Last reviewed 2024-07-11 UTC
If your organization isn't already using Cloud Identity or Google Workspace, some of your employees might be using consumer accounts to access Google services. A consumer account is owned and managed by the individual who created the account. Your organization therefore has no control over the configuration, security, and lifecycle of these consumer accounts.

This document describes how to consolidate existing consumer accounts so that you achieve the following results:

- Only managed user accounts are used to access Google services.
- Your organization has full control over the configuration, security, and lifecycle of user accounts.
- If you use an external IdP, all user accounts have a matching identity in your external identity provider (IdP) and can be used for single sign-on.

If you use separate Cloud Identity or Google Workspace organizations for staging and production, we recommend that you perform a test run of the consolidation process first:

- For each class of existing consumer accounts that you need to consolidate, create a test user account that uses a similar configuration. When you assign email addresses to these test user accounts, choose email addresses that match one of the domains of your staging account.
- Perform the consolidation process by using the test user accounts and your staging Google Workspace or Cloud Identity account.

Performing a test run lets you familiarize yourself with the process before you apply it in your production environment. It also helps you identify potential issues before you apply them to thousands of users.

Consolidation process

The consolidation process consists of the following streams:

- Migrating consumer accounts to Cloud Identity or Google Workspace.
- Evicting consumer accounts that you don't want to keep.
- Identifying and removing access for Gmail accounts.
- Sanitizing Gmail accounts that use a corporate email address as an alternate address.

Depending on the sets of existing accounts that you have identified, some of these streams might not apply to you.

The following flow chart illustrates the consolidation process. The streams, indicated by parallel lines, are independent of one another so you can do them in parallel.

The diagram shows this flow:

1. Identify a set of consumer accounts to migrate. If you have a large number of consumer accounts, it's best to do the migration in batches. Start with a small batch of approximately 10 users, and then make your batches larger in subsequent migrations.
2. Announce to affected users your intent to transfer consumer accounts. Make sure that users understand both the importance and consequences of accepting or declining a transfer request.
3. Migrate the selected consumer accounts by using the transfer tool for unmanaged users.
4. Wait for most of the users (a quorum) to accept or decline transfer requests, and resend transfer requests if necessary. To see whether a user has responded, check the transfer tool for unmanaged users.
5. If you're using an external IdP, some of the migrated user accounts might end up without a matching identity in the external IdP. Reconcile these orphaned managed user accounts to ensure that all managed user accounts have a matching identity in the external IdP.
6. Evict all consumer accounts that you don't want to migrate.
7. Search your Identity and Access Management (IAM) policies for Gmail accounts (search for *@gmail.com entries). Revoke access to these accounts and provide affected users with managed user accounts as replacements. To minimize impact on users, make sure that these managed user accounts have the same or similar access to resources as the previous Gmail accounts.
8. If there are Gmail accounts that use a corporate email address as their alternate email address, sanitize these Gmail accounts.
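
One way to carry out the IAM policy search from step 7, as an added example that is not part of the original page: it scans a policy exported as JSON for `user:*@gmail.com` members and plans a like-for-like replacement that keeps each binding's role and condition. The sample policy, the `REPLACEMENTS` mapping, and the action labels are constructed for illustration.

```python
GMAIL_DOMAINS = ("gmail.com",)  # the page's search pattern: *@gmail.com

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", "user:bob.personal@gmail.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:Carol.Dev@Gmail.com"],
         "condition": {"title": "temp-access",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/editor",
         "members": ["deleted:user:old@gmail.com?uid=1234567890", "group:devs@example.com"]},
    ],
}
# Hypothetical mapping: consumer Gmail address -> managed user account that replaces it.
REPLACEMENTS = {"bob.personal@gmail.com": "bob@example.com"}


def gmail_address(member):
    """Return the lowercased Gmail address of a user principal, else None."""
    body = member[len("deleted:"):] if member.startswith("deleted:") else member
    kind, _, ident = body.partition(":")
    if kind != "user":
        return None  # groups, service accounts and domains are not personal accounts
    email = ident.split("?uid=")[0].lower()  # deleted principals carry a ?uid= suffix
    return email if email.rpartition("@")[2] in GMAIL_DOMAINS else None


def plan(policy, replacements):
    """Return (role, condition title, member, action, new member) per Gmail principal."""
    actions = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        cond = binding.get("condition", {}).get("title")  # keep it on the new binding
        for member in binding.get("members", []):
            email = gmail_address(member)
            if email and member.startswith("deleted:"):
                actions.append((role, cond, member, "remove-stale", None))
            elif email and email in replacements:
                actions.append((role, cond, member, "replace", "user:" + replacements[email]))
            elif email:
                actions.append((role, cond, member, "needs-managed-account", None))
    return actions


if __name__ == "__main__":
    for row in plan(SAMPLE_POLICY, REPLACEMENTS):
        print(row)
```

Bindings are set separately on the organization, folders, projects, and individual resources, so run the check against the policy of each level you manage.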

Best practices

We recommend the following best practices when you are consolidating existing user accounts:

- If you are migrating from an external email system to Google Workspace, remember that consumer accounts might use an email address that is also subject to migration. To ensure that the owners of these consumer accounts continue to receive email, don't change DNS MX records until after you migrate all affected consumer accounts.
- After you complete the consolidation, consider provisioning all users and limiting authentication by single sign-on to block new consumer account sign-ups.