Last reviewed 2024-07-11 UTC
If your organization isn't already using Cloud Identity or Google Workspace, some of your employees might be using consumer accounts to access Google services. A consumer account is owned and managed by the individual who created the account. Your organization therefore has no control over the configuration, security, and lifecycle of these consumer accounts.
This document describes how to consolidate existing consumer accounts so that you achieve the following results:

- Only managed user accounts are used to access Google services.
- Your organization has full control over the configuration, security, and lifecycle of user accounts.
- If you use an external IdP, all user accounts have a matching identity in your external identity provider (IdP) and can be used for single sign-on.
Before you begin
Before you consolidate your consumer accounts, make sure that you identify a suitable onboarding plan and complete the prerequisites for consolidating your existing user accounts.

When you consolidate existing user accounts, you might need to collaborate between multiple teams and stakeholders in your organization, including the following:

- Administrators of your external IdP, if you use one.
- Administrators of your email system.
- Users responsible for managing access to Google services used in your organization, such as Google Marketing Platform, Google Ads, or Google Play.
If you use separate Cloud Identity or Google Workspace organizations for staging and production, we recommend that you perform a test run of the consolidation process first:

- For each class of existing consumer accounts that you need to consolidate, create a test user account that uses a similar configuration. When you assign email addresses to these test user accounts, choose email addresses that match one of the domains of your staging account.
- Perform the consolidation process by using the test user accounts and your staging Google Workspace or Cloud Identity account.

Performing a test run lets you familiarize yourself with the process before you apply it in your production environment. It also helps you identify potential issues before you apply the process to thousands of users.
Consolidation process
The consolidation process consists of the following streams:

- Migrating consumer accounts to Cloud Identity or Google Workspace.
- Evicting consumer accounts that you don't want to keep.
- Identifying and removing access for Gmail accounts.
- Sanitizing Gmail accounts that use a corporate email address as an alternate address.

Depending on the sets of existing accounts that you have identified, some of these streams might not apply to you.
The following flow chart illustrates the consolidation process. The streams, indicated by parallel lines, are independent of one another so you can do them in parallel.

The diagram shows this flow:
1. Identify a set of consumer accounts to migrate. If you have a large number of consumer accounts, it's best to do the migration in batches. Start with a small batch of approximately 10 users, and then make your batches larger in subsequent migrations.
2. Announce to affected users your intent to transfer consumer accounts. Make sure that users understand both the importance and consequences of accepting or declining a transfer request.

   For an example of what an announcement email message might look like, see Advance communication for user account migration.
3. Migrate the selected consumer accounts by using the transfer tool for unmanaged users (https://admin.google.com/ac/unmanaged). This process is described in more detail in Migrating consumer accounts.
4. Wait for most of the users (a quorum) to accept or decline transfer requests, and resend transfer requests if necessary. You can see whether a user has responded by looking at the transfer tool for unmanaged users.
5. If you're using an external IdP, some of the migrated user accounts might end up without a matching identity in the external IdP. Reconcile these orphaned managed user accounts to ensure that all managed user accounts have a matching identity in the external IdP.
6. Evict all consumer accounts that you don't want to migrate.
7. Search your Identity and Access Management (IAM) policies for Gmail accounts (search for `*@gmail.com` entries). Revoke access to these accounts and provide affected users with managed user accounts as replacements. To minimize the impact on users, make sure that these managed user accounts have the same or similar access to resources as the previous Gmail accounts.
8. If there are Gmail accounts that use a corporate email address as their alternate email address, sanitize these Gmail accounts.
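
The IAM search in the step about `*@gmail.com` entries can be scripted. The following Python is an added example, not part of the original document: it walks a policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, lists Gmail members with their roles, and builds a copy in which each one is swapped for a managed account holding the same role. The sample policy, the function names, and the example.com addresses are constructed for illustration.

```python
import copy

# Constructed sample in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:Alice.Dev@Gmail.com", "group:eng@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:bob@gmail.com", "deleted:user:carol@gmail.com?uid=1234"],
         "condition": {"title": "temp-access", "expression": "true"}},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@demo.iam.gserviceaccount.com"]},
    ],
}

def gmail_address(member, domains=("gmail.com",)):
    """Return the lower-cased address if member is a user in a consumer domain, else None."""
    kind, _, value = member.removeprefix("deleted:").partition(":")
    email = value.split("?", 1)[0].lower()  # drop the ?uid= suffix of deleted members
    return email if kind == "user" and email.rpartition("@")[2] in domains else None

def find_gmail_bindings(policy):
    """List (role, member, condition title) for every Gmail member in the policy."""
    return [(b["role"], m, b.get("condition", {}).get("title"))
            for b in policy.get("bindings", [])
            for m in b.get("members", []) if gmail_address(m)]

def replace_gmail_members(policy, managed_for):
    """Copy the policy, dropping Gmail members and granting the same role to the
    mapped managed account; return (new_policy, Gmail addresses with no mapping)."""
    new_policy, unmapped = copy.deepcopy(policy), set()
    for binding in new_policy.get("bindings", []):
        kept = []
        for member in binding.get("members", []):
            email = gmail_address(member)
            if email is None:
                kept.append(member)
            elif member.startswith("deleted:"):
                continue  # account no longer exists; just remove the stale entry
            elif email in managed_for:
                kept.append("user:" + managed_for[email])
            else:
                unmapped.add(email)  # revoked, but the user still needs a replacement
        binding["members"] = list(dict.fromkeys(kept))  # de-duplicate, keep order
    new_policy["bindings"] = [b for b in new_policy.get("bindings", []) if b["members"]]
    return new_policy, sorted(unmapped)
```

Addresses returned as unmapped lose access in the new policy, so provision managed user accounts for them before applying it.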
Best practices
We recommend the following best practices when you are consolidating existing user accounts:

- If you are migrating from an external email system to Google Workspace, remember that consumer accounts might use an email address that is also subject to migration. To ensure that the owners of these consumer accounts continue to receive email, don't change DNS MX records until after you migrate all affected consumer accounts.
- After you complete the consolidation, consider provisioning all users and limiting authentication by single sign-on to block new consumer account sign-ups.