While relatively few companies currently use Google Workspace, some do, and others may wish to consider verifying their domains in Google even if there are currently no plans to use Google services.
Benefits of Verifying Your Domain
- Control
The main benefit is to ensure control over your domain in the Google space. Verifying your domain in Google Workspace ensures that no other accounts can be created using your domain without administrator consent.
Without this, any user on your domain can sign up for a Google Account using email verification and technically become an administrator. The knock-on effect is that IT would need to work with this user to gain access, and if they have signed up for any trial licensing, free licensing or services, you may need to purchase matching licensing in order to merge that tenant into a new IT-managed one.
- Data Security
While using Google Services as a main environment is not that common, we often see users with Google Accounts using the company domain that have been set up as personal accounts, or even using their own personal accounts, usually for the purpose of signing into Google Chrome to save items such as favorites, passwords, history, etc. While this may seem quite low risk, there is no corporate control over the data being stored and it creates a new attack vector that could be exploited.
If passwords are leaked, accounts are compromised or sensitive data is stored in Google Drive without proper access control, this could lead to a host of issues for a company.
This usually happens because companies do not issue corporate Google Accounts as part of their user provisioning approach, so there is a reluctance to block sign-in to Google Chrome with a personal account.
- Extended Device Management
With the Chrome Enterprise Upgrade, you are able to pass ChromeOS devices into Microsoft Intune to unify your device register and perform basic administrator actions from within the Intune Portal. This only applies to companies (or more often schools and universities) that utilize ChromeOS devices, such as Chromebooks.
- Enhanced Google User Management
While Intune gives you a robust set of controls for Google Chrome browsers, there are additional considerations:
- When a user signs up for a personal Google Account they have control over the sharing policies of Google Drive, password and bookmark sync, and more. One option is to limit users to Microsoft Edge synced with their Microsoft account. However, we are often asked to make Google Chrome available to end users, which creates an issue around how you manage the associated data.
- Treating Google Chrome with the same scrutiny as Microsoft Edge in a corporate environment is a must, and to do this efficiently the infrastructure must be in place to allow it.
- Provisioning users in Google allows you to control the services they can access. For example, if there is no need for Drive access, it can be disabled so that users can only sign in to sync their bookmarks and passwords. If Drive is required for specific users, you can put controls around which domains data can be shared with to protect against leaks.
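The sign-in and sync controls above map onto Chrome's documented enterprise policies. The following is an added example, not code from the original article: it builds a Chrome managed-policy file that restricts browser sign-in to corporate Google Accounts and blocks bookmark and password sync, and it shows why the domain in RestrictSigninToPattern must be regex-escaped. The corporate domain example.com, the policy file name and the chosen sync types are assumptions; the policy names (BrowserSignin, RestrictSigninToPattern, SyncTypesListDisabled) are Chrome's own.

```python
import json
import re
from pathlib import Path

# Added example (not the article's code). Assumed values for illustration:
CORPORATE_DOMAIN = "example.com"
POLICY_DIR = Path("/etc/opt/chrome/policies/managed")  # Chrome's managed-policy directory on Linux


def signin_pattern(domain: str) -> str:
    """Return a RestrictSigninToPattern value for one corporate domain.

    The policy value is a regular expression, so the domain's dots must be
    escaped: an unescaped 'example.com' would also accept 'user@examplexcom'.
    """
    return r".*@" + re.escape(domain.lower())


def build_chrome_signin_policy(domain: str, disabled_sync_types=("bookmarks", "passwords")) -> dict:
    """Allow browser sign-in only for the corporate domain and stop Chrome
    from syncing the listed data types to the user's Google Account."""
    return {
        "BrowserSignin": 1,  # 1 = sign-in enabled (0 disables it, 2 forces it)
        "RestrictSigninToPattern": signin_pattern(domain),
        "SyncTypesListDisabled": list(disabled_sync_types),
    }


def is_signin_allowed(email: str, pattern: str) -> bool:
    """Evaluate an account name against the pattern. This mirrors Chrome's
    whole-string, case-insensitive comparison (assumed here, using fullmatch)."""
    return re.fullmatch(pattern, email, flags=re.IGNORECASE) is not None


def write_policy(policy: dict, path: Path) -> str:
    """Serialise the policy as the JSON Chrome reads from the managed directory."""
    text = json.dumps(policy, indent=2)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    return text


if __name__ == "__main__":
    policy = build_chrome_signin_policy(CORPORATE_DOMAIN)
    print(json.dumps(policy, indent=2))
    for account in ("alice@example.com", "alice@gmail.com", "bob@example.com.evil.test"):
        verdict = "allowed" if is_signin_allowed(account, policy["RestrictSigninToPattern"]) else "blocked"
        print(f"{account}: {verdict}")
    # Weak setting for comparison: the unescaped pattern also accepts a look-alike domain.
    print("user@examplexcom with unescaped pattern:", is_signin_allowed("user@examplexcom", ".*@example.com"))
    # write_policy(policy, POLICY_DIR / "corp-signin.json")  # needs root; uncomment to deploy
```

On Windows the same policies are delivered through Intune or the HKLM\SOFTWARE\Policies\Google\Chrome registry path rather than a JSON file, but the values, and the escaping requirement for the pattern, are identical.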
Things to Consider When Verifying a Domain
- Historic Data from Old Tenants
Many companies go through mergers, acquisitions and divestitures, which can result in old tenants becoming orphaned. IT teams will change over time, and you may not be able to access the original tenant. This poses a problem as your domain may still be tied to this tenant and any Google Services attached to it. Decommissioning the old tenant and taking control of the Google space using a new managed environment will help you to retain control.
- Unknown Existing Users
Due to the nature of Google accounts, it is entirely possible that users have signed up already without the knowledge of the IT department. Addressing these user accounts and bringing them into management will give greater control over your users and data.
- Management
- The ability to automatically create Google Accounts for your users, or for a subset of users that may require them.
- Delegating administration of assets/users in specific organizational units to individual OpCo IT teams.
- A view of any ChromeOS devices from within the Intune portal.
- Single Sign On (SSO)
With an Enterprise Essentials subscription and all of the required custom domains verified in Google, password synchronization can be achieved between Entra ID and Google Workspace. Login can be replaced for any ChromeOS devices with the Microsoft login screen. Microsoft applications can be deployed to the device, giving users a unified experience across device types.
- Other Services
There are several other services that may be in use, sometimes without input from the IT Team. It is important to understand exactly what is in use and what the impact of a migration away from the existing environment would be. Some examples are:
- Google Ads
- Google Analytics
- Google Business Profile
- YouTube
How to Set Up Google Workspace
- Licensing
While a paid subscription is not required to set up Google Workspace, there are a few points to take into consideration. Here is a list of a few recommended subscriptions and their use cases:
- Chrome Enterprise Core – A free subscription that allows control of native Google users, Chrome browsers, and apps & extensions. This is the base subscription to get your Google environment up and running.
- Google Workspace Enterprise Essentials – A paid subscription that is required to verify your custom domain. Other subscriptions may also include this ability, but this one is key to allowing the management of custom domains.
- Chrome Enterprise Upgrade – A paid subscription that allows ChromeOS devices to be passed into Intune using the Chrome Enterprise Connector. You only need this if device management is required from within Intune.
- Domain Verification
Domain verification is completed as part of the tenant configuration process and is straightforward unless the domain shows as already in use. If this is the case, and you are unable to gain access to the Google tenant housing the domain, Google offers two recovery routes:
- Email tenant administrators asking for action: If you're not sure who in the business set up the tenant, Google will email the registered Super Admin(s) for you.
- Free up the domain: If the first approach fails, or no one in the company is a Super Admin, you can request that the domain be released. This means that all data in the tenant will be lost, or the tenant will be renamed to a temporary Google domain name. It does require CNAME or TXT records to be added to the domain in question to verify ownership.
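Before starting verification it helps to know whether your DNS already carries Google ties, since an existing verification token or Google MX records usually mean an unknown user or an orphaned tenant has already claimed the domain. The following is an added example, not the article's or Google's code: it classifies a set of DNS records for those markers. The record list is constructed for the example; in practice you would feed in resolver output (for instance from `dig TXT example.com` and `dig MX example.com`). The google-site-verification TXT prefix and the aspmx.l.google.com / smtp.google.com MX hosts are Google's documented formats; the dv.googlehosted.com CNAME target is how the author understands Google's CNAME verification method and is treated as an assumption.

```python
# Added example (not the article's code). Inventory a domain's DNS records for
# existing Google Workspace or Google verification markers before verifying it.

VERIFICATION_PREFIX = "google-site-verification="          # documented TXT verification format
GOOGLE_MX_SUFFIXES = ("aspmx.l.google.com", "smtp.google.com")  # Google Workspace mail hosts
GOOGLE_SPF_INCLUDE = "include:_spf.google.com"             # SPF include used by Workspace
VERIFICATION_CNAME_TARGET = "dv.googlehosted.com"          # assumed CNAME verification target

# Constructed sample records in (name, type, value) form, as a resolver would return them.
SAMPLE_RECORDS = [
    ("example.com", "TXT", "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"),
    ("example.com", "TXT", "google-site-verification=CONSTRUCTED_TOKEN_0000000000000000000000"),
    ("example.com", "TXT", "MS=ms12345678"),
    ("example.com", "MX", "1 aspmx.l.google.com."),
    ("example.com", "MX", "5 alt1.aspmx.l.google.com."),
    ("abc123xyz.example.com", "CNAME", "gv-abcdef.dv.googlehosted.com."),
]


def empty_findings() -> dict:
    return {"verification_tokens": [], "google_mx": [], "google_spf": False, "verification_cnames": []}


def audit_google_dns(records) -> dict:
    """Classify (name, type, value) records and collect Google-related findings."""
    findings = empty_findings()
    for name, rtype, value in records:
        rtype = rtype.upper()
        value = value.strip().strip('"')
        if rtype == "TXT":
            if value.startswith(VERIFICATION_PREFIX):
                findings["verification_tokens"].append(value[len(VERIFICATION_PREFIX):])
            elif value.lower().startswith("v=spf1") and GOOGLE_SPF_INCLUDE in value.lower():
                findings["google_spf"] = True
        elif rtype == "MX":
            host = value.split()[-1].rstrip(".").lower()   # drop the priority, keep the host
            if host.endswith(GOOGLE_MX_SUFFIXES):
                findings["google_mx"].append(host)
        elif rtype == "CNAME":
            target = value.rstrip(".").lower()
            if target.endswith(VERIFICATION_CNAME_TARGET):
                findings["verification_cnames"].append(name.lower())
    return findings


def summarize(findings: dict) -> list:
    """Turn findings into the follow-up actions an IT team would want to take."""
    actions = []
    if findings["verification_tokens"] or findings["verification_cnames"]:
        actions.append("Domain already verified with Google by someone: identify the owning account or tenant "
                       "before requesting the domain be freed up.")
    if findings["google_mx"]:
        actions.append("Mail is routed to Google Workspace: an existing tenant receives this domain's email; "
                       "releasing the domain would break mail flow.")
    if findings["google_spf"]:
        actions.append("SPF authorises Google to send as this domain: review after any tenant decommissioning.")
    if not actions:
        actions.append("No Google markers found: verification should proceed without an ownership conflict.")
    return actions


if __name__ == "__main__":
    result = audit_google_dns(SAMPLE_RECORDS)
    for key, value in result.items():
        print(f"{key}: {value}")
    for line in summarize(result):
        print("-", line)
```

A verification token in DNS is not a secret and is safe to leave in place; its presence simply tells you that a Google account has already proven ownership of the domain, which is the situation the recovery routes above are designed for.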
- User Provisioning and SSO
You can check this Google document detailing the process of configuring automatic user provisioning and Single Sign On between Entra ID and Google Workspace.
- Chrome Enterprise Connector (Intune)
Check out this Google documentation detailing the process of setting up the Chrome Enterprise Connector to pass ChromeOS devices into Intune.
Decommissioning
Decommissioning is an important step if you have recently gone through a Google Workspace migration, merger or acquisition.
Having a set of tasks to account for this will help prevent some of the issues mentioned in this document from recurring. It will also help you to:
- Prevent data from being orphaned
- Stop paying for subscriptions or services that are no longer required
- Allow future use of any custom domains in the environment
- Prevent continued access to outdated or unmonitored data
- Reduce attack vectors
- Reduce the risk of leaked or compromised data
Interested in learning more about managing your Google Workspace? Explore our Insights page or contact us today to book a consultation!