This document describes how to sanitize existing Gmail accounts by
deliberately removing any corporate email addresses from them. If your company
hasn't been using
it's possible that some of your employees have been using Gmail
accounts to access Google services. Some of these Gmail accounts might
use a corporate email address such as
firstname.lastname@example.org as an
alternate email address.
Consider sanitizing a Gmail account if either of the following conditions is true:
- You want the owner of the Gmail account to switch to a managed user account.
- You want the Gmail account to stop using a corporate email address as an alternate address. This might be because the account belongs to a former employee or because you don't recognize the owner of the account.
Removing the corporate email address from a Gmail account can mitigate
a social engineering risk: if a Gmail account uses a seemingly
trustworthy email address
email@example.com as an alternate address, then the owner of the account
might be able to convince employees or business partners to grant them access to
resources they shouldn't be allowed to access.
Before you begin
To sanitize a Gmail account, you must meet all of the following prerequisites:
- You have identified a suitable onboarding plan and have completed all activities that your plan defines as prerequisites for consolidating your existing user accounts.
- You have created a Cloud Identity or Google Workspace account.
Each Gmail account that you plan to sanitize must meet the following criteria:
- One of the alternate email addresses of the Gmail account corresponds to one of the domains that you've added to your Cloud Identity or Google Workspace account. Both primary and secondary domains qualify, but alias domains are not supported.
Sanitizing Gmail accounts works like migrating consumer accounts, but it is based on the idea that you deliberately create a conflicting account.
The following diagram illustrates the process. Rectangular boxes on the Administrator side denote actions that a Cloud Identity or Google Workspace administrator takes; rectangular boxes on the User account owner side denote actions that only the owner of a consumer account can perform.
The sequence of steps differs slightly depending on whether you want the owner of the Gmail account to switch to a managed user account or whether you simply want the account to give up its corporate email address.
Encouraging a switch to a managed account
If you want a user to switch to a managed account, create a user account for
that user in Cloud Identity or Google Workspace. For the primary
email address, use the email address that's used as an alternate email address
by the Gmail account. For example, if the Gmail user
firstname.lastname@example.org as an alternate email address, use
email@example.com as the primary email address for the Cloud Identity or
Google Workspace user.
The owner of the affected account has two ways to sign in—by using the Gmail address or by using the corporate email address. If the owner signs in by using the Gmail address, they see the following message, indicating that the corporate email address has been disassociated from the user account:
The account owner sees this message only once. If the owner instead signs in by using the corporate email address, they see a ballot screen:
If they select Organizational Google Workspace account, they must authenticate using the credentials of the newly created user account in Cloud Identity or Google Workspace. If they use an external IdP, this process involves single sign-on. Because the user account in Cloud Identity or Google Workspace is new, none of the Gmail account's data is transferred.
If they select Individual Google account, they continue with their Gmail account, but they see the following message indicating that the corporate email address is being disassociated from the user account:
After confirming, they are shown another message:
Forcing an account to give up its corporate email address
You can force an account to give up its corporate email address as follows:
- Create a user account in Cloud Identity or Google Workspace that has the corresponding corporate email address. Because you don't want the managed user account to ever be used, assign a random password.
- Delete the user account that you just created.
By creating a conflicting account and immediately deleting the managed account, you leave the consumer account in a state where the owner has to rename the account.
The owner of the affected account has two ways to sign in—by using the Gmail address or by using the corporate email address:
If the owner signs in by using the Gmail address, they see the following message, indicating that the corporate email address has been disassociated from the user account:
If they instead sign in by using the corporate email address, they see the following message:
After confirming, they are shown another message:
All configuration and data that was created by using this consumer account is unaffected by the renaming process. But for subsequent attempts to sign in, the user must use the Gmail address because the corporate address is no longer associated with the user account.
We recommend the following best practices when you are sanitizing Gmail accounts:
- Prevent other users from assigning a corporate email address to their Gmail accounts by proactively provisioning user accounts to Cloud Identity or Google Workspace.
Prevent new Gmail accounts from being granted access to Google Cloud resources by using an organizational policy to restrict identities by domain.
Prevent Gmail accounts from being given access to Google Marketing Platform by using a policy that restricts members by domain.