. The requester can optionally enter an explanatory message before sending the request for approval.
Note: If there's already a pending request to approve a settings change, any new request is temporarily blocked until the pending request is resolved. The admin whose request is blocked can view the conflicting request.
- The requesting super admin gets an email confirming that their request for approval has been submitted.
- The approver admin receives an emailed request for approval and opens a link to the Multi-party approval page in the Admin console, which shows details about:
- Who's requesting the change
- The current setting (before change) and the proposed setting (after change)
- Options to approve or deny the request
Note: If group-based role assignment is how an admin gains the privilege to perform a sensitive action or review Multi-party approval requests, they will not receive review requests via email. Admins can access the Multi-party approval page where all requests that they are authorized to review are listed.
- The approver admin reviews the request details, then either approves or denies the request.
- If the request is approved, the 2SV settings change is carried out without further action needed from the requesting admin.
- If the approver admin takes no action, the request expires in 3 days.
- The original requester gets an email when the request is approved or denied, or if the request has expired with no action.