The steps in this article do not apply if Google has enforced 2-Step Verification on the admin account in your organization. To check the enforcement status on your account, go to Track users’ enrollment and add the 2-Step verification enforcement column. For more details, go to Important: 2SV soon required for admin accounts.
When you enforce 2-Step Verification, you can specify an enrollment period during which new users can sign in with just their passwords. This gives new employees time to enroll before enforcement is applied to their accounts. To avoid account lockouts, put users in a configuration group where 2-Step Verification isn’t enforced until they can enroll.
How users get locked out of their account
- If you change your organizational structure and move users from an organizational unit without enforcement to an organizational unit that enforces 2-Step Verification, users who aren’t enrolled in 2-Step Verification won’t be able to sign in to their accounts.
- If you enforce a different 2-Step Verification policy, you might lock users out of their accounts. For example, if you allow users to get verification codes by text message and then change the policy to require a security key, users who don’t comply with the new policy will be locked out of their accounts.
- If users remove their last known second step on their account, such as a phone number, they get a warning. If they don't add a new second step, they could lock themselves out of their account. If a user needs to add back their last known second step, tell them to review Turn on 2-Step Verification.
Step 1: Create an exempt from 2-Step Verification group
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Create the group in the Admin console or Google Cloud Directory Sync and add the users who aren’t required to use 2-Step Verification to the group. For the steps, go to Create a group in your organization.
Step 2: Turn off enforcement for the group
Before you begin: If needed, learn how to apply the setting to a department or group.
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Authentication > 2-step verification.
- (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).
Group settings override organizational units.
- In the Groups section, enter the name of the configuration group that you created.
If you don’t find your group, it might have been created in Google Groups. Configuration groups must be created in the Admin console, Directory API, or Google Cloud Directory Sync.
- Let users turn on 2-Step Verification and use any verification method, but don't require 2-Step Verification yet. Check the Allow users to turn on 2-Step Verification box and select Enforcement > Off.
- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Step 3: Move enrolled users out of the group
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Reporting > User Reports > Security.
You see which users are enrolled in 2-Step Verification. This data could be delayed up to 48 hours. To view real-time 2-Step Verification status for each user, go to Manage a user’s security settings.
- When a member of the Exempt from 2-Step Verification group enrolls in 2-Step Verification, remove them from the group and move them into the appropriate organizational unit.
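Added example (not part of the original article and not Google's own tooling): a Python sketch that sorts accounts into the actions described in "How users get locked out of their account" and Step 3, working offline on user records shaped like the Directory API users resource. The sample records, the group membership, and the ENFORCED_OUS set (including the assumption that child organizational units inherit enforcement) are constructed for illustration.

```python
"""Added example: triage accounts before 2-Step Verification enforcement."""

# Constructed sample records. Field names follow the Directory API users
# resource (primaryEmail, orgUnitPath, isEnrolledIn2Sv); values are made up.
USERS = [
    {"primaryEmail": "ana@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": True},
    {"primaryEmail": "ben@example.com", "orgUnitPath": "/Sales", "isEnrolledIn2Sv": False},
    {"primaryEmail": "cy@example.com", "orgUnitPath": "/Sales/EMEA", "isEnrolledIn2Sv": False},
    {"primaryEmail": "dee@example.com", "orgUnitPath": "/Salesforce", "isEnrolledIn2Sv": False},
    {"primaryEmail": "eli@example.com", "orgUnitPath": "/New Hires", "isEnrolledIn2Sv": True},
]
EXEMPT_GROUP = {"ana@example.com", "ben@example.com", "gone@example.com"}  # constructed
ENFORCED_OUS = {"/Sales"}  # assumption: enforcement is on here and inherited by child OUs


def in_enforced_ou(path, enforced_ous):
    """True if path is an enforced OU or a descendant (not just a name prefix)."""
    return any(path == ou or path.startswith(ou.rstrip("/") + "/") for ou in enforced_ous)


def triage(users, exempt_members, enforced_ous):
    """Sort accounts into the actions the procedure above calls for."""
    exempt = {m.lower() for m in exempt_members}
    result = {"remove_from_group": [], "still_exempt": [], "lockout_risk": [], "stale_member": []}
    seen = set()
    for user in users:
        email = user["primaryEmail"].lower()
        seen.add(email)
        enrolled = bool(user.get("isEnrolledIn2Sv"))
        if email in exempt:
            # Group settings override the OU, so members are not under enforcement.
            result["remove_from_group" if enrolled else "still_exempt"].append(email)
        elif not enrolled and in_enforced_ou(user["orgUnitPath"], enforced_ous):
            # Unenrolled, not exempt, under enforcement: would be locked out.
            result["lockout_risk"].append(email)
    # Group entries with no matching user record should be reviewed and pruned.
    result["stale_member"] = sorted(exempt - seen)
    return result


if __name__ == "__main__":
    for action, emails in triage(USERS, EXEMPT_GROUP, ENFORCED_OUS).items():
        print(f"{action}: {', '.join(emails) or '-'}")
```

Run a check like this before moving users into an enforced organizational unit or changing the policy; accounts listed under lockout_risk belong in the exempt group until they enroll.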