The comprehensive G Suite Admin guide
Our G Suite Admin Guide will show you how to use the G Suite admin console to ensure that your data and users are secure and productive.
Why G Suite?
Google’s G Suite is quickly gaining market share with SMBs and enterprises alike, as a major challenger to Microsoft Office 365 with approximately 4 million paid users. With email as its centerpiece, G Suite features a group of productivity apps for business, ranging from document collaboration, to calendars, to video conferencing.
Many consumers and millennial workers are used to interfacing with Gmail and Google Docs, making the choice to adopt G Suite relatively simple for startups and SMBs. Recently, Google has doubled down on enterprise user acquisition, working closely with large companies to determine the features and functionality needed to close the gap with Microsoft.
Once admins configure G Suite correctly for businesses of any size, it is a great option for organization-wide (and inter-organizational) collaboration. Our G Suite Admin Guide will show you how to use the G Suite admin console to ensure that your data and users are secure and productive.
Intro to G Suite admin console
The first step to setting up G Suite is deciding who should be privileged users—or admins—as well as what type of administrative privileges to assign to each person. A general best-practice for privileged access management is to only grant the minimum permissions needed for administrators.
Types of G Suite admin roles
Google has a great overview of the different pre-built administrator roles, but here are three key roles to consider:
Super Admin: These users have access to all features in the Admin console and Admin API, and can manage every aspect of the organization’s account. Super admins also have full access to all users’ calendars and event details. Google recommends that at least two people should have super admin access, just in case one user forgets his or her password (the other user can reset it). More than three super admins limits the options for password recovery, so two is a good general rule. For SMBs, super admins could be a founder and co-founder, or for medium-to-large businesses, this duty may be assigned to an operations or IT role.
Groups Admin: Google Groups make it easier for project teams to communicate and collaborate with one another. For example, you can send an email to everyone in a group with one address, invite a group to an event, or share documents with a group. Groups admins can add or delete Google Groups in the Admin console, managing the members and access settings within groups. It can be useful to have additional groups admins on top of the super admin to make team-level changes.
User Management Admin: These admins can perform all actions on users who aren’t administrators, including creating or deleting users, or managing users’ passwords and security settings. These tasks apply only to users who aren’t administrators themselves. User management admins might be the people in the organization responsible for employee onboarding and offboarding, such as an HR team member.
Once you have decided how to set up your admin structure, now it’s time to navigate the G Suite Directory.
G Suite directory
The G Suite Directory includes each user’s name and email address (you can also add information like phone numbers, a physical address, and employee information.) From the Directory, you can get a comprehensive view of users, groups, organizational units, and buildings and resources. Let’s dive into what each sub-category means, as well as some best practices for G Suite admins.
Users: From the user directory, you can manage entire employee lifecycle, onboarding and offboarding employees when they start and leave the organization. Besides adding and removing users within your company, you can add external contacts who don’t have accounts in your organization, such as consultants or partners.
As much as possible, we recommend automating and streamlining onboarding and offboarding processes when it comes to IT, to ensure security and compliance at your organization.
Groups: Once you have your users added to G Suite, you can set up groups to create distribution lists for teams. Groups can help admins manage access to documents, sites, videos, and calendars. In addition, groups can make it easier to manage access and admin privileges.
A best practice is to sync Team Drives to Groups for easier document access management and employee onboarding and offboarding. With Team Drives, files belong to a team rather than an individual. For example, if you create a new Team Drive folder for a specific Group, and if an employee leaves the organization, offboarding that employee becomes as simple as revoking access to the group (there’s no need to transfer document ownership or reset permissions). To share a Team Drive with everyone in a group, simply invite that Group name to the Team Drive settings.
Organizational Units: Larger organizations may choose to implement organizational units to apply different layers of settings to certain users and devices. Initially in your Google Admin console, all your users and devices are placed in a single organizational unit. You can create sub-organizational units beneath your top-level organization, and then move users or devices into that sub-organization. Every user in the sub-organizational unit inherits the settings of their unit as a whole. For example, a super admin may choose to turn off certain applications or features for a sub-organizational unit. You can mix and match domains within an organizational unit, if you frequently work with people who do not share your same domain name, such as consultants or partners.
Buildings and resources: If your organization has more than one office, or certain resource requirements such as conference room bookings or Jamboards (interactive conference room boards), you can use the buildings and resources section of the console to set these up. For example, through the buildings and resources directory, admins can configure the ability to select an available conference room along with a calendar meeting invitation, or connect a Jamboard to a conference room for interactive meetings.
G Suite apps
G Suite features a range of built-in apps that are included in the platform. Not all of these apps are best-in-class, but many of them are extremely useful when you’re getting your organization’s IT services up and running. You may also want to enable API access for these apps at this time.
Core apps
Most people are familiar with the core, “killer apps” of G Suite, including:
Gmail: If you personally use Gmail, there’s a lot of continuity with the G Suite version. Admins can keep and search email logs as an added benefit for security and compliance.
