User reports: Security

View your users' account settings and exposure to security risks

As your organization's administrator, you can monitor your users' exposure to data compromise by opening a security report. Under User Reports, the Security report provides a comprehensive view of how people share and access data and whether they take appropriate security precautions. For example, you can review who installs external apps, shares numerous files, skips 2-Step Verification, and uses security keys.

Step 1: Open the security report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Reportingand thenUser Reportsand thenSecurity.

Step 2: Review the data

The Security report is based on the following user data.

Note: Depending on your Google Workspace edition, you might not have access to some of the activity reports.

Expand section  |  Collapse all & go to top

General
Report column Description
External apps

Number of third-party applications authorized to access the user's data

Note: To view application names for each user and revoke the access of external apps, go to View user security settings and revoke access

2-Step Verification enrollment

Lists if a user is enrolled in 2-Step Verification.

Note: This data could be delayed up to 48 hours. To view real-time 2-Step Verification status for each user, go to View user security settings and revoke access.

2-Step Verification enforcement Lists if a user is required to be enrolled in 2-Step Verification
Password length compliance

Whether the user is compliant or non-compliant with password-length requirements. For instructions on setting password requirements, go to Enforce and monitor users' password requirements.

Note: If 'Unknown' appears, the user's password may have been set using a hash method. See When password policies don't apply.

Password strength

Whether the user has a strong or weak password based on the password requirements set by an administrator. For instructions on setting password requirements, go to Enforce and monitor users' password requirements.

Note: If 'Unknown' appears, the user's password might have been set using a hash method. See When password policies don't apply.

User account status

User’s account status (Active, Blocked, or Suspended)

  • A blocked user has violated the Terms of Service. Our system automatically suspends the user and marks them as Abusive. For more information, you can contact support.
  • A suspended user has an account that has been temporarily disabled by an administrator. As an administrator, you can suspend a user temporarily without deleting the domain profile or associated information, such as documents and presentations. Suspended users can't sign in until an administrator restores a suspended user.

Note: The Active user account status includes soft-deleted users.

Admin status User's administrative access (Super admin, Administrator, or None)
Less secure apps access Whether the user can block or allow less secure app access to their own accounts (Allowed or Denied​)
Security keys enrolled Total number of security keys enrolled by the users of this domain
Gmail
Report column Description
Gmail (POP) - last used time Last time the user used a Post Office Protocol (POP) access Gmail
Gmail (IMAP) - last used time Last time the user used Internet Message Access Protocol (IMAP) mail server access Gmail
Gmail (Web) - last used time Last time the user used web-based Gmail. Note that this timestamp is not synced with the Last Login timestamp
Drive

The new metrics definitions include “added”. This definition differs from previous metrics because it counts when “addition” events occur. Addition type events include creating a file, uploading, untrashing, or ownership transfer. This activity gets reported regardless of the final state of the item. Multiple addition events to the same file do not give a cumulative total. The report only reflects the daily change to the total.

Report column Description
External shares Number of external file sharing events performed by the user
Internal shares Number of internal file sharing events performed by the user
Public Number of file sharing events performed by users in the domain that are made publicly available
Anyone with link Number of file sharing events performed by users in the domain that are available to anyone with the link
Anyone in domain with link shares Number of file sharing events performed by users in the domain that are shared with anyone in the domain with the link
Anyone in domain shares Number of file sharing events performed by users in the domain that are visible to anyone in the domain
Outside domain Number of file sharing events performed by users in the domain shared explicitly with individuals or groups outside the domain
Within domain shares Number of file sharing events performed by users in the domain shared explicitly with a user or group in the domain
Private shares Number of Drive files that are not shared at all

 

Note: All the metrics for the above activities capture the daily change in number of their respective fields.

Step 3: Customize the data in the report

  1. Open your report as described above.
  2. Click Settings 
  3. (Optional) To add columns to the chart, next to Add new column, click the Down arrow  and select options from the list.
  4. (Optional) To remove an item from the chart, next to that item, click Remove .
  5. (Optional) To rearrange columns, drag and drop an item to a new position.
  6. Click Save.

Step 4: Filter data and export the report

Expand section  |  Collapse all & go to top

Filter by user or activity

You can narrow your report to show users or specific events. For example, you can create a filter to find all users who are using 2-Step Verification. Or you can create a filter to list people who share numerous external links.

  1. Open the report as described in Step 1 above.
  2. At the top of the report, click Add a filter.
  3. Click one of the filters from the list, enter the criteria, and click Apply.
Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your report as described above.
  2. At the top of the report, click Organizational unitand thenselect a unit from the list.
  3. Click Apply.

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Filter by group

 

You can also filter the data in your report by group. Before a group will appear in this filter,  you need to add the group to your filtering groups allowlist.

For details about using group filters, see Filtering results by Google Group.

Step 1: Add a group to your filtering groups allowlist:

  1. Open your report as described above.
  2. At the top of the report, click Group filter .
  3. Click Filtering groups.
    The Filtering groups page displays.
  4. Click Add Groups.
  5. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  6. (Optional) To add another group, search for and select the group.
  7. When you finish selecting groups, click Add.
  8. (Optional) To remove a group, click Remove group .
  9. Click Save.
    Changes can take up to 24 hours but typically happen more quickly. Learn more

 Step 2: Filter audit log by group

  1. Open your report as described above.
  2. At the top of the report, click Group filter .
  3. Select one or more groups and click Apply.
Show data for a particular date
Select View by date and use the date selector to show data for a particular date, or select Latest to show the latest available data for each application. Many metrics are available for the past 6 months, although some are available for a shorter time.
Export your report data

You can export your report data to a Google Sheet, or download it as a CSV file.

  1. Open your report as described in Step 1 above.
  2. (Optional) Change the data to be included in your export as described in Step 3 above.
  3. On the report, click Download .
  4. Select which columns to include and the format of the report.
  5. Click Download.

You can export up to 100,000 rows.

How old is the data I'm seeing

You won’t see complete data up to the present day. Instead, under the graph heading you'll see the latest date for the column data. The table under the graph shows 1-day data for the latest date.

Occasionally, you'll see an asterisk "*" next to a column name. The asterisk indicates that the data in this particular column might be stale compared to the data in other columns.

For details on when data becomes available and how long it's retained, go to Data retention and lag times.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
7452502025789510454
true
Search Help Center
true
true
true
true
true
73010
false
false