Evicting consumer accounts

If you haven't been using Cloud Identity or Google Workspace, it's possible that your organization's employees have been using consumer accounts to access Google services. Some of these consumer accounts might use a corporate email address such as alice@example.com as a primary or alternate email address.

This document describes how you can evict, or get rid of, these types of consumer accounts by removing the corporate email address from them. Although the consumer accounts will still exist, removing the corporate email address helps you mitigate a social engineering risk—as long as a consumer account has a seemingly trustworthy email address like alice@example.com, the owner of the account might be able to convince current employees or business partners to grant them access to resources they should not be allowed to access.

Alternatively, by migrating consumer accounts, you can keep these accounts and turn them into managed accounts. But there might be some accounts that you don't want to migrate, such as the following:

  • Consumer accounts that are used by former employees.
  • Consumer accounts that are used by employees that are not supposed to access Google services.
  • Consumer accounts for which you cannot recognize the owner.

Before you begin

To evict offending consumer accounts, you must satisfy the following prerequisites:

The primary or alternate email address of the consumer account must correspond to one of the domains that you have added to your Cloud Identity or Google Workspace account. Both primary and secondary domains qualify, but alias domains are not supported.

Process

Evicting unwanted consumer accounts works similarly to migrating consumer accounts, but it is based on deliberately creating a conflicting account. The following diagram illustrates the process. Boxes on the Administrator side denote actions a Cloud Identity or Google Workspace administrator takes; rectangular boxes on the User account owner side denote actions only the owner of a consumer account can perform.

Process for evicting unwanted consumer accounts.

Finding unmanaged user accounts

You can use the transfer tool for unmanaged users to find consumer accounts that use a primary email address that matches one of the verified domains of your Cloud Identity or Google Workspace account.

Creating a conflicting account

When you have identified a consumer account that you want to evict, do the following:

  1. Create a user account in Cloud Identity or Google Workspace that has the same corporate email address as the account you want to evict.

    If the consumer account uses the corporate email address as the primary email address, the Admin Console warns you about an impending conflict. Because you are intentionally creating the conflicting account, select Create new user.

    Warning that user already exists.

    Because you don't want the managed user account to ever be used, assign a random password.

  2. Delete the user account that you just created.

By creating a conflicting account and immediately deleting it, you force the owner to rename that user account. But you avoid that owner being shown a ballot screen that prompts them to choose between the managed and consumer account.

Renaming the user account

For the owner of the evicted user account, the next time they sign in, they see the following message:

Evicted owner sees the message that their account has changed.

As the screenshot suggests, they have three options for proceeding:

  • Convert the user account into a Gmail account.
  • Associate a different email address with the account.
  • Postpone the rename. This causes the user account to use a temporary gtempaccount.com email address in the meantime.

All configuration and data that was created by using this consumer account is unaffected by the rename.

Best practices

We recommend the following best practices when you evict unwanted consumer accounts:

What's next