Here am listing some of the frequently asked questions about Google Workspace Archive User SKU, if you have any question, please comment in the bottom, and I will add it (along with the answer) to FAQs.

HOW WE DEAL WITH IT IF WE USE GOOGLE CLOUD DIRECTORY SYNC?

As of today, Google does not provide option to assign (or unassign) Google Workspace Archive license via Google Cloud Directory Sync (GCDS).

However, You may consider following as a prospective solution for now-:

1. Exclude your “Archived_Users” Org Unit from GCDS.
2. Create a cron job which calls Directory API to list users in your Archive_Users Org Unit.
3. Search within this list to find users who are still active.
4. Make a patch API call with archived=true to archive these active users.

Please watch the video above where I show how you can exactly do that with Google Apps Script (I have provided the script as well for you to copy and use).

‍

IS IT POSSIBLE TO CREATE USERS WITH ARCHIVE USER LICENSE?

It is not, and unless am missing something, it does not make sense either.

Why would you create a user with archive state?

You can only assign Google Workspace Archive User license to an active Google Workspace Business OR Google Workspace Enterprise user.

‍

WILL GOOGLE WORKSPACE LICENSE BE ASSIGNED AUTOMATICALLY UPON UNARCHIVING?

It depends.

If the concerned user is part of an Organizational Unit which has automated license assignment turned on, then yes, license will be assigned automatically upon unarchiving the user, otherwise not.

‍

CAN WE MIGRATE DATA FROM ARCHIVE USER?

Your requirement -: Our user has left, we have assigned him Google Workspace archive license, but we want to migrate his data to some other Google Workspace user in our domain, how can do that?

You can do that, but let me explain it a bit.

IMAP stops working (even if it is enabled) for archived user, so to migrate archived user’s data, you have 2 options-:

1. Migration Option One-:

(i) Change user’s password.

(ii) Migrate the data via data migration service (available within Google admin console for free or other migration services offered by Google)

(iii) Assign Archive user license once migration in completed.

2. Migration Option Two-:

(i) Assign Archive User License

(ii) Use any 3rd party migration tool which migrates via GMAIL API instead of IMAP, prominent ones are Migrationwiz and Cloudmigrator.

‍

WHAT IS THE DIFFERENCE BETWEEN VFE AND AU LICENSES?

I think VFE was more like an adjustment, but AU is a well planned SKU.

AU allows you to do a bit more, like running DLP scans which you can’t do with VFE.

No difference between the retention policies as they are still controlled by Vault on both.

You would need to manually assign AU licenses to users when migrating from VFE, though AU can’t be handled with Directory Sync for now, but Directory API has a property called isArchived = true or false which you can leverage to do this in bulk (script is provided in this post above).

VFE would also be going away, and AU would be streamlined to manage leaving users data, so it can also be considered as an upgraded version of VFE.

WHEN A USER GETS ARCHIVED IN GOOGLE WORKSPACE, DOES THEIR GCP SSH KEYS GET REMOVED/REVOKED?

Yes.

I tested this, I SSHed into my GCP linux instance, and then archived this Google Workspace user, in less than couple of minutes I lost connection to the instance.

I started seeing this message then and couldn’t reconnect to the instance-:

Transferring SSH keys to the VM.

The key transfer to project metadata is taking an unusually long time. Transferring instead to instance metadata may be faster, but will transfer the keys only to this VM. If you wish to SSH into other VMs from this VM, you will need to transfer the keys accordingly.

Click here to transfer the key to instance metadata. Note that this setting is persistent and needs to be disabled in the Instance Details page once enabled.

You can drastically improve your key transfer times by migrating to OS Login.

Also, ideally I think recommendation would be leverage os login to give ssh