What is the proper way to configure / enforce MFA, so that all of the admin accounts in my Google Cloud Platform are required to have MFA configured and enabled? I found some guidance about this topic, but that required logging in each and every admin and checking manually.

- MFA, also called 2-step verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code). Which solution would you like to use for the implementation of the 2-step verification? – Ismael Clemente Aguirre Mar 10 '22 at 21:22
- Hi Ismael. I would like the users to be required to do 2-Step Verification by SMS or the Google Authenticator app. – roman hüsler Mar 11 '22 at 05:52
- Think I found the solution. Need to "enable Cloud Identity and create an organisation", then migrate the resources to the organisation, then enable an MFA enforcement policy. – roman hüsler Mar 11 '22 at 09:49
- @romanhüsler if any answer has solved or helped you please consider [accepting it](https://meta.stackexchange.com/q/5234/179419) by clicking the check-mark. This indicates to the wider community that you've found a solution and gives some reputation to both the answerer and yourself. There is no obligation to do this. – Hector Martinez Rodriguez Mar 16 '22 at 22:31
1 Answer
To set up Cloud Identity:

Choose between Cloud Identity Free or Cloud Identity Premium. In this link, you can compare both editions.

- Instructions for signing up for Cloud Identity Free
- Instructions for signing up for Cloud Identity Premium

To create your Cloud Identity account and first admin user using the Setup Wizard:

1. In the About you section, enter your first and last name in the Name field.
2. In the Current email address you use for work field, enter the email you used to create your prototype project. This email address will be used as a recovery address. It must be different from the address you create below that you'll use as your admin account for Cloud Identity.
3. In the About your business section, enter your company name in the Business or organization name field.
4. In the Country/Region field, choose the appropriate country or region from the pulldown list.
5. Click Next to set up your domain.
6. In the Your Cloud Identity Domain window, add the domain you've already purchased for your company. You'll need to verify that you own it by creating a specific CNAME record or uploading an HTML file.
7. In the Create your Cloud Identity account window, enter a username and password. This account is your Cloud Identity administrator account and must be different from the email address you entered in step 2 above. As a best practice, we recommend that you enter a username with the following format: admin@example.com.

More information about setting up Cloud Identity can be found here.
Multi-factor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-step verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).

To deploy 2-step verification:

Step 1: Notify users of 2-Step Verification deployment (required). Before deploying 2-Step Verification, communicate your company's plans to your users, including:

- What 2-Step Verification is and why your company is using it
- Whether 2-Step Verification is optional or required
- If required, the date by which users must turn on 2-Step Verification
- Which 2-Step Verification method is required or recommended

Step 2: Set up basic 2-Step Verification (required). Next, let your users turn on 2-Step Verification. By default, users can turn on 2-Step Verification and use any verification method. (G Suite accounts created before December 2016 have 2-Step Verification turned off by default.)

Step 3: Enforce 2-Step Verification (optional). As an administrator, enforcing 2-step verification for your users is an optional step.

Make sure users are enrolled in 2-Step Verification before turning on enforcement. Users who aren't enrolled can't sign in to their accounts.

Enforcement methods:

- Any—Users can set up any 2-Step Verification method.
- All except verification codes via text, phone call—Users can set up any 2-Step Verification method except using their phones to receive 2-Step Verification codes.
- Only security key—Users must set up a security key.

More detailed instructions in this link.

If you want to use text message or phone call as your 2-step verification method, consider:

If you currently allow any 2-Step Verification method, you probably have users who verify only by text and voice call. To avoid locking these users out of their accounts:

Before enforcement takes effect, tell users to start using another 2-Step Verification method. Also, inform them that 2-Step Verification codes won't be available on their phones after the enforcement date. Use the login_verification Login Audit activity event to track users who sign in using 2-Step Verification codes they receive by text message or voice call. If the login_challenge_method parameter has the value idv_preregistered_phone, the user authenticated with a text or voice verification code.

In this link, you will find a more detailed guide for users to activate their 2-step verification method.
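As an added example (not part of the original answer, and not Google's own tooling), the two pre-enforcement checks the answer describes can be automated: find users who are not yet enrolled in 2SV (they would be locked out once enforcement is on) and find users whose recent sign-ins relied on text or voice codes (they lose their only method under the "All except verification codes via text, phone call" setting). The script below assumes the documented shapes of the Admin SDK Directory API `users.list` response (read-only `isAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv` fields) and the Reports API `activities.list` response for the `login_verification` event. The only `login_challenge_method` value taken from the answer is `idv_preregistered_phone`; every other value and all sample data are constructed for illustration.

```python
"""Pre-enforcement 2SV readiness check over Admin SDK JSON (added example)."""
import json

# Value the answer names for text-message / voice-call verification codes.
PHONE_CODE_METHOD = "idv_preregistered_phone"

# Constructed sample in the shape of a Directory API users.list response
# (isAdmin, isEnrolledIn2Sv and isEnforcedIn2Sv are read-only user fields).
USERS_JSON = """
{"users": [
  {"primaryEmail": "admin@example.com", "isAdmin": true,
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false},
  {"primaryEmail": "ops-admin@example.com", "isAdmin": true,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
  {"primaryEmail": "alice@example.com", "isAdmin": false,
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false},
  {"primaryEmail": "bob@example.com", "isAdmin": false,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false}
]}
"""

# Constructed sample in the shape of a Reports API activities.list response
# for applicationName=login, eventName=login_verification. The method value
# "sample_other_method" is a constructed stand-in, not a real Google value.
ACTIVITIES_JSON = """
{"items": [
  {"actor": {"email": "alice@example.com"},
   "events": [{"type": "login", "name": "login_verification",
               "parameters": [{"name": "login_challenge_method",
                               "multiValue": ["idv_preregistered_phone"]}]}]},
  {"actor": {"email": "admin@example.com"},
   "events": [{"type": "login", "name": "login_verification",
               "parameters": [{"name": "login_challenge_method",
                               "multiValue": ["sample_other_method"]}]}]},
  {"actor": {"email": "alice@example.com"},
   "events": [{"type": "login", "name": "login_verification",
               "parameters": [{"name": "login_challenge_method",
                               "value": "idv_preregistered_phone"}]}]}
]}
"""

SAMPLE_USERS = json.loads(USERS_JSON)
SAMPLE_ACTIVITIES = json.loads(ACTIVITIES_JSON)


def param_values(param):
    """Return a parameter's values whether the API sent value or multiValue."""
    if "multiValue" in param:
        return list(param["multiValue"])
    if "value" in param:
        return [param["value"]]
    return []


def phone_code_users(activities):
    """Map each account that signed in with a text/voice code to how often it did."""
    counts = {}
    for item in activities.get("items", []):
        email = item.get("actor", {}).get("email", "<unknown>")
        for event in item.get("events", []):
            if event.get("name") != "login_verification":
                continue
            for param in event.get("parameters", []):
                if (param.get("name") == "login_challenge_method"
                        and PHONE_CODE_METHOD in param_values(param)):
                    counts[email] = counts.get(email, 0) + 1
    return counts


def unenrolled_users(users, admins_only=False):
    """Sorted emails of users not enrolled in 2SV (optionally admins only)."""
    found = []
    for user in users.get("users", []):
        if admins_only and not user.get("isAdmin", False):
            continue
        if not user.get("isEnrolledIn2Sv", False):
            found.append(user["primaryEmail"])
    return sorted(found)


def readiness_report(users, activities):
    """Who would be locked out or lose their only method once enforcement starts."""
    return {
        "unenrolled_admins": unenrolled_users(users, admins_only=True),
        "unenrolled_users": unenrolled_users(users),
        "phone_code_users": phone_code_users(activities),
    }


if __name__ == "__main__":
    print(json.dumps(readiness_report(SAMPLE_USERS, SAMPLE_ACTIVITIES), indent=2))
```

Against live data, the two inputs would be the paged results of `users().list(customer="my_customer")` from the Directory API and `activities().list(userKey="all", applicationName="login", eventName="login_verification")` from the Reports API (Admin SDK Python client); the checks themselves do not change. An empty `unenrolled_admins` list is the minimum bar before turning enforcement on for the admin accounts the question asks about.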
