Sanitizing Gmail accounts

This document describes how to sanitize existing Gmail accounts by deliberately removing any corporate email addresses from them. If your company hasn't been using Cloud Identity or G Suite, it's possible that some of your employees have been using Gmail accounts to access Google services. Some of these Gmail accounts might use a corporate email address such as alice@example.com as an alternate email address.

Consider sanitizing a Gmail account if either of the following conditions is true:

  • You want the owner of the Gmail account to switch to a managed user account.
  • You want the Gmail account to stop using a corporate email address as an alternate address. This might be because the account belongs to a former employee or because you don't recognize the owner of the account.

Removing the corporate email address from a Gmail account can mitigate a social engineering risk: if a Gmail account uses a seemingly trustworthy email address like alice@example.com as an alternate address, then the owner of the account might be able to convince employees or business partners to grant them access to resources they shouldn't be allowed to access.

Before you begin

To sanitize a Gmail account, you must meet all of the following prerequisites:

Each Gmail account that you plan to sanitize must meet the following criteria:

  • One of the alternate email addresses of the Gmail account corresponds to one of the domains that you've added to your Cloud Identity or G Suite account. Both primary and secondary domains qualify, but alias domains are not supported.

Process

Sanitizing Gmail accounts works like migrating consumer accounts, but it is based on the idea that you deliberately create a conflicting account.

The following diagram illustrates the process. Rectangular boxes on the Administrator side denote actions that a Cloud Identity or G Suite administrator takes; rectangular boxes on the User account owner side denote actions that only the owner of a consumer account can perform.

The sanitizing process.

The sequence of steps differs slightly depending on whether you want the owner of the Gmail account to switch to a managed user account or whether you simply want the account to give up its corporate email address.

Encouraging a switch to a managed account

If you want a user to switch to a managed account, create a user account for that user in Cloud Identity or G Suite. For the primary email address, use the email address that's used as an alternate email address by the Gmail account. For example, if the Gmail user bob@gmail.com has specified bob@example.com as an alternate email address, use bob@example.com as the primary email address for the Cloud Identity or G Suite user.

The owner of the affected account has two ways to sign in—by using the Gmail address or by using the corporate email address. If the owner signs in by using the Gmail address, they see the following message, indicating that the corporate email address has been disassociated from the user account:

Message that your account has changed.

The account owner sees this message only once. If the owner instead signs in by using the corporate email address, they see a ballot screen:

Ballot screen.

If they select Organizational G Suite account, they must authenticate using the credentials of the newly created user account in Cloud Identity or G Suite. If they use an external IdP, this process involves single sign-on. Because the user account in Cloud Identity or G Suite is new, none of the Gmail account's data is transferred.

If they select Individual Google account, they continue with their Gmail account, but they see the following message indicating that the corporate email address is being disassociated from the user account:

Address gets disassociated.

After confirming, they are shown another message:

Message showing that the primary address has changed.

Forcing an account to give up its corporate email address

You can force an account to give up its corporate email address as follows:

  1. Create a user account in Cloud Identity or G Suite that has the corresponding corporate email address. Because you don't want the managed user account to ever be used, assign a random password.
  2. Delete the user account that you just created.

By creating a conflicting account and immediately deleting the managed account, you leave the consumer account in a state where the owner has to rename the account.

The owner of the affected account has two ways to sign in—by using the Gmail address or by using the corporate email address:

  • If the owner signs in by using the Gmail address, they see the following message, indicating that the corporate email address has been disassociated from the user account:

    Corporate email address has been disassociated from the user account.

  • If they instead sign in by using the corporate email address, they see the following message:

    Message after signing in with corporate email address.

    After confirming, they are shown another message:

    New primary address.

    All configuration and data that was created by using this consumer account is unaffected by the renaming process. But for subsequent attempts to sign in, the user must use the Gmail address because the corporate address is no longer associated with the user account.

Best practices

We recommend the following best practices when you are sanitizing Gmail accounts:

What's next