Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
Multi-party approval protects against malicious actions in the Admin console by requiring that any sensitive settings changes—such as turning 2-Step Verification enforcement on or off—must be approved by another super admin. Once a super admin receives and approves the settings change request, the change is carried out automatically, without any further action needed from the requesting admin.
Multi-party approval is turned on by default for domains with 2 or more super admins. See instructions below on how to turn it on or off.
Once on, Multi-party approval applies to the following settings:
- 2-Step Verification
- Account recovery
- Advanced Protection
- Google session control
- Login challenges
- Passwordless (beta)
- SSO with third-party IdP
- Domain-wide delegation
Multi-party approval in Reseller domains
If Multi-party approval is turned on in a resold customer’s domain, and a reseller admin tries to update a sensitive setting, the request for approval is sent to the resold admins only, and only the resold admins can approve or decline the request.
How Multi-party approval works
In this example, Multi-party approval protects the sensitive action of changing 2-Step verification settings.
- A Workspace admin navigates to SecurityAuthentication2-Step verification settings, and attempts to turn enforcement from ON to OFF.
- A pop-up dialog notifies the admin that this action requires review from a Super admin. The requesting admin can optionally enter an explanatory message before sending the request for review.
Note: If there's already a pending request to change a setting that's waiting for approval, any new request is temporarily blocked until the pending request is resolved. The admin whose request is blocked can view the conflicting request.
- The requesting admin gets an email confirmation message that their request has for approval has been submitted.
- The approver Super admin receives the email request for approval. and opens a link to the Multi-party approval details page in the Admin console. The details page shows:
- Who's requesting the change
- The current setting (before change) and the proposed setting (after change)
- Options to approve or decline the request
- The approver reviews the request details, then either approves or rejects the request.
- If the request is approved, the change in 2-Step verification settings is carried out automatically, without further action needed from the requesting admin.
- If the approver takes no action, the request expires in 3 days.
- Requester gets an email when the request is approved or rejected, or if the request has expired with no action.
View request details, approve a request, cancel a request
Either the requester or the approver can view pending or past requests on the Multi-party approval list page. Clicking a request in the list displays a details page for that request. On the request details page, requesters can cancel a request, and approvers can approve or reject the request.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Go to SecurityAuthenticationMulti-party approval.
You can view all requests, or only your own requests. Request details include the request status, requester’s name, when the request was created, and the setting change being requested.
- To view details on a specific request, click in the Action column at left.
- The requester details page includes an option to cancel the request.
- The approver details page includes the options to approve or reject the request.
- Click Multi-party approval at left to return to the approval list page.
Turn Multi-party approval on or off
Use the multi-party approval setting in Admin console to turn the feature on or off for your domain.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Go to SecurityAuthenticationMulti-party approval settings.
- To turn multi-party approval on, check the Require multi-party approval for sensitive admin actions box. To turn off, uncheck the box.
- Click Save.
Note: If multi-party approval is turned off from an on state:
- Pending requests are active for the normal period of time, until they are approved, requested, or expire.
- New settings changes that involve sensitive actions will not create multi-party approval requests.