DEFINITIVE GUIDE TO GOOGLE CONFLICTING ACCOUNTS

  • I do G Suite administration to make a living, and wanted to learn Google conflicting accounts in great detail, so I can better help the impacted G Suite community.

  • I started asking myself “what are Google conflicting accounts, how do they get created, what's their impact, how to handle them and how to even restrict their creation”.

  • Let me share everything I learnt, and hopefully it will help you understand and deal with Google conflicting accounts, along with stopping them from being created in future.

Table of Contents

1. What is a Conflicting Account?
   Understand conflicting accounts and how they get created

2. How to handle conflicts?
   Understand how to handle Google conflicting accounts

3. Transfer Tool Utility
   Use Google's transfer tool for unmanaged users

4. Data Transfer Process
   Understand which apps' data can be transferred and how

5. Block Consumer Account creation
   Block consumer account creation on your domain

6. Identify Conflict Attempts
   Identify which users tried to create conflicting accounts

7. Advanced Scenario Handling
   Handle advanced scenarios like SSO with conflicting accounts

8. FAQs
   Get answers to FAQs, or ask if you have any question

Google Conflicting Accounts Overview

In this section, let us understand what Google conflicting accounts are, and how they get created.

What is a Google Conflicting Account?

As per Google “If a user has a personal Google Account with the same email address as their managed Google Account, then they have a Google conflicting account”.

The best way to understand conflicting accounts is with an example.

Let's say John works for a company called “Daddy Day Care” as Marketing manager, and all of the employees of this company have an email address made of their first name @ their domain.com, so John’s email id is john@daddydaycare.com

Let’s assume this company is using Microsoft email services (maybe a locally hosted Exchange server or cloud based Office 365).

Now, John wants to use some Google products for his company’s marketing needs like Google Ads and Google Analytics which need him to sign up for a Google account.

So John goes to the Google account sign up page and sees two options to create his Google account: the first option is to create a new @gmail.com address and the second option is to use his existing email account.

[Screenshot: Sign up for Google Account]

John already owns an email account (john@daddydaycare.com) and thinks it’ll be better to create a Google account with his company email. 

So John signs up for Google account with his company email

[Screenshot: Sign up for Google consumer account with your own email address]

Google wants to verify that John indeed has this account, so Google sends a verification code to this email john@daddydaycare.com

[Screenshot: Verify your email for Google consumer account creation]

John receives that email, copies the verification code, and goes back to give Google that code.

After accepting Google’s terms of service, he is done.

Congratulations, John has now got a new Google account with his email address, and he can now use Google products like Google Ads, Analytics etc. with this account.

[Screenshot: Google conflicting account created]

However, John’s company email services are still with Microsoft, so when someone sends him an email or calendar invite, it goes to John’s Outlook.

Ok, so far, so good? If not, please read the above story again or leave me a comment below this post.

Now, John’s company thinks Microsoft email services are overkill for their business, and decides to move to G Suite.

So our fictitious company Daddy Day Care signs up for G Suite (verifies their domain name to Google) and starts creating their employees' accounts in G Suite.

When they try creating John@daddydaycare.com in their G Suite (or Google Cloud Identity) administration console, Google tells them that this account already exists.

[Screenshot: Google conflicting account detected]

Can you guess why?

You are right, because John already created “consumer account” with that email address, and Google does not allow users to have two separate accounts with the same email address.

So what do we have now? 

A Conflicting Google Account (or Google Conflicting Account).

So, to summarize, when your users create consumer Google accounts with your company domain email address, these accounts are called “Unmanaged Accounts” because there is no management possible on these (e.g. you cannot put a policy on these even if they are created with your domain email address), and the data ownership belongs to the individual (e.g. John).

However, when you create these accounts in your Google management console (e.g in G Suite or Google Cloud Identity), they are called “Managed Accounts” because you can manage them (e.g you can define how these accounts can be used, suspend them, delete them etc, and the data ownership belongs to your business).

Google does not allow a user to have two separate accounts with one email address, so if a user has already created a Google consumer account with his company email address, and then you try to create this user as a managed account, Google will tell you that there is a conflict because this account already exists.

How to handle Google Conflicting Accounts

In this section, let us understand how to seamlessly manage Google conflicting accounts.

Resolving Google Conflicting Accounts

Well, because you have verified your domain to Google when signing up for G Suite or Google Cloud Identity, you gain the rights to straight away go ahead and create john@daddydaycare.com as managed user, but you should do that very carefully.

You might be asking, what is to be careful here?

Sure, good question.

There might be two scenarios here.

Scenario One -: Your user (e.g John) signed up for a personal Google account with your company email address just for his personal reason, which means any data in this account actually belongs to John that he does not want to migrate to his new managed G Suite account that you would be creating for him.

Scenario Two -: Your user signed up for a personal Google account with your company email address because he wanted to use Google Products for your business like Google Ads, Google Analytics, Google Drive etc.

In this second scenario, you might want to give John the opportunity to bring all this data to his new G Suite account that you are creating for him.

So to summarize-:
If you straight away create their account in G Suite or Google Cloud Identity, ignoring Google’s note that this is a Google conflicting account, then you would lose the opportunity to let your users transfer their data from their unmanaged (consumer) account to their managed G Suite (or Google Cloud Identity) account.

You should only do this if you really do not want to give this user an opportunity to migrate their data to G Suite.

However, if you want to allow your Google conflicting account users to transfer their data from their personal Google account to their new G Suite (managed) account, then you should NOT create their G Suite account yet.

Which leads us to a couple of questions-:

1. As a business, how do I know which of my users have conflicting Google accounts?

2. How do I know if they have business data in these Google conflicting accounts?

Btw – If you have these two questions, awesome!!! We are on the same page then; otherwise, please read the above story again or put a comment below this post.

I have good news for your question number one: once you sign up for G Suite and verify your domain ownership, Google actually provides a tool which shows you the email addresses of these conflicting accounts (which users have created a consumer Google account with your company email address).

However, Google does not tell you which of these accounts have your business related data inside them, because of privacy reasons (remember, data ownership belongs to the individual in an unmanaged/consumer account and not to your company).

So, the ideal process should be-:
1. Identify all Google Conflicting Accounts

2. Send all of them an email giving them the opportunity to transfer data to their G Suite account, where they should have an option to either accept or reject your data transfer request (remember it's their personal account and they own the data, not your company, so they retain the right to accept or reject your data transfer request)

3. If they accept the request, their managed account would be created automatically in G Suite  and their data should be transferred from their consumer/unmanaged to managed G Suite account.

4. If they reject the request, then you should be notified, so that you can at least create their G Suite account as you are the domain owner.

So what happens if they reject the data transfer request?

1. You should still be able to create their G Suite account

2. When they try to login next time to their personal Google account that they created with your company email address, Google will ask whether they want to login to their new managed (G Suite) corporate account or their consumer account as you see in the screenshot below-:

[Screenshot: Login options provided to conflicting user after managed account creation]

If they select to login to their organizational G Suite account, then they would be taken to G Suite. However, if they choose to login to the consumer / individual account that they had with your company email address, then Google will ask them to rename their email address, as the corporate email that they had on this account is now claimed by the organization.

[Screenshot: Conflicting account user options after managed account creation]

At this time, as you see in the screenshot above, they would need to create a new Gmail email address for this account or use any other email address they have (other than old corporate email they had for this account).

However, if they do not take any action, their email would be changed to @gtempaccount.com domain as shown below.

 
[Screenshot: Conflicting account email changed to temp email after managed account creation]

Now, the above process that we discussed looks good, but it is too much to do on our own. Fortunately, Google provides us a tool for this.

This tool is called “Transfer Tool for unmanaged users”

Once you sign up for G Suite, and verify your domain ownership to Google, you can start using the Transfer Tool, and it helps with the following-:

1. It shows a list of all of the Google conflicting accounts in your domain (e.g. list of consumer accounts which were created using your company’s domain email address).

2. It gives you an option to send an email to either some or all of your Google conflicting accounts with an opportunity to transfer their data to their new G Suite account.

3. It also shows you the status of these requests, like which users have accepted or rejected the data transfer request.

Transfer Tool for Unmanaged Users

In this section, let us understand how we can leverage “Transfer Tool for unmanaged users”, a utility provided by Google to identify and deal with Google conflicting accounts.

How to access Transfer Tool?

You would need to perform following two steps to get access to Transfer Tool-:

Step 1 -: Sign up for G Suite
If you need assistance in signing up for G Suite the right way, you may look at my following post, in which I show you the sign up process step by step-:

G Suite Registration Video

Step 2 -: Verify Your Domain Ownership to Google

Google will only allow us to see all Google conflicting accounts after we verify our domain ownership. You can watch the video below showing how to verify your domain ownership to Google (I’ll show how to verify when your domain is with GoDaddy, but the concept remains the same regardless of which domain registrar or hosting provider your domain is with).

Now you should be able to see and access “Transfer Tool for unmanaged users” in your G Suite (or Google Identity) administration console.

To access the Transfer Tool, login to your Google Admin Console as follows-:

1. Go to admin.google.com

2. Enter your Administrator User Id and Password (and second factor if it is setup) 

3. You would find “Transfer tool for unmanaged users” on the right as shown in the screenshot below.

Transfer Tool User Interface Overview

On the Transfer Tool page, you can perform a few actions, including looking at all the Google conflicting accounts in your domain and whether you have sent them a data transfer request or not.

It also shows you the users who have accepted or rejected your data transfer request.

You can use the filters provided by the Transfer Tool to easily filter the data and see-:

(i) List of users to whom you have not yet sent data transfer request

(ii) List of users to whom you have sent data transfer request

(iii) Users who have accepted the request

(iv) Users who have rejected the request

[Screenshot: Transfer Tool data filtering]

How to see google conflicting accounts who are not yet sent data transfer request

From the Transfer tool page

Click on the filter icon to see filtering options, and then select “Not Sent” from the filter as shown in the screenshot below.

It will show you all the conflicting accounts to whom you have not yet sent data transfer request.

[Screenshot: Users to whom you have not sent a transfer request via Transfer Tool]

How to send data transfer request

From the Transfer tool page

Click on the filter icon to see filtering options, and then select “Not Sent” from the filter as shown in the screenshot below.

Then select either all or some users on the page, and then click “Email users a request” as shown below.

How to see users whom you have sent data transfer request

From the Transfer tool page

From the filters options, select “Request Sent” to see all Google conflicting account users to whom you have already sent data transfer request.

You can send the request more than once to any conflicting account user; you would see the number of times you have sent them the request under the “Request already sent” column, as shown in the screenshot below.

[Screenshot: Users to whom you have sent request]

How to see users who have accepted request

From the Transfer tool page

From the filters options, select “Accepted” to see all the Google conflicting account users who have accepted your data transfer request.

At this time, you as a G Suite (or Google Cloud Identity) admin are all set to create their managed Google account.

[Screenshot: Users who have accepted data transfer request]

How to see users who have declined request

From the Transfer tool page

From the filters options, select “Declined” to see all the conflicting account users who have declined your data transfer request.

At this time, you as a G Suite (or Google Cloud Identity) admin are all set to create their managed Google account.

[Screenshot: Users who have declined data transfer request]

Data Move Process

In this section, we will understand the data moving process: which applications' data can be moved, and how it happens.

Data move request email

So far we have learnt that as G Suite (or Google Cloud Identity) admins, we can see Google conflicting accounts, and can also send them a data transfer request.

Let us look at this email.

As you see in the screenshot of this email below, it tells the user that his company (your Google Org name) wants him to transfer his unmanaged account to the company.

[Screenshot: Sign in and transfer account]

This user has some data in this Google conflicting or unmanaged account, as you see in the screenshot below. We’ll see how this data gets moved to the managed account once this user goes through the data transfer process.

[Screenshot: Data in unmanaged user account]

User begins the data transfer process

When the user clicks on “Transfer Account”, he is taken to another screen where he is presented an option to either “Decline this request” or to start the account transfer process, as you see in the screenshot below.

[Screenshot: Sign in and transfer account]

Then the user is shown a final notification which includes details on what would happen after the transfer, along with an option to start the transfer process or decline the request.

[Screenshot: Complete the transfer]

Now within a few minutes, the user would see a success message informing him that his Google Account transfer process has been completed.

[Screenshot: Account transfer completed]

Now as a G Suite (or Google Cloud Identity) admin, if you go to the Google admin console, you would see that this user has automatically been created there.

[Screenshot: Managed account has been created]

Now, when this user logs in to his G Suite account, he would find his moved data in there, as you see in the screenshot below.

Note -: You would need to ensure that this user has been assigned a G Suite license, otherwise this user won’t see his moved data for the services which are only available to G Suite users (e.g. Google Drive data).

[Screenshot: Unmanaged user data has been transferred to managed account]

Supported Applications for Data Move

When an unmanaged Google Account user accepts your company's request to move this account to a managed Google (G Suite or Google Cloud Identity) account, some applications' data would be moved to his/her new managed account.

I have done some testing to come up with the following conclusions, however please only take it as a reference, and I do not plan to keep testing and updating this table.

Also, you should recommend your users to download all their data via Google Takeout before starting data transfer process from their unmanaged to managed Google Account.

Product Name -: What happens to data after account move?

  • Google Drive -: Google Drive data would be transferred, including-:
    1. Folder structure (including nested folders)
    2. Google native docs (e.g. docs, sheets, slides)
    3. Non-Google native docs (e.g. pdf, jpeg)
    Note-: The user should have a G Suite license in the managed account to see transferred data, as Google Drive needs either a G Suite or Drive Enterprise license.
  • Google Calendar -: Google Calendar events would be transferred to the managed Google account, including all recurring events and event attendees.
  • Gmail Emails -: The user will not have email data in the consumer account because the emails were coming to your company email service and not to Gmail (based on your MX records), so emails would not be transferred as Google wasn't hosting them for the unmanaged user.
  • Google Sites -: Google Sites would be transferred to the managed Google account.
  • Google Groups -: Google Groups would not be transferred.
  • Google Chat -: Google Chat is not available to an unmanaged Google Account, and hence there would not be any data to be transferred.
  • Google Keep -: Google Keep data (including lists and labels) would be transferred from the unmanaged to the managed Google Account.
  • Google Analytics -: Google Analytics data would be transferred to the managed Google account.
  • Google Ads (Adwords) -: I have not tested it yet as I would need to set up an Ads account and put some data there, hopefully would test soon and update this post.

Block Consumer Account Creation

In this section, we will learn how to stop users from creating unmanaged or consumer Google accounts with our company’s domain email address.

How to block Google Consumer Account Creation

Watch the video to understand how this solution would work

A Comprehensive Solution

Congratulations, You now have managed G Suite accounts either with (for users who have accepted the request) or without transferred data.

But here is a catch……..

Though you have verified your domain ownership, users can still create a Google consumer account directly with Google IF the following conditions are met-:

1. You have not yet created their account in G Suite.

2. They can receive the verification email which Google sends during creation of a consumer account.

Let’s talk about couple of scenarios which will make it clear.

Scenario One -: Let's say you are using Office 365 with 10000 users, and you are now switching to G Suite. You start with a G Suite pilot: sign up for G Suite, verify your domain ownership to Google, and create 50 users in G Suite, which means these 50 users now have a G Suite account on your domain. However, the remaining 9950 users can still go directly to Google and sign up for a consumer Google account, because when Google sends them a verification email, they receive it in their Outlook.

Scenario Two -: You use Office 365 for email, but signed up for Google Cloud Platform for your cloud based IT infrastructure needs → verified your domain ownership to Google and you created Google managed accounts for your DevOps and IT team who would be creating and managing projects in Google Cloud Platform.

However, in this scenario, any of your users for whom you didn’t create managed Google account, can still go directly to Google and create a consumer Google account with your company email address as they have access to this email (e.g when Google sends them verification code on this email, they can get it, and verify it to Google).

Some organizations might not like this, especially after verifying their domain to Google, they would prefer to restrict Google account creation with their @domain only to them.

So, what’s the solution?

There is no out of the box solution for it, however if you are with me so far, then you know the process of signing up for Google consumer account with your company email account.

Let us understand this process again with the following flow chart

[Flow chart: Stop Google conflicting accounts creation in G Suite]

Google Consumer Account Creation Process-:

  1. User goes to the Google consumer account sign up page, and signs up with his company email account (e.g. user@domain.com).

  2. Google sends a verification email on provided email (e.g user@domain.com) which has 6 digit code and ask the user to provide this code to verify that he owns this email.

  3. If a user is able to receive this email and provide code back to Google, then his Google consumer account will be created.

If you look at this process, Step 3 is critical for this account creation, what if we block this email at our email server and do not let it reach out to the user?

Bingo!!! 

We can stop users from creating Google conflicting accounts then!!!

But we don’t want to merely block this email; ideally we also need to know which users are trying to create these consumer accounts, so we can reach out to them asking for justification and, if required, create their managed Google account from our Google admin console instead.

So, now let me break this solution into easy to understand parts, and also show you how to put this in place.

 

Solution breakdown

1. Block Consumer Account Creation

We should stop users from creating consumer accounts by not letting the Google verification email reach them.

So now let us look at some of the metadata and the message body of the email that Google sends to the user-:

[Screenshot: Google consumer account verification email]
  • Email Subject
    • The subject of this verification email would be “Verify your email address”
  • Email Body
    • The body of this verification email would have
      • “Verify this email is yours” and
      • a 6 digit code (which the user will need to provide back to Google to verify email ownership)

This metadata and email body would be very helpful for us to create a rule at our email server to block such email to reach out to our users.

Here is how you would create such email rule in G Suite (but you should be able to create such rule in any prominent email gateway or server).

Rule Conditions-:

  • If the email “Sender Header” is “noreply@google.com”
    • AND
  • Email Subject = “Verify your email address”
    • AND
  • Email Body contains “Verify this email is yours” AND a 6 digit code

Rule Actions-:

  • Rename “Envelope Recipient” (to a user to whom we want to send these emails, such as admin@yourdomain.com)
    • AND
  • Prepend to Subject line (e.g. prepend “[Consumer Account Creation Attempt]”)
    • AND
  • Add X-Gm-Original-To header

Rule Result-:

  • Instead of going to the actual user (e.g. user@domain.com) who tried to create a Google consumer account, the email would go to the user we defined above (e.g. admin@yourdomain.com).

  • Email subject would be “[Consumer Account Creation Attempt] Verify your email address”
  • Email TO: would have the actual user email to whom Google sent the verification email, and the original recipient is also kept in the X-Gm-Original-To header we asked Google to add

Configuring Rule in G Suite

Step 1 – Login to G Suite (or Google Cloud Identity) Admin Console

1. Go to Admin.google.com
2. Enter your G Suite (or Google Cloud Identity) Admin id and password

Step 2 – Create a Content Compliance Rule with our conditions and actions

Go to Apps –> Gmail –> Advanced Settings –> Content Compliance
Click on “Add Another” to create a new content compliance rule

Note -: As shown in the screenshot below, please make sure to select your root OrgUnit to ensure this rule gets applied on all users in your G Suite (or Google Cloud Identity) tenant/account.

[Screenshot: Create Content Compliance Rule]
  • Give your rule a description so it becomes easy for other admins to understand what it is doing (e.g. This rule blocks Google consumer account creation)

  • Select “Inbound” as the scope for this rule, as the consumer verification emails will come from the Google.com domain, which is external to us, as shown in the screenshot below.
[Screenshot: Content Compliance Rule scope]

Add the conditions to trigger our rules as we discussed above.

  • All conditions should match
  • Sender header should contain noreply@google.com
  • Subject should be Verify your email address.
  • Body should match our regex \d{6} which would detect any 6 digit code in the email body.

Though the above conditions are good enough for our rule to work, you may also consider adding one more condition (which I forgot to add) that looks for Verify this email is yours in the email body.

Here is how your expressions would look-:

[Screenshot: Content Compliance trigger conditions]

Once our rule triggers, it should perform the following actions.

  • It should add the X-Gm-Original-To header (this will keep the email of the user who tried creating the consumer account, so we can identify the user and reach out to him/her asking for justification as part of our solution)

  • Also prepend a custom subject (e.g. Consumer Account Creation Attempt). This will help us keep all of these in a separate Gmail label later.

    Please look at the screenshot below.
[Screenshot: Add headers and prepend subject to content compliance]
  • Another action that we want our rule to perform is to change the envelope recipient from the actual recipient (who attempted to create the consumer account) to the account of our choice.

  • In the screenshot below, I changed it to my admin account, but you may change it to any user of your choice (make sure you have ownership of this account, as we’ll need it for the rest of the solution)
[Screenshot: Change envelope recipient]
  • Now as a final step, go ahead and apply this rule only on “Unrecognized Users”

  • Unrecognized Users in G Suite or Google Cloud Identity are the users who are not created as managed accounts or aliases yet.

  • As the users who are trying to create consumer accounts are not in our G Suite or Google Cloud Identity yet as managed users, applying this rule only on unrecognized users would be perfect.

  • Finally, save the rule as shown in the screenshot below.
[Screenshot: Apply content compliance only on unrecognized addresses]
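
The rule's conditions and actions can be checked offline against sample mail before it is saved. The following is an added example, not code from this post or from Google: a small JavaScript model of the rule, run over constructed messages, which also shows why the extra “Verify this email is yours” condition helps, since \d{6} alone also matches six digits inside a longer number. The message field names, the stricter regex and the sample bodies are assumptions made for this sketch.

```javascript
// Added example: local model of the content compliance rule described above.
// Field names and every sample message are constructed for this sketch.
const RULE = {
  senderContains: "noreply@google.com",        // "Sender header" condition
  subjectEquals: "Verify your email address",  // "Subject" condition
  bodyPhrase: "Verify this email is yours",    // optional extra body condition
  looseCode: /\d{6}/,                          // body regex used on this page
  strictCode: /(^|\D)\d{6}(\D|$)/,             // six digits that are not part of a longer number
  rerouteTo: "admin@yourdomain.com",
  subjectPrefix: "[Consumer Account Creation Attempt] ",
};

// Returns the list of unmet conditions; an empty list means the rule fires.
// strict=false models the base rule (sender + subject + \d{6});
// strict=true adds the body phrase and the tighter code pattern.
function unmetConditions(msg, managed, rule = RULE, strict = true) {
  const unmet = [];
  // The rule is scoped to "Unrecognized" addresses: no managed user or alias.
  if (managed.has(msg.envelopeRecipient.toLowerCase())) unmet.push("recipient is recognized");
  if (!msg.senderHeader.toLowerCase().includes(rule.senderContains)) unmet.push("sender");
  if (msg.subject.trim() !== rule.subjectEquals) unmet.push("subject");
  if (strict && !msg.body.includes(rule.bodyPhrase)) unmet.push("body phrase");
  const code = strict ? rule.strictCode : rule.looseCode;
  if (!code.test(msg.body)) unmet.push("six-digit code");
  return unmet;
}

// Applies the rule actions: add X-Gm-Original-To, prepend the subject tag and
// change the envelope recipient. Non-matching mail is returned unchanged.
function applyRule(msg, managed, rule = RULE, strict = true) {
  if (unmetConditions(msg, managed, rule, strict).length > 0) {
    return { ...msg, rerouted: false };
  }
  return {
    ...msg,
    rerouted: true,
    headers: { ...msg.headers, "X-Gm-Original-To": msg.envelopeRecipient },
    subject: rule.subjectPrefix + msg.subject,
    envelopeRecipient: rule.rerouteTo,
  };
}

// Constructed test data: one managed pilot user and three inbound messages.
const MANAGED = new Set(["pilot.user@yourdomain.com"]);
const verification = (to) => ({
  envelopeRecipient: to,
  senderHeader: "Google <noreply@google.com>",
  subject: "Verify your email address",
  body: "Verify this email is yours\nUse this code to finish setting up your account: 482915",
  headers: {},
});
const SAMPLES = {
  unmanaged: verification("john@yourdomain.com"),
  managed: verification("pilot.user@yourdomain.com"),
  // Same sender and subject, but the body only holds a 10-digit number.
  lookalike: { ...verification("jane@yourdomain.com"), body: "Call us on 4155550123 about your order." },
};

// Summarises which samples each variant of the rule would reroute.
function runSamples() {
  const out = {};
  for (const [name, msg] of Object.entries(SAMPLES)) {
    out[name] = {
      baseRule: applyRule(msg, MANAGED, RULE, false).rerouted,
      withPhrase: applyRule(msg, MANAGED, RULE, true).rerouted,
    };
  }
  return out;
}

console.log(runSamples());
```
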

Testing our rule

  • Now let us test our rule to ensure it works as expected by creating a Google Account with any random email on our domain (make sure the email you are putting does not exist in your G Suite or Google Cloud Identity)

  • Click Next 
[Screenshot: Try creating consumer account]
  • Head over to Google Admin Console –> Reports –> Admin Audit –> Email Log Search

  • Put the sender as noreply@google.com

  • You should ideally see email with the subject Verify your email address

  • Open this log and confirm it matched the rule we configured above

  • Please see my email log below as reference. 
[Screenshot: Content rule triggered on consumer account creation]
  • Now when you go to the mailbox which you have put in the rule while changing the envelope recipient, you should see the verification email from Google with our prepended subject, as you see below.
[Screenshot: Envelope changed]
  • Open this email and look at its metadata and elements

  • It has the sender header we put in the rule along with the changed subject, and a 6 digit code.

  • You would also see the email address of the actual user who tried creating the consumer account in the TO field, as shown in the screenshot below.
[Screenshot: View the triggered email]

Awesome Job so far, we were able to block consumer account creation, give yourself a pat on the back.

But we are not done yet, we do not want to keep coming to this mailbox and open these emails one by one manually to see which users tried creating Google consumer accounts.

So let us move to next step of our solution, and automate this process.

2. Identify the users who tried creating Google consumer accounts.

  • Let us put all these verification emails in a separate label in our Gmail, and also let them skip the inbox to keep our inbox clean (we will later parse all emails from this label to read their TO field).

  • Your label criteria would be very simple, look for the subject [Consumer Account Creation Attempt] Verify your email address

  • And put all such emails directly into a new label called Conflict (of course, you can name this label anything you want)
[Screenshot: Create Gmail filter criteria for conflicting accounts]
[Screenshot: Create Gmail filter for conflicting accounts]
  • So far based on the work we have done, we are now getting all the consumer account verification emails in our Gmail (instead of the actual user) account and that too in a specific label that we created called Conflict skipping the inbox.

  • Now let us write a Google Apps script as part of our solution which would fetch all emails from this label, and parse the email address in TO to find out the actual user who attempted consumer account creation along with the timestamp of the email.
 

Google Apps Script Sheet

Instead of manually copying and pasting each of the scripts that we would need for the rest of the solution, you can copy the Google sheet below, as it will give you all the scripts automatically.

Also, once you copy this sheet, it does not have any connection with me; you can run it securely in your own Google Sheets.

    • To use the above scripts, watch the video I provided above, or otherwise follow the screenshots below.

    • After you copy the above sheet, give it a few seconds, and then you would find a new add-on called “Conflict Account Manager” under the Add-ons menu in your Google sheet, as you see in the screenshot below.
[Screenshot: Conflict Account Manager Google Apps Script]
  • Go to Add-ons –> Conflict Account Manager –> Setup Wizard –> and click on “Setup Sheet”. 

  • The script will ask you for authorization when you run it for the first time.
[Screenshot: Authorize conflict account script sheet]
  • Google will show you a warning that this app is not verified, but you are not actually installing any 3rd party app here; this app now belongs to you, as you copied the sheet (and the associated script came over with it). You can read the copied code under Tools –> Script editor before you authorize it.

  • Click on the Advanced option as shown below.

[Screenshot: Go to advanced option]
  • Click on Conflict Accounts Manager (unsafe) to proceed to the authorization screen.
[Screenshot: Click on Conflict Account Manager]
  • Authorize the script for the scopes it needs.
[Screenshot: Authorize the script to run]
  • Go to Add-ons menu –> Conflict Accounts Manager –> Setup Wizard –> and click on “Setup Sheets”
[Screenshot: Click on setup sheets]

It will create two sheets in your Google Sheets

  • (i) Conflict Account Creation Attempts -: It will list all the users who tried to create consumer accounts with your corporate email address.

  • (ii) Email Template -: It will have email subject and email body which will be used to send emails to these users asking for justification (feel free to change content in the email template sheet).
  • Now run the script function to list all consumer account creation attempts.
Run the function to find consumer account creation attempts
    • Once you click it, script will fetch all the emails in your Gmail from the “Conflict” label –> Parse the email address in TO: –> and list it under “Attempted By

    • Script will also fetch the date and time stamp from the email/s and list them out so you know on which date and at what time this user attempted to create consumer account as you see in the screenshot below.
Note -: Make sure to change the label name in the script called emailExtractor too if your have named your label anything other than Conflict.

Also, if your Conflict label does not have any emails, script will be finished without writing any data in your sheet as it couldn’t find any.
Get consumer account creation attempts
  • If you do not want to come to this sheet and run this function manually, you can automate it with Google Apps Script triggers, which let you set up cron-like scheduled jobs.
  • To set up the trigger, go to Tools in your sheet's menu bar –> click on “script editor” –> and then click on the clock icon to open the triggers page.

  • On this page, click on the Add Trigger button in the bottom right.
  • In the trigger settings, you are asking Google to run our script function every hour, and to notify you immediately (by email) if something goes wrong.

  • I have set this trigger to run every hour, but you may change the timing as per your needs.

What is expected to happen now?

  • Every hour (or at the interval you have set in your Apps Script trigger), our script will run and look for emails under the Conflict label in our Gmail mailbox.

  • If any email is found, it will parse the email timestamp and the email address in the To: field, and put them in columns A and B of our Google Sheet respectively.

  • We can look at this sheet anytime to see which users tried creating Google conflicting accounts on which date and time.
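The extraction step described above, sketched as an added example (this is not the script that ships with the sheet). The function names and the exact tab name are assumptions; the label name and the column A/B layout follow the text. The parsing and de-duplication are plain functions so they can be checked outside Apps Script.

```javascript
// Added example, not the script bundled with the sheet. Function names and the
// tab name are assumptions; the label name and columns A/B follow the text.
const LABEL_NAME = 'Conflict';
const SHEET_NAME = 'Conflict Account Creation Attempts';

// Extract bare, lower-cased addresses from a To: header such as
// '"John Doe" <John@Example.com>, jane@example.com'.
function parseRecipients(toHeader) {
  const found = String(toHeader || '').match(/[^\s<>,;"']+@[^\s<>,;"']+/g) || [];
  return found.map((a) => a.toLowerCase());
}

// Build [timestamp, address] rows from {to, date} messages. Pairs already in
// existingKeys are skipped so a repeated (hourly) run adds no duplicate rows.
function buildRows(messages, existingKeys) {
  const seen = new Set(existingKeys);
  const rows = [];
  for (const m of messages) {
    for (const addr of parseRecipients(m.to)) {
      const key = m.date.toISOString() + '|' + addr;
      if (seen.has(key)) continue;
      seen.add(key);
      rows.push([m.date, addr]);
    }
  }
  return rows;
}

// Apps Script entry point (GmailApp/SpreadsheetApp exist only in Apps Script).
function listConflictAttempts() {
  const label = GmailApp.getUserLabelByName(LABEL_NAME);
  if (!label) return 0; // label renamed or missing: nothing to read
  const messages = [];
  label.getThreads().forEach((t) => t.getMessages().forEach((msg) =>
    messages.push({ to: msg.getTo(), date: msg.getDate() })));

  const sheet = SpreadsheetApp.getActive().getSheetByName(SHEET_NAME);
  const last = sheet.getLastRow();
  const existing = last > 1
    ? sheet.getRange(2, 1, last - 1, 2).getValues()
        .filter((r) => r[0] && typeof r[0].toISOString === 'function')
        .map((r) => r[0].toISOString() + '|' + r[1])
    : [];
  const rows = buildRows(messages, existing);
  const next = Math.max(last, 1) + 1; // row 1 is assumed to be the header
  if (rows.length) sheet.getRange(next, 1, rows.length, 2).setValues(rows);
  return rows.length;
}
```

Because already-recorded timestamp/address pairs are skipped, pointing an hourly trigger at `listConflictAttempts` does not fill the sheet with repeats of the same attempt.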

3. Reaching out to users asking for justification

  • Now that we have the email addresses of the users who tried creating a Google consumer account with our company email address, we can reach out to them asking for justification.

  • This can also be automated by adding another function to our Apps Script which does the following:
    • Read the users' email addresses from our sheet.
    • Loop through them to send each an email, one by one.
    • Put a status in the sheet after the email is sent (e.g. Justification Email Sent).
    • Run again on a time-based Apps Script trigger, but this time pick only the users whose status is not equal to “Justification Email Sent”.

However, if we automate it like this, the email will be sent to every user in our sheet, including any user who does not even work for your organization but tried to create a consumer account with your domain.

So you would get some bounce backs, or these emails will go to your catch-all account (if you have set one up).

Now let me show you how to send justification emails to these users.

 

  • To send the justification email to users, click on “Send Justification Email” from the menu.
  • Once the script has sent the emails, it updates the status in Column D to “Justification Email Sent” along with the date on which it sent the email.
  • If you want to automate this email sending as well, set up one more Apps Script trigger similar to the one we set up above, but this time choose “sendEmail” as the function to run at a regular interval.

  • You may also consider using a different interval from the one you set for the extractEmails trigger to avoid conflicts.
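One way to implement the send step above, as an added example (not the script that ships with the sheet). It sends one email per address even when a user has several attempt rows, and it takes an optional list of known mailboxes so that addresses outside your organization are skipped instead of bouncing. The function names, the template cells (A2 subject, B2 body) and `employeeAddresses` are assumptions.

```javascript
// Added example, not the script bundled with the sheet. Function names, the
// template cells (A2 subject, B2 body) and employeeAddresses are assumptions.
const SENT = 'Justification Email Sent'; // status text the page shows in column D

// rows: values below the header row, one per attempt:
//   [timestamp, address, <column C, unused here>, status]
// employeeAddresses: optional list of mailboxes you know exist; when given,
// other addresses are skipped instead of mailed (avoids bounces/catch-all).
// Returns Map(address -> sheet row numbers) and the skipped row numbers.
function planJustificationEmails(rows, employeeAddresses) {
  // A time-driven trigger passes an event object here, so accept arrays only.
  const allow = Array.isArray(employeeAddresses)
    ? new Set(employeeAddresses.map((a) => a.trim().toLowerCase()))
    : null;
  const toSend = new Map();
  const skipped = [];
  rows.forEach((r, i) => {
    const addr = String(r[1] || '').trim().toLowerCase();
    const status = String(r[3] || '');
    if (!addr || status.startsWith(SENT)) return; // blank or already handled
    const rowNumber = i + 2; // row 1 is the header
    if (allow && !allow.has(addr)) { skipped.push(rowNumber); return; }
    if (!toSend.has(addr)) toSend.set(addr, []);
    toSend.get(addr).push(rowNumber); // several attempts, one email
  });
  return { toSend, skipped };
}

// Apps Script entry point (SpreadsheetApp/MailApp exist only in Apps Script).
function sendJustificationEmails(employeeAddresses) {
  const ss = SpreadsheetApp.getActive();
  const sheet = ss.getSheetByName('Conflict Account Creation Attempts');
  const last = sheet.getLastRow();
  if (last < 2) return 0; // header only: nothing to send
  const [subject, body] = ss.getSheetByName('Email Template')
    .getRange('A2:B2').getValues()[0];
  const rows = sheet.getRange(2, 1, last - 1, 4).getValues();
  const { toSend } = planJustificationEmails(rows, employeeAddresses);
  const stamp = SENT + ' ' + new Date().toISOString().slice(0, 10);
  toSend.forEach((rowNumbers, addr) => {
    MailApp.sendEmail(addr, subject, body);
    // Mark every attempt row for this address right after its email goes out.
    rowNumbers.forEach((n) => sheet.getRange(n, 4).setValue(stamp));
  });
  return toSend.size;
}
```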

4. Automatically (or manually) create managed accounts for users with Justification

  • In the justification email that you send to these users, you may consider including a Google Form which asks users to provide some information.

  • Based on the responses, you have two choices:
    • Create users manually as usual (either via the Google Admin console, directory sync or the API).

    • Create users automatically by calling the Google Directory API from our Apps Script, based on a Google Form submission trigger.
      • Look at this video where I set up self-service group creation based on form submission.

Handling Advanced Scenarios

In this section, let us talk about handling unmanaged accounts in some advanced scenarios, such as when you are using Single Sign On and user lifecycle management with an external Identity provider.

Using IdP with unmanaged users scenario

When you use an external Identity provider with G Suite, Google Cloud Identity or Google Cloud Platform, your IdP may provide you the following:

User Lifecycle Management, where your IdP creates (or suspends, deletes, updates) users in Google based on the rules that you set up (e.g. based on group membership in your IdP or in an LDAP server that is connected to your IdP).

Concerns:

  • Your Identity provider would be using Google’s Directory API to create the users in Google directory.

  • However, the Directory API does not detect and tell you whether the user you are trying to create has a Google conflicting account or not. It will go straight ahead and create the user in Google Directory.

  • It means you would miss an opportunity to send a data/account transfer request to your users.

Solution:

  • Do not use the IdP to create users who have Google conflicting accounts (e.g. you can leverage the transfer tool for unmanaged users, as shown above, to identify conflicting accounts in your domain and exclude them from being created in Google via an exclusion rule or similar capability in your IdP).
  • Also, if your conflicting users reject your data transfer request, or you create their managed account in Google straight away, the behavior remains the same: when they go to log in to Google, they will need to choose whether they want to log in to their individual account or their corporate account.
  • If they choose the corporate account, they will be redirected to your Identity provider page; if they choose their individual account, they will be asked for their Google credentials.

Single Sign On access, where your IdP sends a SAML response to Google for authentication.

Concern

  • What if a user who has an account in our IdP creates a Google consumer account and authenticates via our IdP (through SAML)?

Solution:

  • Google can easily detect whether an email account is an unmanaged (consumer) account or a managed (G Suite or Google Cloud Identity) account, and follows the authentication flow accordingly.
  • This means that if an unmanaged user tries to log in to his Google consumer account (whose address ends in yourdomain.com), Google will not redirect him to your IdP, because Google knows him as an unmanaged user.
  • Similarly, if a managed user tries to log in to G Suite or Google Cloud Platform (or any other Google service), Google will redirect him to your IdP page.

Using Google Cloud Directory Sync with unmanaged users scenario

Google customers use Google Cloud Directory Sync (GCDS) to sync their Active Directory or LDAP with Google Directory.

Concerns:

  • Google Cloud Directory Sync also leverages Google’s Directory API to create (suspend, update, delete) the users in Google directory, based on your AD/LDAP and the settings you configure in GCDS.
  • However, the Directory API does not detect and tell GCDS whether the users it is trying to create have a conflicting account or not. It will go straight ahead and create the users in Google Directory.
  • It means you would miss an opportunity to send a data/account transfer request to these users.

Solution:

  • Do not use GCDS to create users who have conflicting accounts (e.g. you can leverage the transfer tool for unmanaged users, as shown above, to identify conflicting accounts in your domain and exclude them from being created in Google via an exclusion rule based on OrgUnit, Group or user attribute in GCDS).

  • E.g. export all the unmanaged users from the Transfer Tool, and put them in a group in your LDAP, or mark a custom user attribute with a value of ‘unmanaged account’, and use it to create an exclusion rule in your GCDS.

Google Conflicting Accounts - FAQs

Here I am listing some of the frequently asked questions about Google Conflicting accounts. If you have any question, please comment at the bottom, and I will add it (along with the answer) to the FAQs.

FAQ

Most frequent questions and answers about G Suite Conflicting Accounts

The user needs a G Suite license to access Google Drive, and without the license would see an error page saying “You do not have access to this service”.

Please make sure to assign your user a G Suite license so the user can access Google Drive and see the transferred data.

No, only accounts with your corporate email (e.g. user@yourdomain.com) which were created directly with Google as consumer accounts are conflicting accounts.

@gmail.com accounts (even if they have your company related data) are not conflicting accounts.

There are options to migrate data from any @gmail.com account to G Suite corporate accounts.

  • It might take Google some time to sync the data and show you the conflicting accounts in the Transfer Tool; allow it a couple of days after you verify the domain ownership.

  • Another case might be that you have this user’s consumer account email address as an alias email (and not as the primary email address) in your G Suite. It will not show in the transfer tool in this case.

  • The user has not created a consumer account with their corporate email address, but has put the corporate email as an alternative email address in a consumer account; the transfer tool would not show this account as conflicting in this case.

  • As per Google, if the user has unsupported special characters in their email address, the user must update their username to remove the special characters before their account can be transferred.
  • No, as per Google’s public documentation there is no API available to deal with Google conflicting accounts.

Ask it in the comments below, and I will try to answer it (if I can) as soon as I get time.

10 thoughts on “Definitive Guide to Google Conflicting Accounts”

  1. Great guide! Was very useful to fix a few mistakes in our migration process. I have a question on Google’s support statement regarding unmanaged users not showing in the list… “A synchronization hasn’t updated the data yet. This usually happens if you recently verified your domain. It might take a few hours for all accounts to appear.”

    We’ve waited over a day now and we still don’t see a critical account we need to migrate. Any idea on what to do in this instance?

  2. Thank you so much for your thorough breakdown! This is incredible. Do you have any insight into YouTube and data transfer? My organization’s YouTube channel exists on a conflicting account and I’m extremely concerned about losing the data (and more importantly, stats) in the transfer. Do you know if this information would stay intact if we used the data transfer tool? Thanks for your help.

    1. You’re welcome, glad you find this overview of Google conflicting accounts helpful.

      I have not tested with YouTube, but I agree this is sensitive as you shouldn’t be taking any risk with your YouTube channel.

      I would love to test it out in the coming days as I get some time, but in the meantime, I would recommend you create a new channel in a Google account, and try converting this user to a managed account.

  3. My company’s YouTube channel is owned by an employee’s conflicting unmanaged account, which is apparent because whenever the employee logs into YouTube, he gets the warning about having a conflicting account with the option to create a new @gmail.com account or an existing non-Google email address. However, the Transfer Tool for Unmanaged Users does not show the conflicting account; I think this may be because YouTube and file ownerships are already held by an @gtempaccount.com account.

    Our goal is to get rid of the conflict without losing our YouTube files and analytics. I think the solution is to create a @gmail.com account that will remove the conflict. I assume that the new @gmail.com account will own the YouTube files and analytics. We would then create a Google Brand Account that can be managed by anyone in our company.

    FWIW, I don’t think the option to transfer files from the conflicting account to an existing account at my company would work because our company uses G Suite. Therefore an existing email address at my company is a Google account. We tried this route and got an error message saying as much.

    1. This is because this account is not in conflict anymore; it seems you already created this account in the Google Admin console as a managed G Suite account, and that’s why this user lost this (user@yourdomain.com) email address and is getting the option to rename it to an @gmail.com ID.

  4. David Gabrielsen

    I have taken over as a super admin for a non-profit G Suite account. (Recovering the admin status was quite a chore.) There is a conflicting account associated with the login name, and it is not identifiable as to who created it. The email name is info@w*******.org and I don’t know the password or the person that created the conflicting account. I don’t want to just delete it till I know what’s in it. Non-profit support people tend to come and go when it’s small and unpaid.

    1. I understand. I think your option is to send the invite to this user instead of creating it, so the user gets the email, and if you do not hear back in a couple of days, you may consider another reminder before making the decision to create this account.

  5. Hi There,
    After hours of searching for relevant information on the topic, you clearly have a deep understanding of all this. Here is my situation, please let me know if you’re able to assist:

    I am a one-man business, and in 2018, I signed up for G-Suite for one reason and one reason only: so I could have a custom domain. The domain I purchased through GoDaddy is “bohnhomes.com” and my email address is eric@bohnhomes.com. That’s it. No other users. Somewhere along the way, “eric@bohnhomes.com” is listed as a Google account TWICE. I’ve always used Safari on my iPhone/iPad, but I am transitioning into a more Google-centric environment as far as adopting Google Drive (vs iCloud), Google Apps (instead of MSFT Office Suite), Google Calendar, etc, etc. And now I want to use Chrome (instead of Safari) on my devices. One ecosystem, more alignment.
    My Chrome app on my iPhone/iPad does not sync the Bookmarks to the Chrome on my laptop. Somehow it’s tied to A “eric@bohnhomes.com” user I created (one of two). And this particular one isn’t where I’ve been storing my bookmarks all these years. Long story short, I want my Chrome bookmarks to sync in real time and I want to delete whatever this second account is, and prevent me from doing this again in the future. Is this something you could help me with, Sir?
