The steps in this article do not apply if Google has enforced 2-Step Verification on the admin account in your organization. To check the enforcement status on your account, go to Track users’ enrollment and add the 2-Step verification enforcement column. For more details, go to About 2SV enforcement for admins.
When you enforce 2-Step Verification (2SV), you can specify an enrollment period when new users can sign in with just their passwords. This period gives new employees time to enroll before enforcement is applied to their accounts. To avoid account lockouts, put users in a configuration group where 2SV isn’t enforced until they can enroll.
Important: Google enforces 2SV for administrator accounts. For details, go to About 2SV enforcement for admins.
How users get locked out of their account
- If you change your organizational structure and move users from an organizational unit without enforcement to an organizational unit that enforces 2SV, users who aren’t enrolled in 2SV won’t be able to sign in to their accounts.
- If you enforce a different 2SV policy, you might lock users out of their accounts. For example, say you allow users to get verification codes by text message and then change the policy to require them to use a security key. Users who don’t comply with the new policy will be locked out of their accounts.
- If users remove their last-known second step on their account, such as a phone number, they get a warning. If they don't add a new second step, they could be locked out of their account. If a user needs to re-add their last-known second step, tell them to review Turn on 2-Step Verification.
Important: A 2SV policy set on a child organizational unit always takes precedence over a configuration group setting. To ensure the configuration group exemption works, verify that any child organizational unit the user is part of isn't enforcing 2SV.
Step 1: Create an Exempt from 2-Step Verification group
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
- Create the group in the Admin console or Google Cloud Directory Sync and add the users who aren’t required to use 2SV to the group. For the steps, go to Create a group in your organization.
Step 2: Turn off 2SV enforcement for the group
Before you begin: To apply the setting for certain users, put their accounts in a configuration group.
- Sign in with a super administrator account to the Google Admin console.
  If you aren’t using a super administrator account, you can’t complete these steps.
- (Optional) To apply the setting only to some users, at the side, select a configuration group.
- Check the Allow users to turn on 2-Step Verification box and select Enforcement > Off.
- Click Save.
Step 3: Ask users to turn on 2SV
Ask users to turn on 2SV for their account. If they don't turn it on (enroll) before you move them out of the configuration group, they'll be locked out of their account. Tell users to follow the steps in Turn on 2-Step Verification.
Step 4: Move enrolled users out of the group
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Reporting > User Reports > Security.
  Requires having the Reports administrator privilege.
  You can review which users are enrolled in 2SV. This data could be delayed up to 48 hours. To view real-time 2SV status for each user, go to Manage a user’s security settings.
- When a member of the Exempt from 2-Step Verification group enrolls in 2SV, remove them from the Exempt from 2-Step Verification group and move them into the organizational unit where you're enforcing 2SV.
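The Step 4 review can also be scripted. The following is an added example, not part of the original article or Google's own tooling: it sorts members of the exemption group by whether they can be moved, must stay exempt, or are exposed to lockout because enforcement still applies to them (the child organizational unit case described above). It assumes user records shaped like Admin SDK Directory API user resources and that `isEnforcedIn2Sv` reflects the policy in effect for the user; the addresses, organizational unit paths and the function name are made up.

```python
# Constructed sample data shaped like Admin SDK Directory API user resources.
# primaryEmail, orgUnitPath, isEnrolledIn2Sv and isEnforcedIn2Sv are real
# fields of that resource; the addresses and OU paths are made up.
SAMPLE_USERS = [
    {"primaryEmail": "ana@example.com", "orgUnitPath": "/Staging",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "ben@example.com", "orgUnitPath": "/Staging",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "cy@example.com", "orgUnitPath": "/Staging/Finance",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "dee@example.com", "orgUnitPath": "/Enforced",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
]
# Constructed membership of the "Exempt from 2-Step Verification" group.
SAMPLE_EXEMPT = {"ana@example.com", "ben@example.com", "cy@example.com"}


def triage_exempt_group(users, exempt_members):
    """Sort exempt-group members into the actions Step 4 calls for.

    ready_to_move: enrolled, so safe to remove from the group and move
                   into the organizational unit that enforces 2SV.
    keep_exempt:   not enrolled yet; moving them now locks them out.
    override_risk: listed as exempt but enforcement still applies (for
                   example from a child organizational unit) and the user
                   is not enrolled, so the exemption is not protecting them.
    """
    result = {"ready_to_move": [], "keep_exempt": [], "override_risk": []}
    by_email = {u["primaryEmail"].lower(): u for u in users}
    for email in sorted(m.lower() for m in exempt_members):
        user = by_email.get(email)
        if user is None:
            continue  # group member without a user record (e.g. external)
        enrolled = bool(user.get("isEnrolledIn2Sv"))
        enforced = bool(user.get("isEnforcedIn2Sv"))
        if enrolled:
            result["ready_to_move"].append(email)
        elif enforced:
            result["override_risk"].append((email, user["orgUnitPath"]))
        else:
            result["keep_exempt"].append(email)
    return result


if __name__ == "__main__":
    for bucket, members in triage_exempt_group(SAMPLE_USERS, SAMPLE_EXEMPT).items():
        print(f"{bucket}: {members}")
```

Users reported under `override_risk` are the ones to check against the organizational unit precedence rule before anything else changes.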