Calendar: G Suite admins can specify how users can share their primary calendar inside and outside the company’s domain. For example, you can specify whether to show event details or keep them private, whether people outside your domain can change calendars, and more.
Google Drive / Team Drives (for G Suite Business and Enterprise): As mentioned above, Team Drives provide a simple way to store and organize files. The benefit is granting ownership of files to teams, rather than individuals. It’s easy to add and remove team members, or decide how you want to grant and restrict access. You’ll need to configure Google Drive correctly before you set up your Team Drive.
Once you’ve done so, you can configure a range of Team Drive settings that control who can view, comment on, edit, create, and remove files, as well as who can add and remove people from Team Drives and individual files and folders. You can also set permissions that will prevent users from moving, deleting, or restoring files from the trash, so that you don’t have to worry about a disgruntled employee wrecking order for the rest of your organization.
Docs, Sheets and Slides: These core productivity apps in G Suite allow you to create documents, spreadsheets, and slide presentations, and easily share or revoke access for collaboration purposes.
Less critical apps
Certain Google apps can be useful for many applications, but aren’t necessarily best-in-class solutions for every use case. Here are a few examples:
Google Forms: This application can be good for organizations that need to manage a lot of events or conduct polls. Otherwise, it isn’t a daily must-have for most people.
Google Meet: This recently updated video conferencing app (formerly known as Hangouts) can also be used as a conference calling line. A wealth of other free conferencing apps challenge Google Meet in terms of reliability and audio quality.
Google Hangouts Chat: A quick and easy default chat app is ok for one-to-one interactions, but other applications like Slack may be better for group chat or collaboration.
Long-tail apps
These apps are new or recently updated, but not 100 percent necessary within most organizations. In the long-run, they may become increasingly useful, especially if Google continues to invest in product development.
Sites: Google Sites has been rebuilt by Google in the past few years, and can sometimes be useful to create company intranets. For Sites, G Suite admins can turn access rights for certain users on and off (or allow access to certain areas of a site).
Jamboard: Connecting Jamboard to Google Meet can be incredibly useful if you have a lot of remote employees, but the dedicated Jamboard hardware is expensive, and there are cheaper (or free) alternatives for collaboration.
Keep: Some people view Keep as a good way to keep notes and lists. Recently Google has added Keep reminders natively to Calendar, which can be a useful way to remember to complete a timed task.
G Suite marketplace & third-party apps
In addition to built-in apps, admins can extend the functionality of G Suite with deep integrations to other third-party SaaS applications via the G Suite Marketplace. This marketplace includes both free and paid business applications, ranging from simple Gmail extensions to robust business productivity applications.
Many SaaS apps outside of the G Suite Marketplace also offer Single Sign On (SSO) with Google functionality. This feature is useful for admins who want to know which permissions people are giving to which apps. Admins can pull custom reports (which is relatively complicated), or automatically get this data from your SaaS management solution. But, a little more on that later in our security section.
G Suite security
When it comes to SaaS security, people can be either your best line of defense or your weakest link. It’s key to build your security policies and procedures around people, including taking the time to understand what is intuitive and user-friendly (and most likely to be followed). Generally speaking, we believe that you should rely more on systems and guardrails than on user actions and training. In other words, take human error out of the equation whenever possible.
The good news is, with G Suite, there are quite a few security tools and configuration options at your disposal. However, these are no good to you unless they are thoughtfully implemented and automatically enforced. Here are the areas you should be looking at securing when it comes to your G Suite applications. To implement these security best practices, use our G Suite Security Checklist.
Multi-factor authentication
The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication (MFA) for G Suite. This greatly reduces the harm that an attacker can do with stolen credentials.
While this may seem like a requirement in today’s age, our data shows that the average company only has 37% of their employees using MFA on their main G Suite account. And this number gets even worse for smaller and early-stage companies, where just 22% of employees at companies with less than 50 people have multi-factor authentication enabled.
Another benefit of implementing strong Google-based authentication is that many SaaS products are increasingly supporting Google SSO, which means that if you enforce MFA for Google, you’ll automatically get those benefits for all apps that use Google SSO.
Team Drives
As we’ve discussed, G Suite Team Drives are shared spaces for teams to store and access their files. This feature is included in the Business and Enterprise versions of G Suite. Files in Team Drives belong to the entire team rather than to individuals. This makes life easier if someone leaves your team, because there is no need to transfer document ownership or reset permissions. The files stay put regardless of any individual’s status, so employees can get work done without interruption.
There is also a security benefit to using Team Drives. When you add new members, you can decide whether you want to give them full access to upload, edit, and delete files, or whether you want to restrict them to certain activities at the user level. It is easy to add members, set and change member permissions, and remove members as needed.
