What’s changing
Earlier this year, we announced multi-party approvals for sensitive actions taken in the admin console, specifically requiring one admin to approve actions taken by another. At launch, these protections applied to several settings, including 2-step verification, account recovery, and more.
Today, we’re expanding multi-party approvals to include domain-wide-delegation. Domain-wide-delegation is a powerful feature which allows admins to grant third-party applications permission to access your Workspace users’ data. Bringing this feature under the umbrella of multi-party-approvals helps mitigate the risk of data exfiltration by internal bad actors or if admin credentials have been compromised.
Overall, multi-party-approvals help ensure no sensitive action happens in a silo and, most importantly, helps prevent unauthorized or accidental changes from being made. This added layer of approval helps ensure actions are being taken appropriately and not too broadly or too often. For more information, see our original announcement.
When domain-wide-delegation changes are attempted, admins will be required to submit the change to a super admin for approval.
Super admins can review and take action on these requests in the Admin console by navigating to Security > Multi-party approval. Super admins will also receive email alerts when a change is requested or any other protected action is attempted.
Getting started
Admins: The multi-party approvals feature is available for eligible Workspace customers with two or more super admin accounts. Multi-party approvals are OFF by default and can be turned on in the Admin console by going to Security > Multi-party approval settings. Visit the Help Center to learn more about multi-party approvals for sensitive actions.
Rollout pace
Rapid Release and Scheduled Release domains: Available now.
Availability
Available for all Google Workspace customers