Preparing your G Suite or Cloud Identity account

This document describes how you can create a Cloud Identity or G Suite account and how you can prepare it for a production deployment.

Before you begin

To prepare your Cloud Identity or G Suite account, you must do the following:

For each Cloud Identity or G Suite account that you must create, make sure of the following:

To complete the sign-up process for a new Cloud Identity or G Suite account, you also need the following information:

  • A contact phone number and email address. Google uses this phone number and address to contact you in case of problems with your account.
  • An email address for the first super-admin user account. The email address must use the primary DNS domain and must not be used by an existing consumer account.

    If you plan to set up federation later, select an email address that maps to a user in your external identity provider (IdP).

Creating a new Cloud Identity or G Suite account might require collaboration between multiple teams and stakeholders in your organization. These might include the following:

  • DNS administrators. To verify primary and secondary DNS domains, you need administrative access to both DNS zones.
  • If you use an external IdP, the administrators of your external IdP.
  • Future administrators of the Google Cloud organization.

Process for preparing an account

The following flowchart illustrates the process of preparing your Cloud Identity or G Suite account. As the two sides of the diagram indicate, the process might require collaboration between different teams.

Preparing your Cloud Identity or G Suite account.

  1. Sign up for Cloud Identity or G Suite. During the sign-up process, you must provide a contact phone number and email address, the primary domain that you want to use, and the username for the first super-admin user account.

  2. Verify the ownership of your primary domain by creating either a TXT or CNAME record in the corresponding DNS zone of your DNS server.

  3. Add any secondary domains to the Cloud Identity or G Suite account.

  4. Verify ownership of the secondary domains by creating either TXT or CNAME records in the corresponding DNS zones of your DNS server.

  5. Protect your account by configuring security settings.

  6. Create a default configuration for user accounts.

Securing access to your account

During the sign-up process, you create a first user in your Cloud Identity or G Suite account. This user account is assigned super-admin privileges and has full access to the Cloud Identity or G Suite account.

You need super-admin privileges in order to complete the initial configuration of your Cloud Identity or G Suite account. After you've completed the initial configuration, occurrences where you need super-admin privileges will be rare—but to ensure business continuity, it's important that you and other authorized personnel maintain super-admin access to the Cloud Identity or G Suite account:

To ensure this access, do the following:

For details on how to keep super-admin users secure, see Super administrator account best practices. And to make sure your account is properly secured, follow our Security checklist for medium and large businesses.

Configuring default settings for user accounts

Cloud Identity and G Suite support a number of settings that help you keep user accounts secure:

To minimize administrative effort, it's best to configure these settings so that they are applied by default to new users. You can configure default settings on the following levels:

  1. Global: A global setting applies to all users but has the lowest priority.
  2. Organizational unit (OU): A setting configured for an OU applies to all users in the OU and to descendant OUs, and it overrides a global setting.
  3. Group: A setting configured by group applies to all members of the group and overrides OU and global settings.

Creating an OU structure

By creating a structure of organizational units, you can segment the user accounts of your Cloud Identity or G Suite account into discrete sets to make them easier to manage.

If you use Cloud Identity in combination with an external IdP, creating custom organizational units might not be necessary. Instead, you can use a combination of global and group-specific settings:

  • Keep all user accounts in the default OU.
  • To control who is allowed to access certain Google services, create dedicated groups such as Google Cloud Users and Google Ads Users in your external IdP. Provision these groups to Cloud Identity and apply the right default settings to them. You can then control access by modifying group memberships in your external IdP.

If some or all of your users use G Suite, you are likely to require a custom OU structure because some of the G Suite–specific settings cannot be applied by group. If you use an external IdP, it's best to keep the OU structure simple, as follows:

  • Create a basic OU structure that lets you automatically assign licenses, choose a geographic location for your data, and control supplemental data storage. For all other settings, we recommend that you apply settings by group.
  • Configure your external IdP so that new users are automatically assigned to the right OU.
  • Create dedicated groups such as Google Cloud Users and Google Ads Users in your external IdP. Provision these groups to G Suite and apply the right default settings to them. You can then control access by modifying group memberships in your external IdP.

Impact of the default OU on account migration

If you have identified existing consumer accounts that you plan to migrate to Cloud Identity or G Suite, the default OU plays a special role. If you migrate a consumer account to Cloud Identity or G Suite, that account is always placed into the default OU and not part of any groups.

To migrate a consumer account, you have to initiate an account transfer. This transfer has to be approved by the owner of the consumer account. As an administrator, you have limited control when the owner might give consent and you can therefore complete the transfer.

When the transfer is complete, all settings applied to the default OU take effect on the migrated user account. Make sure that these settings grant a base level of access to Google services so that the associated employee's ability to work is not impeded.

Best practices

When you are preparing your Cloud Identity or G Suite account, follow these best practices:

What's next