App & file sharing activity reports
Another important function of the G Suite Admin Console is reporting. Two especially useful reports are “Apps Usage Activity” and “File Sharing Activity.” App usage can give you an indicator on how many total emails, files, and video hangouts have been shared within a set period of time. For example, if a user’s email is hacked, there may be an unusual volume of activity indicated for the Gmail app. File sharing activity can show you exactly how files have been shared both inside and outside the organization’s domain in a set timeframe. If there are an unusual number of shares outside the domain, you’ll be able to drill down and find out why this may be happening.
Device management
G Suite has two ways for admins to manage devices, with its mobile device management and endpoint verification tools.
Mobile Device Management: Admins can distribute apps to employees and keep data secure on employee’s iOS and Android devices using mobile management. Using these tools, you can check usage, manage security settings, and lock or wipe devices remotely.
Endpoint Verification: Google recently rolled out Endpoint Verification, a way for G Suite admins to get an inventory of which desktop and laptop computers are being used to access their corporate data and apps. Endpoint Verification collects information via Chrome extensions and native apps on users’ devices, and displays that information to admins in a report in the Admin console.
SaaS app auditing
As we mentioned above, If your team uses Google SSO, you can pull reports in your admin console to find out if your users have authorized any unknown or unapproved apps through their Google accounts.
The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication on all products that support it, especially your primary email and collaboration platform (as you may know, we recommend G Suite). This greatly reduces the harm that an attacker can do with stolen credentials.
While this may already seem like a requirement today, our data shows that the average company only has 37% of their employees using multi-factor authentication on their main G Suite accounts. And this number gets even worse for smaller and early-stage companies, where just 22% of employees at companies with less than 50 people have multi-factor authentication enabled.
If you are one of the organizations lagging behind with multi-factor authentication, our hope is that this straightforward guide will help you implement this powerful and simple security measure.
Why multi-factor authentication works
For those of you who aren’t aware, multi-factor authentication (sometimes abbreviated MFA, and often called two-factor authentication or 2FA) relies on the idea of requiring multiple types of identification. This allows services to ensure that when someone attempts to log in, it is the actual user, and not someone who has stolen a username and password.
Since, as always, we want to employ people-first security (and not drive our users insane), most services just require two forms of authentication (hence 2FA being a common acronym). By requiring the user to provide two different types of evidence, 2FA makes credential theft and forgery significantly harder.
Here are the common types of authentication you will be asked to offer:
- Knowledge: Something you (and hopefully only you) know. A good example is a password or passphrase.
- Possession: Something only you have access to. The most common is a smartphone. Many 2FA-enabled services will ask you to submit your phone number and receive one-time-use codes that serve as your second piece of identification.
- Inherence: Something only you are. You’re probably most familiar with fingerprints, which are increasingly being used as an authentication factor via smartphones. Retina and other biometric factors are also beginning to become popular.
In most cases, a combination of knowledge and possession will be required of your users to sign in to a service that has implemented 2FA.
To put a finer point on it, the 2016 Verizon DBIR found that 63% of confirmed data breaches leveraged weak, default, or stolen passwords. With multi-factor authentication in place, stealing a password isn’t enough to allow criminals to break into your accounts.
Another benefit of implementing strong Google-based multi-factor authentication, should you go that route, is that many SaaS products are increasingly supporting Google Single Sign-on, which means that if you enforce MFA for Google, you’ll automatically get those benefits for all apps that use Google SSO.
How to implement multi-factor authentication with G Suite
Alright, let’s get down to brass tacks. Google has recently improved the process of enforcing MFA across your organization. Here’s a step-by-step walkthrough of the process:
- First, set up two-step verification for your entire domain.
- Next, turn on Two-Step Verification Enforcement for your entire domain.
- When you do this, you’ll have to create a work-around for new employees and contractors: For new employees, you can create a “waiting period” by going to Under Security -> Advanced Security Settings under 2-Step Verification, you can set an enrollment period after a new account is created. For contractors, you’ll need to create an “Exception Group.” This requires quite a few steps, but it will allow members of that group to login without two-step verification.
- Google’s default second factor is the Google app on mobile devices, which is a very user-friendly authentication step (a notification simply pops up on the smartphone to ask whether the user is approving this sign in). This is recommended over the more traditional SMS-based second factor, because it is both simpler and more secure.
People-first multi-factor authentication
As we’ve mentioned before, a security protocol is only valuable if it is simple and straightforward for your users to apply. Otherwise, they will try to get around it, and if they can’t, you’ll lose productivity and efficiency (and possibly have some rather unhappy users on your hands). Multi-factor authentication, when implemented intelligently, makes it simple for your users to prove they are who they say they are when they log in to business-critical services, protecting your organization without creating unnecessary hassle.
Final thoughts
We hope this guide to G Suite Admin basics was useful to you, as you look to set up G Suite for your organization. Setting the right administrative privileges and following these best-practices can help keep your organization secure, compliant, and productive. It’s all a matter of having the right visibility into user activity, while setting and automating as many processes as possible to avoid unnecessary human error.
Check out our Google Workspace Buyer's Guide for a comprehensive breakdown of Google's pricing and plans.