Before you begin
To prepare your Cloud Identity or Google Workspace account, you must do the following:
- Select a target architecture for your production deployment based on our reference architectures.
- Identify whether you need one or more additional Cloud Identity or Google Workspace accounts for production or staging purposes. For details on identifying the right number of accounts to use, see Best practices for planning accounts and organizations.
- Identify a suitable onboarding plan and have completed all the activities that your plan defines as prerequisites for consolidating your existing user accounts.
For each Cloud Identity or Google Workspace account that you must create, make sure of the following:
- You have selected the DNS domain name to use as the primary domain name. This domain name determines the name of the associated Google Cloud organization. You can use a neutral domain name as the primary domain name.
- You have selected any secondary DNS domain names that you want to add to the account. Make sure that you don't exceed a total of 600 domains per account.
To complete the sign-up process for a new Cloud Identity or Google Workspace account, you also need the following information:
- A contact phone number and email address. Google uses this phone number and address to contact you in case of problems with your account.
An email address for the first super-admin user account. The email address must use the primary DNS domain and must not be used by an existing consumer account.
If you plan to set up federation later, select an email address that maps to a user in your external identity provider (IdP).
Creating a new Cloud Identity or Google Workspace account might require collaboration between multiple teams and stakeholders in your organization. These might include the following:
- DNS administrators. To verify primary and secondary DNS domains, you need administrative access to both DNS zones.
- If you use an external IdP, the administrators of your external IdP.
- Future administrators of the Google Cloud organization.
Process for preparing an account
The following flowchart illustrates the process of preparing your Cloud Identity or Google Workspace account. As the two sides of the diagram indicate, the process might require collaboration between different teams.
Sign up for Cloud Identity or Google Workspace. During the sign-up process, you must provide a contact phone number and email address, the primary domain that you want to use, and the username for the first super-admin user account.
Verify the ownership of your primary domain by creating either a TXT or CNAME record in the corresponding DNS zone of your DNS server.
Add any secondary domains to the Cloud Identity or Google Workspace account.
Verify ownership of the secondary domains by creating either TXT or CNAME records in the corresponding DNS zones of your DNS server.
Protect your account by configuring security settings.
Create a default configuration for user accounts.
Securing access to your account
During the sign-up process, you create a first user in your Cloud Identity or Google Workspace account. This user account is assigned super-admin privileges and has full access to the Cloud Identity or Google Workspace account.
You need super-admin privileges in order to complete the initial configuration of your Cloud Identity or Google Workspace account. After you've completed the initial configuration, occurrences where you need super-admin privileges will be rare—but to ensure business continuity, it's important that you and other authorized personnel maintain super-admin access to the Cloud Identity or Google Workspace account:
To ensure this access, do the following:
- Select a group of administrators that should have super-admin access to the Cloud Identity or Google Workspace account. It's best to keep the number of users small.
- Create a set of dedicated super-admin user accounts for each administrator.
- Enforce Google 2-step authentication for these users and require them to create backup codes so that they maintain access even if they lose their phone or USB key.
- Instruct administrators to use the super-admin accounts only when necessary, and discourage everyday use of those accounts.
For details on how to keep super-admin users secure, see Super administrator account best practices. And to make sure your account is properly secured, follow our Security checklist for medium and large businesses.
Configuring default settings for user accounts
Cloud Identity and Google Workspace support a number of settings that help you keep user accounts secure:
- Enforcing 2-step verification.
- Controlling who can access Google Workspace and Google services.
- Allowing or disallowing access to apps that are less secure.
- Assigning licenses for Cloud Identity Premium or Google Workspace.
- Choosing a geographic location for your data and controlling supplemental data storage (Google Workspace only).
To minimize administrative effort, it's best to configure these settings so that they are applied by default to new users. You can configure default settings on the following levels:
- Global: A global setting applies to all users but has the lowest priority.
- Organizational unit (OU): A setting configured for an OU applies to all users in the OU and to descendant OUs, and it overrides a global setting.
- Group: A setting configured by group applies to all members of the group and overrides OU and global settings.
Creating an OU structure
By creating a structure of organizational units, you can segment the user accounts of your Cloud Identity or Google Workspace account into discrete sets to make them easier to manage.
If you use Cloud Identity in combination with an external IdP, creating custom organizational units might not be necessary. Instead, you can use a combination of global and group-specific settings:
- Keep all user accounts in the default OU.
- To control who is allowed to access certain Google services, create
dedicated groups such as
Google Cloud Users and Google Ads Usersin your external IdP. Provision these groups to Cloud Identity and apply the right default settings to them. You can then control access by modifying group memberships in your external IdP.
If some or all of your users use Google Workspace, you are likely to require a custom OU structure because some of the Google Workspace–specific settings cannot be applied by group. If you use an external IdP, it's best to keep the OU structure simple, as follows:
- Create a basic OU structure that lets you automatically assign licenses, choose a geographic location for your data, and control supplemental data storage. For all other settings, we recommend that you apply settings by group.
- Configure your external IdP so that new users are automatically assigned to the right OU.
- Create dedicated groups such as
Google Cloud Users and Google Ads Usersin your external IdP. Provision these groups to Google Workspace and apply the right default settings to them. You can then control access by modifying group memberships in your external IdP.
Impact of the default OU on account migration
If you have identified existing consumer accounts that you plan to migrate to Cloud Identity or Google Workspace, the default OU plays a special role. If you migrate a consumer account to Cloud Identity or Google Workspace, that account is always placed into the default OU and not part of any groups.
To migrate a consumer account, you have to initiate an account transfer. This transfer has to be approved by the owner of the consumer account. As an administrator, you have limited control when the owner might give consent and you can therefore complete the transfer.
When the transfer is complete, all settings applied to the default OU take effect on the migrated user account. Make sure that these settings grant a base level of access to Google services so that the associated employee's ability to work is not impeded.
When you are preparing your Cloud Identity or Google Workspace account, follow these best practices:
- If you use an external IdP, then ensure that the users in Cloud Identity or Google Workspace are a subset of the identities in your external IdP.
- Consider shortening the default session length and session length used by Google Cloud. When you use an external IdP, make sure that you align the session length with your IdP.
- Export audit logs to BigQuery to retain them beyond the default retention period.
- To help keep your account safe, periodically review our security checklist for medium and large businesses.
- Read about how to consolidate your existing user accounts.