Restrict Google Consumer Account Creation
Hey guys, this is Goldy, welcome to the definitive guide to Google conflicting accounts.
In this video I will show you how you can restrict your corporate users from creating Google consumer accounts.
I know you might have the question "why would I need to do that", so let me share my screen and present a few slides to answer that and some other questions. Here are my slides.
Now, let's start with understanding that there are two ways to create a Google account.
The first is a Google managed account, also called a work account, which is the recommended type if you are using Google services for your business. However, there is a second way, which is to create a Google unmanaged account, also called a Google consumer account.
So if you have created a Gmail account for your personal life, let me tell you that instead of using an @gmail.com address, you can also use your corporate email address for that. For example, if I own the domain goldyarora.com, I can go to the Google account creation page and create a Google account with an address at that domain rather than a gmail.com one.
Now, creating a Google consumer account is not recommended if you plan to use it for business purposes, because the data that you put in a consumer account belongs to the user/employee who created it and not to the business or the company, so you have no control over it.
Okay, so now that you understand that you should always go with the first option of creating work accounts instead of consumer accounts, especially when you are using Google services for your business, your question might be how I can make sure that nobody from our company can create a consumer account, and that is what this video is all about.
Before I help you understand your options, let's understand how a consumer account gets created.
First, the user simply goes to the Google account sign-up page, where they will see an option.
That option is "instead of Gmail, use your current email address", where the user puts in their company domain email address, and then Google sends a six-digit verification code to that email address.
The user goes to their corporate mailbox, copies that code, comes back, pastes the code, and that is it.
The user has just created a Google consumer account on your corporate email address, which they own, including the data in it, and that is what we are trying to stop in this video.
Okay, now let's talk about the options to restrict it. Essentially, there are two.
The first option is that you pre-provision, or proactively provision, all your company employees into Google work accounts, in Google Workspace or Google Cloud Identity.
Which essentially means that if I have 2000 people working for our company, I take all 2000 email addresses and create work accounts for them in the Google Workspace or Cloud Identity admin console.
Now, when any of these 2000 people go to Google and try to sign up for a consumer account, they will see an error saying this account already exists in Google.
That is the first option. Now let's talk about the second option.
Which is to block the verification email, because as per the consumer account creation flow, if you try to create a consumer account with your corporate email address, Google sends a random six-digit code to your corporate mailbox and asks you to provide that code to prove you own the address.
Now, this verification email is delivered according to your domain's MX (mail exchange) records, which means it lands on whatever mail server handles mail for your domain, and that is where you can intercept it.
So if we can break that specific flow, the user will not get the verification email, won't be able to provide the verification code, and hence the Google consumer account won't be created.
Now you might be asking which of these two options you should go with, and for that I have created this small options comparison. I'll then give you my recommendation too.
There are a few things that you should consider.
1. Ease of use: the first option is a bit difficult to configure. For example, if you have two thousand users, you either need to create them all at once via CSV, or you need to use Google Cloud Directory Sync to sync everything from your Active Directory or LDAP to Google.
However, blocking the verification email is pretty easy to configure: all we need to do is create one mail rule on our messaging server, and that is it.
2. Ease of management: I would say the first option is not easy to manage, because when new people join your organization you need to make sure that you provision them to Google as soon as possible. Due to this ongoing maintenance, this option becomes a bit painful.
However, with the verification email blocking rule, you don't need to keep managing it. Once you create the rule, that is it.
3. Cost efficiency: when you provision users in Google proactively, you need some sort of license, and one of those is the Cloud Identity Free license, which is offered at no cost for up to 50 users by default.
You may be able to request a higher limit, and if you get it, then the solution might work for you for free; otherwise you will need to purchase licenses.
However, with the verification email blocking rule, there is no hassle of requesting or purchasing licenses. It is free because it is just an email routing rule.
4. Probability of error: I would say the first option has more chances of error every single day, because when a user joins your organization and, let's say, you have a directory sync in place that is scheduled to run every 4 hours, then within that 4-hour window the user who just joined would be able to create a Google consumer account.
However, with the verification email blocking rule, the probability of error is very low. It will only stop working if Google changes the wording or metadata of the email we are targeting (I'll talk about that in a few minutes). Because the conditions match exact text, it is worth re-testing the rule with a fresh sign-up attempt now and then, and in the languages your users are likely to sign up in. So you can decide which one works for you, but my recommendation is to go with the second one.
My recommendation: go with the verification email blocking rule.
Now let's talk about how we can restrict users from creating Google consumer accounts if you are using Google Workspace (later I'll also show you how to do it if you are using Office 365).
So if you are using Google Workspace as your messaging solution, you are all set. You don't need to do anything, literally. Let me explain.
For example, let's say you have two thousand people working for you and you have created their user accounts in Google. Now, when one of them goes to the Google consumer account sign-up page and tries to create an account, that person will see an error saying this user already exists.
But let's say somebody outside of these 2,000 tries to create a Google consumer account with an address on your domain. That person won't be able to receive the verification email, because that address does not exist as a mailbox in your Google Workspace.
The only way for such an address to receive email is if you have some sort of catch-all account, which is usually held by the Google Workspace admins. So unless your Google admin wants to create consumer accounts for testing, it is not possible to create Google consumer accounts on the domain.
What I am going to show you next will work on any messaging server, as long as it provides some sort of rule-based email routing.
For that, let's look at the metadata of the email that Google sends when you try to create a Google consumer account.
We will look at these four points:
1. The sender is noreply@google.com.
2. The subject says "Verify your email address".
3. The email body contains the string "Verify this email is yours".
4. Finally, the body contains the random six-digit code.
So what we will do is go to our Office 365 tenant and create an email routing rule as explained below.
We will create a mail flow rule that looks for these four conditions: if the sender is noreply@google.com, and the subject is "Verify your email address", and the body includes "Verify this email is yours", and the body includes a six-digit code, then take the action.
Once this rule is triggered, the action is to redirect that specific email to somebody else. So instead of going to the person who is trying to create the Google consumer account, the email goes to a dedicated mailbox or an admin account.
Now, I have made sure to put "AND" between the conditions when defining this rule, because we want the rule to trigger only when all four pieces of metadata are found. That way it triggers only on Google's sign-up verification email and not on other mail from that sender, avoiding false positives.
Okay, so with that, let me share my Office 365 console and show you a live demonstration.
Let me show you that rule in my Office 365 admin console.
I will go to the Exchange admin center, then to Mail flow, then Rules, and you will see that I have this "conflict" rule. If I edit it, you will see the rule.
You will see that the rule says: apply this rule if the sender is noreply@google.com, and the subject or body includes "Verify this email is yours", and the subject matches "Verify your email address", and, last but most important, the subject or body matches this regex, which triggers when there is a six-digit code in the email body.
You can just look at it. It's a small one, but I will also put it in the description so that you can copy and paste it.
If all the conditions match, the action is to redirect the message to an email address of your choice. In my case I am redirecting these emails to my Office 365 admin address; you can redirect to an admin or any dedicated mailbox.
Now, one thing that I really wanted to show you is what happens when you click the plus sign to create a new rule to restrict your users from creating Google consumer accounts.
Make sure you click "More options" there, otherwise you will not see the ability to add multiple conditions. Once you click "More options", you will see an option to add multiple conditions.
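The same rule can be created from Exchange Online PowerShell instead of clicking through the admin center, which is handy if you want it in source control or need to roll it out to several tenants. The script below is an added example, not the page's own script: it assumes the ExchangeOnlineManagement module is installed, and the rule name and the redirect mailbox (conflict-quarantine@example.com) are placeholders of my choosing, not from the page.

```powershell
# Added example, not the page's own script. Recreates the "conflict" mail flow rule
# from the video with Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the rule name and the
# redirect mailbox below are placeholders, not values from the page.

Connect-ExchangeOnline   # interactive sign-in to the tenant

$RuleName   = 'Block Google consumer account verification'
$RedirectTo = 'conflict-quarantine@example.com'   # assumed dedicated mailbox; an admin mailbox works too

# The four conditions are ANDed by Exchange: every one must match for the rule to fire.
# 1. sender is noreply@google.com
# 2. subject matches "Verify your email address"
# 3. subject or body contains "Verify this email is yours"
# 4. subject or body contains a stand-alone six-digit number (the verification code)
New-TransportRule -Name $RuleName `
    -Comments 'Redirects the Google sign-up verification code so users cannot finish creating a consumer account on a corporate address.' `
    -From 'noreply@google.com' `
    -SubjectMatchesPatterns 'Verify your email address' `
    -SubjectOrBodyContainsWords 'Verify this email is yours' `
    -SubjectOrBodyMatchesPatterns '\b\d{6}\b' `
    -RedirectMessageTo $RedirectTo `
    -StopRuleProcessing $true `
    -Mode Enforce

# Read the rule back and confirm every condition and the action were recorded
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, From, SubjectMatchesPatterns,
                SubjectOrBodyContainsWords, SubjectOrBodyMatchesPatterns, RedirectMessageTo
```

If you would rather watch what the rule would catch before it starts redirecting mail, create it with `-Mode Audit` and switch it to `-Mode Enforce` with `Set-TransportRule` once you are happy with the message trace results.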
Now, with that, let me show you how this rule actually stops our users from creating consumer accounts. I am in my Office 365 admin console here, and as you see I have a few active users.
When I click on the "Google Consumer Account" user that I created for this demonstration, you will see that consumerAC at my domain is this user's email address, and I will use it to demonstrate our scenario.
So first, let me copy this email address, and from one of my Google Workspace mailboxes I will send a test email to it, to show you that mail is arriving fine in this mailbox.
When I click send, that user should receive our email in Outlook, because I am logged in with that same account here.
We have got our email here, which means this mailbox is working fine. But when this user tries to create a Google consumer account, that verification email should not arrive here, because it should be redirected to the admin account that we specified in our rule.
So now let's go ahead and create a Google consumer account. We will simply say "Test user", and instead of Gmail we will say we have our own email address, which is our Office 365 user's email.
I will put in a password and click next, and it says that it has sent a verification email to this email address.
Let's go back to Outlook. We don't see anything yet, and ideally we won't, if our rule works.
We will also go to the other mailbox (our admin account), because that is where this email is supposed to arrive because of the redirect we configured in our email routing rule above.
So if I go to Outlook there, you will see that we have got this email here instead of it going to that specific user, and that is because of the rule we have in place.
Okay, so I waited for around five minutes so that I can show you the message trace as well, and you can understand what went on behind the scenes.
If I go to Mail flow, then Message trace, and start a new trace for that specific user, consumerAC at my domain, I can do a quick search.
Let's look at the latest message, and here you will notice that the sender is noreply@google.com, as we expected.
The recipient was our consumer account. However, instead of being delivered to that account, the email was delivered to our admin account, because it triggered our email routing rule.
If I look at the message events here, you can see that it triggered our conflict rule.
The conflict rule that we created, with our conditions and the redirect action, so our rule is working as expected.
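The same check can be scripted, which is useful for confirming the rule is still firing after Google changes anything. The snippet below is an added example and not from the page: the test address is a placeholder standing in for the demo's consumerAC user, and it assumes you are already connected with Connect-ExchangeOnline.

```powershell
# Added example, not the page's own script. Confirms through message trace that the
# Google verification email for the test user was handled by a mail flow rule.
# Assumptions: already connected via Connect-ExchangeOnline; $TestUser is a placeholder
# for the demo's consumerAC mailbox on your domain.

$TestUser = 'consumerac@example.com'

# Message trace lags delivery by a few minutes, so look back over the last hour.
$Trace = Get-MessageTrace -RecipientAddress $TestUser `
    -SenderAddress 'noreply@google.com' `
    -StartDate (Get-Date).AddHours(-1) `
    -EndDate (Get-Date)

if (-not $Trace) {
    Write-Warning "No mail from noreply@google.com to $TestUser in the last hour; trigger a sign-up attempt and wait a few minutes."
    return
}

$Trace | Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize

# For each message, pull the per-hop events and keep only the transport rule ones;
# the Detail column names the rule that fired and the redirect action it took.
foreach ($Msg in $Trace) {
    Get-MessageTraceDetail -MessageTraceId $Msg.MessageTraceId -RecipientAddress $TestUser |
        Where-Object { $_.Event -like '*rule*' } |
        Format-List Date, Event, Action, Detail
}
```

If the trace shows the message as delivered to the test user with no rule event, the conditions no longer match the email Google is sending; open the redirected (or delivered) message and compare its sender, subject and body text against the four conditions in the rule.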
I hope this was helpful and that it will help you restrict your users from creating Google consumer accounts with your corporate email addresses.
If you have any questions, comments or feedback, as usual, do not hesitate to put them under this post, and I'll be happy to collaborate.
Thank you so much.