If your organization isn't already using Cloud Identity or Google Workspace, some of your employees might be using consumer accounts to access Google services. A consumer account is owned and managed by the individual who created the account. Your organization therefore has no control over the configuration, security, and lifecycle of these consumer accounts.
This document describes how to consolidate existing consumer accounts so that you achieve the following results:
- Only managed user accounts are used to access Google services.
- Your organization has full control over the configuration, security, and lifecycle of user accounts.
- If you use an external IdP, all user accounts have a matching identity in your external identity provider (IdP) and can be used for single sign-on.
Before you begin
Before you consolidate your consumer accounts, make sure that you identify a suitable onboarding plan and complete the prerequisites for consolidating your existing user accounts.
When you consolidate existing user accounts, you might need to collaborate between multiple teams and stakeholders in your organization, including the following:
- Administrators of your external IdP, if you use one.
- Administrators of your email system.
- Users responsible for managing access to Google services used in your organization, such as Google Marketing Platform, Google Ads, or Google Play.
If you use separate Cloud Identity or Google Workspace organizations for staging and production, we recommend that you perform a test run of the consolidation process first:
- For each class of existing consumer accounts that you need to consolidate, create a test user account that uses a similar configuration. When you assign email addresses to these test user accounts, choose email addresses that match one of the domains of your staging account.
- Perform the consolidation process by using the test user accounts and your staging Google Workspace or Cloud Identity account.
Performing a test run lets you familiarize yourself with the process before you apply it in your production environment. It also helps you identify potential issues before you apply them to thousands of users.
The consolidation process consists of the following streams:
- Migrating consumer accounts to Cloud Identity or Google Workspace.
- Evicting consumer accounts that you don't want to keep.
- Identifying and removing access for Gmail accounts.
- Sanitizing Gmail accounts that use a corporate email address as an alternate address.
Depending on the sets of existing accounts that you have identified, some of these streams might not apply to you.
The following flow chart illustrates the consolidation process. The streams, indicated by parallel lines, are independent of one another so you can do them in parallel.
The diagram shows this flow:
- Identify a set of consumer accounts to migrate. If you have a large number of consumer accounts, it's best to do the migration in batches. Start with a small batch of approximately 10 users, and then make your batches larger in subsequent migrations.
Announce to affected users your intent to transfer consumer accounts. Make sure that users understand both the importance and consequences of accepting or declining a transfer request.
For an example of what an announcement email message might look like, see Advance communication for user account migration.
Migrate the selected consumer accounts by using the transfer tool for unmanaged users. This process is described in more detail in Migrating consumer accounts.
Wait for most of the users (a quorum) to accept or decline transfer requests, and resend transfer requests if necessary. You can see a user has responded by looking at the transfer tool for unmanaged users.
If you're using an external IdP, some of the migrated user accounts might end up without a matching identity in the external IdP. Reconcile these orphaned managed user accounts to ensure that all managed user accounts have a matching identity in the external IdP.
Evict all consumer accounts that you don't want to migrate.
Search your Identity and Access Management (IAM) policies for Gmail accounts (search for
*@gmail.comentries). Revoke access to these accounts and provide affected users with managed user accounts as replacements. In order to minimize impact on users, make sure that these managed user accounts have the same or similar access to resources as previous Gmail accounts.
If there are Gmail accounts that use a corporate email address as their alternate email address, sanitize these Gmail accounts.
We recommend the following best practices when you are consolidating existing user accounts:
- If you are migrating from an external email system to Google Workspace, remember that consumer accounts might use an email address that is also subject to migration. To ensure that the owners of these consumer accounts continue to receive email, don't change DNS MX records until after you migrate all affected consumer accounts.
- After you complete the consolidation, consider provisioning all users and limiting authentication by single sign-on to block new consumer account sign-ups.
- Find out how to migrate consumer accounts and how to evict unwanted consumer accounts.
- Learn how you can sanitize Gmail accounts.
- See how to reconcile orphaned managed user accounts.